Jump to content


Photo

s.o.s


  • Please log in to reply
10 replies to this topic

#1 Macca31

Macca31

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 02 June 2004 - 01:53 AM

Hi
Could anyone please help me.
Here is a list of symptoms:
(1)home page is ALWAYS "cool web search" even when I change it in "iternet options".
(2)When I click on " internet exlpoer" to bring up a web page, it takes 20-30 seconds to come up, plus, the box is about 1" square on my desktop.
(3) After connecting to the net, down in the toolbar i get these 2
"http://accu.acculoader.com......" AND "C:\WINNT\dl.html"
(4) 20 seconds later i get a message from norton telling me there is a malicious script: C/WINNT/-embedding
(5) All functions are verrrry slow, from minimzing to opening anything from the desktop.
My log from hijack this is below:

Logfile of HijackThis v1.97.7
Scan saved at 2:54:54 PM, on 2/06/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSVCCDA.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\loadqm.exe
C:\WINNT\system32\wintime.exe
C:\WINNT\System32\svchosd.exe
C:\WINNT\mstasks2.exe
C:\Documents and Settings\Shaun McPherson\Application Data\aoel.exe
C:\WINNT\System32\rundll32.exe
C:\Documents and Settings\Shaun McPherson\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Shaun McPherson\Application Data\winyl\winyl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinTime] C:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINNT\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [Ermr] C:\Documents and Settings\Shaun McPherson\Application Data\aoel.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8000.8444444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx


Also, outlook express keeps getting hacked too
Please help me guys. It would be appreciated
Cheers
Craig

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 05:22 AM

Your version of IE is ancient, it's no wonder you are getting hijacked. Click here to get the latest version of Internet Explorer. Click here to make sure that you have the latest Critical Update patches for Windows. It's very important to keep your system up to date to avoid unnecessary security risks.

Then using HJT create a startuplist log (Config>misc tools and check the two boxes under the button). Post it in your next reply.

Also, click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.
Posted Image

#3 Macca31

Macca31

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 02 June 2004 - 06:46 AM

Firstly..thanks heaps for replying
I will install new I.E tomorrow (Ihave to free up some room on C drive first)
I updated Ad-aware and ran it...it found over 220 objects which I deleted.
Rebooted and ran hjt

Logfile of HijackThis v1.97.7
Scan saved at 9:35:34 PM, on 2/06/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSVCCDA.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\loadqm.exe
C:\WINNT\system32\wintime.exe
C:\WINNT\System32\svchosd.exe
C:\WINNT\mstasks2.exe
C:\WINNT\System32\rundll32.exe
C:\Documents and Settings\Shaun McPherson\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinTime] C:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINNT\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINNT\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8000.8444444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx

Thanks again mate...hope you can solve this
Cheers,
Craig

#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 06:50 AM

Could you post that startuplist log as well?
Posted Image

#5 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 06:58 AM

Whilst I'm looking over that...click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

C:\WINNT\winupd.exe

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The C:\WINNT\winupd.exe listing should show up in the window. Then repeat the process, this time adding:

C:\WINNT\system32\wintime.exe

If that's successful you should have the two files listed. Then repeat so that all these files appear in the list as well:

C:\WINNT\mstasks2.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\svchosd.exe

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [WinTime] C:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINNT\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINNT\svchost.exe

Reboot when done. Could you go here and run online scans (all), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan

Reboot when done. Rescan with HJT and post a new log.
Posted Image

#6 Macca31

Macca31

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 02 June 2004 - 03:46 PM

G`day...here is my start-up list
i`m going thru the procedure you mentioned now.
Thanks again

StartupList report, 3/06/2004, 6:45:37 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Shaun McPherson\Desktop\StartupList.EXE
Detected: Windows 2000 SP1 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 (5.00.2920.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSVCCDA.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\loadqm.exe
C:\WINNT\system32\wintime.exe
C:\WINNT\System32\svchosd.exe
C:\WINNT\mstasks2.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\WINNT\svchost.exe
C:\Documents and Settings\Shaun McPherson\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
NeroCheck = C:\WINNT\system32\NeroCheck.exe
LoadQM = loadqm.exe
WinTime = C:\WINNT\system32\wintime.exe
Upgrade Service = C:\WINNT\winupd.exe
Aplune Service = svchosd.exe
RunDLL = rundll32.exe "C:\WINNT\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
ist service uninstall = C:\WINNT\mstasks2.exe /u

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Windows Deafult Configuration = C:\WINNT\svchost.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Minesweeper Flags Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...MineSweeper.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.14...tiveXImgCtl.CAB

[MessengerStatsClient Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...StatsClient.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINNT\DOWNLO~1\MEDIAT~1.OCX
CODEBASE = http://www.mt-downlo...tsInstaller.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8000.8444444444

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[EPSImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg...ntrol_v1-32.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://by1fd.bay1.ho...ex/HMAtchmt.ocx

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\shaun mcpherson\cookies\shaun mcpherson@mediaplex[1].txt


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
System: C:\WINNT\system32\system32.dll

--------------------------------------------------
End of report, 6,583 bytes
Report generated in 0.220 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 04:22 PM

OK, that found it. Let's doublecheck the keys. Please surf to http://www.billsway.com/vbspage/ and scroll down to Registry Search Tool. Download, unzip and run RegSrch.vbs

Copy and paste this in the dialog box: system32.dll

After a while a prompt will come up. Click OK to write the results to wordpad and post them.
Posted Image

#8 Macca31

Macca31

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 02 June 2004 - 05:00 PM

Did as asked above
I placed "system32.dll" in the box and pressed "ok"
Instantly got a message from norton saying
"Malicious script detected"
Fe is " c:\documents and settings\shaun mcpherson\desktop\regSrch.vbs"
I click "ok" to stop this script.
Then nothing happens.
Please advise
Thanks again

#9 Macca31

Macca31

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 02 June 2004 - 06:16 PM

Hi Daemon
Ive done all that you asked above
Ran a final ad-aware and hjt
HJT log is below

Logfile of HijackThis v1.97.7
Scan saved at 9:16:12 AM, on 3/06/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTSVCCDA.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\rundll32.exe
C:\Documents and Settings\Shaun McPherson\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8000.8444444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{27EFD9B1-6B07-4B08-BD62-208B6835B69F}: NameServer = 203.2.75.132 198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{27EFD9B1-6B07-4B08-BD62-208B6835B69F}: NameServer = 203.2.75.132 198.142.0.51

#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 03 June 2004 - 01:01 AM

You have to tell Norton to run the file. The dll is bad and we still need to remove it otherwise the redirect will come back.
Posted Image

#11 Macca31

Macca31

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 03 June 2004 - 04:02 AM

ok..thanks so much for your help and dedication to this subject Daemon
I applaud you

Craig




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button