post hijack issue...previously had res://


7 replies to this topic

#1 gumby1

gumby1

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 01 July 2004 - 03:06 AM

Hi All,

I had that awful res:// hijack and ran Ad-aware / Spybot S&D, followed all instructions from the pinned post on this site regarding this hijack - have got control of my browser again.

Now I have an issue with a thing called c:\windows\system32\cral.exe. Each time I connect to the internet, Norton firewall says this file is trying to access the internet and it is 'high risk'. I have searched for answers on Google but no one seems to know.

Has anyone else had this issue?

#2 Rootkit

Rootkit

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 01 July 2004 - 04:36 AM

Hi, gumby1

You could post a HJT logfile here so they may have a look at it for you, but please do not remove any items.

http://www.spywarein.../hijackthis.zip

Some info

Download, then save the file/install to a new folder called HijackThis or something similar, not your Desktop or the Temp folder, and double-click on the "HijackThis" icon and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, then post it here in a reply.

Gday :bounce:

#3 gumby1

gumby1

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 01 July 2004 - 05:02 AM

Hi Rootkit,

Yes, I have HJT and I have posted a log a few times but no one seems to reply, which is understandable considering the ferocity of this res:// hijack - it is the worst I have encountered EVER. CWS, Adaware and Spybot S&D always seem to take care of things and I have run all in safe mode, but I suspect there are some remnants in my registry. I have updated all Adaware, Spybot S&D and fortunately it took care of most of it and I was able to regain control of my browser. I am starting to think I might get a Mac - I am sick of viruses, trojans and the like. Nice to see another Australian on the forum. If someone is able to take a look at this HJT log it would be much appreciated. Peace all.

Logfile of HijackThis v1.97.7
Scan saved at 7:54:34 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\cral.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yale Knudson\Local Settings\Temp\Temporary Directory 12 for hijackthis1977.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cral.exe] C:\WINDOWS\system32\cral.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8167.2487847222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEF124F-5FD5-4337-B073-0A505D31016B}: NameServer = 192.189.54.37 192.189.54.26

#4 gumby1

gumby1

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 01 July 2004 - 05:47 AM

Oh, by the way - I can see cral.exe in the HJT log file; however, I have tried to delete it using HJT but it seems to come back, and I am not sure of its function. I ran a registry mechanic and it didn't do anything either - seems awfully strange.

#5 Rootkit

Rootkit

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 01 July 2004 - 05:49 AM

Hi, gumby1

Please look at my first post; there was a link to update to the new HijackThis Ver 1.98. Get that, then run a new scan & post it here.

Gday :wave:

#6 Rootkit

Rootkit

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 01 July 2004 - 05:55 AM

Hi, gumby1

Yes, I see it. For something like that you may need to go to Safe Mode & Show Hidden and System files, find that file & delete it, but please do not do that now. Not sure they want me to have you remove anything, so hold for someone to tell you what to do here. Have a great day.

Gday :bounce:

#7 gumby1

gumby1

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 01 July 2004 - 06:34 AM

Hi Rootkit,

My apologies, I overlooked that it was a new version. Here is the logfile from the newer version - much appreciated.

Logfile of HijackThis v1.98.0
Scan saved at 9:31:41 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\cral.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yale Knudson\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cral.exe] C:\WINDOWS\system32\cral.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEF124F-5FD5-4337-B073-0A505D31016B}: NameServer = 192.189.54.37 192.189.54.26
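
The two scans posted in this thread can be compared mechanically. The following is an added example, not part of the original posts and not HijackThis's own code: it parses the log format shown above, lists the O4 Run autostart entries with whether their target is currently running, and reports which entries changed between scans. The function names and the shortened sample logs are assumptions made for illustration.

```python
import re

# Constructed samples: a few lines copied from each of the two scans in the thread.
SCAN_1 = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cral.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [cral.exe] C:\WINDOWS\system32\cral.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8167.2487847222
"""
SCAN_2 = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cral.exe
C:\Program Files\Messenger\msmsgs.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [cral.exe] C:\WINDOWS\system32\cral.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def parse(log):
    """Split a HijackThis log into (running process paths, entry tuples)."""
    procs, entries, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            procs.add(line.lower())
        elif (m := ENTRY.match(line)):
            entries.append(m.groups())
    return procs, entries

def run_entries(log):
    """Map each O4 Run value name to (hive, target path, currently running?)."""
    procs, entries = parse(log)
    out = {}
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m:
            hive, name, cmd = m.groups()
            # Quoted targets end at the closing quote; unquoted ones are taken whole.
            path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd
            out[name] = (hive, path, path.lower() in procs)
    return out

def diff(old, new):
    """Entries that appeared or disappeared between two scans."""
    a, b = set(parse(old)[1]), set(parse(new)[1])
    return sorted(b - a), sorted(a - b)
```

An autostart entry that is present and running in both scans, as the cral.exe Run value is here, has survived whatever cleanup happened between them; the diff shows only what the scans report, not why an entry changed.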

#8 gumby1

gumby1

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 01 July 2004 - 07:14 AM

One question - Google can't find anything on cral.exe; does this mean it shouldn't be there?



