
Help with HijackThis log

Discussion in 'Security and Privacy' started by Nitmast, 2004/07/22.

Thread Status:
Not open for further replies.
  1. 2004/07/26
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Progress!! My IT guy finally called and gave me the admin password. I will continue on with your instructions since I am completely logged in in safe mode so I might as well. Hopefully I don't need it again as I didn't write it down and probably can't remember it.

    :D

    Kirsten
     
  2. 2004/07/26
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Okay, did everything in safe mode that I needed to do. Restarted in normal mode and it took my password there. But now I got this message when I restarted:

    "You have used the System Configuration Utility to make changes to the way Windows starts.

    The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.

    Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility. "

    Then there is a checkable box next to "Don't show this message or launch the System Configuration Utility when Windows starts. "

    Then I got another error message that says:
    "NotifyAlert.exe - Common Language Runtime Debugging Services
    Application has generated an exception that could not be handled.
    Process id=0x228 (552), Thread id=0x144 (324)

    Click OK to terminate the application.
    Click CANCEL to debug the application. "

    Any ideas on where to proceed from here? As a note, I did undo the commands for showing hidden files and folders before I left safe mode. I have not gone back and turned System Restore back on yet. At least I have made quite a bit of progress though. :p

    Thanks,

    Kirsten
     


  4. 2004/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Congratulations! Too bad he didn't do that three days ago. :rolleyes: (Too bad you didn't write down the password too. Never know when you might need it again)

    Click terminate.

    Check don't show and click OK. It's a result of using the /safeboot.

    Finish up with original instructions. :)
     
  5. 2004/07/26
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Here are the results of my RAV scan. Looks like I still have some buggies.

    Scan started at 7/26/2004 11:17:15 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\temp\d0r1t1s.exe->(CABSfx)->dir32.exe->(CExe) - Tool:HideWindows -> Infected
    C:\temp\d0r1t1s.exe->(CABSfx)->dorod.exe->(FSGPE) - Backdoor:Win32/Hackdef.0_84 -> Infected
    C:\temp\d0r1t1s.exe->(CABSfx)->niamx - Worm:IRC/Randon* -> Infected
    C:\temp\d0r1t1s.exe->(CABSfx)->ppi.exe->(UPXW) - Backdoor:Win32/MotivFTP.1_2 -> Infected
    C:\temp\d0r1t1s.exe->(CABSfx)->van32.exe->(FSGPE) - Trojan:Win32/HideWindow -> Infected
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\WksPatch[1].exe - Win32/HLLW.Nachi.B.dam#2 -> Infected

    Scanned
    ============================
    Objects: 67275
    Directories: 3145
    Archives: 3505
    Size(Kb): -1769737
    Infected files: 6

    Found
    ============================
    Viruses found: 6
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 114


    Here is my HJT log file

    Logfile of HijackThis v1.98.0
    Scan saved at 11:40:44 AM, on 7/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwmahp.hudsonphysicians.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwmahp.hudsonphysicians.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe "
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe "
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe "
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: startup.bat
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
    O17 - HKLM\Software\..\Telephony: DomainName = WWMAHP.hudsonphysicians.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3149C28F-9F86-4CE3-BC76-B9C74032B0E8}: NameServer = 66.44.144.10 65.222.44.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A397E56E-5CF1-45C7-890A-E98BA561965A}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A397E56E-5CF1-45C7-890A-E98BA561965A}: NameServer = 66.82.4.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3149C28F-9F86-4CE3-BC76-B9C74032B0E8}: NameServer = 66.44.144.10 65.222.44.10
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
     
  6. 2004/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Well done! Daddy should have taken the time to teach you instead. ;)

    Appears that since there is only one user, I didn't have you empty all the proper temp folders.

    Open C:\Temp, select all and delete. Open control panel, then internet options. In Temporary Internet Files section on General tab, click delete files and check the box for offline files in the opening window, then OK. You should be good to go after reinstalling Norton.

    Also suggest you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update. Check for updates weekly.
    Then download and install IESpyads. That will give you an added layer of protection against unwanted parasites.

    You should also talk with your IT guy about installing a firewall. If he won't help you set one up, there's plenty of help available here. :)
     
  7. 2004/07/26
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Ah, that is the funny thing about Dad. He is great at theoretical stuff (something about computational learning theorems and the development of true artificial intelligence) but not so good when it comes to PC stuff, especially when it has to do with Microsoft. :rolleyes:

    Okay. I got all that. I still have to figure out how to uninstall the Symantec antivirus but I think I will try and tackle that in a little bit as it is still being stubborn about working or uninstalling.

    I also think I will wait a couple of days before I try to clean up the personal system as when I ran AdAware on that there were 296 items to take care of. That way you can get a break from me and my jinxes. ;)

    I will see about the firewall. I should probably have one on my personal computer at any rate.

    Thank you so much. I really appreciate all the help.

    See you again soon!

    Kirsten
     
  8. 2004/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're more than welcome. Happy to help. :) Whenever you're ready, we can tackle the personal PC. All the uninstall directions for Norton are in previous posts. Newt's removal tool, Symclean, may work well. Not sure with corporate edition. Definitely need a firewall on each PC. Freebies here. Kerio, Sygate and Zone Alarm all popular. There have been quite a few issues with the latest ZA though. Search the board here. There are links to some of the older versions.
     