Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

W2K - Browser Hijacker


  • This topic is locked This topic is locked
9 replies to this topic

#1 bobcope

bobcope

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 30 January 2005 - 06:52 PM

This Win 2000 machine seems to have a browser hijacker an possibly other malware. HJT log attached. Please let me have your thoughts and suggestions.


Logfile of HijackThis v1.99.0
Scan saved at 6:59:13 PM, on 1/30/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\lxamsp32.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\WINNT\System32\avupdchk.exe
C:\WINNT\System32\SVCHOSST.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/to.php?ID1=1166...8-C278DCF0F28A}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINNT\System32\DSMANA~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WinHID] WinHID.exe
O4 - HKLM\..\Run: [Antivirus Updates] avupdchk.exe
O4 - HKLM\..\Run: [Winsock2 driver] SVCHOSST.EXE
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] navmgrd.exe
O4 - HKLM\..\Run: [Tsk Mngr Hlp] wins32.exe
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Antivirus Updates] avupdchk.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update] navmgrd.exe
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Tsk Mngr Hlp] wins32.exe
O4 - HKLM\..\RunServices: [WinHID] WinHID.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] navmgrd.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Winsock2 driver] SVCHOSST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pp...stemsoappro.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Tsk Mngr Hlp - Unknown - C:\WINNT\System32\wins32.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

BC AdBot (Login to Remove)

 


#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:59 AM

Posted 30 January 2005 - 10:28 PM

Hi bobcope

Use 'ctrl' + 'alt' + 'del' (Three keys together) to get taskmanager. Find these processes
avupdchk.exe
SVCHOSST.EXE
WinHID.exe
wugrds.exe
navmgrd.exe
wuam.exe
wins32.exe

and 'end task' them.

Next,
We need you to fix the following entries please. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/to.php?ID1=1166...8-C278DCF0F28A}
R3 - Default URLSearchHook is missing
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINNT\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WinHID] WinHID.exe
O4 - HKLM\..\Run: [Antivirus Updates] avupdchk.exe
O4 - HKLM\..\Run: [Winsock2 driver] SVCHOSST.EXE
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] navmgrd.exe
O4 - HKLM\..\Run: [Tsk Mngr Hlp] wins32.exe
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Antivirus Updates] avupdchk.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update] navmgrd.exe
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Tsk Mngr Hlp] wins32.exe
O4 - HKLM\..\RunServices: [WinHID] WinHID.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] navmgrd.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] SVCHOSST.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) –
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pp...stemsoappro.cab


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINNT\System32\DSMANA~1.DLL
C:\WINNT\System32\P2P Networking\P2P Networking.exe <-- Folder
c:\program files\altnet\points manager\points manager.exe <-- Folder
C:\WINNT\System32\avupdchk.exe <-- File
C:\WINNT\System32\SVCHOSST.EXE <-- File ( careful with this one. The legit file is SVCHOST.EXE, Notice the extra S in the bad one )
WinHID.exe <-- File
wugrds.exe <-- File
navmgrd.exe <-- File
wuam.exe <-- File
wins32.exe <-- File
Reboot your computer to go back to normal mode and post a new log.

#3 bobcope

bobcope
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 01 February 2005 - 10:30 AM

Followed your instructions. The following were not listed in processes running:

WinHID
wugrds.exe
navmgrd.exe
wuam.exe
wins32.exe

When I try to go to the internet now, it is defaulting to "about.blank"

New HJT log below:

Logfile of HijackThis v1.99.0
Scan saved at 10:13:03 AM, on 2/1/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\lxamsp32.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Tsk Mngr Hlp - Unknown - C:\WINNT\System32\wins32.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#4 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:59 AM

Posted 01 February 2005 - 07:35 PM

Hi again bobcope
We need you to fix the following entries please. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <-- If this was not set by your adminstrator or a thrird party software have HJT fix it
O23 - Service: Tsk Mngr Hlp - Unknown - C:\WINNT\System32\wins32.exe (file missing)
Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\System32\P2P Networking\P2P Networking.exe

Reboot your computer to go back to normal mode and post a new log.

Close all Internet Explorer windows.
Open Control Panel. Click Start>Settings>Control Panel.
Double-click the Internet Options icon.
In the Internet Properties window, click the Programs tab.
Click the “Reset Web Settings…” button.
Select “Also reset my home page.” Click Yes.
Click OK.

#5 bobcope

bobcope
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 01 February 2005 - 09:29 PM

Don,

Many thanks for your help. I know it is not yet done, but it is getting better each round.

The instructions on Internet Explorer helped. The entire P2P folder is gone. Here is the latest HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 9:37:28 PM, on 2/1/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\lxamsp32.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#6 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:59 AM

Posted 03 February 2005 - 03:56 PM

Hi again bobcope

Your log looks clean, is it running better ?

#7 bobcope

bobcope
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 04 February 2005 - 06:25 AM

It is running better but I notice some peculiar things still. When I shut down, there is always a process not responding which has to be stopped manually. The process is Explorer - one of the more essential processes. I did check and there is only one copy running.

I also notice that if I check performance in Task Monitor, it always shows processor time at 100%. I tried Performance Monitor - opening that before Task Manager - and that shows normal low processor utilization. In Task Monitor, the listing of processes shows that Task Monitor itself is using 99% of processor time.

Have you any thoughts on these?

#8 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:59 AM

Posted 05 February 2005 - 11:05 AM

Please Download
Silent Runners
Please create a folder for it please, Then double click on the program, It will save a notebook file in the same folder, Open that, copy, paste the log back to this thread please

#9 bobcope

bobcope
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 05 February 2005 - 01:29 PM

I downloaded various W2K updates. After those, both problems cleared. I'm guessing that it replaced corrupted files. The machine is now working fine - thanks to your excellent advice. Let's close out this chain.

#10 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:05:59 AM

Posted 11 February 2005 - 07:46 PM

As your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users