Jump to content


Photo

BHO not included in list


  • Please log in to reply
5 replies to this topic

#1 simonm

simonm

    Member

  • New Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 07:05 AM

Introduction

I have a spyware / hijack problem that is proving difficult to remove. See history below for more details.

I have run HijackThis and compared BHOs with the list on this website and found one that is not listed. {84850937-9A02-7E55-8FA6-C522AD1E86A5}. Is this malicious?. See Log below for more details.

Kind regards
Simon

PS I have a process running ipsw.exe, for which I can find no information. Is this a legitimate process or malign?

HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 12:53:12, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ipsw.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\netox.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Software\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton AntiVirus\AdvTools\WIPINFSE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\regedit.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {84850937-9A02-7E55-8FA6-C522AD1E86A5} - C:\WINDOWS\system32\ntmi32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ipsw.exe] C:\WINDOWS\system32\ipsw.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [atlgv32.exe] C:\WINDOWS\atlgv32.exe
O4 - HKLM\..\RunOnce: [addwe32.exe] C:\WINDOWS\system32\addwe32.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [netox.exe] C:\WINDOWS\netox.exe
O4 - HKLM\..\RunOnce: [atlww32.exe] C:\WINDOWS\system32\atlww32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.4thenet.co.uk
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.micros...llery/msotd.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7405.4906134259
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab

Some history

I have run Spybot Search and Destroy. This has cleaned up a lot, but is unsussessful in removing 5 occurences of DSO exploit. I have followed advice elsewhere and modified the value of 1004 to 3 in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0. However this modification resets to blank. I also note that the type of 1004 is REG_SZ and not REG_DWORD as expected.

I have run Spy Sweeper which identifies CWS_NS3 and CWS_NS3 Hijack. Neither Spy Sweeper nor CWShredder have been able to remove these. I have manually ended the process altgv.exe which appears to be connected with CoolWebSearch hijacker. I had to do this numerous times - it kept restarting - but now appears to have been ended.

A few days ago - at the beginning of my recent troubles - I noticed that in 30 minutes of light browsing the Internet I had SENT a phenomenal 16 MB of data. I realised that a process called winservicess.exe was responsible and maunally ended this process and removed it from the registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This particular problem has not reappeared.

Norton AntiVirus shows up clean.

Windows XP, Norton AntiVirus, Spybot Search & Destroy, Spy Sweeper and HijackThis are all up-to-date.

I have wipped clean c:\windows\temp.

I have looked at all *.hta files on my hard drive - nothing suspicious. I have 100s of *.js files, so can not be sure that there are no malignant files amongst these.

Using HijackThis, I have already fixed the 5 hijacked references to homepages and search pages.

I have read the FAQs on this forum.

#2 shalafi

shalafi

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 28 June 2004 - 07:08 AM

edit

Edited by shalafi, 28 June 2004 - 06:25 PM.


#3 simonm

simonm

    Member

  • New Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 08:37 AM

More details on the three suspicious files mentioned before:

c:\windows\system32\ipsw.exe is 26KB is running (Windows task manager), but not in Registry. Also c:\windows\Prefetch\ipsw.exe-128EE657.pf (18 KB)

c:\windows\atlgv32.exe is 9KB is running (Windows task manager), and is in the Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce). Also c:\windows\Prefetch\atlgv32.exe-073E4558.pf (15KB)

c:\windows\system32\ntmi32.dll is 89 KB - Refered to in HijackThis (see Log in above post), is in the Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84850937-9A02-7E55-8FA6-C522AD1E86A5}\InprocServer32)
but is not running (Windows task manager).

#4 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 28 June 2004 - 09:44 AM

Tick the entries in HijackThis scan, close all browser and Explorer windows, click Fix checked. HijackThis will make backups.

Reboot, see if everything is normal.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#5 simonm

simonm

    Member

  • New Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 10:16 AM

CNM, Can I just confirm "Tick the entries in HijackThis scan, ..."

Is that ALL entries?

regards
Simon

#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 28 June 2004 - 10:22 AM

No no! Just the entries for the 2 files you were asking about.

Introduction

I have a spyware / hijack problem that is proving difficult to remove. See history below for more details.

I have run HijackThis and compared BHOs with the list on this website and found one that is not listed. {84850937-9A02-7E55-8FA6-C522AD1E86A5}. Is this malicious?. See Log below for more details.

Kind regards
Simon

PS I have a process running ipsw.exe, for which I can find no information. Is this a legitimate process or malign?


And the DSO exploit is a known bug in Spybot SD 1.3. They will be fixing it soon - probably in next update.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button