HijackThis Log -- "O4 Entries"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Planetsunshine, Jan 6, 2005.

  1. Planetsunshine

    Planetsunshine Private E-2

    Holy smokes, great stuff posted here about spyware and removal techniques...New to this nasty business, but having read several postings and in particular the instructive posts by Major Attitude and Chaslang, I've got a specific question about the difference between O4 entries that are actually legitimate and those that are likely malware...

    From the snapshot of my log, copied herein, I see the line format containing the file name in parentheses before the path is--as suggested by Chaslang--used by malware authors...However, looking at the names contained in each of the entries, they match legitimate programs or components I have installed on my hard drive.

    Edit by chaslang: Inline, old version log changed to attachment

    I'm concerned about the first 5 entries...Can it be that these are truly malware files masquerading as legitimates?

    My spyware problems are pop-ups (e.g. strip poker site), infected system warnings and re-directs left over after I removed "about:blank" using about:Blaster and the "fresh-search" toolbar from my computer.

    Yes, I still have the infamous http://*.63.219.181.7 URL in my Trusted Sites Zone.

    Can anyone give me their opinion on the status of the O4 entries above?
    Any help is greatly appreciated.

    Thank you.

    Bruce
    "Planetsunshine"
     

    Attached Files:

    Last edited by a moderator: Jan 6, 2005
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Well, if you do not know that IP address, in other words, if it isn't your internet provider, get rid of it. A quick look shows your IP address isn't even close to that, so odds are it's a problem.

    Some to remove:
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\WINDOWS\System32\unlodctl.exe
    C:\WINDOWS\System32\openconf.exe
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Again, these 2 could be your ISP, call them if unsure. If they are not your ISP, delete them.

    O15 - Trusted Zone: http://*.63.219.181.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F18FE7-D645-4337-AA83-69C6E2A2B8A4}: NameServer = 69.50.166.94 69.31.80.244
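    The advice above boils down to three checks a reader can repeat on any HijackThis log: pull the name and path out of each O4 startup entry so it can be compared with what is actually installed, flag O15 Trusted Zone entries that point at a bare IP address, and flag O17 nameservers that are not your ISP's. The parser below is an added illustration for this thread, not a MajorGeeks tool; the sample lines are constructed from the entry types quoted above, and the `known_dns` allowlist is an assumed input the reader fills in from their ISP.

```python
import re

# Constructed sample, modelled on the entry types quoted in this thread (not the poster's full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [example] C:\WINDOWS\System32\example.exe /quiet
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F18FE7-D645-4337-AA83-69C6E2A2B8A4}: NameServer = 69.50.166.94 69.31.80.244
"""

O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<host>\S+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
IPV4_RE = re.compile(r'(?:\d{1,3}\.){3}\d{1,3}')

def exe_path(cmd):
    """Split the executable path out of an O4 command string (quoted path, or first token)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def parse_hjt(text):
    """Parse O4/O15/O17 lines into dicts; other HJT sections are ignored in this example."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append({"type": "O4", "name": m["name"], "path": exe_path(m["cmd"])})
        elif m := O15_RE.match(line):
            entries.append({"type": "O15", "host": m["host"]})
        elif m := O17_RE.match(line):
            entries.append({"type": "O17", "servers": m["servers"].split()})
    return entries

def review(entries, known_dns=()):
    """Return (entry, note) pairs that need a human decision, following the advice in this thread."""
    findings = []
    for e in entries:
        if e["type"] == "O15" and IPV4_RE.search(e["host"]):
            findings.append((e, "trusted zone granted to a bare IP address; remove unless it is your ISP"))
        elif e["type"] == "O17":
            unknown = [s for s in e["servers"] if s not in known_dns]  # known_dns: assumed ISP allowlist
            if unknown:
                findings.append((e, "nameservers not in your ISP list: " + " ".join(unknown)))
        elif e["type"] == "O4":
            findings.append((e, "startup item %s -> %s; confirm the file belongs to a program you installed" % (e["name"], e["path"])))
    return findings

if __name__ == "__main__":
    for entry, note in review(parse_hjt(SAMPLE_LOG)):
        print(entry["type"], note)
```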
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since MA started looking at your log I left it but changed it to an attachment. However, in the future you need to follow the sticky threads and run:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Also there are guidelines about how and when to post HJT logs and you need to get the proper version of HJT. See this sticky also:
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    You must remember to exit all browsers before running HJT and you must install HJT in the proper directory as specified in the sticky. You have it here:
    C:\Documents and Settings\CAROL WRIGHT.CAROL\My Documents\Downloads\HijackThis.exe

    After fixing the above items and doing what MA suggested, also have HJT fix these lines:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Then reboot in safe mode and delete:

    C:\WINDOWS\System32\unlodctl.exe
    C:\WINDOWS\System32\openconf.exe

    Now reboot in normal mode.

    For your trusted zones problem you need to download this file to your computer where you can find it:

    RemV3.Zip

    Extract all the files to a folder (make it a folder for only these tools).
    Then boot into safe mode and run the remv3.bat file.

    Then, while still in Safe Mode, scan with HijackThis and save the log as safe.log

    Next, Reboot to Normal Windows, scan with HJT again and save that log as normal.log

    Please attach both those logs.

    Now look in your drive C root folder (the c:\ folder) and find log.txt. Upload that file back here as an attachment.
     
    Last edited: Jan 6, 2005
  4. Planetsunshine

    Planetsunshine Private E-2

    Chaslang and Major Attitude...

    Thank you for your fast, highly informative replies...Please accept my apology for posting the HijackThis log file...I had failed to read your warnings in the Sticky threads...

    Okay, I'm prepared to follow the step-by-step procedure as outlined by Chaslang but I first have to figure out a repair to my mouse not working in Safe Mode...Navigation is cumbersome using the keyboard and I don't think I can accomplish much of anything without a functioning mouse in Safe Mode.

    Anyone have a fix for the Mouse?...O/S is WinXP Pro.

    Thank you.

    Bruce
    "Planetsunshine"
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it a standard PS/2 mouse or USB? Did it ever require special drivers to be loaded?

    This may be a topic for the Hardware Forum.

    Try running all the stuff I gave you in normal boot and see what you can do.
    You need to get the RemV3.bat run ASAP.
     
