
Persistent attack -about:blank & sp.html


This topic is locked
6 replies to this topic

#1 LetMeUp


Posted 20 August 2004 - 01:46 PM

:thumbsup: Hi Guys,
I am just frustrated beyond belief - thought I could take care of this - nothing seems to have worked.
I got attacked sometime between July 24 and July 25. I have been battling this thing ever since!
I am currently using:
* Norton Anti-Virus
* Ad-aware
* CWShredder 1.59 (never able to get an update, if there is one)
* SpywareBlaster
* SpywareBaster
* BHODemon
and
* HijackThis.

The problems are as follows:

FIRST SYMPTOM: ATTEMPTED BROWSER HIJACKING
I still have the persistent about:blank attempt appearing, but it is now mostly being caught by
BHODemon and SpyBot Resident, which warn me of the attempted changes and allow me to deny them!
When this goes off (about every 3-5 hours),
BHODemon catches a dynamically, uniquely-named dll (30 kb) when it appears.
When this is attempted, it leaves the telltale files:
sp.html 8 kb and
daeea6b4.tmp 16 kb
in:
c:\Document and Setting\Owner\Local setting\temp\sp.html and
c:\Document and Setting\Owner\Local setting\temp\daeea6b4.tmp
c:\Document and Setting\Owner\Local setting\temp\~DFF98D.tmp <- this looks suspicious, but I don't know

C:\WINDOWS\system32\daeea6b4.tmp
C:\WINDOWS\system32\<dynamically named>.dll also appears here and can only be deleted when all IEs are shut down

C:\WINDOWS\temp\sp.html
C:\WINDOWS\temp\daeea6b4.tmp <= these ones will be left here after EVERY tool does its thing, but deleting
THIS manually does not halt the problem.

SECOND SYMPTOM:
Ever since this attack, the memory has gone amok, with
the Explorer process eating a lot of real and virtual memory,
IExplorer doing the same, and
OFTEN one of the svchost processes getting really large too.



NEXT SYMPTOM:
At boot-up, since the July attack,
nview.dll and nwiz.dll issue runtime error messages saying that something is missing.


NEXT to LAST SYMPTOM:
In C:\windows\Downloaded Program files
the Java Runtime Environment file 1.3.1.09 (for Netscape Navigator???) is damaged.
The strange thing is, I don't use Netscape, only IE.


FINAL ISSUE:
This one seems to be the most nefarious of them all. In the Security Event Viewer I saw this,
from my event log. I did not issue this.

========================================
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 7/25/2004
Time: 4:05:54 AM
User: NT AUTHORITY\SYSTEM
Computer: OFFICEADMIN
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon

Changed By:
User Name: OFFICEADMIN$
Domain Name: MSHOME
Logon ID: (0x0,0x3E7)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

========================================
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 518
Date: 7/25/2004
Time: 4:05:54 AM
User: NT AUTHORITY\SYSTEM
Computer: OFFICEADMIN
Description:
An notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes.
Notification Package Name: scecli

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
========================================

WHAT IS GOING ON HERE!!??? Is there a hijacked tag-along process that is sending information who knows where??

HELP...


HERE is the HijackThis log.
Let me know where the


Logfile of HijackThis v1.98.2
Scan saved at 5:50:10 PM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\SPYWAR~2\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Admin_Tools\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Admin_Tools\BHODemon 2\BHODemon.exe
C:\Program Files\Admin_Tools\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mail.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/ind...showtutorial=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mail.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.treasuredmemoriesmedia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.treasuredmemoriesmedia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ADMIN_~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: (no name) - {E345FC57-9E6C-42D2-A9CD-506A288DC311} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\SpyWareTools\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\SPYWAR~2\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Admin_Tools\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\Admin_Tools\BHODemon 2\BHODemon.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


Why is "R3 - Default URLSearchHook is missing"??

Why is "O2 - BHO: (no name) - {E345FC57-9E6C-42D2-A9CD-506A288DC311} - (no file)" empty?
I don't know what this is:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

PLEASE HELP...
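As an added example (not part of the original thread or of HijackThis itself), a small Python triage script that applies the review criteria raised in this thread to HijackThis-style log lines: an R0/R1 start or search page set to about:blank or a local file, the missing R3 URLSearchHook, an O2 BHO with no backing file, and processes or autostart entries loading from a Temp directory. The sample log and the `Temp\example.*` paths in it are constructed placeholders, not real captures.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.98 log format, modelled on the entries
# quoted in this thread. The Temp\ paths are made-up placeholders for the
# "dynamically named" files described above, not real indicators.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Temp\example.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E345FC57-9E6C-42D2-A9CD-506A288DC311} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [example] rundll32.exe C:\WINDOWS\Temp\example.dll,Start
"""

# "R1 - ...", "O2 - ...": HijackThis prefixes its registry/startup entries this way.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Any path component named Temp (covers Local Settings\Temp and WINDOWS\Temp).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Start/search page set to about:blank or a local file instead of a web URL.
LOCAL_PAGE_RE = re.compile(r"=\s*(about:blank|res://|file://|[a-z]:\\.*\.html?)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match one of the thread's review criteria."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_RE.search(line):
                findings.append(Finding("process running from a Temp directory", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1") and LOCAL_PAGE_RE.search(body):
            findings.append(Finding("start/search page set to about:blank or a local file", line))
        elif kind == "R3" and "missing" in body.lower():
            findings.append(Finding("default URLSearchHook missing (HijackThis can restore it)", line))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("BHO registration with no backing file", line))
        elif kind in ("O2", "O3", "O4") and TEMP_RE.search(body):
            findings.append(Finding("BHO/toolbar/autostart loading from a Temp directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Lines such as the Norton BHO, the &Radio toolbar and the ccApp run entry pass through unflagged, which matches the advice given later in this thread.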


#2 ShelbyMan


Posted 20 August 2004 - 03:07 PM

Hi LetMeUp!

1st Re-scan your system for viruses online here:
TrendOnline Scanner

2nd Navigate in Windows Explorer and check to see if you have 2 "Program Files" folders.
There should NOT be a "PROGRA~1" folder. Did you specify this location when installing the programs?
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\SPYWAR~2\PANICW~1\POP-UP~1\PSFree.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ADMIN_~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\SPYWAR~2\PANICW~1\POP-UP~1\PSFree.exe"

3rd - Let HijackThis fix these 2 items:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E345FC57-9E6C-42D2-A9CD-506A288DC311} - (no file)

4th - Shut down these apps (via the task bar or the system tray), and re-run a HijackThis log with NO unnecessary apps running!!
All these apps seem to be running when you are running HijackThis!
BHO demon
SpyBot
Popup Stopper
Adobe
Messenger
Internet Explorer


This is a valid item:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

#3 Grinler (Lawrence Abrams, Admin)

Posted 20 August 2004 - 06:01 PM

ShelbyMan, we prefer that only people in the HJT team offer HijackThis log support. If you are interested in the team, you can PM me.
Those progra~1 entries are valid. HijackThis and programs sometimes install or display the Program Files directory like that.

Just fix these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E345FC57-9E6C-42D2-A9CD-506A288DC311} - (no file)

The radio one you can leave.

#4 LetMeUp (Topic Starter)

Posted 20 August 2004 - 06:36 PM

Well :thumbsup:
Hi ShelbyMan, et al.
More problems:
IE gets an error and shuts down every time I try to run the scan from TrendOnline Scanner. Any other suggestions?

I only have one (1) C:\Program Files directory and these items are where they are supposed to be. I cannot account for the Win 95-esque contraction of these longer names, but this is a WinXP box.

I had HJT remove the 2 items
but the
O2 - BHO: (no name) - {Different number} - (no file)
came back - had HJT remove it again.

I have tried to shut down most of the things below, but can't find the
* ADOBE item

**** CANNOT PERMANENTLY KILL
msmsgs.exe <<- why is this messenger application so persistent?

There are many processes currently running that I don't know whether killing directly will cripple things later on (i.e. Norton's things).

I had to re-run a few of the other ANTI- TOOLS, and then HJT.

Note the daeea6b4.tmp file was still in a few places, but I have deleted these too.


Here is the newer HJT log

==================
Logfile of HijackThis v1.98.2
Scan saved at 7:17:22 PM, on 8/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mail.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/ind...showtutorial=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mail.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.treasuredmemoriesmedia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.treasuredmemoriesmedia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ADMIN_~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\SpyWareTools\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\SPYWAR~2\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Admin_Tools\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\Admin_Tools\BHODemon 2\BHODemon.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


What is Content Purity and does that cause any problems? I used it ONCE a long time ago and found some interesting things to avoid! But never used it since.

NVIEW and nwiz are still having related library failures.

I don't know what
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
is doing OR how it got there.

Now what Shelby, OR others?
Please LetMeUp.

#5 Grinler (Lawrence Abrams, Admin)

Posted 21 August 2004 - 08:27 PM

I would not worry about the progra~1 stuff. This is not uncommon.

I do not see anything wrong. You may want to download and install Firefox and use that to go to the online scanning sites.

#6 LetMeUp (Topic Starter)

Posted 25 August 2004 - 09:34 AM

:thumbsup: So far nothing seems to work.
Even using all the tools currently at hand - and I am getting a few more - I still have this parasite doing me harm.

I have a constant drain on memory and WHO KNOWS what else is being affected!

Questions:
1 - Would recovering to a time before the most recent attack (July 24-25) actually obviate this problem? Or once a nefarious thing is here, is it here to stay??

2 - IF I HAVE TO REFORMAT, HP claims that this system, an HP514n, can do this without a system disk - IS THIS SO??
I REALLY don't want to do...
What is the best way to ease the re-installation of ALL the apps, desktops, etc. that I have on this system?

Please help.
LetMeUp

#7 Grinler (Lawrence Abrams, Admin)

Posted 26 August 2004 - 12:17 PM

Do this:

Please run two online virus scans:

http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/


Then reboot and post a new log.

Also let us know if it's working better and what the scans found.



