
HJT Log: need thoughts

Discussion in 'Virus & Other Malware Removal' started by fredman, Mar 4, 2005.

  1. fredman

    fredman Thread Starter

    Joined:
    Jul 12, 2002
    Messages:
    195
    I have cleaned out a ton of stuff, but not quite everything. Can anyone take a look at this and tell me if you see anything bad? I still get pop-ups from 4-5 of the same places; one relates to SANDBOXER, another says something about III-Interactive - Microsoft Internet Explorer.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:08 AM, on 3/4/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
    C:\Program Files\Micro Focus\Net Express\mfsql\bin\xsrvnx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINNT\system32\kmw_run.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\KMW_SHOW.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\Bjte6hb.exe
    C:\WINNT\system32\Vip8gx.exe
    C:\GZ-ZIP\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotsheet.com/index_2003.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hotsheet.com/"); (C:\Documents and Settings\fred\Application Data\Mozilla\Profiles\default\tzivulqp.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\fred\Application Data\Mozilla\Profiles\default\tzivulqp.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [89dwUT6] C:\winnt\system32\89dwUT6.exe
    O4 - HKLM\..\Run: [4GMQFGE4M23BAY] C:\WINNT\system32\PlsO0A54.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14b513c2f55149b19406/netzip/RdxIE601.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FMBS.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6D07DCB2-D147-42F8-A341-7882ABF51293}: NameServer = 68.9.16.30,68.9.16.25
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FMBS.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FMBS.local
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Micro Focus Directory Server (mf_CCITCP2) - Unknown owner - C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
    O23 - Service: Micro Focus XDB Server for NX 4.0 - Unknown owner - C:\Program Files\Micro Focus\Net Express\mfsql\bin\xsrvnx.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Let's make sure you know how to set your PC to view hidden files and how to boot to safe mode. Instructions here:

    Safe Mode:

    http://www.computerhope.com/issues/chsafe.htm

    Hidden files:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html


    Looks like you have the Peper.A trojan.

    Download the peper fix:

    http://downloads.subratam.org/PeperFix.exe

    http://www.bleepingcomputer.com/files/virus/PeperFix.exe

    Click on the PeperFix.exe to launch it.

    Click the Find and Fix button.

    It will scan the %systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files. Run it again and reboot for good measure.


    After rebooting, open HJT and check the following entries, click Fix and then reboot to safe mode.

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [89dwUT6] C:\winnt\system32\89dwUT6.exe
    O4 - HKLM\..\Run: [4GMQFGE4M23BAY] C:\WINNT\system32\PlsO0A54.exe


    After rebooting to safe mode, find and delete this file:

    C:\winnt\system32\89dwUT6.exe

    Reboot to normal mode and post a current log, okay?

    :)
     
  3. fredman

    fredman Thread Starter

    Joined:
    Jul 12, 2002
    Messages:
    195
    Well, I know how to view hidden files, and how to go into safe mode, I will print this off and give the other stuff a shot.

    I really appreciate your help, I have several things going on here and in the registry I am not so sure about, that's where I needed the help........

    Thanks again.
     
  4. fredman

    fredman Thread Starter

    Joined:
    Jul 12, 2002
    Messages:
    195
    Got rid of the items as you said, here is a new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:48:28 PM, on 3/7/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
    C:\Program Files\Micro Focus\Net Express\mfsql\bin\xsrvnx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINNT\system32\kmw_run.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\KMW_SHOW.EXE
    C:\GZ-ZIP\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotsheet.com/index_2003.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hotsheet.com/"); (C:\Documents and Settings\fred\Application Data\Mozilla\Profiles\default\tzivulqp.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\fred\Application Data\Mozilla\Profiles\default\tzivulqp.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14b513c2f55149b19406/netzip/RdxIE601.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FMBS.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6D07DCB2-D147-42F8-A341-7882ABF51293}: NameServer = 68.9.16.30,68.9.16.25
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FMBS.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FMBS.local
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Micro Focus Directory Server (mf_CCITCP2) - Unknown owner - C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
    O23 - Service: Micro Focus XDB Server for NX 4.0 - Unknown owner - C:\Program Files\Micro Focus\Net Express\mfsql\bin\xsrvnx.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


    The other thing I'd like to get rid of is a pesky Norton Symantec pop-up that is generated from this machine that tells me my virus definitions are out of date, and I need to resubscribe (they are not, and I don't).
    Why NAV didn't find peper is beyond me.
    Anyway, this pop-up is system generated, and I don't see where I can turn it off in the NAV software itself.

    Ideas ?
     
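As an added example (not from the thread, and not part of HijackThis itself), a small Python script that parses two HijackThis logs and lists the processes and entries present in the first but gone from the second, which is how a helper can confirm that the PeperFix run and the HJT "Fix" actually took effect. The embedded logs are constructed excerpts of the two logs posted above; the format assumptions are stated in the docstring.

```python
"""Diff two HijackThis logs to see what a cleanup actually removed.
Added example, not from the thread or from HijackThis. Assumes the v1.99
layout seen above: a 'Running processes:' block ending at a blank line,
then 'Rn - ...' / 'On - ...' entry lines."""
import re

ENTRY_RE = re.compile(r"^[RNOF]\d+ - .+$")  # R0, R3, O4, O23, N3 ...

# Constructed excerpts of the two logs posted in this thread, before and
# after the PeperFix / HJT fix; real logs are pasted in whole.
BEFORE_LOG = r"""Running processes:
C:\WINNT\system32\kmw_run.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\Bjte6hb.exe
C:\WINNT\system32\Vip8gx.exe
C:\GZ-ZIP\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [89dwUT6] C:\winnt\system32\89dwUT6.exe
O4 - HKLM\..\Run: [4GMQFGE4M23BAY] C:\WINNT\system32\PlsO0A54.exe
"""
AFTER_LOG = r"""Running processes:
C:\WINNT\system32\kmw_run.exe
C:\GZ-ZIP\HijackThis.exe

O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
"""

def parse_hjt(text):
    """Return (processes, entries). Process paths are lower-cased because
    Windows paths are case-insensitive; entry lines are kept verbatim."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process block
            in_procs = False
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries

def removed_between(before, after):
    """Processes and entries present in `before` but absent from `after`."""
    procs_b, entries_b = parse_hjt(before)
    procs_a, entries_a = parse_hjt(after)
    return sorted(procs_b - procs_a), sorted(entries_b - entries_a)
```

Anything that shows up in the "before" set but not the "after" set is what the fix removed; running the same function the other way round (after minus before) would reveal entries that reappeared, which is the sign of an incomplete cleanup.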
  5. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Well, your log looks good! (y) Sorry, I don't have an answer for the NAV thing. My guess would be that Symantec would make it very difficult to disable any of their nags.

    Make sure you stay current with all MS critical updates.

    Check out this thread for more advice on keeping your PC safe:

    http://forums.techguy.org/t208517.html

    :)
     
  6. fredman

    fredman Thread Starter

    Joined:
    Jul 12, 2002
    Messages:
    195
    Believe it or not, I am a PC tech, but the one thing I don't know is the registry, how to know if what is in it is legit or not......

    And tonight the daughter downloads 2 of the new MSFT IM Trojans on HER pc, so now I reload it.........

    I do appreciate your help. Can you tell me how to find out if something in the registry is 'legal' or not? I have done Google searches on things I thought were out of place, and generally I get no hits on it........
     
  7. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    You're welcome fredman. I don't have any place to point you for the registry entries. I would use Google too.

    :)
     