[Solved] hijack this log please check

Logfile of HijackThis v1.98.2
Scan saved at 00:27:38, on 13/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\netw.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Winamp\winamp.exe
D:\WINDOWS\system32\WISPTIS.EXE
D:\Program Files\Kazaa Lite K++\Kazaa.kpp
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\IEDriver\IEDriver.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\phil crane\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\system32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [control] D:\WINDOWS\netw.exe
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Zenet] rundll32.exe D:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
O8 - Extra context menu item: Add A Page Note - D:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - D:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Email This Link - D:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - D:\Program Files\CommonName\Toolbar\navigate.htm
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by CommonName
O10 - Hijacked Internet access by CommonName
O10 - Hijacked Internet access by CommonName
O10 - Hijacked Internet access by CommonName
O11 - Options group: [CommonName] CommonName
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}

 

Got to Add/Remove programs and uninstall CommonName or CommonName Toolbar.

Restart your computer.


Go here

Look at the top of the page for the Submit file box.

Click on Browse

Navigate to the C:\WINDOWS folder and upload the .... netw.exe .... file and let us know what you find.


Go here and download Adaware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Come back here and post another Hijack This log and we'll get rid of what's left.

 

File: netw.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
Packers detected: None

AntiVir Heuristic/Backdoor.VB6 (probable variant) (1.22 seconds taken)
Avast No viruses found (4.59 seconds taken)
BitDefender No viruses found (4.04 seconds taken)
ClamAV No viruses found (11.44 seconds taken)
F-Prot Antivirus No viruses found (0.36 seconds taken)
F-Secure Anti-Virus No viruses found (4.34 seconds taken)
Kaspersky Anti-Virus No viruses found (4.31 seconds taken)
mks_vir No viruses found (1.73 seconds taken)
NOD32 No viruses found (6.71 seconds taken)
Norman Virus Control No viruses found (6.63 seconds taken)

Statistics
Last piece of malware found was W32/Muerte in udt33.zip, detected by:

Scanner Malware name Time taken
AntiVir BDC/TDS.SE.Fun 2.56 seconds
Avast Win32:Trojan-gen. {Other} 4.76 seconds
BitDefender Backdoor.TDS.SE.32 3.69 seconds
ClamAV X 8.01 seconds
F-Prot Antivirus X 0.72 seconds
F-Secure Anti-Virus Backdoor.TDS.SE.31 11.25 seconds
Kaspersky Anti-Virus Backdoor.TDS.SE.31 7.35 seconds
mks_vir Trojan.Tds.Se.31 3.02 seconds
NOD32 Win32/TDS.SE.31 8.37 seconds
Norman Virus Control W32/Muerte 2.24 seconds

 

Ok go ahead and uninstall CommonName, run Adaware and then post another log.

 

Logfile of HijackThis v1.98.2
Scan saved at 01:36:57, on 13/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\netw.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Kazaa Lite K++\Kazaa.kpp
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\phil crane\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [control] D:\WINDOWS\netw.exe
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Navigate to the C:\Windows folder and locate the netw.exe file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the Windows folder. Attach a copy of that zipped folder to your next post here please.

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [control] D:\WINDOWS\netw.exe

Restart to safe mode.

How to start your computer in safe mode

Now find the D:\WINDOWS\netw.exe file and right click it. Choose "Rename and remname it to netw.old for now.

 

here is the file

 

Logfile of HijackThis v1.98.2
Scan saved at 02:08:23, on 13/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\netw.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\phil crane\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Your log is clean!

I got the file. I'll let you know what I find out.

 

ok mate thanx for your help

 

You're Welcome!

 

That file appears to be some kind of Keylogger. I have sent it off for further analysis. I would recommend that you change your critical passwords and look for a file on your C drive where what you have been typing may have been stored. Possibly a keylog.txt file.

 

cant find no key log files or anything u reckon i should delte the file or wait on a rewply to where you have sent it

 

I would go ahead and delete it.

 

ok thanx for all your help mate