HijackThis logfile deleted due to virus

Question

ahinamaria 0 Newbie Poster

19 Years Ago

Hi!
I have had just about the same problem as I found out that lots of others as well have encountered. Hotmail leaves me with a blank page when trying to log in, although the login process seems to work just fine.

I found out about HijackThis and thought I would try it out, since I have Norton Antivirus, ZoneAlarm Firewall, SpyBot S&D, and Adaware SE and none of these seems to be able to fix the problem.

The problems don't stop there, though... When HijackThis starts to create the log file, Norton Antivirus keeps deleting the log file with this notice:

Object name - C:\Documents and S....\hijackthis.log
Virus name - MHTMLRedir.Exploit
Action taken - Automatically deleted.

So, it appears that HijackThis is trying to save a virus in the log file and Norton Antivirus is deleting it.

Does anyone recognise this problem? I would be very grateful for help of any kind - with both the HijackThis problem and the Hotmail login problem!

Thank you and a Happy New Year,
Maria.

windows-virus

6 Contributors
8 Replies
234 Views
2 Days Discussion Span
Latest Post 19 Years Ago Latest Post by dlh6213

All 8 Replies

caperjack 875 I hate 20 Questions

19 Years Ago

Disable nortons auto protect until after you scan with hijackthis and create the log

crunchie 990 Most Valuable Poster

19 Years Ago

First of all we have to remove Newdotnet, either from add/remove programs, or by going here and scrolling down to the uninstall tool.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
TrojanDropper.Win32.Small.cw
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03493b97aa74f0...ip/RdxIE601.cab
Netster

Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

Reboot and post another log please.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

ahinamaria 0 Newbie Poster · Answer 1 · 2005-01-03T03:18:12+00:00

Hi Caperjack!
Thank you - that worked fine. Just a bit worried about that virus thing since my computer seems to freak out quite frequently despite all nice programs I have downloaded to prevent that. Here comes my HijackThis logfile - could you also help me find what might cause MSN Hotmail to fail opening the Inbox after login is completed? That would really make my day! I can see that I have a few of "Hijacked Internet access by New.Net" - is this it and, if so, can you tell me how to get rid of them?

Logfile of HijackThis v1.99.0
Scan saved at 22:02:45, on 2005-01-02
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Real\RealPlayer\RealPlay.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program\Norton AntiVirus\SAVScan.exe
c:\Program Files\interMute\SpySubtract\CWShredder.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administratör\Skrivbord\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet6_38.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Family and Friends Reminders.LNK = C:\Program\Corel\Print House Magic\cffrem.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Administratör\Lokala inställningar\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03493b97aa74f0e24518/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19A266B1-EADE-4248-BB54-9C3927D6350F}: NameServer = 130.244.127.169 130.244.127.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{19A266B1-EADE-4248-BB54-9C3927D6350F}: NameServer = 130.244.127.169 130.244.127.161
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

dlh6213 27 Posting Maven Team Colleague · Answer 2 · 2005-01-03T14:08:00+00:00

Go to Windows Update and get the Critical Updates for your system. Hold off on SP2, however, until your system is clean.

jwenting 1,889 duckman Team Colleague · Answer 3 · 2005-01-03T18:50:44+00:00

These look highly suspicious too:
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Administratör\Lokala inställningar\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03493b97aa74f0...ip/RdxIE601.cab

And get rid of realplayer. It's a spyware infested mess.

Replace Norton with a good AV product.

deonnanicole 5 Posting Whiz in Training · Answer 4 · 2005-01-03T18:55:43+00:00

I believe Norton is a matter of preference and opinion. I have had it for over 6 months now and had absolutely no problems with it, nor have I been infected with any viruses. I think if you like Norton and are comfortable with it, keep it. :)

ahinamaria 0 Newbie Poster · Answer 5 · 2005-01-04T21:09:29+00:00

Ok - all work done so far, although my problem with accessing Hotmail still remains (might be caused by something else, I guess). Here is the new logfile:

Logfile of HijackThis v1.99.0
Scan saved at 16:02:22, on 2005-01-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Administratör\Skrivbord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Family and Friends Reminders.LNK = C:\Program\Corel\Print House Magic\cffrem.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Does this look clean to you?

Thank you guys for all help - this is SO appreciated. You really do a wonderful job here and I hope that we amateurs don't annoy you too much with all our HijackThis logs...

dlh6213 27 Posting Maven Team Colleague · Answer 6 · 2005-01-04T21:27:37+00:00

Amatures don't annoy us, we're all amateurs of some sort :)

You still need to get your Critical Updates from Windows, that may fix your Hotmail problem.

Close all browser windows, scan with HJT, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

That's all I see. In addition to your Windows Updates, you should also get SpywareBlaster and/or SpywareGaurd; links to both can be found in this thread (along with other helpful advice):
http://www.daniweb.com/techtalkforums/thread5690.html

HijackThis logfile deleted due to virus

Recommended Answers Collapse Answers

All 8 Replies

Recommended Answers