Jump to content


Photo

sorry i hate to ask but here is my log :(


  • This topic is locked This topic is locked
13 replies to this topic

#1 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 25 June 2004 - 05:21 PM

well after a solid week of this fighting coolweb i'm pissed because i am a highly advanced computer user and this poop won't go away lol so please if 1 of you's could please help.

Logfile of HijackThis v1.97.7
Scan saved at 6:13:33 PM, on 6/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Roger Wilco\roger.exe
C:\Documents and Settings\Rath\My Documents\spyware mozilla\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6372AE94-CA49-4E7D-A2F3-9FE085857F45} - C:\WINNT\system32\mgenl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4811921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB485AC4-C4CB-4BFE-879C-898F00CB8ECD}: NameServer = 206.47.244.57 206.47.244.91

i even know that all the R0 and R1 are suspect but i still cannot get rid of this sucker.

the makers of this kinda stuff should be shot i swear.

thx for any help here after a week of battleing this thing i'm becoming a little irate lol

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 25 June 2004 - 05:29 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Also, click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FindnFix.exe and it will install a folder called FindnFix on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
Posted Image

#3 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 25 June 2004 - 06:19 PM

wow that was fast kudo's here is the info :)

C:\WINNT\system32\ctlg.dll

and the find and fix log


Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.
C: is not dirty.

Fri 06/25/2004
7:12pm up 0 days, 11:07
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINNT\System32\CTLG.DLL +++ File read error
\\?\C:\WINNT\System32\CTLG.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
CTLG.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINNT\SYSTEM32\
ctlg.dll Fri Jun 18 2004 5:55:44p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\CTLG.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group RATHSBEAST\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



»»»»»»Backups created...»»»»»»
7:13pm up 0 days, 11:07
Fri 06/25/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-25-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-25-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota

**File C:\FINDnFIX\WIN.TXT
        ą’’’Š 8 € ° ą  @ Ų’’’vk 6 ų   AppInit_DLLs Ą’’’C : \ W I N N T \ s y s t e m 3 2 \ c t l g . d l l Š’’’vk  h   DeviceNotSelectedTimeoutč’’’1 5  `å °å čå Š’’’vk  €'   GDIProcessHandleQuota ą’’’vk  Š   Spooler š’’’y e s ą’’’vk  €   swapdiskŠ’’’vk  0   TransmissionRetryTimeoutš’’’9 0  `č Š’’’vk  €'   USERProcessHandleQuota ? ’’’’


well heres to hoping to another fast reply and kudo's again :)

#4 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 June 2004 - 07:18 AM

i know it says not to bump but my post is back on page like 14 or something could some1 have a look plz :)

#5 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 07:21 AM

Sorry - missed your reply earlier.

Open the FINDnFIX folder and then open the keys1 folder. Right-click on the MOVEit.bat file and select 'edit'. That will open the file as an empty text file - copy and paste this line into the blank file:

move %WinDir%\System32\CTLG.DLL %SystemDrive%\junkxxx\CTLG.DLL

Save the file and close. The next step will cause a restart. Still in the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.



Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

If that happens, skip that step and proceed this way instead. In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the CTLG.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.


Posted Image

#6 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 June 2004 - 09:06 AM

Sun 06/27/2004
10:03am up 0 days, 0:04

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.
C: is not dirty.

*Locked files...
* result\\?\C:\junkxxx\CTLG.DLL

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\JUNKXXX\
ctlg.dll Fri Jun 18 2004 5:55:44p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\CTLG.DLL


Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Searching ==>C:\JUNKXXX\CTLG.DLL
Run Time(sec) 0
**File C:\JUNKXXX\CTLG.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.

move %WinDir%\System32\CTLG.DLL %SystemDrive%\junkxxx\CTLG.DLL

-ra-- W32i - - - - 57,344 06-18-2004 ctlg.dll
A R C:\junkxxx\CTLG.DLL
File: <C:\junkxxx\CTLG.DLL>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\junkxxx\CTLG.DLL
Directory "C:\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "C:\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

File "C:\junkxxx\CTLG.DLL"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLs

---------- NEWWIN.TXT
ogAppInit_DLLsoutsŠ
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001320: 01 00 00 00 01 00 6F 67 . 5F 44 4C 4C 73 6F 75 74 ......og _DLLsout
**File C:\FINDnFIX\NEWWIN.TXT
        ÷*łwą’’’Š  H x ˜ Ų  Š’’’vk     DeviceNotSelectedTimeoutč’’’1 5  `å °å čå Š’’’vk  €'   GDIProcessHandleQuota ą’’’vk  h   Spooler š’’’y e s ą’’’vk  €   swapdiskŠ’’’vk  Č   TransmissionRetryTimeoutš’’’9 0  `č Š’’’vk  €'   USERProcessHandleQuota Ų’’’vk  €   ogAppInit_DLLsoutsŠ ’’’’UVųw’źłwŪčłw ƒkW|H?W|śHW|%cW|FgW|³@W|+>W|Ż˜W|ģ>W|=åW|

