
ZA server requests


5 replies to this topic

#1 pgcoutur

pgcoutur

    Member

  • New Member
  • 4 posts

Posted 01 June 2004 - 08:36 PM

How do I eliminate them?
Here is Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:26:01 PM, on 6/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\VSTASCAN\vsaccess.exe
C:\WINNT\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINNT\system32\faxsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
c:\hijackthis\hijackthis.exe
C:\hijackthis\hijackthis.exe
C:\WINNT\System32\narrhook.exe
C:\WINNT\System32\odtext32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RexSyMon] C:\PROGRAM FILES\REX6000\IntellisyncForRex\rexsymon.exe
O4 - HKCU\..\Run: [feclient] C:\WINNT\System32\feclient.exe
O4 - HKCU\..\Run: [narrhook] C:\WINNT\System32\narrhook.exe
O4 - HKCU\..\Run: [odtext32] C:\WINNT\System32\odtext32.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Juno (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEC30731-8C51-4F12-AB79-DB2E497D3234}: NameServer = 205.188.146.146

#2 pgcoutur

pgcoutur

    Member

  • New Member
  • 4 posts

Posted 09 June 2004 - 08:34 PM

I'm increasing the queue position because no one has replied.

#3 lion7718

lion7718

    Advanced Member

  • Full Member
  • 160 posts

Posted 10 June 2004 - 07:51 AM

Read this:
http://computercops....wtopic&p=192854

#4 pgcoutur

pgcoutur

    Member

  • New Member
  • 4 posts

Posted 10 June 2004 - 08:06 PM

I tried the suggested computercops comment. It said the module was no longer active. Can you summarize?

Edited by pgcoutur, 10 June 2004 - 08:08 PM.


#5 picard_uk

picard_uk

    Forum Deity

  • Trusted Advisor
  • 1,654 posts

Posted 11 June 2004 - 03:20 AM

Hello pgcoutur,

I'd like you to run both of the online scans from these links

http://www.pandasoft...n_principal.htm

http://housecall.tre...trendmicro.com/


Next, I'd like you to run HijackThis, then check and fix the following if found:

O4 - HKCU\..\Run: [feclient] C:\WINNT\System32\feclient.exe
O4 - HKCU\..\Run: [narrhook] C:\WINNT\System32\narrhook.exe
O4 - HKCU\..\Run: [odtext32] C:\WINNT\System32\odtext32.exe


Reboot the computer in safe mode by restarting and repeatedly tapping the F8 key.

Show hidden files and folders
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files option.
Click Yes to confirm.
Click OK.


Find and delete the following (Note - the online scans may have got rid of some or all of the files)

C:\WINNT\System32\feclient.exe
C:\WINNT\System32\narrhook.exe
C:\WINNT\System32\odtext32.exe
Note, only delete the files in bold.

Reboot as normal. Run HijackThis and post a fresh log.

You may want to get better protected so that this doesn't happen again.
Ad-Aware and
SpyBot Search & Destroy
Here's a nice tutorial on scanning with Ad-Aware and SpyBot

Keep your windows software updated at http://v4.windowsupdate.microsoft.com/. Failing to update leaves your machine open to attack.

Since this one looks to have slipped past Norton Anti Virus, you should update this also, or use the free piece of software that is available from the link below.

http://www.grisoft.c...s_dwnl_free.php



picard.
Every day's a school day....

I offer my services in these forums as a volunteer.
You can help support these forums.



ASAP member since 2005 Alliance of Security Analysis Professionals

#6 pgcoutur

pgcoutur

    Member

  • New Member
  • 4 posts

Posted 13 June 2004 - 08:16 PM

I did as you requested. The programs in question seem to be gone. Thank you! Here is the latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:16:59 PM, on 6/13/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\realtime.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\VSTASCAN\vsaccess.exe
C:\WINNT\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINNT\System32\mdm.exe
C:\hijackthis\hijackthis.exe
C:\WINNT\system32\faxsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKCU\..\Run: [RexSyMon] C:\PROGRAM FILES\REX6000\IntellisyncForRex\rexsymon.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Juno (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by pgcoutur, 13 June 2004 - 10:30 PM.
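An added example, not part of this thread and not a HijackThis feature: a small Python script that parses the O4 autorun lines from the two logs posted above, diffs them to confirm which entries disappeared after the cleanup, and applies one review heuristic (an assumption, not a rule from the thread) that flags per-user HKCU Run values pointing at executables sitting directly in System32, which is the pattern picard_uk singled out. The log excerpts are copied from the two posts; the function names and the heuristic are the editor's own.

```python
import re
from typing import Dict, List, Tuple

# Excerpts of the two HijackThis logs posted in this thread: the first log
# (1 June) and the fresh log posted after the cleanup (13 June). Only the
# O4 autorun lines are needed for the comparison.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RexSyMon] C:\PROGRAM FILES\REX6000\IntellisyncForRex\rexsymon.exe
O4 - HKCU\..\Run: [feclient] C:\WINNT\System32\feclient.exe
O4 - HKCU\..\Run: [narrhook] C:\WINNT\System32\narrhook.exe
O4 - HKCU\..\Run: [odtext32] C:\WINNT\System32\odtext32.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKCU\..\Run: [RexSyMon] C:\PROGRAM FILES\REX6000\IntellisyncForRex\rexsymon.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
"""

# "O4 - HKLM\..\Run: [Name] command"  and  "O4 - Startup: Name.lnk = target"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+?) = (.+)$")
# First .exe path in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^\s*"?(.+?\.exe)', re.IGNORECASE)
# Executables that live directly in the Windows system directory.
SYSDIR_RE = re.compile(r"\\(winnt|windows)\\system32\\[^\\]+$", re.IGNORECASE)


def parse_o4(text: str) -> Dict[str, str]:
    """Map 'location:name' -> command for every O4 autorun line in a log."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            location, name, command = m.groups()
            entries[f"{location}:{name}"] = command
    return entries


def exe_path(command: str) -> str:
    """Executable path from a Run command line, quotes and arguments dropped."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command.strip()


def diff_o4(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) autorun keys between two logs, both sorted."""
    b, a = parse_o4(before), parse_o4(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


def flag_user_run_in_sysdir(text: str) -> List[str]:
    """Heuristic (assumption, not a HijackThis rule): per-user HKCU Run values
    whose target sits directly in System32 deserve a second look, because
    installed software normally registers machine-wide and keeps its own
    program directory. Returns the value names, sorted, for a human to review."""
    flagged = []
    for key, command in parse_o4(text).items():
        location, name = key.split(":", 1)
        if location == "HKCU" and SYSDIR_RE.search(exe_path(command)):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    removed, added = diff_o4(LOG_BEFORE, LOG_AFTER)
    print("flagged in first log:", flag_user_run_in_sysdir(LOG_BEFORE))
    print("removed after cleanup:", removed)
    print("new since first log:", added)
```

Run against the two logs, the heuristic flags exactly the three values picard_uk asked to fix (feclient, narrhook, odtext32), and the diff confirms they are gone from the second log. The diff also surfaces one entry that is new in the second log and that the thread does not discuss, `PCDRealtime` pointing at `C:\WINNT\realtime.exe`; a reviewer comparing logs would want to account for it rather than only checking that the old entries disappeared.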




