
Banging head on wall...



#1 flouts


Posted 25 June 2007 - 04:00 PM

Hi everyone, this is my first topic here...
I am gonna post the story from the beginning.

PC with Win XP and ADSL connection through modem. Security software: Panda Internet Security. Problem: Connects to the internet, but when you try to browse through Firefox or Explorer you get a page not found no matter what page you try to view.
My steps to resolve:
1. Try to ping google.com from command, I get unknown host.
2. I do nslookup google.com, returns an address correctly... so I get suspicious.
3. Scan with Panda (which is up to date)... no threats found.
4. Scan with Spybot S&D, some minor things found (mostly cookies), I fix everything.
5. Scan with Ad-aware, CWShredder, Rootkit Revealer... everything OK, apart from some Alexa-related cookies. -- btw problem remains --
6. I uninstall Panda and install Kaspersky, guess what, 6 Trojans found. I neutralize all; some could not be deleted, Kaspersky reported they will be deleted at startup... I reboot and Kaspersky reports that all threats have been neutralized.
The problem seems to be fixed, I can browse the Internet with either Firefox or Explorer... BUT... when I fire up Explorer, Kaspersky informs me that explorer.exe tries to load new or modified modules... I deny loading to all and everything works fine (if I allow, the computer hangs). Also, when I load Firefox, Kaspersky informs me that I am trying to download a Trojan from a web address which is not my homepage... I block everything and all works smoothly, but every once in a while (even when the PC is idle) I get messages from Kaspersky that it has blocked a Trojan, or that I am trying to d/l one... seems like the PC is still not clean.

So I run netstat and get an awful lot of open and listening connections, and I have nothing open, not even a browser... so this brings me to my current state.

I uninstall Kaspersky Antivirus and install Kaspersky Internet Security, thinking that a firewall would be of greater help.
I did a full system scan with updated bases and all and found one Trojan, namely: Trojan-Downloader.BAT.Ftp.ab File: C:\WINDOWS\system32\o

Since then, I am browsing the internet and nothing weird has happened, no Trojan downloaders or anything, but I am still not sure that my PC is clean.

Also forgot to mention that before I installed KIS, I checked my Windows services and disabled a pretty weird-looking service with no description or anything, called MSNRAV.

I am posting my Hijack log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:56:55 μμ, on 25/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Litsa\LOCALS~1\Temp\HIJACK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Ραδιόφωνο - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D374EF4-4D68-48BE-9FC6-031CA7DB7474}: NameServer = 193.92.150.3 194.219.227.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

Before disabling the MSNRav service, it used to be the last entry in my Hijack log.....

Wish for your opinion.
Thanks in advance



SORRY FOR DOUBLE POST.... WAS MISTAKE CAUSE I PRESSED STOP ON BROWSER AND POST AGAIN...

Edited by flouts, 25 June 2007 - 04:07 PM.
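
An added example, not part of the original post: a small Python parser for the HijackThis log format shown above. It groups entries by section code, lists the file behind each boot/logon autostart entry (O4, O20, O23), and extracts the DNS servers from O17. The sample lines are copied from the log in the post; the function names and the choice of which sections count as autostart are assumptions of this example.

```python
import re

# Section codes seen in the log above, with their usual HijackThis meanings.
SECTIONS = {"O2": "Browser Helper Object", "O4": "Run key / Startup folder",
            "O17": "DNS name server setting", "O20": "AppInit_DLLs / Winlogon Notify",
            "O23": "Windows service"}
# Sections that load code at boot or logon (this grouping is the example's choice).
AUTOSTART = ("O4", "O20", "O23")

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

# Subset of lines copied from the log in the post.
SAMPLE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - Global Startup: DSLMON.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D374EF4-4D68-48BE-9FC6-031CA7DB7474}: NameServer = 193.92.150.3 194.219.227.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
"""

def parse_log(text):
    """Return {section_code: [entry_text, ...]} for every 'Xnn - ...' line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries

def autostart_paths(entries):
    """List (section, file path or None) for entries that start code at boot/logon."""
    found = []
    for code in AUTOSTART:
        for body in entries.get(code, []):
            m = PATH.search(body)
            found.append((code, m.group(0) if m else None))
    return found

def name_servers(entries):
    """Collect the IP addresses from O17 'NameServer = ...' entries."""
    ips = []
    for body in entries.get("O17", []):
        if "NameServer = " in body:
            ips += body.split("NameServer = ", 1)[1].split()
    return ips

if __name__ == "__main__":
    entries = parse_log(SAMPLE)
    for code, path in autostart_paths(entries):
        print(f"{code:4} {SECTIONS[code]:32} {path or '(no file path in entry)'}")
    print("DNS servers:", ", ".join(name_servers(entries)))
```
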


#2 SWI Support Robot


Posted 28 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.



