
New machine -- same kind of attack



#1 ccrb

Posted 22 July 2004 - 04:46 PM

:gasp:

I have read the FAQs; heck, this is my third machine I've worked on, but they're all a little different.

Logfile of HijackThis v1.98.0
Scan saved at 4:23:39 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\rob\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iwnwt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iwnwt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iwnwt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\iwnwt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iwnwt.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iwnwt.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Startup: timesync.lnk = C:\timesync.cmd
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C78A8F-8982-4B46-8A7A-E86781252EB5}: NameServer = 209.253.113.18,209.253.113.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{19C78A8F-8982-4B46-8A7A-E86781252EB5}: NameServer = 209.253.113.18,209.253.113.2



Things I noticed that might be important:

1) any attempt to open IE generates a software install window for MS Office. I've been able to determine that this window is a ruse and the res://.....dll is reinfecting.

2) I can't run trend over the net as the malware terminates IE

3) certain popups contain the title ONLY THE BEST. I've seen that before.

what I've done...

of course, with the reinfections, we're back at square one

1) delete all entries in hijack this that refer to the #####.dll
2) delete lines with references to redirects or things that aren't familiar to me. I've been reading these logs a lot now, and I'm getting more confident in doing this.
3) I've deleted all cookies, all temporary Internet files, all files in temp directories I can find. I ran cleanmgr.
4) I've run spybot and adaware...

but, as I'm back at square one, I'm once again asking for help...

Rob

#2 ccrb

Posted 23 July 2004 - 07:55 AM

any help would be appreciated.

#3 OSC

Posted 23 July 2004 - 08:42 AM

Hi ccrb,

You have a nasty CoolWebSearch infection. Let's try running a removal tool made for this type of infection.

Download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, and Ok again to start the scan. It will generate a log. Post that log along with a new HijackThis log back into this thread.

#4 ccrb

Posted 23 July 2004 - 12:42 PM

:gasp: Installed About:Buster, ran it in safe mode, deleted all the new stuff repopulated in HJT.

As soon as I logged on in unsafe mode all of the dlls were back in hjt.

Gone back into safe mode, deleted the randoms in HJT; ran About:Buster again, now running Ad-Aware in this safe mode, will also run Spybot S&D in safe mode.

But before I go back into unsafe mode, I'll post the logs here. There's still something, somewhere that I am missing.

#5 ccrb

Posted 23 July 2004 - 01:01 PM

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\System32\nter.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 4 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 12:54:18 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\rob\AboutBuster.exe
C:\rob\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Startup: timesync.lnk = C:\timesync.cmd
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


and: contents of timesync.cmd:
rem timesync.cmd
net time \\pcserver /set /y

:D

#6 OSC

Posted 23 July 2004 - 07:37 PM

Hi ccrb,

Sorry I missed ya in the chat room. That last log looks good. :) Excellent job. Looks like about:buster in safe mode may have done the trick. Also, that .cmd file is ok. It looks like it's a time synchronization script pointing to a server on their network.

You already know all this, but I'll give you my spyware protection spiel anyway. :)

Protection - download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...ww/resource.htm

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see So how did I get infected in the first place?

#7 ccrb

Posted 26 July 2004 - 11:01 AM

After getting your go-ahead to boot up in unsafe mode, I checked the network settings, thinking that an IP address may be a problem, and the system came up and infected itself again.


grrrrrr.

Here is the HJT log. It was absolutely clean in safe mode.

Logfile of HijackThis v1.98.0
Scan saved at 10:35:48 AM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\appjj32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\msdl32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\rob\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ajkod.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ajkod.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ajkod.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ajkod.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll
O2 - BHO: (no name) - {8569FDF9-C711-43F3-A565-2CF6435DF7E0} - C:\WINDOWS\System32\clebda.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [msdl32.exe] C:\WINDOWS\msdl32.exe
O4 - Startup: timesync.lnk = C:\timesync.cmd
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C78A8F-8982-4B46-8A7A-E86781252EB5}: NameServer = 209.253.113.18,209.253.113.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{19C78A8F-8982-4B46-8A7A-E86781252EB5}: NameServer = 209.253.113.18,209.253.113.2
O18 - Filter: text/html - {CFAA24BF-8582-4D63-B4BC-F6241E7AB53A} - C:\WINDOWS\System32\clebda.dll
O18 - Filter: text/plain - {CFAA24BF-8582-4D63-B4BC-F6241E7AB53A} - C:\WINDOWS\System32\clebda.dll

What a mess, eh?

anyhow. I also downloaded mozilla, so I can at least get out on the net (this infection cripples IE). Running trend as soon as I can get mozilla working.
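As an added example (not code from anyone in this thread), here is a small Python script that applies the triage the helpers do by hand on the logs above to HijackThis lines: it flags R0/R1 pages rewritten to a res://...dll resource or to a file under TEMP, the missing URLSearchHook, unnamed BHOs, text/html and text/plain O18 filters, and Run entries launched straight from the Windows folder. The sample lines are constructed from the shapes seen in this thread, and the severity labels and reasons are my own.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# Line shapes taken from the HijackThis logs in this thread.
PAGE_SETTING = re.compile(r"^R[01] - (?P<key>[^=]+) = (?P<value>.+)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
FILTER_LINE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
RUN_LINE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<label>[^\]]+)\] "?(?P<path>[^"]+)"?', re.I)


def classify_line(line: str) -> Optional[Finding]:
    """Return a finding for one HJT line, or None if it matches no hijack pattern."""
    line = line.strip()
    m = PAGE_SETTING.match(line)
    if m:
        key, value = m.group("key").lower(), m.group("value").lower()
        if value.startswith("res://") and ".dll/" in value:
            return ("hijack", "IE start/search page served from a DLL resource", line)
        if value.startswith("file://") and "\\temp\\" in value:
            return ("hijack", "IE start/search page served from a file in TEMP", line)
        if key.endswith(",homeoldsp"):
            return ("review", "HomeOldSP set: a hijacker saved the previous start page", line)
        return None
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return ("review", "URLSearchHook removed, a common side effect of search hijackers", line)
    m = BHO_LINE.match(line)
    if m and m.group("name") == "(no name)":
        return ("review", "unnamed BHO loaded into every IE and Explorer process", line)
    m = FILTER_LINE.match(line)
    if m and m.group("mime") in ("text/html", "text/plain"):
        return ("hijack", "MIME filter on %s can rewrite every page IE renders" % m.group("mime"), line)
    m = RUN_LINE.match(line)
    if m:
        # Parent folder of the launched executable; legitimate Run entries rarely sit in C:\WINDOWS itself.
        parent = m.group("path").strip().rsplit("\\", 1)[0].lower()
        if parent in ("c:\\windows", "c:\\winnt"):
            return ("review", "Run entry launches an executable straight from the Windows folder", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify_line over a whole log and keep only the lines that matched."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    counts = {"hijack": 0, "review": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample in the shape of the logs posted above (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ajkod.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ajkod.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [msdl32.exe] C:\WINDOWS\msdl32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O18 - Filter: text/html - {CFAA24BF-8582-4D63-B4BC-F6241E7AB53A} - C:\WINDOWS\System32\clebda.dll
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), reason, line))
```

The "review" entries are not proof of infection on their own (the Norton BHO and NAV Agent lines pass untouched); they are the lines a helper reads first.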

#8 Komodo

Posted 26 July 2004 - 02:31 PM

O17 - HKLM\System\CCS\Services\Tcpip\..\{19C78A8F-8982-4B46-8A7A-E86781252EB5}: NameServer = 209.253.113.18,209.253.113.2
O17 - HKLM\System\CS1\Services\

I'm not sure what these are. Anyway, when I had a reinfecting PC even after virus/spyware scans, I went through my windows\system32 folders and found a boatload of DLLs and EXEs that shouldn't be there.

Might want to do the same; you can mouse over and see information about the files. Make sure you have hidden files and system files off.

Try bitdefender.com; it finds a lot of files, just doesn't remove them, and gives you a good idea of what to look for to delete.
I'd create a system restore point before you start deleting DLLs; it can be risky.

#9 ccrb

Posted 26 July 2004 - 03:17 PM

Logfile of HijackThis v1.98.0
Scan saved at 3:04:36 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\appjj32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\rob\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\david\Application Data\Mozilla\Profiles\default\g69ae6zi.slt\prefs.js)
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: timesync.lnk = C:\timesync.cmd
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#10 pomp

Posted 26 July 2004 - 03:22 PM

Have HijackThis fix the following with no browser windows open:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll

reboot computer into safe mode

delete if there:

C:\WINDOWS\mspv32.dll

empty recycling bin and post a new log from normal mode.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#11 ccrb

Posted 26 July 2004 - 03:40 PM

Logfile of HijackThis v1.98.0
Scan saved at 3:31:29 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\appjj32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\rob\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\david\Application Data\Mozilla\Profiles\default\g69ae6zi.slt\prefs.js)
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: timesync.lnk = C:\timesync.cmd
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

:gack:

#12 ccrb

Posted 26 July 2004 - 03:55 PM

Logfile of HijackThis v1.98.0
Scan saved at 3:47:20 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\david\Desktop\HijackThis.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\david\Application Data\Mozilla\Profiles\default\g69ae6zi.slt\prefs.js)
O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: timesync.lnk = C:\timesync.cmd
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

:bounce:

#13 pomp

Posted 26 July 2004 - 03:59 PM

with no browser windows open, fix the following:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {236CA94F-3393-2D7A-CDB1-7118197846E2} - C:\WINDOWS\mspv32.dll (file missing)


reboot computer.

You should finally be good to go!





#14 ccrb

Posted 26 July 2004 - 04:53 PM

good to go. scanning using panda (can't get trend to load). doing windows updates.

#15 ccrb

Posted 29 July 2004 - 10:09 AM

system stopped asking for Office CD when Office was reinstalled. Newest version of Norton found a trojan, and customer complained AGAIN of hijack. A thorough scan with Norton in safe mode. Manual deletion of infected files. HJT and a:b cleaned system again. In normal mode, system shows clean with HJT and Norton.

Waiting for a few days.

#16 dave38

Posted 22 January 2005 - 05:15 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



