10 Posts
June 17th, 2004 14:00
hijacked log file
Scan saved at 10:20:41 AM, on 6/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\Config33.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\Marilyn Arnold\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Config33.exe] Config33.exe
O4 - HKLM\..\Run: [B03F8FF5] C:\WINDOWS\System32\heqkjubfza.exe
O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
O4 - HKLM\..\RunServices: [B898E535] C:\WINDOWS\System32\heqkjubfza.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3122/cpbrkpie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37623.3264467593
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E10555-3ECA-461B-A2F7-289C2628D5F5}: NameServer = 166.102.165.13 166.102.165.11


xgrrl
7 Posts
June 18th, 2004 15:00
The entry: O4 - HKLM\..\Run: [Config33.exe] Config33.exe is a virus. More info as well as removal help can be found here: http://nts.jhu.edu/alerts/alert.detail.cfm?aid=307
I can't find any info on the entry O4 - HKLM\..\Run: [B03F8FF5] C:\WINDOWS\System32\heqkjubfza.exe. Can someone else advise? I believe it may be a virus, since there is no legit information that I can find.
Try running an anti-virus program if you have one installed. If you don't have one, consider purchasing Norton or McAfee, or try AVG Anti-virus for free from http://www.grisoft.com. Be sure the virus definitions are up to date.
I also suggest getting Lavasoft's Ad-Aware and Spybot Search and Destroy. Once you download, get the software updates, then scan your system.
Good luck...hope this helps!
Texruss
2 Intern
3.4K Posts
June 19th, 2004 05:00
Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.
See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm
Run Hijackthis, scan and check the box left of these numbered line items:
O4 - HKLM\..\Run: [Config33.exe] Config33.exe
O4 - HKLM\..\Run: [B03F8FF5] C:\WINDOWS\System32\heqkjubfza.exe
O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
O4 - HKLM\..\RunServices: [B898E535] C:\WINDOWS\System32\heqkjubfza.exe
With no other windows open, click the Fix checked button in Hijackthis.
Exit Hijackthis.
Reboot to SAFE MODE and Show HIDDEN FILES and folders (VERY IMPORTANT!)
FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files:
C:\WINDOWS\System32\Config33.exe
C:\WINDOWS\System32\heqkjubfza.exe
Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.
Most of the baddies you have can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:
1. Latest version
2. Configured correctly for running options
3. New definitions from update feature
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.
I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).
Run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleanup completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Reboot and browse a bit, exit IE, and post a new Hijackthis log.
Special comments:
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Spyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)
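A defender-side triage script, added here as an example and not part of the thread or of HijackThis itself: it parses the O4 autostart lines of the log posted above and flags the same cues the responders relied on (a bare filename with no directory, a random-looking hex value name, the same binary registered under both Run and RunServices). The sample lines are copied from the posted log; the heuristics are the example's own, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample: the O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Config33.exe] Config33.exe
O4 - HKLM\..\Run: [B03F8FF5] C:\WINDOWS\System32\heqkjubfza.exe
O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
O4 - HKLM\..\RunServices: [B898E535] C:\WINDOWS\System32\heqkjubfza.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
"""
# Shape of an O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)   # path up to the .exe, quoted or not
HEX_NAME_RE = re.compile(r'^[0-9A-Fa-f]{8}$')            # e.g. B03F8FF5

def parse_o4(log):
    """Return one dict per O4 line: hive, key, value name, command, executable path."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe_m = EXE_RE.match(command.strip())
        exe = exe_m.group(1) if exe_m else command.split()[0]
        entries.append({'hive': hive, 'key': key, 'name': name, 'command': command,
                        'exe': exe, 'basename': exe.rsplit('\\', 1)[-1].lower()})
    return entries

def triage(entries):
    """Attach the cues the responders used; return only entries that have at least one."""
    per_binary = Counter(e['basename'] for e in entries)
    flagged = []
    for e in entries:
        reasons = []
        if '\\' not in e['exe']:
            reasons.append('bare filename, no directory: resolved via the search path')
        if HEX_NAME_RE.match(e['name']):
            reasons.append('random-looking hex value name')
        if per_binary[e['basename']] > 1:
            reasons.append('same binary registered under more than one autostart key')
        if reasons:
            flagged.append({**e, 'reasons': reasons})
    return flagged
```

Running `triage(parse_o4(SAMPLE_LOG))` returns the four Config33.exe and heqkjubfza.exe entries and nothing else, matching the lines the responders asked to have fixed.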
MarilynArnold
10 Posts
June 21st, 2004 18:00
I did everything you said until I got to Reboot safe mode and I do not know where that is.
Please advise.
Texruss
2 Intern
3.4K Posts
June 22nd, 2004 00:00
FAQ 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm
HTH,
Texruss
MarilynArnold
10 Posts
June 24th, 2004 13:00
I am new at computers, so I do not understand some things. I got to the line where you told me to type in explorer and My Documents came up. (Is this correct?) Then I went to My Computer and the C drive. I could not drill down and delete the 2 files you told me to delete, because I could not find them. Please advise.
I went to search and it found the file C\WINDOWS\System32\Config33.exe but it would not let me delete it. I never did find the file that ended with "heqkkjubfza.exe"
I also did download and run Spybot and Adaware. The problems it wants to fix that are red are DSO 3 entries. Each time I run it this same message about DOS comes up.
Texruss
2 Intern
3.4K Posts
June 24th, 2004 23:00
>I went to search and it found the file C\WINDOWS\System32\Config33.exe but it would not let me delete it.
Hit Control-Shift-Escape keys at same time (In Safe Mode). Stop the process config33.exe. Then delete it in Windows Explorer. If it still resists right button click on it and left button on Properties. Remove checkmark for ReadOnly and delete.
>I also did download and run Spybot and Adaware. The problems it wants to fix that are red are DSO 3 entries. Each time I run it this same message about DOS comes up.
False alerts in Spybot...I was hoping the new update from 6-23-04 would solve that, but it's still doing the same on mine...most folks get 5 false DSO's.
All the best,
Texruss
MarilynArnold
10 Posts
June 25th, 2004 14:00
Thanks so much, I did get it deleted, but the message came up that some programs may not work right if I did so. Hope this does not happen.
Texruss
2 Intern
3.4K Posts
June 26th, 2004 03:00
> did get it deleted, but the message came up that some programs may not work right if I did so. Hope this does not happen.
You don't want those kinds of programs loading. *;-)
Post a fresh log so I can check and see how you're doing.
Texruss