
missing dll bluescreens win2000



#1 ccrb

Posted 19 July 2004 - 03:16 PM

I have read the faq.

I have a Win2000 Pro system that was so bound up with malware, the company finally relented and called me in to fix it.

Ad-Aware finds 100+ objects, almost all malware, very few cookies.

The system was way behind on security updates.

Thinking I should bring Windows up to date, I tried applying SP4, and after that I blue-screened on a missing DLL (winsvr.dll, in one case, was missing).

Clearly, my approach must be to recover the system again, loading Win2000 on top of itself (again) and then fixing the malware, and getting a pure system before doing a Windows update.

Am I on track here?

I have HijackThis downloaded and ready to use.
I have Ad-Aware updated and ready to use.
I downloaded Spybot S&D but cannot get it updated (checksum errors).
I downloaded CWShredder and about:blast just in case I needed them.

I can't post a log here, because I've screwed up trying to do a Windows update first.

Ideas? Procedures?

#2 ccrb

Posted 19 July 2004 - 04:09 PM

Ah. Finally able to get HijackThis!

I have run Spybot S&D in safe mode, and it couldn't remove ezcybersearch.surebar.

And here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:04:15 PM, on 7/19/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\SxgTkBar.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
C:\WINNT\System32\automove.exe
C:\WINNT\wovax.exe
C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll (file missing)
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hKuRh7.exe] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [wovax] C:\WINNT\wovax.exe
O4 - HKLM\..\Run: [hKuRh7] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt2_x.cab
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo....ger/y/pg5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.baben...cabs/videox.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8187.4207060185
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} - https://folders.buzz..._3_0_605_20.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


Also, when this system is booted, a lot of software install windows open briefly and then close.

#3 ChrisRLG

Posted 19 July 2004 - 05:14 PM

You have an older version of hijackthis - please use the update feature - hijackthis - config - misc tools - update. Also :-
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. Please delete the old copy (including the zip copy) so it can't be used.
If required a tutorial is here = Hijackthis Folder Tutorial
======================================

Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes and 'end task' them.
OR
Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.


hKuRh7.exe
id53.exe
automove.exe
Tvm.exe

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll (file missing)
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O4 - HKLM\..\Run: [hKuRh7.exe] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [wovax] C:\WINNT\wovax.exe
O4 - HKLM\..\Run: [hKuRh7] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.baben...cabs/videox.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

The following ActiveX controls will reinstall when (and if) you revisit that website; UNLESS you know they are from a safe source, check to remove.

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} - https://folders.buzz..._3_0_605_20.cab

Then reboot to Safe Mode (F8 on boot) and delete the following files/folders:-
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View, hidden and operating system files are set to show:
http://www.xtra.co.n...1916458,00.html
Or items 8 & 9 from this link:
http://www.russellte...qhijackthis.htm

All content (except those dated today) but not the folder itself
C:\documents and settings\jplace\local settings\temp\

Folder > c:\installer\
File > > C:\WINNT\System32\automove.exe
File > > C:\WINNT\wovax.exe
Folder > C:\Program Files\TV Media\

Then Reboot and post a fresh log for me to check.
ASAP member since 2004 - MS MVP member since 2005
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."
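An added example, not code from the thread or from HijackThis itself: a small Python triage script that turns the patterns ChrisRLG picked out of the log above into checks, and runs them over a constructed subset of that log. The heuristics (executables in temp or installer folders, orphaned "(no file)"/"(file missing)" entries, unnamed O16 ActiveX downloads, one file behind several Run/RunOnce names, an unknown .exe directly in C:\WINNT\) are assumptions of this example, meant to surface candidates for the kind of line-by-line judgement the reply shows, not to replace it.

```python
"""Triage a HijackThis log for the patterns acted on in the thread above.
The heuristics are assumptions of this example, not HijackThis features."""
import re
from collections import Counter

# Constructed sample: lines copied from the first log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\Explorer.exe
C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
C:\WINNT\wovax.exe

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll (file missing)
O4 - HKLM\..\Run: [hKuRh7.exe] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [hKuRh7] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.baben...cabs/videox.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
"""

# O4 autorun: "O4 - HKLM\..\Run: [name] command"  (Run, RunOnce, RunServices...)
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
# O16 ActiveX download: "O16 - DPF: {CLSID} (description) - url"; the description is optional
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? - .*$")
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)   # "Running processes" lines are bare paths

SUSPICIOUS_DIRS = ("\\temp\\", "\\installer\\")
WINNT_ROOT_ALLOWED = {"explorer.exe"}   # legitimately lives directly in C:\WINNT\


def exe_path(cmd):
    """Best-effort executable path from an autorun command (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]


def path_is_suspicious(path):
    """Return a reason if the path matches a location heuristic, else None."""
    p = path.lower()
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "executable runs from a temp/installer folder"
    m = re.match(r"c:\\winnt\\([^\\]+\.exe)$", p)
    if m and m.group(1) not in WINNT_ROOT_ALLOWED:
        return "unknown executable directly in the Windows folder"
    return None


def triage(log_text):
    """Return (entry, reason) pairs worth a closer look, in log order, duplicates last."""
    findings, autorun_targets = [], Counter()
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if "(no file)" in line or "(file missing)" in line:
            findings.append((line, "orphaned entry: registered but file missing"))
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            autorun_targets[path.lower()] += 1
            reason = path_is_suspicious(path)
            if reason:
                findings.append((line, reason))
            continue
        m = O16_RE.match(line)
        if m and not m.group("desc"):
            findings.append((line, "unnamed ActiveX control downloaded from the web"))
            continue
        if DRIVE_RE.match(line):
            reason = path_is_suspicious(line)
            if reason:
                findings.append((line, "running process: " + reason))
    # One file registered under several Run/RunOnce names is a persistence tell
    for path, n in autorun_targets.items():
        if n > 1:
            findings.append((path, f"same target registered {n} times across Run/RunOnce keys"))
    return findings
```

On the sample above, the script flags the two temp-folder and installer-folder autoruns, the orphaned R3/O2 entries, the unnamed O16 control, wovax.exe in the Windows folder, and the two files registered twice; the Spybot, QuickTime and Explorer entries pass.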

#4 ccrb

Posted 19 July 2004 - 06:04 PM

I did all the above, plus took out the Yahoo pager entries and a few other toolbar entries...

Looks good, BUT there's still an attempt to install software (MS Office?) when I do much of anything.

Here's the log

Logfile of HijackThis v1.98.0
Scan saved at 6:01:22 PM, on 7/19/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

Thanks so much

Rob in Indiana

#5 ChrisRLG

Posted 20 July 2004 - 02:53 AM

This line is bad

O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

Fix that with hijackthis - should not be a problem.

Your other problem may be solved when you get your Windows updates done, as you are a long way behind (I remember you had problems doing so because of the malware), so get them next - plus these extra programs to help you keep clean.
=======================

This is my normal post for when you are clear - which you now seem to be - please advise of any problems :-
------------------------
How on earth did I get infected with all that spyware in the first place?
http://www.net-integ...ct=ST;f=38;t=3051
Also available from here :- http://www.computerc...tlite7736-.html
or http://boards.cexx.o...topic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-

Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.

SpywareBlaster & SpywareGuard: the first sets kill bits to stop known bad ActiveX controls installing; the second acts like your AV to stop browser hijacks and the installing of known baddies.

Also IE-SPYAD (link on my site) puts 4000 bad sites in your Restricted (banned) sites list, to stop you accidentally getting sent to a bad site; it has an optional list of "bad" adult sites to install as well.

All of those have links from my site. Do remember that, just like anti-virus, they need to be updated regularly; I do mine weekly, anti-virus hourly.

With these and a firewall in place, I have to try various bad sites when checking people's HijackThis logs, looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.

#6 ccrb

Posted 20 July 2004 - 09:22 AM

Thanks Chris. I'm heading into the client within a half hour.

#7 ccrb

Posted 20 July 2004 - 11:47 AM

Back on client's computer.

I left an antivirus scan running last night, and here are the results:


Incident Status Location

Virus:Trj/Siboco.A Disinfected C:\Documents and Settings\jplace\Local Settings\TEMP\~7172796890.tmp
Virus:Trj/SubSearch.C Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\1DY9QF79\IEService215[1].exe
Virus:Trj/Debeski.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\29GFQ3I9\start[1]
Virus:Trj/Siboco.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\49E3GXUJ\hp1[1].exe
Virus:Trj/Idly.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\4DQNKT2J\IdleUI[1].dll
Virus:Exploit/Mhtredir.L Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\ATYHQRMP\old[1].htm
Virus:Trj/Downloader.HH Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\B2YVI576\s_win32[1].exe
Virus:Exploit/Mhtredir.B Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\GH2BS9MB\OLD[1].CHM
Virus:Trj/Seeker.W Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\GPMJ4TEJ\object-c002[2].hta
Virus:Trj/Debeski.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\H03LKLO8\newobject1[1].hta
Virus:Trj/Revop.F Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\OBCARF29\bdl14122[1].exe
Virus:Trj/Siboco.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\OBCARF29\hp2[1].exe
Virus:VBS/Psyme.N Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\OBCARF29\IEService215[1].chm
Virus:VBS/Psyme.N Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\XBOBUZO7\IEService215[1].chm
Virus:Trj/Downloader.HH Disinfected C:\Program Files\Windows Media Player\wmplayer.exe

They were all marked as repaired or deleted, and I guess I shouldn't be worried quite as much about the IE5 cache files (all of which I'll delete) as I should be concerned about wmplayer.exe.

I'm currently running a Trend scan, and I'll rerun Panda and RAV until they all return clean.

Here is my latest HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 11:46:14 AM, on 7/20/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


#8 ccrb

Posted 20 July 2004 - 12:00 PM

Hmmm. Trend is finding a great deal more trojans, and cannot repair them. I'm manually deleting all that get listed.

#9 ccrb

Posted 20 July 2004 - 01:52 PM

Logfile of HijackThis v1.98.0
Scan saved at 1:49:29 PM, on 7/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PSSVC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsiExec.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\Administrator\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

#10 ccrb

Posted 20 July 2004 - 01:53 PM

Some Windows updates went through. Some fail every time (any ideas?). None result in bluescreens. System turned over to client.

#11 ChrisRLG

Posted 21 July 2004 - 03:00 AM

Well, the malware found by the AV scan were all in the temp folders - make sure you clean all those out.

Windows Update - well, MS has an update troubleshooting page - try that. But I don't have any machines with Win2000, so I am at a loss to give advice.

#12 dave38

Posted 22 January 2005 - 05:15 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.