branding

Navigation



You are not logged in.
Login | New user registration 		Main Index | Search | Active Topics | Who's Online | FAQ / HELP

Security >> HijackThis logs help and analysis
Previous topic Previous   View all topics Index   Next topic Next   Threaded Mode Threaded  

 |  Print Topic Pages: 1 | 2 | >> (show all)
blazenko
regular


Reg'd: Wed
Posts: 22
ad-w-a-r-e
      #140230 - Thu Dec 16 2004 04:31 PM
Reply to this post Reply   Reply to this post Quote  

Hi

I'm suffering from "ad-w-a-r-e.com" pup-ups...

When i run HJT, all seems fine, apart from changes to hosts file:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

I've read about this malware, and tried all solutions i found, but none works. I've instaled VX2-remover add-on for AdAware, but when i run it, it keeps saying that system is clean. After long hestitation, I've also run look2me's Uninstaller... hestitation because if i understood well, look2me are the very authors of the [ah em!], but people seem to have had success by running the uninstaller... not me, however. Says "no version found to be removed"
I've also emptied ...../LocalSettings/Temp dir while in safe mode, and it removed most of the [ah em!] i had, but not these pop-ups... please help!!! i'm supposed to be working on a tight deadline but this [ah em!] has eaten up almost whole of my day...

Here's HJT log. Apart from Running Processes part (which is not visible when running/fixing HJT), all other items are ok and legal on my comp, expect those hosts changes, as i said... but maybe someone sees something i don't...

Thnx!!

Logfile of HijackThis v1.98.2
Scan saved at 17:32:36, on 16/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Install\HiJackThis etc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.monitor.hr/index2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140354 - Thu Dec 16 2004 09:37 PM
Reply to this post Reply   Reply to this post Quote  

Download the program Hoster which gives you the ability to restore the default host file back onto your machine. To do so, download the Hoster program and run it. When it opens, click on the Restore Original Hosts button and then exit Hoster.

Please select the following with HijackThis. With all windows (including this one!) closed, please select "fix.”

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.monitor.hr/index2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Download and run AD-AWARE SE. & Spybot Search & Destroy Delete anything they find.

Tutorials
Ad-Aware Second Edition Tutorial

Spybot Search & Destroy Tutorial


Click the reply button above, right, and post another log.

Joe.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140498 - Fri Dec 17 2004 11:47 AM
Reply to this post Reply   Reply to this post Quote  

Thnx Joe

I did everything you said, including removing (HJT fixing) two items which i knew were ok, just in case (Links folder and start page)

Btw, Hoster fixes the hosts file, but it gets overwritten again within 5 seconds (i measured), even tho i set it to read-only (in Hoster)

The dreaded pup-ups still keep popping up...

Please help, someone! IT says everywhere that VX2 plugin for AdAware should remove this, but it doesn't! i'm going nuts!

Here's the log after all the recommended steps:

Logfile of HijackThis v1.98.2
Scan saved at 02:22:33, on 17/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\TextPad 4\TextPad.exe
D:\Install\HiJackThis etc\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: blazenko]
      #140501 - Fri Dec 17 2004 12:09 PM
Reply to this post Reply   Reply to this post Quote  

i should mention there's one more thing... whenever i boot, upon entering windows, i get a RUNDLL error, which says it's missing a dll for running UMonitor... name of the dll is each time different. Hopefully this might be a clue...

Thnx in advance for all help regarding this and ad-w-a-r-e popups!!


Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140504 - Fri Dec 17 2004 12:22 PM
Reply to this post Reply   Reply to this post Quote  

I think you may well have the new very hard to shift variant of the Look2Me infection. I'll have to take advice on this and get back to you later.

Joe.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140507 - Fri Dec 17 2004 12:34 PM
Reply to this post Reply   Reply to this post Quote  

Thanx man!!

I think so too, look2me was much mentioned in what i've been able to find out about this, and i've read that the recommended solutions (which i have already tried) remove most but not all versions... seems i've been unlucky enough to get one of those others...

Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140508 - Fri Dec 17 2004 12:45 PM
Reply to this post Reply   Reply to this post Quote  

The good news is we have already had an occurrence of this here and we believe we have a fix. Bear with me while I consult my colleagues about it. If our suspicions are right we should be able to sort it.

In the meantime can you try to remember when this occurred? This date is very important I understand to identify the bad files.

Joe.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140511 - Fri Dec 17 2004 12:54 PM
Reply to this post Reply   Reply to this post Quote  

Yup, i contracted the bastard yesterday, 16. Dec...

Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140525 - Fri Dec 17 2004 02:12 PM
Reply to this post Reply   Reply to this post Quote  

OK lets try this:

Download FindIt.zip and unzip it
to your desktop.



Open the FindIt folder and run the Find.bat file.

A text file called Output.txt will be created.
Save this file and post it's contents in your next reply along with the new HijackThis log.

Joe
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140544 - Fri Dec 17 2004 03:28 PM
Reply to this post Reply   Reply to this post Quote  

Thnx Joe

I ran Find.bat, and while DOS window was open, i got the following notification:
16-bit MS-DOS-subsystem (<---title)
C:\WINNT\System32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. System file is not suitable for MS-DOS and MS Windows use. Click Close to close the application.

(perhaps it's usually a bit differantly worded, i was translating from Dutch)

I had to click [Close] on it for about 5 - 6 times (it would pop up again immediately)

In the end, this is the Output.txt i got from it:

================================
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 02:40 224,396 q2pslc771f.dll
17/12/2004 02:40 <DIR> dllcache
17/12/2004 02:38 224,124 kt0ql7d51.dll
16/12/2004 16:45 224,830 vat3216.dll
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
5 bestand(en) 1,062,502 bytes
1 map(pen) 23,120,609,280 bytes beschikbaar

------- Hidden Files in System32 Directory -------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 02:40 <DIR> dllcache
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
08/09/2003 19:41 <DIR> GroupPolicy
08/09/2003 19:37 21,825 folder.htt
08/09/2003 19:37 271 desktop.ini
4 bestand(en) 411,248 bytes
2 map(pen) 23,120,605,184 bytes beschikbaar

---------- Files Named "Guard" -------------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 12:17 224,124 guard.tmp
1 bestand(en) 224,124 bytes
0 map(pen) 23,120,605,184 bytes beschikbaar

--------- Temp Files in System32 Directory --------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 12:17 224,124 guard.tmp
23/08/2001 15:00 74,802 atl.dll.tmp
11/01/2000 01:00 2,828 CONFIG.TMP
3 bestand(en) 301,754 bytes
0 map(pen) 23,120,605,184 bytes beschikbaar

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{660BB81E-52DD-4E8D-9E18-833B59364B80}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Drivers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\alsmib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"="126"
"ID"="{DA4F8A68-7BFD-422D-98EB-413EE73902B1}"
"IDex"="VT00"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\kt0ql7d51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Locked Files -----------------


-------------- XFind Qoologic Results --------------


-------------- XFind Aspack Results ---------------


-------------- Locate.com Results ---------------

================================



After that i ran HJT and this is the log:

================================
Logfile of HijackThis v1.98.2
Scan saved at 16:33:29, on 17/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Macromedia\Flash MX\Flash.exe
C:\Program Files\Adobe\Photoshop 5.5\Photoshp.exe
C:\Program Files\TextPad 4\TextPad.exe
D:\Install\HiJackThis etc\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

================================


Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140547 - Fri Dec 17 2004 03:46 PM
Reply to this post Reply   Reply to this post Quote  

I've just had a look at another log and I think there must be an English Version of the log. It looks as if we are on the right track so can you check that out and download again please and then post both logs again.

Better safe than sorry.

Joe.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140552 - Fri Dec 17 2004 04:05 PM
Reply to this post Reply   Reply to this post Quote  

Oooops, i never noticed the log was (partly) in Dutch! I only saw the top line (in english) and then copy/pasted into the post...

My system is in Dutch, that's probably why...

I translated the log, if that's any help?

