
CWS hijacking


15 replies to this topic

#1 Glen41Bo191


Posted 20 July 2004 - 01:23 AM

Hi guys,
from what I read on the web, I think I have been infected by CWS (CoolWebSearch). I ran SpySweeper, Ad-Aware 6.0 and SpyBot S&D 1.3 without success in eradicating it. I also ran CWS Shredder without success.
The symptoms are:
- modification of IE start page
- modification of IE search page
- modification of IE default start page
- modification of IE default search page
Those modifications point to res://agywb.dll/index.html#96676, which is titled "Home Search"
- launch of pop-up windows (independent windows from IE, titled Only the Best)
All this happens when I start either Explorer or IE (which is in fact more or less the same).

I tried some manual actions to eradicate it, but I must be missing something at some point, so it keeps re-appearing. You will find hereafter the HJT log from this morning; I do not plan to change anything, so I will follow your kind advice. I am running SpyBot to mask the effects, but I do not like the idea that it is still there and I want to get rid of it. The HJT log was taken with the default start page corrected by SpyBot and the pop-up window left open.

I don't know if it is related, but I have a program that is not running anymore (Primavera Project Planner); it says "Cannot find SHELL.DLL" when trying to start, uninstall or re-install this program. Once again, I do not know if this is related. Let's get rid of CWS first; we'll see about this point afterwards.

Your help is very much appreciated.

===================================================

Logfile of HijackThis v1.98.0
Scan saved at 08:17:58, on 20/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\netlv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ipms32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Notes\NLNOTES.EXE
C:\Program Files\MK Net Work\ZipMail LN\zmnotesm.exe
C:\Notes\naldaemn.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thank you,
G41


#2 Glen41Bo191


Posted 20 July 2004 - 02:28 AM

Here is the HJT log file when deactivating SpyBot S&D and running IE.
Thank you in advance for your help.
G41

Logfile of HijackThis v1.98.0
Scan saved at 09:26:56, on 20/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\netlv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ipms32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Notes\NLNOTES.EXE
C:\Program Files\MK Net Work\ZipMail LN\zmnotesm.exe
C:\Notes\naldaemn.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

#3 Grinler

    Lawrence Abrams

  • Admin

Posted 20 July 2004 - 08:49 AM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:


Click on Start, then Control Panel, then Administrative Programs, then Services. Look for a service called Network Security Service. Double click on that service, click Stop, and then set the startup type to Disabled. Also write down the name and path of the file listed in the "Path to executable" field. This file must be deleted below.

Step 2:

Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:

netlv.exe
ipms32.exe

Step 3:
I now need you to delete the following files:

C:\WINNT\netlv.exe
C:\WINNT\system32\ipms32.exe
The file from the services above.
C:\WINNT\system32\agywb.dll
C:\WINNT\system32\mfcmq32.dll

Also delete any files that have the same name as these files but end with .dll. You should see them right next to each other.

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe



Step 5:

In the next step we are going to remove a service that gets installed by this malware. The service name will always start with __NS_Service. For the purposes of this step, we will assume that it is called __NS_Service_3, but it may be called something different on your computer.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists, right click on it and choose Delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3 exists, right click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.


Step 6:

Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

Once it is downloaded, please run the tool. When the tool is open, press OK and then Start. In the field labeled "Input in here..." enter the following:

res://agywb.dll/index.html

Then press the OK button. The program will start to delete the various elements of this malware.

When it has completed, move on to step 7.

Step 7:

Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examining where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
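As an added example (not code from the thread, from HijackThis or from BleepingComputer), the triage rules the helper applies by eye in the steps above, written as a small Python parser over the HJT entries quoted in this thread: res:// pages served out of a DLL, a nameless BHO, the missing URLSearchHook, a Run value named after its own System32 executable, and a ProxyOverride listing external wildcard hosts. Field names, severities and the control entries are my own choices.

```python
import re

# Constructed sample: a subset of the HijackThis entries quoted in this thread,
# with two benign entries (Acrobat BHO, ATI tray) mixed in as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
"""

HJT_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# res://<optional drive path>\<name>.dll/<page>: an IE page served out of a DLL resource
RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?(?P<dll>[\w.-]+\.dll)/", re.I)
BHO = re.compile(r"BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RUN = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
WILDCARD_HOST = re.compile(r"\*[\w.-]+\.\w+\*")


def _exe_name(cmd):
    """File name of the executable in a Run value, ignoring quoting and arguments."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return one finding per suspicious HJT entry: section, severity, reason,
    the file artifact to look for on disk (or None), and the original line."""
    findings = []

    def flag(sec, severity, reason, artifact, line):
        findings.append({"section": sec, "severity": severity, "reason": reason,
                         "artifact": artifact, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            hit = RES_DLL.search(value)
            if hit:
                flag(sec, "high", "IE start/search page served from a res:// page inside a DLL "
                     "(the CWS 'Home Search' pattern)", hit.group("dll"), line)
            elif key.endswith("ProxyOverride") and WILDCARD_HOST.search(value):
                # The usual value is <local>; external wildcard hosts route those sites around the proxy.
                flag(sec, "medium", "ProxyOverride bypasses the proxy for external wildcard hosts: "
                     + value, None, line)
        elif sec == "R3" and "URLSearchHook is missing" in body:
            flag(sec, "medium", "default URLSearchHook removed, typical collateral of a hijacker", None, line)
        elif sec == "O2":
            b = BHO.search(body)
            if b and b.group("name").strip() == "(no name)":
                path = b.group("path").strip()
                artifact = None if path == "(no file)" else path.rsplit("\\", 1)[-1]
                flag(sec, "high", "Browser Helper Object with no name registered from " + path, artifact, line)
        elif sec == "O4":
            r = O4_RUN.search(body)
            if r:
                exe = _exe_name(r.group("cmd"))
                # Weak indicator: a Run value named after its own exe in System32 is how the
                # thread's ipms32.exe was installed, but legitimate entries can look like this too.
                if r.group("name").lower() == exe.lower() and "\\system32\\" in r.group("cmd").lower():
                    flag(sec, "review", "Run value named after its own executable in System32", exe, line)
    return findings


def cleanup_candidates(findings):
    """Sorted, de-duplicated file names the findings point at, i.e. what a responder
    would check on disk (and for a same-named .dll/.exe twin) before removal."""
    return sorted({f["artifact"] for f in findings if f["artifact"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['section']}: {f['reason']}")
    print("files to inspect:", ", ".join(cleanup_candidates(triage(SAMPLE_LOG))))
```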


#4 Glen41Bo191


Posted 20 July 2004 - 02:35 PM

Grinler, :thumbsup:
thank you for your help, but ... I cannot find the Network Security Service you mention, so I did not proceed. I'm running Windows 2000 SP4. I went into the services list but I cannot see the one you refer to.
Any help?
Thank you,
G41

#5 Grinler


Posted 20 July 2004 - 05:41 PM

Ok, good. Do this. Download this file and save it to your desktop. Then double click on the file. When it produces its output, please paste it as a response to this post.

Attached Files



#6 Glen41Bo191


Posted 21 July 2004 - 12:38 AM

Grinler,
Here you go! I know, it is in French! This is my company computer (my home computer has the Windows 2000 English version). The descriptions are different but the service file names should be identical.
Thank you for your help,
G41

==================================================

These are the Current Active Services:

ALTIRIS CLIENT SERVICE
C:\Program Files\Altiris\AClient\AClient.exe -service

ATI HOTKEY POLLER
C:\WINNT\System32\Ati2evxx.exe

AVSYNC MANAGER
"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"

EXPLORATEUR D'ORDINATEUR
C:\WINNT\System32\services.exe

CLIENT DHCP
C:\WINNT\System32\services.exe

GESTIONNAIRE DE DISQUE LOGIQUE
C:\WINNT\System32\services.exe

CLIENT DNS
C:\WINNT\System32\services.exe

JOURNAL DES ÉVÉNEMENTS
C:\WINNT\system32\services.exe

SERVEUR
C:\WINNT\System32\services.exe

STATION DE TRAVAIL
C:\WINNT\System32\services.exe

SERVICE D'APPLICATION D'ASSISTANCE TCP/IP NETBIOS
C:\WINNT\System32\services.exe

PLUG-AND-PLAY
C:\WINNT\system32\services.exe

EMPLACEMENT PROTÉGÉ
C:\WINNT\system32\services.exe

SERVICE D'EXÉCUTION PAR DÉLÉGATION
C:\WINNT\system32\services.exe

CLIENT DE SUIVI DE LIEN DISTRIBUÉ
C:\WINNT\system32\services.exe

HORLOGE WINDOWS
C:\WINNT\System32\services.exe

EXTENSIONS DU PILOTE WMI
C:\WINNT\system32\Services.exe

CRYPKEY LICENSE
crypserv.exe

SYSTÈME D'ÉVÉNEMENTS DE COM+
C:\WINNT\System32\svchost.exe -k netsvcs

MONITEUR INFRAROUGE
C:\WINNT\System32\svchost.exe -k netsvcs

CONNEXIONS RÉSEAU
C:\WINNT\System32\svchost.exe -k netsvcs

MÉDIAS AMOVIBLES
C:\WINNT\System32\svchost.exe -k netsvcs

GESTIONNAIRE DE CONNEXIONS D'ACCÈS DISTANT
C:\WINNT\System32\svchost.exe -k netsvcs

NOTIFICATION D'ÉVÉNEMENT SYSTÈME
C:\WINNT\system32\svchost.exe -k netsvcs

TÉLÉPHONIE
C:\WINNT\System32\svchost.exe -k netsvcs

MCSHIELD
"C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe"

OUVERTURE DE SESSION RÉSEAU
C:\WINNT\System32\lsass.exe

AGENT DE STRATÉGIE IPSEC
C:\WINNT\System32\lsass.exe

GESTIONNAIRE DE COMPTES DE SÉCURITÉ
C:\WINNT\system32\lsass.exe

SERVICE D'ACCÈS À DISTANCE AU REGISTRE
C:\WINNT\system32\regsvc.exe

APPEL DE PROCÉDURE DISTANTE (RPC)
C:\WINNT\system32\svchost -k rpcss

CARTE À PUCE
C:\WINNT\System32\SCardSvr.exe

PLANIFICATEUR DE TÂCHES
C:\WINNT\system32\MSTask.exe

SPOULEUR D'IMPRESSION
C:\WINNT\system32\spoolsv.exe

INFRASTRUCTURE DE GESTION WINDOWS
C:\WINNT\System32\WBEM\WinMgmt.exe

MISES À JOUR AUTOMATIQUES
C:\WINNT\system32\svchost.exe -k wugroup

REMOTE PROCEDURE CALL (RPC) HELPER
C:\WINNT\netlv.exe /s

#7 Grinler


Posted 21 July 2004 - 01:03 PM

Ok, there is an updated version of the file that I want you to run instead. Please download this file to your desktop and extract the file from the zip onto your desktop. Then run the vbs file and post the contents of the Notepad window that will appear as a response to this message.

It can be downloaded from here:

http://www.computercops.biz/modules.php?na...ownload&id=2239

#8 Glen41Bo191


Posted 21 July 2004 - 03:12 PM

Grinler,
please find hereafter the said log file. The previous posts were done while connected to my work network, while this one was done while connected locally (my computer is a laptop). I don't think it makes a big difference.
Thank you for your help.
G41.

=================================================

These are the Current Active Services:

ALTIRIS CLIENT SERVICE: AClient
C:\Program Files\Altiris\AClient\AClient.exe -service

ATI HOTKEY POLLER: Ati HotKey Poller
C:\WINNT\System32\Ati2evxx.exe

AVSYNC MANAGER: AvSynMgr
"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"

EXPLORATEUR D'ORDINATEUR: Browser
C:\WINNT\System32\services.exe

CLIENT DHCP: Dhcp
C:\WINNT\System32\services.exe

GESTIONNAIRE DE DISQUE LOGIQUE: dmserver
C:\WINNT\System32\services.exe

CLIENT DNS: Dnscache
C:\WINNT\System32\services.exe

JOURNAL DES ÉVÉNEMENTS: Eventlog
C:\WINNT\system32\services.exe

SERVEUR: lanmanserver
C:\WINNT\System32\services.exe

STATION DE TRAVAIL: lanmanworkstation
C:\WINNT\System32\services.exe

SERVICE D'APPLICATION D'ASSISTANCE TCP/IP NETBIOS: LmHosts
C:\WINNT\System32\services.exe

PLUG-AND-PLAY: PlugPlay
C:\WINNT\system32\services.exe

EMPLACEMENT PROTÉGÉ: ProtectedStorage
C:\WINNT\system32\services.exe

SERVICE D'EXÉCUTION PAR DÉLÉGATION: seclogon
C:\WINNT\system32\services.exe

CLIENT DE SUIVI DE LIEN DISTRIBUÉ: TrkWks
C:\WINNT\system32\services.exe

HORLOGE WINDOWS: W32Time
C:\WINNT\System32\services.exe

EXTENSIONS DU PILOTE WMI: Wmi
C:\WINNT\system32\Services.exe

CRYPKEY LICENSE: Crypkey License
crypserv.exe

SYSTÈME D'ÉVÉNEMENTS DE COM+: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs

MONITEUR INFRAROUGE: Irmon
C:\WINNT\System32\svchost.exe -k netsvcs

CONNEXIONS RÉSEAU: Netman
C:\WINNT\System32\svchost.exe -k netsvcs

MÉDIAS AMOVIBLES: NtmsSvc
C:\WINNT\System32\svchost.exe -k netsvcs

GESTIONNAIRE DE CONNEXIONS D'ACCÈS DISTANT: RasMan
C:\WINNT\System32\svchost.exe -k netsvcs

NOTIFICATION D'ÉVÉNEMENT SYSTÈME: SENS
C:\WINNT\system32\svchost.exe -k netsvcs

TÉLÉPHONIE: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs

MCSHIELD: McShield
"C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe"

OUVERTURE DE SESSION RÉSEAU: Netlogon
C:\WINNT\System32\lsass.exe

AGENT DE STRATÉGIE IPSEC: PolicyAgent
C:\WINNT\System32\lsass.exe

GESTIONNAIRE DE COMPTES DE SÉCURITÉ: SamSs
C:\WINNT\system32\lsass.exe

APPEL DE PROCÉDURE DISTANTE (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss

CARTE À PUCE: SCardSvr
C:\WINNT\System32\SCardSvr.exe

SPOULEUR D'IMPRESSION: Spooler
C:\WINNT\system32\spoolsv.exe

INFRASTRUCTURE DE GESTION WINDOWS: WinMgmt
C:\WINNT\System32\WBEM\WinMgmt.exe

MISES À JOUR AUTOMATIQUES: wuauserv
C:\WINNT\system32\svchost.exe -k wugroup

REMOTE PROCEDURE CALL (RPC) HELPER: ½O.#ž‚„õØ´â
C:\WINNT\netlv.exe /s

#9 Grinler


Posted 21 July 2004 - 03:26 PM

Use these new instructions:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:


Click on Start, then Control Panel, then Administrative Programs, then Services. Look for a service called REMOTE PROCEDURE CALL (RPC) HELPER. Double click on that service, click Stop, and then set the startup type to Disabled. Also write down the name and path of the file listed in the "Path to executable" field. This file must be deleted below.

Step 2:

Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:

netlv.exe
ipms32.exe

Step 3:
I now need you to delete the following files:

C:\WINNT\netlv.exe
C:\WINNT\system32\ipms32.exe
The file from the services above.
C:\WINNT\system32\agywb.dll
C:\WINNT\system32\mfcmq32.dll

Also delete any files that have the same name as these files but end with .dll. You should see them right next to each other.

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe



Step 5:

In the next step we are going to remove a service that gets installed by this malware. The service name will always start with __NS_Service. For the purposes of this step, we will assume that it is called __NS_Service_3, but it may be called something different on your computer.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„õØ´â

If __NS_Service_3 exists, right click on it and choose Delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_½O.#ž‚„õØ´â

If LEGACY___NS_Service_3 exists, right click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name (LEGACY_½O.#ž‚„õØ´â) to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.


Step 6:

Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

Once it is downloaded, please run the tool. When the tool is open, press OK and then Start. In the field labeled "Input in here..." enter the following:

res://agywb.dll/index.html

Then press the OK button. The program will start to delete the various elements of this malware.

When it has completed, move on to step 7.

Step 7:

Copy the contents of the quote box below to Notepad.
Name the file fix.reg.
Change the "Save as type" to All Files.
Save this file on the desktop.

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge, say yes; this will clear some registry entries left behind by the process.

Step 8:

Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examining where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
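Added example, not the get-services script the helper linked nor any BleepingComputer tool: a Python parser for the "Current Active Services" listing pasted earlier in this thread (it accepts both the display-only form and the "DISPLAY: ShortName" form), flagging the traits that single out the malware's RPC Helper service in Step 1 above: a service name made of unprintable or non-ASCII bytes, an image that runs from the Windows root instead of System32, and an "RPC" display name whose image lives outside System32. The sample listing is constructed from entries quoted in the thread; the rule names and the "review" category are my own.

```python
# Constructed sample: four legitimate entries quoted in the thread plus the
# malware service, in the "DISPLAY: ShortName" / image-path format of post #8.
SAMPLE_SERVICES = r"""
These are the Current Active Services:

ALTIRIS CLIENT SERVICE: AClient
C:\Program Files\Altiris\AClient\AClient.exe -service

AVSYNC MANAGER: AvSynMgr
"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"

CRYPKEY LICENSE: Crypkey License
crypserv.exe

APPEL DE PROCÉDURE DISTANTE (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss

REMOTE PROCEDURE CALL (RPC) HELPER: ½O.#ž‚„õØ´â
C:\WINNT\netlv.exe /s
"""

# Windows root directories (lower-case) that a service image should not run from directly.
WINDOWS_ROOTS = (r"c:\winnt", r"c:\windows")


def parse_services(text):
    """Return a list of {display, name, image} dicts from the listing.
    Each entry is a display line ('DISPLAY: ShortName' or just 'DISPLAY')
    followed by the image line; blank lines separate entries."""
    services, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("These are the"):
            continue
        if pending is None:
            display, sep, name = line.rpartition(": ")
            if not sep:                      # older listing without the short name
                display, name = line, ""
            pending = {"display": display, "name": name}
        else:
            pending["image"] = line
            services.append(pending)
            pending = None
    return services


def image_path(image):
    """Executable path from an image string, handling quoting and arguments."""
    image = image.strip()
    if image.startswith('"'):
        return image[1:].split('"', 1)[0]
    return image.split(" ", 1)[0]


def check_service(svc):
    """Reasons a service entry deserves attention; an empty list means nothing found."""
    reasons = []
    if svc["name"] and not all(32 <= ord(c) < 127 for c in svc["name"]):
        reasons.append("service name contains non-printable or non-ASCII characters")
    path = image_path(svc["image"]).lower()
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if directory in WINDOWS_ROOTS:
        reasons.append("image runs from the Windows root directory instead of System32")
    if "rpc" in svc["display"].lower() and not directory.endswith("system32"):
        reasons.append("display name claims an RPC component but the image is outside System32")
    if not directory:
        reasons.append("image has no directory, so it is resolved through the search path (review)")
    return reasons


def triage_services(text):
    """Entries with at least one reason, each carrying its reasons list."""
    findings = []
    for svc in parse_services(text):
        reasons = check_service(svc)
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES):
        print(f"{f['display']} -> {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```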


#10 Glen41Bo191


Posted 22 July 2004 - 02:25 AM

Hi Grinley,
although every step you described could not be completed in detail, it seems that it worked (so far). No more re-direction of the start page and no more nasty pop-up windows.

Please find hereafter the changes from your procedure:

- Step 1
Ok, the filename was C:\WINNT\netlv.exe /s

- Step 2
Ok, netlv.exe was already stopped from step 1

- Step 3
Ok, but C:\WINNT\system32\mfcmq32.dll could not be removed
because it was used by Windows

- Step 4
Ok, I noticed that netlv.exe did appear in a new HJT entry (as RunOnce)
so I ticked it. HJT took care of the step 3 mfcmq32.dll and deleted it.

- Step 5
__NS_Service_3 did not exist in HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\½O.#ž‚„õØ´â

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_½O.#ž‚„õØ´â did not exist

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
LEGACY___NS_Service_3 was present and still is since I could not get
permission to delete it

So I came back and deleted (I don't know if this was ok but ...)
__NS_Service_3 did not exist in HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\½O.#ž‚„õØ´â

- Step 6
It seems that latest version of About:Buster does not work as you
describe. You do not enter the url anymore. However, the url
res://agywb.dll/index.html was never found by About:Buster.
It did remove a lot of things anyway.

- Step 7
Ok

- Step 8
Ok

So far, so good, symptoms have disappeared.
Thank you very much for your assistance.
:thumbsup:
G41.

#11 Grinler


Posted 22 July 2004 - 09:24 AM

I am sorry, but my instructions sucked. This malware has morphed a bit and I forgot to edit the fix completely. Please do me a favor and post a new log and a new output of the get services program I had you download earlier. There is still more leftover that I need to have you remove.

#12 Glen41Bo191


Posted 22 July 2004 - 12:00 PM

Grinley,
please find hereafter the HJT log and the services log as requested.
Thank you,
G41.

====================================================

Logfile of HijackThis v1.98.0
Scan saved at 18:58:36, on 22/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WIN2K\SMC11GMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WIN2K\SMC11GMonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

====================================================

and here is the output of the service log...

====================================================

These are the Current Active Services:

ALTIRIS CLIENT SERVICE: AClient
C:\Program Files\Altiris\AClient\AClient.exe -service

ATI HOTKEY POLLER: Ati HotKey Poller
C:\WINNT\System32\Ati2evxx.exe

AVSYNC MANAGER: AvSynMgr
"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"

EXPLORATEUR D'ORDINATEUR: Browser
C:\WINNT\System32\services.exe

CLIENT DHCP: Dhcp
C:\WINNT\System32\services.exe

GESTIONNAIRE DE DISQUE LOGIQUE: dmserver
C:\WINNT\System32\services.exe

CLIENT DNS: Dnscache
C:\WINNT\System32\services.exe

JOURNAL DES ÉVÉNEMENTS: Eventlog
C:\WINNT\system32\services.exe

SERVEUR: lanmanserver
C:\WINNT\System32\services.exe

STATION DE TRAVAIL: lanmanworkstation
C:\WINNT\System32\services.exe

SERVICE D'APPLICATION D'ASSISTANCE TCP/IP NETBIOS: LmHosts
C:\WINNT\System32\services.exe

PLUG-AND-PLAY: PlugPlay
C:\WINNT\system32\services.exe

EMPLACEMENT PROTÉGÉ: ProtectedStorage
C:\WINNT\system32\services.exe

SERVICE D'EXÉCUTION PAR DÉLÉGATION: seclogon
C:\WINNT\system32\services.exe

CLIENT DE SUIVI DE LIEN DISTRIBUÉ: TrkWks
C:\WINNT\system32\services.exe

HORLOGE WINDOWS: W32Time
C:\WINNT\System32\services.exe

EXTENSIONS DU PILOTE WMI: Wmi
C:\WINNT\system32\Services.exe

CRYPKEY LICENSE: Crypkey License
crypserv.exe

SYSTÈME D'ÉVÉNEMENTS DE COM+: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs

MONITEUR INFRAROUGE: Irmon
C:\WINNT\System32\svchost.exe -k netsvcs

CONNEXIONS RÉSEAU: Netman
C:\WINNT\System32\svchost.exe -k netsvcs

MÉDIAS AMOVIBLES: NtmsSvc
C:\WINNT\System32\svchost.exe -k netsvcs

GESTIONNAIRE DE CONNEXIONS D'ACCÈS DISTANT: RasMan
C:\WINNT\System32\svchost.exe -k netsvcs

NOTIFICATION D'ÉVÉNEMENT SYSTÈME: SENS
C:\WINNT\system32\svchost.exe -k netsvcs

TÉLÉPHONIE: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs

MCSHIELD: McShield
"C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe"

OUVERTURE DE SESSION RÉSEAU: Netlogon
C:\WINNT\System32\lsass.exe

AGENT DE STRATÉGIE IPSEC: PolicyAgent
C:\WINNT\System32\lsass.exe

GESTIONNAIRE DE COMPTES DE SÉCURITÉ: SamSs
C:\WINNT\system32\lsass.exe

APPEL DE PROCÉDURE DISTANTE (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss

SPOULEUR D'IMPRESSION: Spooler
C:\WINNT\system32\spoolsv.exe

INFRASTRUCTURE DE GESTION WINDOWS: WinMgmt
C:\WINNT\System32\WBEM\WinMgmt.exe

MISES À JOUR AUTOMATIQUES: wuauserv
C:\WINNT\system32\svchost.exe -k wugroup

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:45 PM

Posted 22 July 2004 - 02:15 PM

Well, it's gone. Post a last log please.

#14 Glen41Bo191

Glen41Bo191
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 23 July 2004 - 04:09 AM

:thumbsup: Grrrrrrrrrrrrrrr !!!
Grinley,
it seems that I still have some traces left over ... in the first R1 ...
Is it dangerous?
Thank you,
G41.

===================================================

Logfile of HijackThis v1.98.0
Scan saved at 11:08:03, on 23/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system\W32MKDE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.finance.yahoo.com/p?v&k=eupf_3&d=v1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

#15 Glen41Bo191

Glen41Bo191
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 23 July 2004 - 01:37 PM

Grinler,
in fact there is still a trace, but only when I am logged on to my work network. I did the fix when I was logged in locally. So I think I will run HJT and fix the R1, then maybe run the Hoster to set everything right in this configuration.
You will find hereafter the log when logged in locally on my machine.
Thank you for your precious help.
G41

(Sorry I misspelled your name in my two previous posts)

=================================================

Logfile of HijackThis v1.98.0
Scan saved at 20:30:45, on 23/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WIN2K\SMC11GMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WIN2K\SMC11GMonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

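The three kinds of entry this thread keeps coming back to (an IE Search Page pointing at a res:// resource inside a local DLL, a ProxyOverride that exempts hot-searches.com and lender-search.com from the proxy, and the BHO CLSID left registered with "(no file)") can be picked out of a HijackThis log mechanically. The script below is an added example, not part of the thread or of HijackThis; the sample lines are copied from the logs posted above, and the list of ProxyOverride entries treated as benign is an assumption.

```python
import re

# Subset of the HijackThis entries posted in this thread (copied from the logs above).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.finance.yahoo.com/p?v&k=eupf_3&d=v1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
"""

# ProxyOverride entries that normally belong there (assumption): the <local> token,
# loopback and private address wildcards. Any other host pattern bypasses the proxy
# for an external site and deserves a look.
_BENIGN_OVERRIDE = re.compile(
    r"^(<local>|localhost|127\.[\d.*]+|10\.[\d.*]+|192\.168\.[\d.*]+)$", re.I)


def triage(log_text):
    """Return (reason, line) pairs for HijackThis lines matching the patterns above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" - ")
        # R0/R1 lines look like "<registry path>,<value name> = <value>"
        key, _, value = rest.partition(" = ")
        value = value.strip()
        if kind in ("R0", "R1") and value.lower().startswith("res://"):
            # Start/Search page served out of a local DLL resource: the CWS signature.
            findings.append(("IE page hijacked to local DLL resource", line))
        elif kind == "R1" and key.endswith("ProxyOverride"):
            external = [e.strip() for e in value.split(";")
                        if e.strip() and not _BENIGN_OVERRIDE.match(e.strip())]
            if external:
                findings.append(("ProxyOverride bypasses proxy for external hosts: "
                                 + ", ".join(external), line))
        elif kind == "O2" and rest.endswith("(no file)"):
            # BHO CLSID still registered but its DLL is gone: an orphan from a removal.
            findings.append(("orphaned BHO registration (no file)", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```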