HijackThis log check

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Twistid, Nov 9, 2005.

  1. Twistid

    Twistid Corporal

    Hello, yes I have followed the stickies in this forum before posting. I recently have been having some problems with certain areas of my computer, so I'll explain them; I do need someone to please analyze my HijackThis log file attached also (main point of this post). First, what happened was that, seemingly after a Norton auto-update, ActiveX completely stopped working. I have a backup hard drive, so I ran it to replace the C drive (Windows drive). Norton was giving me an internal program error also; this went away when the drive was replaced by the backup. Windows Update also didn't want to work, but this was also fixed and still works after the restore of the C drive. The only IE (Internet Explorer) problem I still have is ActiveX not working properly. I will probably end up having to uninstall and reinstall Norton; I have tried everything I could find on the internet (troubleshooting ActiveX steps, installing Windows Script 5.6, messing around with the IE settings, changing IE settings back to default, etc.). Also, I had found a supposed Backdoor spyware object with PestPatrol; it was called something like backdoor.Aimbot.aj. I scanned in safe mode, restarted in safe mode again and scanned again, and it kept coming back. PestPatrol listed the registry location, so I ran regedit and went to the location; the folders looked like web addresses blocked by Spybot through the Immunize process. So, I uninstalled Spybot, and also erased all known traces of blocked sites in IE. I restarted in safe mode and did another scan, nothing found. I also did have some problems with Spybot: I would tell Spybot to Immunize, and then checked again to see if it did the job, and EVERY time I checked again it said 2602 not immunized, or whatever it says, but also said 2000 some odd other areas were. At the moment, none of my spyware programs have found any other problems. Before I reinstall Norton, I wanted to get a HijackThis log analyzed.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have a few problems that need to be addressed, please follow the below...

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log.
     
  3. Twistid

    Twistid Corporal

    Alright, I downloaded the software, restarted into safe mode, and did a scan of my system. I have also saved another hijackthis log :). It is attached.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  5. Twistid

    Twistid Corporal

    Alright, just finished the scan and the HijackThis log file. I did reboot in safe mode and also disconnected from the internet. Did the same thing for the previous software I was referred to also. It saved a log file; just seeing if you would like me to also attach that? Ewido report and HijackThis log are attached. By the way, the HijackThis log attached is a new one; the file is overwritten when HijackThis does a scan and saves it.
     

    Attached Files:

  6. Twistid

    Twistid Corporal

    I found something called "SchedulingAgent" in the default registry editor for Windows (regedit) when I was searching through it for "Spybot" to delete any undeleted registry entries. I searched on Google for this and some process sites said this was a backdoor trojan. I don't recall ever knowingly downloading something called SchedulingAgent. It is located under My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent. Is this a trojan? Thanks
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  8. Twistid

    Twistid Corporal

    Downloaded SpySweeper and installed. Updated definitions, or whatever they call the updates, and set the options. Restarted into safe mode and disconnected from the internet for a better scan, and also made sure the options were still set right. Saved a log of the results and also have a new HijackThis log posted. Your help is MUCH appreciated bjgarrick :), ActiveX still isn't working though :(.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = g:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYUS

    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O23 - Service: Promise Array Message Agent (RAIDmAgt) - Sonic Solutions - (no file)
    O23 - Service: Promise Array Message Server (RAIDmSvr) - Sonic Solutions - (no file)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate NTBOOTMGR (NTBOOT) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate NTLOAD and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate NTSVCMGR and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe

    C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    After you complete ALL of the above, reboot to Normal Windows, and proceed with the below steps...

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.
    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you have completed everything listed above, reboot and attach a fresh HJT log and let me know how things are running.
     
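The following is an added example, not part of bjgarrick's instructions: a read-only PowerShell check, run in an elevated window after the reboot, that confirms the items listed in the fix above are actually gone. The registry paths for the O2 (BHO) and O4 (Run) entries are the standard locations HijackThis reads; the CLSID, value name, service names and file paths are taken from the post.

```powershell
# Added example (not from the thread): verify that the HijackThis items listed
# in the fix above no longer exist. Read-only; it changes nothing.
$bhoClsid = '{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}'
$bhoKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'KernelFaultCheck'
$iePolicy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer'
$services = 'NTBOOT', 'NTLOAD', 'NTSVCMGR', 'RAIDmAgt', 'RAIDmSvr'
$files    = 'C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe', 'C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe'

$findings = @()

# O2: the nameless BHO entry should have been removed with its CLSID key
if (Test-Path $bhoKey) { $findings += "O2 BHO key still present: $bhoKey" }

# O4: the Run value should be gone
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "O4 Run value still present: $runValue = $($run.$runValue)"
}

# O6: IE policy restriction keys should be gone
foreach ($sub in 'Restrictions', 'Control Panel') {
    if (Test-Path "$iePolicy\$sub") { $findings += "O6 policy key still present: $iePolicy\$sub" }
}

# O23 / services.msc: each listed service should be absent, or stopped and disabled
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $startMode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        if ($svc.Status -ne 'Stopped' -or $startMode -ne 'Disabled') {
            $findings += "Service $name is $($svc.Status), start mode $startMode"
        }
    }
}

# Files from the DELETE step should no longer exist
foreach ($f in $files) { if (Test-Path $f) { $findings += "File still present: $f" } }

if ($findings.Count -eq 0) { 'All listed items are gone.' } else { $findings }
```

Anything it prints is an item that survived the fix and is worth rechecking in the next HJT log before moving on to the ActiveX question.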
  10. Twistid

    Twistid Corporal

    Just finished completing all the steps. Attached a fresh HijackThis log. ActiveX still doesn't seem to be working though :(.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    Make sure All Browser Windows are Closed when you Click FIX.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.


    1) Click Start, and then click Run

    2) In the Open box, type cmd, and then click OK.

    3) At the command prompt, type the following commands, pressing ENTER after each line:

    Note: Click OK if you are prompted to do this.

    regsvr32 softpub.dll
    regsvr32 /u wintrust.dll
    regsvr32 /u initpki.dll
    regsvr32 /u dssenh.dll
    regsvr32 /u rsaenh.dll
    regsvr32 /u gpkcsp.dll
    regsvr32 /u sccbase.dll
    regsvr32 /u slbcsp.dll
    regsvr32 /u cryptdlg.dll
    regsvr32 /u softpub.dll



    4) Restart your computer!

    5) Click Start, and then click Run

    6) In the Open box, type cmd, and then click OK.

    7) At the command prompt, type the following commands, pressing ENTER after each line:

    Note: Click OK if you are prompted to do this.

    regsvr32 softpub.dll
    regsvr32 wintrust.dll
    regsvr32 initpki.dll
    regsvr32 dssenh.dll
    regsvr32 rsaenh.dll
    regsvr32 gpkcsp.dll
    regsvr32 sccbase.dll
    regsvr32 slbcsp.dll
    regsvr32 cryptdlg.dll
    regsvr32 softpub.dll


    8) Exit, Reboot and see if problem remains.
     
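As an added example (not from the thread, and not the fix.reg bjgarrick later posts), here is a PowerShell script that audits the ZoneMap\ProtocolDefaults values behind the O15 lines above and, with a -Repair switch of its own, restores the defaults. The expected values (@ivt in zone 1, file/ftp/http/https in zone 3) are the defaults HijackThis compares against when it prints an O15 ProtocolDefaults line; the zone numbering (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) is Internet Explorer's. Run it elevated with all browser windows closed.

```powershell
# Added example (not from the thread): audit the O15 ProtocolDefaults values
# and optionally restore the defaults. -Repair is this script's own switch.
param([switch]$Repair)

$expected = @{ '@ivt' = 1; 'file' = 3; 'ftp' = 3; 'http' = 3; 'https' = 3 }
$zoneName = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$keys     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

foreach ($key in $keys) {
    # An absent key means IE is using its built-in defaults; nothing to report or fix.
    if (-not (Test-Path $key)) { "$key : absent, built-in defaults apply"; continue }

    $props = Get-ItemProperty -Path $key
    foreach ($proto in $expected.Keys) {
        $want = $expected[$proto]
        $have = $props.$proto
        if ($null -eq $have) { continue }          # value not overridden, default applies
        if ($have -eq $want) { continue }          # already correct

        $haveName = $zoneName[[int]$have]
        if (-not $haveName) { $haveName = "zone $have" }
        "O15 - '$proto' protocol in $key is in $haveName Zone, should be $($zoneName[$want]) Zone"

        if ($Repair) {
            Set-ItemProperty -Path $key -Name $proto -Value $want -Type DWord
            "  -> reset '$proto' to $($zoneName[$want]) Zone"
        }
    }
}
```

Run without -Repair first to see which hive the overrides live in; a value placing http or https in zone 0 means remote content is handled with the My Computer zone's permissions, which is why HijackThis flags it.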
  12. Twistid

    Twistid Corporal

    Still isn't working :(. Attached new HijackThis log.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you complete the above, reboot and attach a fresh HJT log.
     
  14. Twistid

    Twistid Corporal

    Updated HijackThis log attached. Although ActiveX still seems to not work, it did seem to fix the specific problems listed :) (the listings in the HijackThis log).
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you explain exactly what the problem is? Does it do it in Safe Mode?
     
  16. Twistid

    Twistid Corporal

    The O15 listings in my previous HijackThis logs, the protocol defaults. I was just saying that what you just told me to do (registry fix) seemed to work for the O15s in the previous HijackThis log. Although, ActiveX still isn't working; if you are asking about ActiveX working in safe mode then I apologize and will check ASAP.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The ActiveX is the only problem right now, correct? Can you explain this, as in what isn't working properly.
     
  18. Twistid

    Twistid Corporal

    Seems so. I search for "activex test" on Google, go to the first result (PC Pitstop site), and when I go there it says "ActiveX is not supported". Also, when I go to hp.com and tell it to detect HP machines connected to my computer for updates (drivers or software), it scans for a long time and never brings me any results (it does state that HP is using ActiveX to detect the machines). Also, I noticed that when I downloaded a file from majorgeeks.com on my brother's computer, it comes up with a download file warning, as my computer used to do not too long ago; it has not done so since ActiveX stopped working, not sure if it has anything to do with ActiveX or not. ActiveX seemed to stop working after Norton AntiVirus ran an automatic update; after this update it also said internal program error. I have a backup hard drive so I loaded the whole thing onto my Windows hard drive; the internal program error didn't happen again, but ActiveX has yet to have worked.
     
  19. Twistid

    Twistid Corporal

    By the way, I did also want to get a HijackThis log check/fix in the process. But the main problem I am having is ActiveX not working.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, I would recommend ditching Norton and install AVG AntiVirus. I have had multiple issues from Norton and never will use it again.
     
  21. Twistid

    Twistid Corporal

    I would, but I still have a subscription service with them, but I completely understand where you're coming from, 'cause Norton just seems so behind the rest of the programs, and even when it does actually find something, it seems to simply try and delete the files and no other strategy, which then can make the file unremovable with Norton, at least in my experience. I am planning to ditch Norton after the subscription period (February), but until then I don't want my money wasted, to be ironic (lol). If there is nothing else I can do then I guess I'll uninstall and reinstall Norton. I just wanted to be sure there wasn't any other way around it :). I really appreciate your help :).
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would recommend posting this issue in the Software Forum, those should be able to help you further.

    Good Luck!:)
     