• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
ccrb

coolwwwsearch and more

18 posts in this topic

I read the FAQ. I've followed instructions as best I can.

 

This is a client of mine... Win2K all service packs and security fixes in place. Browser hijacker keeps grabbing control. ran adaware after latest update. ran spybot s&d after latest update. Even deleted most lines using hijack this, but they return. The default home page for IE points to a res://<name>.dll/index.html

 

<name> has been qkrdg, hcoxq, unnko obviously randomized, and the dll files are hidden. I rename or delete them, and it just creates a new one.

 

Using hijack this, I have deleted most everything, but it comes back. Here's the latest:

 

Logfile of HijackThis v1.98.0Scan saved at 6:14:59 PM, on 7/14/2004Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\winsr32.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\Program Files\Navnt\navapw32.exe

C:\WINNT\iezw32.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\unnko.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://unnko.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://unnko.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\unnko.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\unnko.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://unnko.dll/index.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

 

sorry this is ugly, but I couldn't post it from the original machine, couldn't get into webmail. Heck, I couldn't even register at this forum because of the $%#^$@$ hijacker.

 

Just for the record, I have deleted (using hijack this) every line in the scan that contains the .dll name.

 

I'm at a loss, and I'd sure appreciate some help.

Share this post


Link to post
Share on other sites

Hello please download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

 

 

 

 

Note: You may need to run it a few times in Normal mode or reboot into safe mode and try it. Directions.

Edited by mmxx66

Share this post


Link to post
Share on other sites

when I unzipped and installed about:blaster, I got errors

 

this occured in regular or safe mode

 

run time error "339"

Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid.

Share this post


Link to post
Share on other sites

ran about:buster

 

ran adaware & spybot one more time

 

ran hijack this:

 

Logfile of HijackThis v1.98.0

Scan saved at 2:03:56 PM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\winsr32.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\WINNT\iezw32.exe

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\administrator.THELEVYGROUP\DESKTOP\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

Share this post


Link to post
Share on other sites

hijack this log in safe mode reads:

 

Logfile of HijackThis v1.98.0

Scan saved at 2:21:02 PM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\WINNT\iezw32.exe

C:\Program Files\Navnt\navapw32.exe

C:\Documents and Settings\administrator.THELEVYGROUP\Desktop\HijackThis.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

C:\WINNT\system32\ntkj32.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

 

 

REMAINING PROBLEMS...

 

still see a popup for "only the best" which I think is related.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 2:50:47 PM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\WINNT\iezw32.exe

C:\Program Files\Navnt\navapw32.exe

C:\Documents and Settings\administrator.THELEVYGROUP\Desktop\HijackThis.exe

C:\WINNT\system32\ntkj32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\taskmgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\MsiExec.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe

O4 - HKLM\..\RunOnce: [ntkj32.exe] C:\WINNT\system32\ntkj32.exe

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

Share this post


Link to post
Share on other sites

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Don´t use it yet.

1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R331 08.07.2004 or higher listed.

 

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

 

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

 

4. Reboot to Safe Mode

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

 

5. Make sure your PC is configured to show hidden files

 

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.

Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"

Click "Apply" then "OK"

 

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {CE958043-7FC9-973C-FD60-D5630D607123} - C:\WINNT\netdl.dll

O4 - HKLM\..\Run: [iezw32.exe] C:\WINNT\iezw32.exe

O4 - HKLM\..\RunOnce: [ntkj32.exe] C:\WINNT\system32\ntkj32.exe

 

7. delete the following files if present.

C:\WINDOWS\netdl.dll

C:\WINDOWS\iezw32.exe

C:\WINNT\system32\ntkj32.exe

 

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

 

9. Scan with Adaware and let it remove any bad files found.

 

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

 

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

 

12. Finally, do an online scanHERE. Let it remove any infected files found.

 

 

Post a fresh HijackThis log and the AboutBuster report back here please.

Edited by mmxx66

Share this post


Link to post
Share on other sites

There is no NETWORK SECURITY SERVICE. running win2k pro.

 

I have NETWORK CONNECTIONS

NETWORK DDE

NETWORK DDE DSDM

 

but that's all that begin with NETWORK

Share this post


Link to post
Share on other sites

ok. go ahead with the next step.

Share this post


Link to post
Share on other sites

Phew. quite a task. Aside from not having the service, the adaware in safe mode was an old version (same userid & password) than the adaware in normal mode. go figure. Anyhow, adaware basically came up with three items, none of them were cws.

 

Here are the logs.

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINNT\d3ia.exe

Removed! : C:\WINNT\iepa.exe

Removed! : C:\WINNT\sdkwe.exe

Removed! : C:\WINNT\yugnw.dat

Removed! : C:\WINNT\system32\zflih.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

as you can see, the dll's had morphed to new names, but I figured out by extrapolation all the lines to delete from highjack this.

 

and here's the other log (HIJACK THIS)

 

Logfile of HijackThis v1.98.0

Scan saved at 5:43:55 PM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

C:\WINNT\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

...AND RIGHT NOW, I'm running the trend housecall scan.

 

I'm going to have to wrap this up shortly for the day. I have a meeting 60mi away. Any last suggestions?

 

And... thank you greatly for your help. A quick look at the default home page in IE shows it's not a dll, but in fact, google. No new popups have appeared. I hope... I really hope we caught it all.

Share this post


Link to post
Share on other sites

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

 

And also see TonyKlein's good advice

So how did I get infected in the first place?

Share this post


Link to post
Share on other sites

Well, thanks much. I've spent 8 hrs of the client's billable hours... I learned a lot, and... as most of my service calls are about malware, although I've been able to fix the others... this has been quite a trip.

Share this post


Link to post
Share on other sites

post a new log to give it a last check, but it looks pretty clean.

good luck :D:D

and happy surfing.

Edited by mmxx66

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 2:04:30 PM, on 7/20/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Webshots\WebshotsTray.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\Program Files\ACAD2000\acad.exe

C:\Program Files\ACAD2000\acad.exe

C:\Documents and Settings\Administrator\DESKTOP\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/slv/ycheck/as/*http://.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://...com/search?p=%s

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [AIM] C:\aol messenger\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: Webshots.lnk = C:\Webshots\WebshotsTray.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4A659D2-F41A-41DD-B5CC-B5D3B3F19041}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

client says no popups or trouble. This has been stable since Friday (Today is Tuesday). :D

Share this post


Link to post
Share on other sites

I missed this one.

You are running Spykiller. This is a program that advertises itself as removing spyware, but it apparently gives false positives to get you to buy it and then does a miserable job. Some even think that it may install malware. I recommend that you remove it in Add/Remove Programs. See this post for details about these programs: http://www.safer-networking.org/index.php?...tail=2004-02-05

Share this post


Link to post
Share on other sites

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0