Jump to content


Photo

coolwwwsearch and more


  • This topic is locked This topic is locked
17 replies to this topic

#1 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 14 July 2004 - 06:34 PM

I read the FAQ. I've followed instructions as best I can.

This is a client of mine... Win2K all service packs and security fixes in place. Browser hijacker keeps grabbing control. ran adaware after latest update. ran spybot s&d after latest update. Even deleted most lines using hijack this, but they return. The default home page for IE points to a res://<name>.dll/index.html

<name> has been qkrdg, hcoxq, unnko obviously randomized, and the dll files are hidden. I rename or delete them, and it just creates a new one.

Using hijack this, I have deleted most everything, but it comes back. Here's the latest:

Logfile of HijackThis v1.98.0Scan saved at 6:14:59 PM, on 7/14/2004Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winsr32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\iezw32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\unnko.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://unnko.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://unnko.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\unnko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\unnko.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://unnko.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


sorry this is ugly, but I couldn't post it from the original machine, couldn't get into webmail. Heck, I couldn't even register at this forum because of the $%#^$@$ hijacker.

Just for the record, I have deleted (using hijack this) every line in the scan that contains the .dll name.

I'm at a loss, and I'd sure appreciate some help.

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 14 July 2004 - 07:02 PM

Hello please download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.




Note: You may need to run it a few times in Normal mode or reboot into safe mode and try it. Directions.

Edited by mmxx66, 14 July 2004 - 07:03 PM.


#3 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 01:11 PM

when I unzipped and installed about:blaster, I got errors

this occured in regular or safe mode

run time error "339"
Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid.

#4 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 02:07 PM

ran about:buster

ran adaware & spybot one more time

ran hijack this:

Logfile of HijackThis v1.98.0
Scan saved at 2:03:56 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winsr32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\WINNT\iezw32.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\administrator.THELEVYGROUP\DESKTOP\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

#5 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 02:23 PM

hijack this log in safe mode reads:

Logfile of HijackThis v1.98.0
Scan saved at 2:21:02 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\WINNT\iezw32.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\administrator.THELEVYGROUP\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINNT\system32\ntkj32.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com



REMAINING PROBLEMS...

still see a popup for "only the best" which I think is related.

#6 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 02:51 PM

Logfile of HijackThis v1.98.0
Scan saved at 2:50:47 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\WINNT\iezw32.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\administrator.THELEVYGROUP\Desktop\HijackThis.exe
C:\WINNT\system32\ntkj32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe
O4 - HKLM\..\RunOnce: [ntkj32.exe] C:\WINNT\system32\ntkj32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

#7 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 15 July 2004 - 04:20 PM

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Donīt use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R331 08.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

4. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll
O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe
O4 - HKLM\..\RunOnce: [ntkj32.exe] C:\WINNT\system32\ntkj32.exe


7. delete the following files if present.
C:\WINDOWS\netdl.dll
C:\WINDOWS\iezw32.exe
C:\WINNT\system32\ntkj32.exe

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:


Temporary Files
Temporary Internet Files
Recycle Bin

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scanHERE. Let it remove any infected files found.


Post a fresh HijackThis log and the AboutBuster report back here please.

Edited by mmxx66, 15 July 2004 - 04:28 PM.


#8 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 04:55 PM

There is no NETWORK SECURITY SERVICE. running win2k pro.

I have NETWORK CONNECTIONS
NETWORK DDE
NETWORK DDE DSDM

but that's all that begin with NETWORK

#9 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 15 July 2004 - 05:02 PM

ok. go ahead with the next step.

#10 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 05:45 PM

Phew. quite a task. Aside from not having the service, the adaware in safe mode was an old version (same userid & password) than the adaware in normal mode. go figure. Anyhow, adaware basically came up with three items, none of them were cws.

Here are the logs.

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINNT\d3ia.exe
Removed! : C:\WINNT\iepa.exe
Removed! : C:\WINNT\sdkwe.exe
Removed! : C:\WINNT\yugnw.dat
Removed! : C:\WINNT\system32\zflih.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

as you can see, the dll's had morphed to new names, but I figured out by extrapolation all the lines to delete from highjack this.

and here's the other log (HIJACK THIS)

Logfile of HijackThis v1.98.0
Scan saved at 5:43:55 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

...AND RIGHT NOW, I'm running the trend housecall scan.

I'm going to have to wrap this up shortly for the day. I have a meeting 60mi away. Any last suggestions?

And... thank you greatly for your help. A quick look at the default home page in IE shows it's not a dll, but in fact, google. No new popups have appeared. I hope... I really hope we caught it all.

#11 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 15 July 2004 - 05:50 PM

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?

#12 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 05:51 PM

so you think this is clean now...

#13 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 15 July 2004 - 05:57 PM

Well, thanks much. I've spent 8 hrs of the client's billable hours... I learned a lot, and... as most of my service calls are about malware, although I've been able to fix the others... this has been quite a trip.

#14 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 15 July 2004 - 06:26 PM

post a new log to give it a last check, but it looks pretty clean.
good luck :D :D
and happy surfing.

Edited by mmxx66, 15 July 2004 - 06:27 PM.


#15 ccrb

ccrb

    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 20 July 2004 - 02:08 PM

Logfile of HijackThis v1.98.0
Scan saved at 2:04:30 PM, on 7/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Webshots\WebshotsTray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\ACAD2000\acad.exe
C:\Program Files\ACAD2000\acad.exe
C:\Documents and Settings\Administrator\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...com/search?p=%s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\aol messenger\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Webshots.lnk = C:\Webshots\WebshotsTray.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

client says no popups or trouble. This has been stable since Friday (Today is Tuesday). :D

#16 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 20 July 2004 - 02:17 PM

Your log is clean.
Check this link about WeatherBug.
http://www.pchell.co...eatherbug.shtml
Good luck :D

#17 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 20 July 2004 - 02:22 PM

I missed this one.
You are running Spykiller. This is a program that advertises itself as removing spyware, but it apparently gives false positives to get you to buy it and then does a miserable job. Some even think that it may install malware. I recommend that you remove it in Add/Remove Programs. See this post for details about these programs: http://www.safer-net...tail=2004-02-05

#18 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 22 January 2005 - 05:15 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button