ccrb

missing dll bluescreens win2000

12 posts in this topic

I have read the faq.

 

I have a Win2000 Pro system that was so bound up with malware that the company finally relented and called me in to fix it.

 

ad aware finds 100+ objects, almost all malware, very few cookies.

 

The system was way behind on security updates.

 

Thinking I should bring Windows up to date, I tried applying SP4, and after that I blue screen on a missing DLL (winsvr.dll, in one case, was missing).

 

Clearly, my approach must be to recover the system again, loading Win2000 on top of itself (again), then fixing the malware and getting a clean system before doing a Windows update.

 

Am I on track here?

 

I have HijackThis downloaded and ready to use.

I have Ad-Aware updated and ready to use.

I downloaded Spybot S&D but cannot get it updated (checksum errors).

I downloaded CWShredder and about:blast just in case I needed them.

 

I can't post a log here, because I've messed things up by trying to do a Windows update first.

 

Ideas? Procedures?


Ah. Finally able to get HijackThis!

 

I have run Spybot S&D in safe mode, and it couldn't remove ezcybersearch.surebar.

 

And here is the HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:04:15 PM, on 7/19/2004

Platform: Windows 2000 SP1 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\System32\SxgTkBar.exe

C:\WINNT\system32\msiexec.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\documents and settings\jplace\local settings\temp\hKuRh7.exe

C:\WINNT\System32\automove.exe

C:\WINNT\wovax.exe

C:\documents and settings\jplace\local settings\temp\hKuRh7.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Navnt\navapw32.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll (file missing)

O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [hKuRh7.exe] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [wovax] C:\WINNT\wovax.exe

O4 - HKLM\..\Run: [hKuRh7] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab

O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/jpager/y/pg5_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8187.4207060185

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} - https://folders.buzzsaw.com/nokz/kala_en_3_0_605_20.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

 

Also, when this system is booted a lot of software install windows open briefly then close.


You have an older version of HijackThis - please use the update feature: HijackThis - Config - Misc Tools - Update. Also:-

Important: Create a folder on the C: drive called C:\HJT.

You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.

Unzip HijackThis into this folder. Please delete the old copy (including the zip copy) so it can't be used.

If required a tutorial is here = Hijackthis Folder Tutorial

======================================

 

Use 'ctrl' + 'alt' + 'del' (Three keys together) to get taskmanager. Find these processes and 'end task' them.

OR

Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.

 

hKuRh7.exe

id53.exe

automove.exe

Tvm.exe

 

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll (file missing)

O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O4 - HKLM\..\Run: [hKuRh7.exe] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [wovax] C:\WINNT\wovax.exe

O4 - HKLM\..\Run: [hKuRh7] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab

O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

 

The following activeX controls will reinstall when(and if) you revisit that website, UNLESS you know they are from a safe source, check to remove.

 

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} - https://folders.buzzsaw.com/nokz/kala_en_3_0_605_20.cab

 

Then reboot to safe mode (F8 on boot) and delete the following files/folders:-

NOTE: To avoid the risk of any of the above not being found because they have the 'Hidden' attribute, first make sure that in Folder Options > View, hidden and operating system files are set to show:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Or items 8 & 9 from this link:

http://www.russelltexas.com/malware/faqhijackthis.htm

 

All content (except those dated today) but not the folder itself

C:\documents and settings\jplace\local settings\temp\

 

Folder > c:\installer\

File > C:\WINNT\System32\automove.exe

File > C:\WINNT\wovax.exe

Folder > C:\Program Files\TV Media\

 

Then reboot and post a fresh log for me to check.

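The reply above sorts a HijackThis log by eye: running processes and O4 autoruns that launch from a user's temp folder, O2/R3 registrations whose file is gone, and O16 DPF ActiveX downloads from sites that are not known to be safe. The script below is an added example (not code from this thread or from HijackThis) that applies the same three checks offline to the log's text format. The trusted-domain list, the temp-folder path markers and the sample log (a few lines copied from the first log posted in this thread, plus benign entries) are assumptions made for the example.

```python
"""Offline triage of a HijackThis text log.

Added example, not part of the forum thread or of HijackThis. It reproduces
the checks the helper applied by hand: autoruns and running processes that
live in a temp folder, orphaned BHO/URLSearchHook registrations, and
ActiveX (O16 DPF) downloads from domains outside an allow-list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: download hosts whose O16 entries are expected on this machine.
TRUSTED_DPF_DOMAINS = {
    "www.apple.com", "download.macromedia.com", "download.microsoft.com",
    "v4.windowsupdate.microsoft.com", "www.pandasoftware.com",
    "www.ravantivirus.com", "download.games.yahoo.com", "jpager.yahoo.com",
}

# Assumption: path fragments that identify a per-user temporary location.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")                   # a line in "Running processes:"
URL_RE = re.compile(r"https?://[^\s]+")


@dataclass
class Finding:
    section: str   # HijackThis section (O2, O4, O16, ...) or PROCESS
    reason: str
    line: str


def parse(log_text):
    """Yield (section, body, raw_line) for process lines and R/O entries."""
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first R/O entry ends the process block
            yield m.group(1), m.group(2), line
        elif in_processes and PATH_RE.match(line):
            yield "PROCESS", line, line


def triage(log_text):
    """Return the entries a reviewer should look at, with the reason."""
    findings = []
    for section, body, line in parse(log_text):
        lower = body.lower()
        if section == "PROCESS":
            if any(mk in lower for mk in TEMP_MARKERS):
                findings.append(Finding(section, "process running from a temp folder", line))
        elif section == "O4":
            # body: HKLM\..\Run: [name] C:\path\prog.exe args  -> keep the command part
            target = body.split("]", 1)[1].lower() if "]" in body else lower
            if any(mk in target for mk in TEMP_MARKERS):
                findings.append(Finding(section, "autorun launched from a temp folder", line))
        elif section in ("O2", "R3"):
            if "(no file)" in lower or "(file missing)" in lower:
                findings.append(Finding(section, "registration points to a file that no longer exists", line))
        elif section == "O16":
            m = URL_RE.search(body)
            host = (urlparse(m.group(0)).hostname or "").lower() if m else ""
            if host not in TRUSTED_DPF_DOMAINS:
                findings.append(Finding(section, f"ActiveX download from unlisted domain '{host}'", line))
    return findings


# Constructed sample: lines copied from the thread's first log plus benign entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:04:15 PM, on 7/19/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)

Running processes:

C:\WINNT\System32\smss.exe
C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
C:\Program Files\Navnt\navapw32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hKuRh7.exe] C:\documents and settings\jplace\local settings\temp\hKuRh7.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports five entries: the temp-folder process and its matching O4 autorun, the orphaned R3 hook and O2 BHO, and the riversoftware.net DPF; the Acrobat BHO, the QuickTime autorun and the Apple DPF pass. The allow-list is deliberately the weak link: a domain it does not know is surfaced for a human decision, which is the same "UNLESS you know they are from a safe source" judgement the reply leaves to the reader.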

I did all the above, plus took out the Yahoo Pager entries and a few other toolbar entries...

 

Looks good, BUT there's still an attempt to install software (MS Office?) when I do much of anything.

 

Here's the log:

 

Logfile of HijackThis v1.98.0

Scan saved at 6:01:22 PM, on 7/19/2004

Platform: Windows 2000 SP1 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\system32\msiexec.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Navnt\navapw32.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

Thanks so much

 

Rob in Indiana :oops:


This line is bad:

 

O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

 

Fix that with HijackThis - it should not be a problem.

 

Your other problem may be solved when you get your Windows updates done, as you are a long way behind (I remember you had problems doing so because of the malware), so get them next - plus these extra programs to help you keep clean.

=======================

 

This is my normal post for when you are clear - which you now seem to be - please advise of any problems :-

------------------------

How on earth did I get infected with all that spyware in the first place?

http://www.net-integration.net/cgi-bin/for...ct=ST;f=38;t=30

51

Also available from here :- http://www.computercops.biz/postlite7736-.html

or http://boards.cexx.org/viewtopic.php?t=957

--------------

Look at the info on my website regarding malware (link below). Some things you can do to stop getting infected again:-

 

Spybot S&D and Ad-Aware: run weekly - or after a heavy internet session.

 

SpywareBlaster & SpywareGuard: the first sets kill bits to stop known bad ActiveX controls installing; the second acts like your AV to stop browser hijacks and the installing of known baddies.

 

Also IE-SPYAD (link on my site), which puts 4000 bad sites in your Restricted (banned) sites list, to stop you accidentally getting sent to a bad site; it has an optional list of "bad" adult sites to install as well.

 

All of those have links from my site. Do remember that, just like anti-virus, they need to be updated regularly; I do mine weekly, anti-virus hourly.

 

With these and a firewall in place, I have to try various bad sites when checking people's HijackThis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen, LOL.


Back on client's computer.

 

I left an antivirus scan running last night, and here are the results:

 

 

Incident Status Location

 

Virus:Trj/Siboco.A Disinfected C:\Documents and Settings\jplace\Local Settings\TEMP\~7172796890.tmp

Virus:Trj/SubSearch.C Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\1DY9QF79\IEService215[1].exe

Virus:Trj/Debeski.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\29GFQ3I9\start[1]

Virus:Trj/Siboco.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\49E3GXUJ\hp1[1].exe

Virus:Trj/Idly.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\4DQNKT2J\IdleUI[1].dll

Virus:Exploit/Mhtredir.L Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\ATYHQRMP\old[1].htm

Virus:Trj/Downloader.HH Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\B2YVI576\s_win32[1].exe

Virus:Exploit/Mhtredir.B Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\GH2BS9MB\OLD[1].CHM

Virus:Trj/Seeker.W Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\GPMJ4TEJ\object-c002[2].hta

Virus:Trj/Debeski.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\H03LKLO8\newobject1[1].hta

Virus:Trj/Revop.F Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\OBCARF29\bdl14122[1].exe

Virus:Trj/Siboco.A Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\OBCARF29\hp2[1].exe

Virus:VBS/Psyme.N Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\OBCARF29\IEService215[1].chm

Virus:VBS/Psyme.N Disinfected C:\Documents and Settings\jplace\Local Settings\Temporary Internet Files\Content.IE5\XBOBUZO7\IEService215[1].chm

Virus:Trj/Downloader.HH Disinfected C:\Program Files\Windows Media Player\wmplayer.exe

They were all marked as repaired or deleted, and I guess I shouldn't be worried quite as much about the IE5 cache files (which I'll delete ALL of) as I should be concerned about wmplayer.exe.

 

I'm currently running a Trend scan right now, and I'll rerun Panda and RAV until they all return clean.

 

Here is my latest HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:46:14 AM, on 7/20/2004

Platform: Windows 2000 SP1 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\system32\msiexec.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Navnt\navapw32.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\NOTEPAD.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

:mellow:


Hmmm. Trend is finding a great deal more trojans, and cannot repair them. I'm manually deleting all that get listed. :!:


Logfile of HijackThis v1.98.0

Scan saved at 1:49:29 PM, on 7/20/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\MsiExec.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Navnt\POPROXY.EXE

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Navnt\navapw32.exe

C:\Documents and Settings\Administrator\DESKTOP\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.yahoo.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAEB2CE-A26A-4B22-8402-8A19DC8CC2E0}: NameServer = 192.168.42.254,66.103.111.10,64.19.9.33,64.19.9.18

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


Some Windows updates went thru. Some fail every time (any ideas?). None result in bluescreens. System turned over to client.


Well, the malware found by the AV scan was all in the temp folders - make sure you clean all those out.

 

Windows Update - well, MS have an update troubleshooting page - try that. But I don't have any machines with Win2000, so I am at a loss to give advice.


If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
