wininet.dll corrupted by w32.desktophijack [RESOLVED]


#1 looking4help (New Member)
Norton detects but cannot repair, quarantine or delete. I have followed all of the general suggestions on this site to clean my computer up. Trend HouseCall also detects it (as TSPY_ALEMOD.A), but cannot fix it. Oddly enough, Panda ActiveScan does not detect it. HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:33:16 PM, on 7/18/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestat...ab?ver=2,0,0,54
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I have researched all over the web and tried numerous things to no avail. Although I was able to get rid of the other file (oleadm.dll) that was giving me trouble. Please help!

Dawn
#2 Guest_thatman_* (Guest)
Hi looking4help

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware SE.
Click here for how to set up and use it - please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run a full Ewido scan. Save the scan log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press OK to remove them.

Let the system reboot.

Please run the following free, online virus scan.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda, Ewido and HJT. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3 looking4help (Topic Starter)
I was able to fix the wininet.dll file last night by downloading and creating a Windows 98 boot disk. I deleted the old file from c:\winnt\system32 folder and copied a good one back in DOS. Norton does not find any viruses anymore, but my desktop image is still black and I would like to make sure there are no remnants.

Just wanted to give you an update before I start going through the steps you listed above.

#4 looking4help (Topic Starter)
I have done everything up to clearing out files in the Prefetch folder. I get a message saying there is no such folder on my computer so I'll just skip that step and proceed to the next one.

Ewido scan results are below. FYI, drive F: is a second hard drive that used to be in a different computer, which I now use to back up my files on. I didn't realize Ewido was going to scan that as well. It probably needs to be done eventually, but I'll exclude that drive on the remaining scans to reduce the info you have to read through.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:41:42 PM, 7/20/2005
+ Report-Checksum: 77A8A99E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Cookies\donnie tull@ad-logics[1].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Cookies\donnie [email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Cookies\donnie [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Cookies\donnie tull@specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Cookies\donnie [email protected][1].txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\alchem.cab/alchem.exe -> TrojanDownloader.Alchemic : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\alchem.exe -> TrojanDownloader.Alchemic : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\euniverse.exe -> Trojan.Keenval.a : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\fSGfeSR.exe -> TrojanDownloader.IstBar : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\polmx.cab/polmx.exe -> TrojanDownloader.Agent.ae : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\polmx.exe -> TrojanDownloader.Agent.ae : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\powerscan.exe -> Spyware.PowerScan : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\THI4B9.tmp\wupdt.exe -> TrojanDownloader.Intexp.b : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\THI7B95.tmp\preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\THI7B95.tmp\twaintec.cab/preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temp\whenu.exe -> Adware.SaveNow : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\49UB89A7\ESBAdultInstaller[1].ocx -> TrojanDownloader.Agent.bp : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\49UB89A7\euniverse[1].exe -> Trojan.Keenval.a : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\49UB89A7\istsvc[1].exe -> TrojanDownloader.IstBar.fr : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\4DAVODMJ\sidefind13[1].dll -> Spyware.SideFind : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\4DAVODMJ\whenu[1].exe -> Adware.SaveNow : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\MTCVML65\istbar[1].dll -> TrojanDownloader.IstBar.dh : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\MTCVML65\istdownload[2].exe -> TrojanDownloader.IstBar : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\MTCVML65\sfexd001[1].htm -> Spyware.SideFind : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\O1W74JOV\ncase_new[1].exe -> Spyware.180Solutions : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\O1W74JOV\powerscan[1].exe -> Spyware.PowerScan : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\O1W74JOV\sfbho13[1].dll -> Spyware.SideFind : Cleaned with backup
F:\Documents and Settings\Donnie Tull\Local Settings\Temporary Internet Files\Content.IE5\O1W74JOV\sidefind[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
F:\Program Files\ClearSearch\A_ClearSearch.DLL -> Spyware.ClearSearch : Cleaned with backup
F:\Program Files\ClearSearch\csAOLldr.exe -> Spyware.ClearSearch : Cleaned with backup
F:\Program Files\ClearSearch\CSBB.DLL -> Spyware.ClearSearch : Cleaned with backup
F:\Program Files\ClearSearch\Loader.exe -> Backdoor.Ruledor.e : Cleaned with backup
F:\Program Files\Common Files\SearchUpgrader\SearchUpgrader.exe -> TrojanDownloader.Keenval.g : Cleaned with backup
F:\Program Files\CSBB\A_ClearSearch.DLL -> Spyware.ClearSearch : Cleaned with backup
F:\Program Files\CSBB\csAOLldr.exe -> Spyware.ClearSearch : Cleaned with backup
F:\Program Files\CSBB\CSBB.DLL -> Spyware.ClearSearch : Cleaned with backup
F:\Program Files\CSBB\Loader.exe -> Backdoor.Ruledor.e : Cleaned with backup
F:\Program Files\IncrediFind\BHO\IncFindBHO170.dll -> Trojan.Keenval.a : Cleaned with backup
F:\Program Files\Power Scan\powerscan.exe -> Spyware.PowerScan : Cleaned with backup
F:\Program Files\Radmin\raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
F:\Program Files\Radmin\radmin.exe -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.21 : Cleaned with backup
F:\Program Files\Radmin\r_server.exe -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.21 : Cleaned with backup
F:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind : Cleaned with backup
F:\Program Files\TV Media\Tvm.exe -> Spyware.TotalVelocity : Cleaned with backup
F:\Program Files\TV Media\TvmBho.dll -> Spyware.TotalVelocity : Cleaned with backup
F:\Program Files\TV Media\TvmCore.dll -> Spyware.TotalVelocity : Cleaned with backup
F:\Program Files\VVSN\VVSN.exe -> Adware.SaveNow : Cleaned with backup
F:\WINDOWS\alchem.exe -> TrojanDownloader.Alchemic : Cleaned with backup
F:\WINDOWS\Downloaded Program Files\ESBAdultInstaller.ocx -> TrojanDownloader.Agent.bp : Cleaned with backup
F:\WINDOWS\polmx.exe -> TrojanDownloader.Agent.ae : Cleaned with backup
F:\WINDOWS\preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
F:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
F:\WINDOWS\systb.exe -> Trojan.Imiserv.c : Cleaned with backup
F:\WINDOWS\system32\pybnbi.exe -> TrojanDownloader.Agent.ae : Cleaned with backup
F:\WINDOWS\system32\raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
F:\WINDOWS\system32\r_server.exe -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.21 : Cleaned with backup
F:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.b : Cleaned with backup


::Report End

#5 looking4help (Topic Starter)
Ad Aware log:

Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, July 20, 2005 7:51:41 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R55 19.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R55 19.07.2005
Internal build : 64
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 498059 Bytes
Total size : 1502891 Bytes
Signature data size : 1470396 Bytes
Reference data size : 31983 Bytes
Signatures total : 41888
CSI Fingerprints total : 966
CSI data size : 33960 Bytes
Target categories : 15
Target families : 715


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:51 %
Total physical memory:261136 kb
Available physical memory:131732 kb
Total page file size:632948 kb
Available on page file:556900 kb
Total virtual memory:2097024 kb
Available virtual memory:2045796 kb
OS:Microsoft Windows 2000 Professional Service Pack 3 (Build 2195)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-20-2005 7:51:41 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 164
ThreadCreationTime : 7-21-2005 12:22:30 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 7-21-2005 12:22:32 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 7-21-2005 12:22:33 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 244
ThreadCreationTime : 7-21-2005 12:22:34 AM
BasePriority : Normal
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 256
ThreadCreationTime : 7-21-2005 12:22:34 AM
BasePriority : Normal
FileVersion : 5.00.2195.5430
ProductVersion : 5.00.2195.5430
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 420
ThreadCreationTime : 7-21-2005 12:22:37 AM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 468
ThreadCreationTime : 7-21-2005 12:22:37 AM
BasePriority : Normal
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:8 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 584
ThreadCreationTime : 7-21-2005 12:23:04 AM
BasePriority : Normal
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:9 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 536
ThreadCreationTime : 7-21-2005 12:43:48 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 504
ThreadCreationTime : 7-21-2005 12:51:32 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1659004503-1292428093-839522115-500\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
2 entries scanned.
New critical objects:0
Objects found so far: 10




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10

7:53:26 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:44.672
Objects scanned:65584
Objects identified:0
Objects ignored:0
New critical objects:0

#6 looking4help (Topic Starter)
Panda did not find any viruses this time either. It looks like there is no available log if this is the case, but the HijackThis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:53 PM, on 7/20/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestat...ab?ver=2,0,0,54
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Is there anything else I need to do or have I defeated this thing?

Thank you!
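One way to triage a HijackThis log of the kind posted in this thread, as an added example that is not from the original thread or from the HijackThis tool: it parses the Onn sections and flags entries a reviewer should look at first, without pronouncing a verdict. The sample log is constructed from entries like the ones above; the Temp-folder O4 entry and its loader.exe name are invented for illustration.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the logs posted
# in this thread. The O4 entry launching from a Temp folder is invented for
# illustration; every other line mirrors an entry from the thread's logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ExampleLoader] C:\Documents and Settings\User\Local Settings\Temp\loader.exe
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
TEMP_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hjt(log_text):
    """Return (section, detail) pairs for every 'Onn - ...' entry in the log.

    The header and the 'Running processes' block carry no section tag and are
    skipped here; running_processes() handles that block.
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line:  # the first blank line ends the block
                break
            procs.append(line)
    return procs


def triage_hjt(log_text):
    """Flag entries a human reviewer should look at first.

    Each finding is (section, item, reason). A flag is a review prompt, not a
    verdict: the thread's own log has a 'no name' BHO that is Spybot's
    SDHelper.dll, and a hosts entry the helper did not treat as a problem.
    """
    findings = []
    for section, detail in parse_hjt(log_text):
        if section == "O1":
            m = HOSTS_RE.match(detail)
            if m and m.group("ip") not in LOOPBACK:
                findings.append((section, m.group("host"),
                                 "hosts file maps this name to a non-loopback "
                                 "address; confirm the entry was added deliberately"))
        elif section == "O2" and detail.startswith("BHO: (no name)"):
            findings.append((section, detail,
                             "browser helper object without a display name; "
                             "identify the DLL's publisher"))
        elif section == "O4" and TEMP_RE.search(detail):
            findings.append((section, detail,
                             "autorun entry launches from a temporary folder"))
        elif section == "O20":
            findings.append((section, detail,
                             "Winlogon Notify DLL loads at every logon; "
                             "verify its publisher"))
    return findings


def section_counts(log_text):
    """Count entries per HijackThis section, e.g. {'O1': 2, 'O2': 2, ...}."""
    counts = {}
    for section, _ in parse_hjt(log_text):
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    print(section_counts(SAMPLE_LOG))
    for section, item, reason in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {item}\n    {reason}")
```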

#7 Guest_thatman_* (Guest)
Hi looking4help

Congratulations! Your system is CLEAN

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn off system restore
Disabling or enabling Windows XP System Restore
Windows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klein: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here

It prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
http://www.mozilla.o...oducts/firefox/

2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Have a nice day.

Kc :tazz:

#8 Guest_thatman_* (Guest)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.