Still have problems?

Discussion in 'Malware Help (A Specialist Will Reply)' started by jabber73, Feb 4, 2006.

  1. jabber73

    jabber73 Private E-2

    Thanks for this great site. I am helping a friend with her Toshiba laptop. She was having major problems with her cable disconnecting and trying to connect to a new connection which was just a long number.

    I only have dial-up at my place so I installed Netzero and I experienced the same thing. About 1 minute after connecting my initial connection would terminate. If I look at the Network connections there was a clone connection in there that was trying to re-connect.

    I went through all the steps in the "Read & Run First" post and am attaching the logs here.

    Bitdefender found and deleted several Hijackers and that fixed the disconnection problem but there are still a few weird things going on.

    1) After initial bootup a message pops up stating that something is trying to connect to cnn.com. I have attached a jpg of the message.
    2) Norton Anti-Virus in the taskbar shows that Auto-Protect is DISABLED but if I check the Status in the main Window of Norton it shows it is on.
    3) Several services.exe processes crash within a few minutes of initial boot up.

    See attachments for logs and jpg.

    Thanks for any help/advice you can provide.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by emptying the below quarantines:
    Norton AntiVirus\Quarantine
    Yahoo!\YPSR\Quarantine

    Any idea what the below program loading at startup is for?
    O4 - HKLM\..\Run: [cleaner] lib.exe

    It is probably in the c:\Windows\System32 folder.
     
  3. jabber73

    jabber73 Private E-2

    OK, emptied the 2 quarantines. I did this by deleting the files through Explorer, is there a better way? I emptied Recycle Bin also.

    The lib.exe file showed up as having a virus in one scan, I think a Norton full scan. I tried to kill it but it comes back. I have no idea what it is for.

    I figured out some of the Host Services crashing. It was caused by Norton Worm Blocking not allowing them to run. Not sure if I should allow those processes or not?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Normally within the programs there are options to empty the quarantine. That is the correct way to do it.

    We will fix in my next message!

    I'm not sure what you mean. Do you mean the svchost.exe process? This is a valid process as long as it is running from C:\windows\system32.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [cleaner] lib.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\windows\system32\lib.exe or C:\windows\lib.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
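
Added example, not part of the original post and not the forum's own tooling: a small parser for HijackThis `O4` lines that lists autostart entries given as a bare file name, like `[cleaner] lib.exe` above, together with the two folders the post names as places to look. The function names and every sample line except the first are constructed for illustration.

```python
import re

# HijackThis autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
PROGRAM_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)

# The two folders the helper names for lib.exe in this thread.
SEARCH_DIRS = [r"c:\windows\system32", r"C:\windows"]

# First line is the entry from the thread; the rest are constructed samples.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cleaner] lib.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
O4 - HKCU\..\Run: [ExampleSync] C:\Program Files\Example\sync.exe -quiet
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

def parse_o4(line):
    """Split one O4 line into hive, key, name and cmd; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def program_of(cmd):
    """Return the program part of a Run command, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = PROGRAM_RE.match(cmd)  # handles unquoted paths containing spaces
    return m.group(1) if m else cmd.split()[0]

def autoruns_to_review(log_text):
    """List O4 entries whose program is a bare file name (no folder)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        program = program_of(entry["cmd"])
        if "\\" not in program and "/" not in program:
            entry["program"] = program
            entry["candidates"] = [d + "\\" + program for d in SEARCH_DIRS]
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in autoruns_to_review(SAMPLE_LOG):
        print(hit["hive"], hit["key"], hit["name"], hit["candidates"])
```

The output is a review list, not a verdict: legitimate entries that launch a bare system binary such as `rundll32.exe` are listed too and need the same manual check of where the file actually lives.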
     
  6. jabber73

    jabber73 Private E-2

    OK. Ran HijackThis, checked lib.exe line and fixed it after exiting everything.

    Booted safe, lib.exe did not exist in either directory. Searched entire harddrive for it, did not come up. Double checked that all hidden/system files were showing per instructions.

    Deleted everything in Prefetch folder, ran Ccleaner.

    Rebooted in Normal. Still have several error messages upon booting. Ran HJT, new log attached as well as jpg of error messages.
     


  7. jabber73

    jabber73 Private E-2

     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yahoo! Anti-Spy Application

    Your error messages are more than likely not due to malware. They may be due to something being corrupt or missing from your OS. Try running sfc /scannow from a command prompt. Other than that I would say bring those problems to the Software Forum.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and by the way your HJT log is clean!
     
  10. jabber73

    jabber73 Private E-2

    Great, thanks for your help and the great info on this site.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    One question though! Is Norton blocking svchost.exe from running? If so, you must not block it.
     