Here goes:

------- System Files in System32 Directory -------

The volume name of disk C is LOLEK
The volume number is B490-F09F

Directory of C:\WINNT\System32

17/12/2004 02:40 224,396 q2pslc771f.dll
17/12/2004 02:40 <DIR> dllcache
17/12/2004 02:38 224,124 kt0ql7d51.dll
16/12/2004 16:45 224,830 vat3216.dll
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
5 file(s) 1,062,502 bytes
1 folder(s) 23,120,609,280 bytes available

------- Hidden Files in System32 Directory -------

The volume name of disk C is LOLEK
The volume number is B490-F09F

Directory of C:\WINNT\System32

17/12/2004 02:40 <DIR> dllcache
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
08/09/2003 19:41 <DIR> GroupPolicy
08/09/2003 19:37 21,825 folder.htt
08/09/2003 19:37 271 desktop.ini
4 file(s) 411,248 bytes
2 folder(s) 23,120,605,184 bytes available

---------- Files Named "Guard" -------------

The volume name of disk C is LOLEK
The volume number is B490-F09F

Directory of C:\WINNT\System32

17/12/2004 12:17 224,124 guard.tmp
1 file(s) 224,124 bytes
0 folder(s) 23,120,605,184 bytes available

--------- Temp Files in System32 Directory --------

The volume name of disk C is LOLEK
The volume number is B490-F09F

Directory of C:\WINNT\System32

17/12/2004 12:17 224,124 guard.tmp
23/08/2001 15:00 74,802 atl.dll.tmp
11/01/2000 01:00 2,828 CONFIG.TMP
3 file(s) 301,754 bytes
0 folder(s) 23,120,605,184 bytes available

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{660BB81E-52DD-4E8D-9E18-833B59364B80}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Drivers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\alsmib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"="126"
"ID"="{DA4F8A68-7BFD-422D-98EB-413EE73902B1}"
"IDex"="VT00"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\kt0ql7d51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Locked Files -----------------


-------------- XFind Qoologic Results --------------


-------------- XFind Aspack Results ---------------


-------------- Locate.com Results ---------------

Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140579 - Fri Dec 17 2004 05:30 PM
Reply to this post Reply   Reply to this post Quote  

OK, I've done the fix for you but I have sent a copy to my colleague first as there are a couple of things I want to clarify.

Hope he isn't having the office party, lol

Be back later,

Joe.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140589 - Fri Dec 17 2004 05:46 PM
Reply to this post Reply   Reply to this post Quote  

Thanx man, i hope so too ;)))

i sure am not - in fact, i had to cancel the party tonight because of work...


Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140670 - Fri Dec 17 2004 08:48 PM
Reply to this post Reply   Reply to this post Quote  

Ok, Try this and then post a new log and let us know how you got on.

Step 1
Download POCKETKILLBOX

You will use it later in the fix.

Step 2

Please boot up in Safe Mode.

Open up the C:WINDOWS\system32 folder, click on 'View' > by Details and Arrange by Size.
Scroll down to the 217-226kb range and check the properties (right click > Properties) of each file created on or after the 16.12.04.
Check under 'Version' or 'Summary' that they include Microsoft’s name. If not, add the filename to the list below for deletion.

Also right click and check this file C:\WINDOWS\system32\vat3216.dll If it does not include the Microsoft name include it below.

Now open PocketKillBox.

In the address bar, type or cut and paste each of the following lines in one by one and click the red x button to remove. Click YES when asked to confirm each deletion, click NO when asked if you want to reboot after each deletion until the last line has been entered.

Be sure to put a check in the 'Delete on Reboot' box.

C:\WINDOWS\system32\q2pslc771f.dll
C:\WINDOWS\system32\kt0ql7d51.dll
C:\WINDOWS\system32\vat3216.dll
(Subject to the above) C:\WINDOWS\system32\??rvices.exe
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\(now add the others you found)
Step 3

To make sure this is infection has been shifted, reboot in normal mode and download Registrar Lite and install it.

