Hijackthis Log

 
 
Reply Tue 13 Apr, 2004 11:38 pm
I have done everything... run every spyware check on earth... deleted countless registry files... posted on many computing forums and I still have not been able to totally kill my popup problem. I found a link to this site and have read through the "Yuckware" post and performed all mentioned operations... yet still have a problem with a certain kind of spyware/popup creator. So... I have run HijackThis in hopes of having somebody identify something. The log as of current is posted below. Thanks!! - Ryan


Logfile of HijackThis v1.97.7
Scan saved at 11:40:50 PM, on 4/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\I -a
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.4979166667
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.1) Control) - http://24.173.16.233/cab/Live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE60BEA-C202-445E-9A26-2E09F99A0E52}: NameServer = 207.69.188.187 207.69.188.186

 
timberlandko
Reply Fri 16 Apr, 2004 12:07 pm
Sorry this got overlooked, soundguy. We'll get to this real soon, I promise. Be patient a few more hours, if you would, please.
 
timberlandko
Reply Sat 17 Apr, 2004 07:30 am
Your machine has the thebestse hijacker, which is discussed On This Thread. Read through that for an overview and general instructions, particularly the first post. For your particular case, my recommendation would be as detailed below.


First disable System Restore. For Win XP:
1. Right click "My Computer" on your Desktop.
2. Click "Properties".
3. Click the "System Restore" tab.
4. Click to put a check mark in the "Turn off System Restore on All Drives" box.
5. Click "OK".
6. At the "Restart" prompt, click "No"; you'll be restarting soon enough - and often - anyway.
7. To re-enable following the fixes, use the same procedure to access the "System Restore" tab to remove the checkmark, and then click "Yes" at the Restart prompt. Do not re-enable System Restore until you are sure the pests are gone.

Note: You will lose your previously saved restore points.

While not connected to the internet, and with only HiJackThis running, place checkmarks in the appropriate boxes to have it fix the following:

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL (file missing)


Quoting from the earlier post to which I referred you,
Quote:
  • Reboot your computer into Safe Mode (Tell me how)
  • Go to your startup folder (Start\Programs\Startup) & delete sytem32.exe & sytem32exe.pf
  • Go to your system folder ("c:\windows\system" or "c:\winnt\system") & delete systeminit.exe
  • Go to your Windows folder ("c:\windows\" or "c:\winnt\") & delete sstyle.css
  • Search through the registry for "thebestse", "systeminit.exe" & "sstyle.css", & delete all occurrences of them. (Tell me how)
Make sure to back up your registry before messing around with it!

Also, you may need to turn on viewing of hidden files in Windows in order to find some of those (Tell me how). However, in some cases every file mentioned isn't present (e.g. some variants don't include sytem32.exe).

Next, delete all lines in your "hosts" file which include the IP address 69.93.33.155 (which points to thebestse.com).

On Windows 95/98/ME the hosts file is located in the "c:\windows" directory and on Windows NT4/2000/XP/2003 in the "c:\winnt\system32\drivers\etc" directory. (A sample hosts file is supplied with Windows named "hosts.sam", located in the same directory.)

Here is a discussion about the hosts file.


Some other baddies that've been common so far with people who've had this problem (though they might not be directly related to thebestse) have been:

  • c:\systemsearch.hta
  • fonts.hta (In the "c:\windows\fonts" or "c:\winnt\fonts\" folder)
  • msoffice.hta (In the "c:\windows\fonts" or "c:\winnt\fonts\" folder)
If you have them on your system, delete those files as well, & delete all occurences of them in the registry.

Those last 2, in particular, are common CoolWebSearch hooks (which can be removed by CWShredder), but in at least one recent case here they might have been what was re-spawning thebestse.com's hijacks (which may in fact just be a new variant of CWS).


That pretty much applies to your situation; find-and-delete-as-appropriate as detailed therein.


Now, create individual folders for each of the following, preferably directly on your hard drive, then download each into its own folder. Don't open or run anything yet.

Note: The following links should take you directly to the downloads. At the prompt, save each into the folder you created for it.

1) CoolWebShredder, a frequently updated removal tool for the most commonly encountered browser and search hijackers:

Direct Download of CoolWebShredder from Spywareinfo

2) AdAware Basic, a free, simple-to-use, competent, and frequently updated adware/spyware removal tool:

Direct Download of AdAware Basic

Note: Before opening and installing AdAware, see: How to update AdAware and AdAware Full Scan Instructions.


3) SpyBot S&D, another free removal tool, with several handy features of its own.

Direct Download of Spybot S&D from Safer Networking




When you are ready to begin the process, disconnect from the internet. Close ALL open browsers and exit all other programs.

Open the CoolWebShredder folder, and click the icon to start it. Click "Fix" (not "Scan Only") and let it fix whatever it finds. When it has completed, reboot.

With no browsers open or other programs running, navigate to the appropriate folder and install AdAware. When AdAware has been installed, connect to the internet and perform the update for it. When it has been updated, disconnect from the internet, configure AdAware for a full scan and run it, letting it fix everything it finds (it would be a good idea to click on "Help" prior to the first run and read the tutorial; it won't let you do so once it has started searching for problems, but if the tutorial is opened first, it can be read while the application is running - you won't have much else to do for a while anyway). There may be some items AdAware cannot fix without a fresh boot. If it asks permission to run on the next startup, grant it, reboot, and let it do its thing while still disconnected from the internet. When it has finished, run it again; it may find something that had been masked by stuff it removed on its previous passes. If it does not find anything, fine; otherwise, have it fix what it found, and run it again, until either it comes up clean or twice finds but fails to remove the same stuff.

Next, with no open browsers or running programs, navigate to the appropriate folder and install SpyBot S&D. When the installation is complete, the program will open. There will be a "Search for Updates" button at the bottom of 3 large buttons in the righthand panel. Before running SpyBot, connect to the internet and update it. Next, when it has updated, leave Spybot open, disconnect from the internet, then select "Immunize", and then select "Install" in the panel beneath, titled "Permanently running bad download blocker for Internet Explorer". Do not check any of the boxes in the lower panel ("Recommended miscellaneous protection") at this time. Now, select "Search and Destroy", then select, at the bottom of that page, "Check for problems" (while it is running would be a good time to click on "Help" and read the tutorial - Spybot can do some amazing, and very handy, stuff if you take the time to learn to use it). When that has finished, click "Select all items", then click "Fix selected items". As with AdAware, Spybot may ask to run again on next boot to fix some problems. Again, naturally, if so, grant it permission and reboot; if it does not, run it one more time anyway, then reboot.

Note: After the initial problems are dealt with, and you have familiarized yourself with the features and functions of both SpyBot S&D and AdAware, you can tweak them to suit yourself, but the first time around, settle for brute force.

That should pretty well sort things out for you. Visit Windows Update and get your OS and browser up to current spec before you do any surfing, and, of course, make sure your antivirus and anti-yuckware apps are fully updated and enabled.

If you're still having problems, download a fresh copy of HiJackThis and post the new log to this thread, with as precise a description of the difficulty you are having as you can provide.
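To make the triage in the post above repeatable, here is an added example (not part of the thread and not HijackThis's own code) in Python. It parses the log format posted at the top of the thread, flags the entry types the helper singled out (O1 hosts overrides, O2/O3/R3 registrations whose file is missing, the BHO sitting in the Windows root, O6 policy restrictions, O16 ActiveX downloads from a bare IP), and then strips every line for the hijacker's IPs from a hosts file, as the post instructs for 69.93.33.155. The sample log lines are copied from the first log; the sample hosts file is constructed for the demo; the "DLL in the Windows root is suspicious" rule is my own heuristic, not a HijackThis rule. The script works on file text rather than opening the hosts file itself, so it does not depend on which directory your Windows version keeps it in.

```python
"""Triage a HijackThis 1.97 log and strip hijacker entries from a hosts file.

Added example for this thread; not from the original posts or from HijackThis.
"""
import re

# HijackThis entry lines look like "O2 - BHO: ..." or "R3 - URLSearchHook: ...".
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Heuristic assumption: a BHO DLL directly in the Windows root (like bi.dll
# in the posted log) is suspicious; legitimate ones live under System32 or
# Program Files.
WINROOT_DLL = re.compile(r"^C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Return [(section, body)] for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Flag the entry types a helper would look at first in this log."""
    findings = []
    for sec, body in parse_hjt(text):
        path = body.split(" - ")[-1].strip()
        if sec == "O1":
            m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if m:
                findings.append((sec, f"hosts file sends {m.group(2)} to {m.group(1)}"))
        elif sec in ("R3", "O2", "O3") and any(k in body for k in ORPHAN_MARKERS):
            findings.append((sec, "orphaned registration, fix it: " + body))
        elif sec == "O2" and WINROOT_DLL.match(path):
            findings.append((sec, "BHO loaded from the Windows root: " + path))
        elif sec == "O6":
            findings.append((sec, "IE policy restriction set under HKCU: " + body))
        elif sec == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            if m and IPV4.match(m.group(1)):
                findings.append((sec, "ActiveX control pulled from a bare IP: " + m.group(0)))
    return findings


def hijacked_hosts_ips(text):
    """Set of IPs that the log's O1 entries redirect hostnames to."""
    ips = set()
    for sec, body in parse_hjt(text):
        if sec == "O1":
            m = re.match(r"Hosts:\s+(\S+)\s+\S+", body)
            if m:
                ips.add(m.group(1))
    return ips


def strip_hosts_entries(hosts_text, bad_ips):
    """Drop every active hosts line whose address field is in bad_ips.

    Comments and blank lines are kept. Returns (cleaned_text, removed_lines)
    so the caller can review what went before writing the file back.
    """
    kept, removed = [], []
    for line in hosts_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] in bad_ips:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Entry lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.1) Control) - http://24.173.16.233/cab/Live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed hosts file: a default header line plus the hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
12.129.205.209 search.netscape.com
12.129.205.209 sitefinder.verisign.com
69.93.33.155 www.google.com
"""

if __name__ == "__main__":
    for sec, msg in triage(SAMPLE_LOG):
        print(f"{sec:4} {msg}")
    # 69.93.33.155 is the thebestse.com address named in the post above.
    bad = hijacked_hosts_ips(SAMPLE_LOG) | {"69.93.33.155"}
    cleaned, removed = strip_hosts_entries(SAMPLE_HOSTS, bad)
    print("removed from hosts:", *removed, sep="\n  ")
```

Run it on a saved log (`python triage.py`) before ticking boxes in HijackThis; entries it does not flag, such as the Norton and Google Toolbar lines, are the ones to leave alone. Back up the hosts file before writing the cleaned text over it.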
 
Craven de Kere
Reply Wed 21 Apr, 2004 08:03 pm
soundguy,

Let us know if your puter is fixed. It helps us help others more efficiently.
 
soundguy
Reply Sun 2 May, 2004 02:20 pm
Yes, I do believe my machine is fixed. Thanks!
 
soundguy
Reply Mon 3 May, 2004 10:21 pm
Hijack This Log Update
OK, here is the way my log looks now... I have just abolished a virus and my machine is still running a bit slow... any ideas according to the log?



Logfile of HijackThis v1.97.7
Scan saved at 11:18:30 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Documents and Settings\Ryan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.4979166667
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE60BEA-C202-445E-9A26-2E09F99A0E52}: NameServer = 207.69.188.187 207.69.188.186
 
timberlandko
Reply Wed 5 May, 2004 09:43 am
You've still got a couple problems there. Most of the techie types have been busy due to the SASSER outbreak. I'll try to get to your log later today if I can ... sorry for the delay.
 
soundguy
Reply Wed 5 May, 2004 11:37 am
Hijackthis log
Hey, that's ok. That virus I got hit with... ya, you guessed it: sasser... Just get to my post when you have time.

Also, You might want to remind people that if they are having problems with their systems rebooting before they can get rid of sasser or blaster by installing the patch from Microsoft, that they can disable RPC without causing problems with their machine long enough to fix stuff.

I have posted instructions to do that with Win XP here:
http://www.able2know.com/forums/about24192.html

I don't know if that works for the other affected OSes, however since everything is based on the NT substructure... who knows.....

-Ryan