EDITED May 31st
=============
Here is my hijackthislog from today.
Logfile of HijackThis v1.99.1
Scan saved at 6:48:33 μμ, on 31/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Web\sygateFireWall\SPF\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\E_S00RP2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\Norton\SYSTEM~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\shnlog.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINNT\system32\intmon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\SETI@home\[email protected]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Photo\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloaded folder\Downloaded
Zips\antivirus\housecallantivirus\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = WWW browser is
Microsoft Internet Exploder
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} -
C:\PROGRA~1\Web\COPERN~1\COPERN~1.DLL
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program
Files\Netscape\users\tango\prefs.js)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINNT\system32\hp6627.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} -
C:\PROGRA~1\Web\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program
Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINNT\system\cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common
Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C42 Series]
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series"
/O16 "IP_192.168.0.4P1" /M "Stylus C42"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD
Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_server.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Web\SYGATE~1\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WindowsFZ] C:\WINNT\system32\LogFiles\A5281300.so
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet
Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec
Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton Internet Security\Norton
AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
/Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common
Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\Photo\CASIO\Photo
Loader\Plauto.exe
O8 - Extra context menu item: Download with GetRight - C:\Program
Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program
Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program
Files\Web\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} -
C:\PROGRA~1\Web\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent -
{193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\Web\COPERN~1\COPERN~1.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\Web\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\Web\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} -
C:\PROGRA~1\Web\COPERN~1\COPERN~1.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
C:\PROGRA~1\Web\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
- C:\PROGRA~1\Web\MESSEN~1\YPager.exe
O10 - Broken Internet access because of LSP provider 'c:\program
files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...housecall/xscan
53.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control
Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
http://www.ravantivi...n/ravonline.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -
http://pointa.autode...nu/InstBanr.Ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -
http://pointa.autode...nu/InstFred.Ocx
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03)
-
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program
Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS
Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON
CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION -
C:\WINNT\system32\E_S00RP2.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet
Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation
- C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation -
C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet
Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. -
C:\Program Files\Web\sygateFireWall\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\Norton\SYSTEM~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation -
C:\WINNT\System32\WFXSVC.EXE
=======================================================
I am stupid, I admit it now for all to know!
Because I downloaded this http://vcodec.com/download/vc1_05a.exe
and being tired and exhausted and out of guard, I executed the program.
Whoa! Bang!
All [bleep] broke loose.
First it went for my modem and tried to dial. I pulled the plug off the wall and then a getright window opened. Closed it.
The plug removal did its job but Im on a DSL line...
Then the yellow triangle, the IE popups. Messages informing me of incoming threats, click ok to find out how to erase them....etc!
Thats when I noticed the NewDotNet folder in my C:/program files. Any relation?
Now I got the following message along with an IE popup with ads.
"Critical system error
Please read this message carefully
Your PC is infected by spyware
you must improve your PC security and system performance by deleting spyware from your operating system.
Attention, failure to delete spyware from your PC can result in damage of system resources and personal files corruption. Use special software to remove spyware and adware from your computer. Click OK to get all available anti spyware software. OK CANCEL"
Yea right!
Closed my network connection.
Bought the latest NAV 2005.
But the install was on the infected rig so I get the feeling that the bug went into the installation.
BLUE SCREEN ... smitfraud.c has f***ed my IE and system cannot continue normal operation.
Ran update and cleaned. Several trojans and ads were removed.
Rebooted
Cleaned again. More threats removed.
Not the triangle.
I noticed that
nwlink1px.sys did several attempts to contact outside.
Opened the Sygate PersonalFirewall log viewer and backtraced the attempts to
===69.50.171.148
===Atrivo Technologies, William Lu 69.50.171.0.1
===Origin: remote initiated
===Rem name: dumpserv.com
===Rem port: 80
blocked nwlink from responding to the net.
Dloaded the latest Ad-aware installed, updated and ran it. 63 threats were removed.
Rebooted and ran again.
Showed no threat, all clean according to it.
But the triangle popped up again. And I wasnt even connected.
Now the symantec CCPROXY.exe starts going for the same above address with repeated attempts.
blocked ccproxy and nwlink from connecting but I cannot get through to the internet.
unblocked ccproxy, internet is open now.
Triangle again
Click on it and a (bogus) MSN advertising page pops up on IE. with header "protect your computer"
one sample link here
"http://securitydownl....php?id=042a9a9
00f237efd871c57f06de670b3"
another "http://securitydownl...5f0a03b76f0757"
they all go to securitydownload but on the page other urls are written...!
HELP!
This guy is banging at my door every 5 seconds and my firewall is keeping himout for the time being but I need to get rid of him.
Went to the other posts where this smitfraud issue is discussed but they are for XP.
could I use the solution on my W2000pro?
My guess is that every solution is personalized.
Please help.
And if you can, bomb this william lu out of his pitiful existence.
It would do all of us a lot of good...
Thanx in advance.
Ducatista.
Edited by ducatista, 31 May 2005 - 10:48 AM.