Open Registrar lite and Copy and paste the following into the address bar and click go:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

Look in the right pane for {660BB81E-52DD-4E8D-9E18-833B59364B80}

Right click on it and delete it.
OK out and close registrar lite.

Then run the find.bat file again. If {660BB81E-52DD-4E8D-9E18-833B59364B80} does not show up again you're done.

Close all windows and browsers, run HJT again and fix the following:-

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch


Finally, run Hoster.zip again to reset your Hosts file.

Reboot and post a fresh HJT log along with a new find.bat log.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140726 - Sat Dec 18 2004 12:10 AM
Reply to this post Reply   Reply to this post Quote  

Hi Joe, thanx for the effort!!!

did all.

i only wasn't sure what you meant by
"(Subject to the above) C:\WINDOWS\system32\??rvices.exe"
so i took it to mean to check whatever contains rvices.exe in its name, against Version etc stuff, and there was only services.exe, but in two instances, which i don't understand how can be possible - two files with same name in same folder; with different icons... one of them hidden perhaps, judging by icon... anyway, this second one doesn't have Microsoft mentioned, but because i didn't know how to delete it without deleting the legal one, i left it (since deletition wasn't manual, but by KillBox)
is this as it should be?

no popups yet, i'll let you know if they reappear. God, i hope not.

but when i boot, i do have a new (copy of?) QuickLaunch toolbar added to exsiting bottom bar of Windows...?

Hereby the fresh logs:

=========================
------- System Files in System32 Directory -------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 02:40 <DIR> dllcache
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
2 bestand(en) 389,152 bytes
1 map(pen) 23,121,952,768 bytes beschikbaar

------- Hidden Files in System32 Directory -------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 02:40 <DIR> dllcache
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
08/09/2003 19:41 <DIR> GroupPolicy
08/09/2003 19:37 21,825 folder.htt
08/09/2003 19:37 271 desktop.ini
4 bestand(en) 411,248 bytes
2 map(pen) 23,121,952,768 bytes beschikbaar

---------- Files Named "Guard" -------------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32


--------- Temp Files in System32 Directory --------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

23/08/2001 15:00 74,802 atl.dll.tmp
11/01/2000 01:00 2,828 CONFIG.TMP
2 bestand(en) 77,630 bytes
0 map(pen) 23,121,952,768 bytes beschikbaar

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Drivers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\alsmib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"="126"
"ID"="{DA4F8A68-7BFD-422D-98EB-413EE73902B1}"
"IDex"="VT00"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jt2007fme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Locked Files -----------------

-------------- XFind Qoologic Results --------------


-------------- XFind Aspack Results ---------------


-------------- Locate.com Results ---------------

=========================



=========================
Logfile of HijackThis v1.98.2
Scan saved at 01:07:40, on 18/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\PROGRA~1\ICQ\ICQ.exe
D:\Install\HiJackThis etc\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
=========================


Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140732 - Sat Dec 18 2004 12:42 AM
Reply to this post Reply   Reply to this post Quote  

We had a slight glitch.

This is how it was intended:
C:\WINDOWS\system32\vat3216.dll (Subject to the above)
but for some reason it appeared wrong in the post. You will notice I made a note asking you to check the vat3216.dll file because it was put on your Computer earlier than the others and may not have anything to do with the problem.


This one:
C:\WINDOWS\system32\??rvices.exe
must go as it still appears in the findit log. Use Killbox.


The HJT log is clear now.

See how it goes for a few days and post back.

Some of these damn fixes are a nightmare.

Joe.
Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140733 - Sat Dec 18 2004 12:55 AM
Reply to this post Reply   Reply to this post Quote  

i see you're replying fast, so if you're still there, a quick check:

- back then in safe mode, when i entered C:\WINNT\system32\??rvices.exe into KillBox adrress bar, it lists it below (in red) as services.exe. that was part of the reason i didn't dare delete it (i was afraid about the legal services.exe). Now after your re-intruction i think ??rvices.exe might mean the hidden file, but i want to check (i never worked with hidden files before, so excuse mo for thinking aloud or asking stupid questions :)

- do i have to run KillBox in safe mode again?


