1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] hijack this log please check

Discussion in 'Virus & Other Malware Removal' started by Phil_Crane, Sep 12, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    Logfile of HijackThis v1.98.2
    Scan saved at 00:27:38, on 13/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\WINDOWS\netw.exe
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\Winamp\winamp.exe
    D:\WINDOWS\system32\WISPTIS.EXE
    D:\Program Files\Kazaa Lite K++\Kazaa.kpp
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\IEDriver\IEDriver.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Documents and Settings\phil crane\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\system32\sb.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [control] D:\WINDOWS\netw.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Zenet] rundll32.exe D:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
    O8 - Extra context menu item: Add A Page Note - D:\Program Files\CommonName\Toolbar\createnote.htm
    O8 - Extra context menu item: Bookmark This Page - D:\Program Files\CommonName\Toolbar\createbookmark.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Email This Link - D:\Program Files\CommonName\Toolbar\emaillink.htm
    O8 - Extra context menu item: Search using CommonName - D:\Program Files\CommonName\Toolbar\navigate.htm
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by CommonName
    O10 - Hijacked Internet access by CommonName
    O10 - Hijacked Internet access by CommonName
    O10 - Hijacked Internet access by CommonName
    O11 - Options group: [CommonName] CommonName
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Got to Add/Remove programs and uninstall CommonName or CommonName Toolbar.

    Restart your computer.


    Go here

    Look at the top of the page for the Submit file box.

    Click on Browse

    Navigate to the C:\WINDOWS folder and upload the .... netw.exe .... file and let us know what you find.


    Go here and download Adaware SE.

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  3. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    File: netw.exe
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    Packers detected: None

    AntiVir Heuristic/Backdoor.VB6 (probable variant) (1.22 seconds taken)
    Avast No viruses found (4.59 seconds taken)
    BitDefender No viruses found (4.04 seconds taken)
    ClamAV No viruses found (11.44 seconds taken)
    F-Prot Antivirus No viruses found (0.36 seconds taken)
    F-Secure Anti-Virus No viruses found (4.34 seconds taken)
    Kaspersky Anti-Virus No viruses found (4.31 seconds taken)
    mks_vir No viruses found (1.73 seconds taken)
    NOD32 No viruses found (6.71 seconds taken)
    Norman Virus Control No viruses found (6.63 seconds taken)

    Statistics
    Last piece of malware found was W32/Muerte in udt33.zip, detected by:

    Scanner Malware name Time taken
    AntiVir BDC/TDS.SE.Fun 2.56 seconds
    Avast Win32:Trojan-gen. {Other} 4.76 seconds
    BitDefender Backdoor.TDS.SE.32 3.69 seconds
    ClamAV X 8.01 seconds
    F-Prot Antivirus X 0.72 seconds
    F-Secure Anti-Virus Backdoor.TDS.SE.31 11.25 seconds
    Kaspersky Anti-Virus Backdoor.TDS.SE.31 7.35 seconds
    mks_vir Trojan.Tds.Se.31 3.02 seconds
    NOD32 Win32/TDS.SE.31 8.37 seconds
    Norman Virus Control W32/Muerte 2.24 seconds
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Ok go ahead and uninstall CommonName, run Adaware and then post another log.
     
  5. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    Logfile of HijackThis v1.98.2
    Scan saved at 01:36:57, on 13/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\WINDOWS\netw.exe
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\Program Files\Winamp\winamp.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Kazaa Lite K++\Kazaa.kpp
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\phil crane\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [control] D:\WINDOWS\netw.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Navigate to the C:\Windows folder and locate the netw.exe file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the Windows folder. Attach a copy of that zipped folder to your next post here please.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [control] D:\WINDOWS\netw.exe

    Restart to safe mode.

    How to start your computer in safe mode

    Now find the D:\WINDOWS\netw.exe file and right click it. Choose "Rename and remname it to netw.old for now.
     
  7. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    here is the file
     
  8. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    Logfile of HijackThis v1.98.2
    Scan saved at 02:08:23, on 13/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\WINDOWS\netw.exe
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Documents and Settings\phil crane\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Your log is clean! (y)

    I got the file. I'll let you know what I find out.
     
  10. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    ok mate thanx for your help :)
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    That file appears to be some kind of Keylogger. I have sent it off for further analysis. I would recommend that you change your critical passwords and look for a file on your C drive where what you have been typing may have been stored. Possibly a keylog.txt file.
     
  13. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    cant find no key log files or anything u reckon i should delte the file or wait on a rewply to where you have sent it
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I would go ahead and delete it.
     
  15. Phil_Crane

    Phil_Crane Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    270
    ok thanx for all your help mate :)
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - [Solved] hijack please
  1. genubi
    Replies:
    0
    Views:
    283
  2. bj nick
    Replies:
    0
    Views:
    614
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/273231

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice