Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows 2000 / Search42 Hijack


  • Please log in to reply
5 replies to this topic

#1 Moonglum Clampflower

Moonglum Clampflower

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:Alpha Centauri
  • Local time:11:16 PM

Posted 18 May 2005 - 05:30 PM

Hi all,

I have a problem with a Search42 Trojan (which I think Sophos call agent-DO). Sophos guidelines failed to fix it and I have come here to plead for assistance.

My machine is a Windows 2000 server on a pentium 450 PC which is up to date with windows updates. I am running Zonealarm / Sophos Anti Virus (for what it's worth). I have followed your guidelines and run Spybot and Adaware. My Hijack log is as follows. Look forward to hearing from you soon.

Best regards

Moon.


Logfile of HijackThis v1.99.1
Scan saved at 21:00:21, on 18/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy II\TeaTimer.exe
d:\Drivers and Utilities\Trojan Killers\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiralspider.demon.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINNT\system\fontweb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy II\TeaTimer.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O20 - Winlogon Notify: fontweb - C:\WINNT\system\fontweb.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:16 PM

Posted 19 May 2005 - 12:03 AM

Hello Moonglum Clampflower and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download Process Explorer by Sysinternals and unzip it to your desktop. Do not run it yet.

Download Pocket Killbox and unzip it to your desktop. Do not run it yet.

Step #2

Open Notepad and copy/paste the text in the quotebox below into the new document:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]


Save the document to your desktop as fixvundo.reg and close Notepad.

Step #3

The rest of this fix must be done in safe mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Locate procexp.exe on your desktop and double-click on it to start the program.
  • In the top section of the Process Exlporer screen double-click on WinLogon.exe to bring up the WinLogon.exe Properties Dialog.
    • Click on the Threads tab at the top.
    • Locate each instance of fontweb.dll, click once on the instance and then click the Kill button.
    • If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.
    • After you have killed all of the files shown above under WinLogon click Ok.
  • Next, double-click on Explorer.exe.
    • Click on the Threads tab at the top.
    • Locate each instance of fontweb.dll, click once on the instance and then click the Kill button.
    • If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.
    • After you have killed all of the files shown above under Explorer click Ok.
Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINNT\system\fontweb.dll
O20 - Winlogon Notify: fontweb - C:\WINNT\system\fontweb.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Locate the fixvundo.reg on your desktop and right-click on it. Choose Merge from the popup menu and answer Yes or Ok to any further prompts.

Step #7

Locate KillBox.exe on your desktop and double-click on it to start the program.
  • Click Delete on Reboot.
  • Paste the line below into the top Full Path of File to Delete box.
    • C:\WINNT\system\fontweb.dll
  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the Delete next Reboot prompt.
  • If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.
Step #8

OK. After your computer has rebooted normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 Moonglum Clampflower

Moonglum Clampflower
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:Alpha Centauri
  • Local time:11:16 PM

Posted 19 May 2005 - 03:17 PM

Many many thanks for your quick reply. Looking very good :thumbsup: My log file is as below and the process went as you described. The only oddities is that certain words like RESET in your sentences are sometimes double underlined in green. When you hover over it, it tells you you can buy resets from Ebay! Most odd. Another plague?

All the best

Moon :flowers:


Logfile of HijackThis v1.99.1
Scan saved at 21:06:00, on 19/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\rsvp.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
d:\Drivers and Utilities\Trojan Killers\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiralspider.demon.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy II\TeaTimer.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:16 PM

Posted 19 May 2005 - 06:55 PM

Hi Moonglum Clampflower. The underlining can occur on certian websites because that is how the site is set up. Does this underlining occur on all sites that you visit? If so, then we will need to dig a little deeper and see what we can find.

Other than that, the log looks clean now. Good job!

Let me know about the above and any other problems you are currently seeing.

Cheers.

OT

Edited by OldTimer, 19 May 2005 - 06:56 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 Moonglum Clampflower

Moonglum Clampflower
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:Alpha Centauri
  • Local time:11:16 PM

Posted 20 May 2005 - 04:53 PM

Most odd, can't see any of the green underlines anymore. :thumbsup: I'll keep an eye out and let you know. Thanks once again for your invaluable help. Much appreciated.

Cheers

Moon. :flowers:

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:16 PM

Posted 20 May 2005 - 05:16 PM

Hi Moonglum Clampflower. Glad to hear it. We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall and a good antivirus application like the ones you are currently using. It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users