#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 09:12 AM

Well done :D Nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Rescan with HJT and post a new log in your next reply.
Posted Image

#8 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 June 2004 - 09:27 AM

Logfile of HijackThis v1.97.7
Scan saved at 10:25:00 AM, on 6/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rath\My Documents\spyware mozilla\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A12AAB3F-7021-4A5B-94E0-B211991D7083} - C:\WINNT\system32\mgenl.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4811921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB485AC4-C4CB-4BFE-879C-898F00CB8ECD}: NameServer = 206.47.244.57 206.47.244.91



jesus what is this the black plague of spyware lol (thx agian for your time :) )

#9 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 09:45 AM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rath\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A12AAB3F-7021-4A5B-94E0-B211991D7083} - C:\WINNT\system32\mgenl.dll (file missing

Reboot when done. Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HJT and post a new log here for a final check over.
Posted Image

#10 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 June 2004 - 10:16 AM

Logfile of HijackThis v1.97.7
Scan saved at 11:09:01 AM, on 6/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Documents and Settings\Rath\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4811921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


ok my log looks clean and ad aware found nothing BUT i purchased xoftspy by pertologic and it finds 2 entries of malware CWS.mrhop here is it's log it shows it :(

xoftspylog by pertologic

Starting Scanning (Smart Scan Mode)
Scanning running processes.
1) : C:\Program Files\XoftSpy\XoftSpy.exe
2) : System
3) : smss.exe
4) : csrss.exe
5) : winlogon.exe
6) : services.exe
7) : lsass.exe
8) : Ati2evxx.exe
9) : svchost.exe
10) : ccSetMgr.exe
11) : ccEvtMgr.exe
12) : spoolsv.exe
13) : svchost.exe
14) : navapsvc.exe
15) : NPROTECT.EXE
16) : regsvc.exe
17) : SAVScan.exe
18) : MSTask.exe
19) : NOPDB.EXE
20) : symlcsvc.exe
21) : WinMgmt.exe
22) : MsPMSPSv.exe
23) : svchost.exe
24) : Ati2evxx.exe
25) : C:\WINNT\Explorer.EXE
26) : C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
27) : C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
28) : C:\WINNT\system32\CTHELPER.EXE
29) : C:\Program Files\Logitech\iTouch\iTouch.exe
30) : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
31) : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
32) : C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
33) : C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
34) : C:\Program Files\XoftSpy\XoftSpy.exe
1) CWS.mrhop
Name: Software\Microsoft\Internet Explorer\Main\Local Page:@:C:\WINNT\system32\blank.htm
Type: Registry Value
2) CWS.mrhop
Name: Software\Microsoft\Internet Explorer\Main\Local Page:@:C:\WINNT\system32\blank.htm
Type: Registry Value
Scan Finished

got any thoughts on this xoftspy removes it but returns after a reboot :(

Edited by Rath-bot, 27 June 2004 - 10:17 AM.


#11 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 June 2004 - 11:16 AM

don't wanna do this but bump ;)

#12 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 11:20 AM

I'm not familiar with xoftspy (maybe that's something I should rectify :oops: ) so I can't comment on the accuracy of it's detections. If CWShredder and AAW are coming up clean I don't think you have anything to worry about.

How is it running now?
Posted Image

#13 Rath-bot

Rath-bot

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 June 2004 - 11:45 AM

well after the week of fighting spyware i am afraid to open IE again and have switched to mozilla permently which i might add does not fall victim to spyware even being infected mozilla ignored any spyware redirects or pop ups

but after searching and running a few other suggested programs i think (don't quote me on this) xoftspy is making a incorrect detection as the mrhop.dll is a cws problem although i do not have that dll anywhere it could be the name setting it off but dunno i have restarted several times done a bunch of surfing and ran HJT serveral times as well as cwshredder and ad aware and everything is still clean

BUT i would like to point out that not once did ad aware find any of the cws infections even after the recent update and xoftspy found them right from day 1 to bad you have to pay for it free to scan but no fixing unless you pay sigh.

and a BIG THANK YOU
this was me last week :gah:

#14 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 12:20 PM

You're welcome - glad to help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button