hijack to index.html 96676


9 replies to this topic

#1 jashac

Posted 01 July 2004 - 02:41 PM

Could you please help eliminate this hijack? I've read the FAQ. I've scanned with CWShredder, Spybot, Ad-aware, Registry Mechanic, and PCBug Doctor. When I start MS Internet Explorer it is redirected to res://afvcn.dll/index.html#96676.

Using HijackThis, I've eliminated the redirects (the first six lines of the HijackThis log), reset my homepage, and that works for one iteration, then the IE home page is reset again.

Problem two: after all this 'fixing' I'm now missing shell.dll, and bridge.dll.
Problem three: Notepad comes up fine, but quits randomly.

I don't know if problems two and three are related to the hijack, or to fixes.

Could you please help? Following is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:04:37 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Wintab32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\netxv32.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\GeoGraphix\Tools\GeoSync.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\nteu.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG04.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afvcn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe
O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com
O17 - HKLM\Software\..\Telephony: DomainName = corporate.vecta-exp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{234CF7D0-7546-45E2-8337-D91D96E4EF6A}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

Thanks a bunch. ..Jasha
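
As an added example (not HijackThis or any tool from this thread), a small Python triage pass over log entries like the ones above: it flags res:// page settings, a missing URLSearchHook, a non-default UserInit, an unnamed BHO and autostarts in unusual locations, and lists entries that survive a cleanup attempt. The sample entries are copied from this thread's logs; the O4 location rules are assumed heuristics.

```python
# Added example (not HijackThis code); O4 location rules are assumed heuristics.
import ntpath
import re

# Constructed sample: entries copied from the first and last logs in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe
""".strip().splitlines()

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
""".strip().splitlines()

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # "O4 - <body>"
O4_RE = re.compile(r"\[[^\]]*\]\s+(.*)$")                  # command after "[name]"
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|com|scr))', re.I)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"    # stock Windows XP value
WINDIR = r"c:\windows"

def parse_line(line):
    """Split one log line into (kind, body); None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def autostart_paths(body):
    """Every quoted or extension-terminated path in an O4 entry's command."""
    m = O4_RE.search(body)
    cmd = m.group(1) if m else body.split(" = ", 1)[-1]     # Global Startup form
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]

def triage(lines):
    """Return (severity, kind, reason, line) for entries worth a closer look."""
    findings = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        kind, body = entry
        low = body.lower()
        if kind in ("R0", "R1") and "= res://" in low:
            findings.append(("high", kind, "IE page points into a DLL resource", raw))
        elif kind == "R3" and "missing" in low:
            findings.append(("medium", kind, "default URLSearchHook removed", raw))
        elif kind == "F2" and low.startswith("reg:system.ini: userinit="):
            # Check userinit.exe still exists before resetting this, or the next logon fails.
            if low.split("=", 1)[1].strip() != DEFAULT_USERINIT:
                findings.append(("high", kind, "UserInit is not userinit.exe", raw))
        elif kind == "O2" and "(no name)" in low:
            findings.append(("medium", kind, "unnamed BHO", raw))
        elif kind == "O4":
            for path in autostart_paths(body):
                plow = path.lower()
                # Heuristic: binaries in the Windows root or Downloaded Program Files stand out.
                if ntpath.dirname(plow) == WINDIR or "downloaded program files" in plow:
                    findings.append(("review", kind, f"unusual autostart location: {path}", raw))
                    break
    return findings

def persistent_entries(before, after):
    """Entries that survived a cleanup attempt (present in both logs)."""
    kept = {l.strip() for l in after}
    return [l.strip() for l in before if parse_line(l) and l.strip() in kept]
```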

#2 Rootkit

Posted 01 July 2004 - 03:24 PM

Hi, jashac

Please download the latest version, rescan, and post the logfile.

http://www.spywarein.../hijackthis.zip

Gday :wave:

#3 jashac

Posted 01 July 2004 - 03:42 PM

Thanks.
Here is the new HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 3:36:56 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Wintab32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\netxv32.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\GeoGraphix\Tools\GeoSync.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\nteu.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afvcn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe
O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun"
O4 - HKCU\..\RunOnce: [RealPlayer1] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
O4 - HKCU\..\RunOnce: [RealPlayer2] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com
O17 - HKLM\Software\..\Telephony: DomainName = corporate.vecta-exp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{234CF7D0-7546-45E2-8337-D91D96E4EF6A}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

Sure appreciate your time on this, Jasha

#4 Rootkit

Posted 01 July 2004 - 04:13 PM

Hi, jashac

Can you try this please?

Please download this tool called 'About:Buster':

http://www.downloads...AboutBuster.zip

Unzip it to your desktop.

DO NOT relaunch Internet Explorer at any point during this.

Now, boot in to safe mode. Instructions on how to do so are in the following link:

http://service1.syma...src=sec_doc_nam

(Follow the instructions relevant to your operating system. In this case it is either Windows 2000 or XP.)

Once in safe mode, Run HijackThis again, close all open windows (that includes Internet Explorer and Windows Explorer), put a checkmark next to the following, and press "Fix Checked":


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afvcn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll

O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe
O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe

Guys, not sure here:
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe


DO NOT relaunch Internet Explorer.

Launch the About:Buster program you had earlier downloaded. Click 'OK' to the first prompt you get upon launching the program. Now, click the big 'Start' button. Click the 'OK' button you now see. Leave it to scan (that can take some time, so please be patient). Once it has finished (it'll have text, beside the 'OK' button, identical to 'Done Scanning'), copy/paste its report somewhere. To copy/paste it all, please select (highlight) with your mouse ALL of the text in the white box (in About:Buster). Right-click with your mouse and select 'Copy'.

Now, launch Notepad and RIGHT-click in the empty space. Select 'Paste'. Now the logfile from About:Buster will have been copied into Notepad. Click 'File' (in the menus...) > 'Save As'. Save it in C:\ and as Log.txt.

Now, restart the computer as normal and you'll return into Windows 'Normal' mode. Once back in 'Normal' mode, re-scan with HijackThis. Save that new logfile. Post that new logfile from HijackThis as well as the Log.txt you saved in safe mode (which is the logfile/report from About:Buster).


Now you have some items that need to be removed from Safe Mode, and hidden and system files, so do not fix any of this; let the pros here have a look at it.

Good luck :wave:

#5 jashac

Posted 01 July 2004 - 04:49 PM

Rootkit - thanks for your help. I will proceed as you suggest. In the meantime, I've downloaded TrojanHunter and run it. It found trojans: adware.IELoad.100, Adware.JDF.100, LittleWitch.621, and TrojanDownloader.agent.103. Should I have it delete these before I proceed?
Thanks.

#6 jashac

Posted 01 July 2004 - 05:20 PM

The link to Symantec for booting in safe mode is not working. (I've tried various iterations and cannot get there.) Is it different than pressing F8 during start-up?

I'm wanting to follow your instructions explicitly. Thanks. J

#7 jashac

Posted 02 July 2004 - 03:17 PM

Rootkit,
Thanks for the guidance.
I did run TrojanHunter and followed your instructions.
Following is the HijackThis log (normal mode) after deleting items in Safe Mode:

Logfile of HijackThis v1.98.0
Scan saved at 3:07:21 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Wintab32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\GeoGraphix\AdaptiveServer80\win32\dbsrv8.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\GeoGraphix\Tools\GeoSync.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com
O17 - HKLM\Software\..\Telephony: DomainName = corporate.vecta-exp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

Interesting, because the R.. entries were not there in Safe Mode. I went back to Safe Mode and reran the HijackThis scan to make sure I hadn't just missed them. Not there...

Following is the AboutBuster log run in safe mode:

About:Buster Version 1.23
Removed! : C:\WINDOWS\eifesk.dat
Removed! : C:\WINDOWS\htdoiz.dat
Removed! : C:\WINDOWS\ixvkyz.dat
Removed! : C:\WINDOWS\mqbdju.dat
Removed! : C:\WINDOWS\ncpgcf.dat
Removed! : C:\WINDOWS\qudwsn.dat
Removed! : C:\WINDOWS\rvpggw.dat
Removed! : C:\WINDOWS\xusbvb.dat
Removed! : C:\WINDOWS\xysjfa.dat
Removed! : C:\WINDOWS\yetopp.dat
Removed! : C:\WINDOWS\System32\yjxdp.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

What's next?
Thanks in advance, ...Jasha

#8 jashac

Posted 05 July 2004 - 04:25 PM

Rootkit - hope you had a good Fourth of July - bump

#9 jashac

Posted 08 July 2004 - 09:10 AM

Hey guys,
During the interim, I've continued to get updates for Ad-aware, Spybot, TrojanHunter, and Registry Mechanic, and run them.
It appears that the hijack is gone.
How do I tell for sure?

Also, in searching around, I found Home Search Remove at www.hsremove.com/

has anyone used this successfully?

Thanks .... JashaC

#10 jashac

Posted 08 July 2004 - 09:19 AM

One remaining problem:
I use a rolodex program called Sharkware. When I start it I get an error message which says: Cannot find SHELL.DLL

Following is an excerpt from a CWShredder scan-only report:
Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe

How can I fix this?
Thanks,
Jasha



