More problems

norton is finding the following:

mediaticketsinstaller.ocx Adware.CDT
mtrslib2[1].js Adware.CDT
clearlogs.exe Hacktool
SUB0T.dll Backdoor
WINMGNT.EXT Backdoor

<_<

Here's my hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 7:40:20 AM, on 11/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Help\Tours\htmlTour\dll\vpt3\choco\svchostdll.exe
c:\windows\system32\server.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\lsasvc.exe
C:\WINDOWS\Help\Tours\htmlTour\dll\vpt3\choco\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ms-ntfs.exe
C:\WINDOWS\system32\service.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\dllcache\here\winsm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A8D3004-E747-7E9B-8356-64550DA67A13} - C:\WINDOWS\System32\zusec.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [IISAdmin] C:\WINDOWS\system32\logonsrv.exe
O4 - HKLM\..\Run: [Microsoft AUTH Update] MSlti32.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [Microsoft AUTH Update] MSlti32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft AUTH Update] MSlti32.exe
O4 - HKCU\..\Run: [Utus] C:\Documents and Settings\Nathaniel\Application Data\coe.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8107.6588541667
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

The biggest problem :

http://www.trendmicr...me=WORM_RBOT.FH

But you have had that for months: <_<

http://www.geekstogo...t=0

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {1A8D3004-E747-7E9B-8356-64550DA67A13} - C:\WINDOWS\System32\zusec.dll (file missing)

O4 - HKLM\..\Run: [IISAdmin] C:\WINDOWS\system32\logonsrv.exe
O4 - HKLM\..\Run: [Microsoft AUTH Update] MSlti32.exe

O4 - HKLM\..\RunServices: [Microsoft AUTH Update] MSlti32.exe

O4 - HKCU\..\Run: [Microsoft AUTH Update] MSlti32.exe
O4 - HKCU\..\Run: [Utus] C:\Documents and Settings\Nathaniel\Application Data\coe.exe

Reboot after doing so, preferably Reboot into safe mode
and delete:
C:\Documents and Settings\Nathaniel\Application Data\coe.exe
c:\windows\system32\dllcache\here <= the entire folder

Then disable System Restore, reboot, and re-enable System Restore.
Disabling or enabling Windows XP System Restore

Then do an online virusscan for example here: http://housecall.antivirus.com/

Truthfully, I think you have a rootkit on board and it will probably be faster and safer to reinstall the entire computer. I would certainly advise to change any passwords on that computer after we are done and not to store anything private on it unless you are sure it's clean and secure.

Regards,

Pieter

#1
Betafish

Posted 25 November 2004 - 06:41 AM

Advertisements

#2
Metallica

Posted 25 November 2004 - 07:39 AM

#3
Metallica

Posted 25 November 2004 - 07:50 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us