
Day 4: Still fighting res:// bug



#1 DrinknHand


Posted 22 June 2004 - 05:10 PM

Hello, all...

Been fighting this one for days now and it keeps coming back. Below is the most recent HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 4:38:16 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Qlock\Qlock.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Trojan Killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E20491B5-C74F-47E3-9E92-972F39822E4A} - C:\WINDOWS\System32\fdhl.dll


Of course, I can, and do, repeat all the steps prescribed in the numerous threads to get rid of this one, but finally noticed a few trends...

After I kill it (temporarily that is), I notice the following:

1) Page file growth (double or triple the norm)
2) Explorer.exe becomes a memory hog (at times 200,000kb+)

Has anyone else noticed this?

Oh, one other thing... I passed this information on to the folks at Symantec in the Security Response group. Seems they hadn't (or at least the manager hadn't)

I'm running Ad-Aware (current build), Norton AV2003, SB S & D, Trojan Hunter, HJT and anything else suggested in these threads.

Thank god I'm drinking, or I'd have just reformatted the damn machine by now.
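
An added example (not part of the original post, and not HijackThis's own logic): a short Python triage of the R and O2 lines from the log above, listing the local files those entries point at. The heuristics, the names `triage` and `files_to_inspect`, and the last sample O2 line are assumptions made for illustration.

```python
import re

# Lines copied from the log in the post above; the final O2 line is constructed
# as a benign comparison case and does not come from the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICAN~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {E20491B5-C74F-47E3-9E92-972F39822E4A} - C:\WINDOWS\System32\fdhl.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# Assumption: IE page settings that resolve to local content deserve a closer look.
LOCAL_SCHEMES = {"file", "res"}
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def triage(log_text):
    """Return (section, key, target, reason) for each entry matching the heuristics."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            code, key, name, value = m.groups()
            scheme = value.split(":", 1)[0].lower()
            if scheme in LOCAL_SCHEMES:
                findings.append((code, f"{key},{name}", value,
                                 f"{scheme}:// target for an IE page setting"))
            continue
        m = O2_LINE.match(line)
        if m and m.group(1) == "(no name)":
            findings.append(("O2", m.group(2), m.group(3), "BHO registered without a name"))
    return findings


def files_to_inspect(findings):
    """Unique local paths referenced by flagged entries (scheme prefix removed)."""
    return sorted({re.sub(r"^(?:file|res)://", "", target, flags=re.I)
                   for _section, _key, target, _reason in findings})


if __name__ == "__main__":
    for path in files_to_inspect(triage(SAMPLE_LOG)):
        print(path)
```
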

#2 DrinknHand


Posted 22 June 2004 - 05:41 PM

Forgot to add that I'm also experiencing problems executing a program (Easy Video Joiner). Got an error message reading, "Cannot execute due to bad sector or virus" or something to that effect.

Thinking initially that the bug might have corrupted the program, I uninstalled and tried to re-install, only to get the same error after install.

I've noticed in other threads here and other spyware forums that some people are reporting this sort of symptom in regards to installing new anti-spyware programs.

Anyone seeing this w/ this bug?

#3 vitki


Posted 22 June 2004 - 05:51 PM

I followed the advice in the pinned post at the top of this forum and it worked for me.
I downloaded, installed and updated ad-aware. I booted into safe mode, ran a smart scan and deleted all files that it found. I then ran a scan with the whole C drive selected, not a smart scan. It found a lot more files (mainly cookies in other users' folders) including some dat, dll and cat files. I deleted everything and booted back into normal mode.
I went into internet properties before launching IE and saw that the homepage was still set to the malware dll file, so I changed it back to Google. I launched IE and all worked as it was supposed to.
Knock on wood, it is fixed.

Vitki

#4 DrinknHand


Posted 22 June 2004 - 06:46 PM

Yeah, been there, done that. Repeatedly.

Like I've said, I've been wrestling with this one for four days. All forward progress is quickly erased when it comes back.

I'm currently showing as clean, but worry it will come back soon.

Knock wood, fingers crossed, and a quick prayer.

#5 DrinknHand


Posted 22 June 2004 - 09:26 PM

Bump

#6 DrinknHand


Posted 22 June 2004 - 10:03 PM

Bump