Post Extras: Print Post   Remind Me!   Notify Moderator  
Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 11788
Loc: London
Re: ad-w-a-r-e [Re: blazenko]
      #140789 - Sat Dec 18 2004 11:11 AM
Reply to this post Reply   Reply to this post Quote  

I think we should take stock of the situation, I've had another look at these files in the "Findit" log and the ??rvices is dated 19/11/2004 so that means it was created before the problem started. Also services.exe is a vital system file and as the two are indistinguishable its probably best to leave it alone if the Computer is now behaving itself.

Have you sorted out the "Quicklaunch"?

I meant to ask you what is "Koppelingen"?

Joe.

Joe London's WebSite
Man is the only animal that blushes -- or needs to.
\n\n>-- Mark Twain

Post Extras: Print Post   Remind Me!   Notify Moderator  
blazenko
regular


Reg'd: Wed
Posts: 22
Re: ad-w-a-r-e [Re: Joe_London]
      #140797 - Sat Dec 18 2004 01:28 PM
Reply to this post Reply   Reply to this post Quote  

Thnx

this ??rvices.exe is a strange buddy... judging by date it's not connected to this last attack of mine, but this wasn't my first jam, so it might be a leftover from the previous one (i did have an attack around that time!).
I did a search on it, and two sources call it a Trojan (http://www.spywareguide.com/product_show.php?id=1096 and http://www.xblock.com/product_list_full.php), otherwise it just shows in about 500 people's HJT logs... and the only product that claims to remove it is some "X-Cleaner". Do you know anything about X-Cleaner?
I'm puzzled because, while on one hand the trojan theory might be true, on the other hand i know (or i think i know) that some of so-called spyware-removers are actually made by the very hackers who deliver trojans... from what i've experienced till now, it seems to be a pure and clean racketeering (create a problem, then offer a solution)
...and i don't know if X-Cleaner is one of them?
Since KillBox lists it as services.exe, and i therefore don't dare use it on it, I'm thinking of just deleting it manually... but i'm still hestitant... damn! :)

> Have you sorted out the "Quicklaunch"?

this time it wasn't there; but now i think it's not really a problem, because it is not some product-toolbar, it's just another copy of my own quicklaunch toolbar; same icons, same name, just a diff. order of icons...

> i meant to ask you what is "Koppelingen"?

yeah, that's one of the things i removed at your request against my better judgement :) It's just Dutch for "Links", and it's the default Favourites map to show as a IE toolbar on a Dutch system... i'll restore it, it contains my handy links.

========
Since we're at (least near) the end of this particular sh*t, i'd like to express my gratitude, for this work you do... you guys are truly amazing! To be able to get help this detailed is one of the most amazing aspects of Internet and you guys are definitely it's most valuable Saints... i have no other word. In cyber-heaven, you guys sit to the right of the CyberLord ;)
Do you accept donations? I'm pretty broke at the moment (no job for a year now, just some work, what i can scratch up in my half-legal situation here in Holland), so i can't give much, but a few beers i can and would like to buy. Paypal maybe?

You can let me know still what do you think about this ??rvices puzzle, if you care to...

Thnx once again, and i'll keep you posted if the pop-ups re-appear!


Post Extras: Print Post   Remind Me!   Notify Moderator  
Pages: 1 | 2 | >> (show all)

Previous topic Previous   View all topics Index   Next topic Next   Threaded Mode Threaded  
Rate this topic

Jump to


Extra information
0 registered and 25 anonymous users are browsing this forum.

Moderator:  putasolutions, bricat, AndrewC, Joe_London, John_McKenna, Mouse, Hello_There, greysts, TheFatControlleR, Noviciate 


Print Topic

Forum Permissions
      You cannot start new topics
      You cannot reply to topics
      HTML is disabled
      Mark-up is enabled

Rating:
Topic views: 1992

Contact Us | Privacy statement Main website

Webuser.co.uk

Web User Alerts

Web User Network

Site Policies

Magazine Subscription

Contacts


Search

© Copyright IPC Media Limited 2009, All rights reserved