Please help!


20 replies to this topic

#1 lorenzo_CA

  • Members
  • 37 posts

Posted 04 July 2005 - 01:42 PM

Please help. My browser locks up after about two sites. It really got bad after updating to Windows XP SP2.

Here is the log. Thanks!

Lorenzo

Logfile of HijackThis v1.99.1
Scan saved at 11:23:08 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msmsgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\nbthlp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\b.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\ZyXEL\G102\Gcc.exe
C:\Program Files\ZyXEL\G102\OdHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Documents and Settings\lorenzo\Desktop\HijackThis.exe

O1 - Hosts: 204.9.190.180 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 204.9.190.180 www3.aibgbonline.co.uk
O1 - Hosts: 204.9.190.180 www.bank.alliance-leicester.co.uk
O1 - Hosts: 204.9.190.180 login.iblogin.com
O1 - Hosts: 204.9.190.180 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 204.9.190.180 inet.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.cahoot.com
O1 - Hosts: 204.9.190.180 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 204.9.190.180 ww.hsbc.co.uk
O1 - Hosts: 204.9.190.180 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 204.9.190.180 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 204.9.190.180 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ww3.online.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ob2.nationet.com
O1 - Hosts: 204.9.190.180 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 204.9.190.180 ww1.nwolb.com
O1 - Hosts: 204.9.190.180 ww1.onlinebanking.iombank.com
O1 - Hosts: 204.9.190.180 ww1.www.rbsdigital.com
O1 - Hosts: 204.9.190.180 welcome.smile.co.uk
O1 - Hosts: 204.9.190.180 login.365online.com
O1 - Hosts: 204.9.190.180 wvw.citizensbankonline.com
O1 - Hosts: 204.9.190.180 esecure.regionsnet.com
O1 - Hosts: 204.9.190.180 rollb.associatedbank.com
O1 - Hosts: 204.9.190.180 upb.unionplanters.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 inet.southtrustonlinebanking.com
O1 - Hosts: 204.9.190.180 logon.personal.wamu.com
O1 - Hosts: 204.9.190.180 login.compassweb.com
O1 - Hosts: 204.9.190.180 logon.firstmeritib.com
O1 - Hosts: 204.9.190.180 login.ccfcuonline.org
O1 - Hosts: 204.9.190.180 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.lasallebank.com
O1 - Hosts: 204.9.190.180 wvw.totallyfreebanking.com
O1 - Hosts: 204.9.190.180 www.online.wellsfargo.com
O1 - Hosts: 204.9.190.180 ww2.onlinebanking.bankofoklahoma.com
O1 - Hosts: 204.9.190.180 accounts4.keybank.com
O1 - Hosts: 204.9.190.180 logon.bankone.com
O1 - Hosts: 204.9.190.180 www.secure.tdbanknorth.com
O1 - Hosts: 204.9.190.180 www.secure.mvnt4.com
O1 - Hosts: 204.9.190.180 ww.mynfbonline.com
O1 - Hosts: 204.9.190.180 login.forumcuonline.com
O1 - Hosts: 204.9.190.180 www.eds.usersonlnet.com
O1 - Hosts: 204.9.190.180 www.onlineid.bankofamerica.com
O1 - Hosts: 204.9.190.180 wvw.e-gold.com
O1 - Hosts: 204.9.190.180 pcbs.peoples.com
O1 - Hosts: 204.9.190.180 www.global1.onlinebank.com
O1 - Hosts: 204.9.190.180 ww2.mybranch.lafcu.com
O1 - Hosts: 204.9.190.180 login.webbanking.comerica.com
O1 - Hosts: 204.9.190.180 web.banking.firsttennessee.com
O1 - Hosts: 204.9.190.180 logon.members1st.org
O1 - Hosts: 204.9.190.180 www.cib.ibanking-services.com
O1 - Hosts: 204.9.190.180 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 204.9.190.180 wvw.paypal.com
O1 - Hosts: 204.9.190.180 www.signin.ebay.com
O1 - Hosts: 204.9.190.180 www.bvi.bancodevalencia.es
O1 - Hosts: 204.9.190.180 extrant.banesto.es
O1 - Hosts: 204.9.190.180 banesnt.banesto.es
O1 - Hosts: 204.9.190.180 activia.caixagalicia.es
O1 - Hosts: 204.9.190.180 www.bancae.caixapenedes.com
O1 - Hosts: 204.9.190.180 login.caixasabadell.net
O1 - Hosts: 204.9.190.180 oii.cajamadrid.es
O1 - Hosts: 204.9.190.180 login.cajamar.es
O1 - Hosts: 204.9.190.180 login.ccm.es
O1 - Hosts: 204.9.190.180 ww.unicaja.es
O1 - Hosts: 204.9.190.180 ww.bayernlb.de
O1 - Hosts: 204.9.190.180 ww2.berliner-volksbank.de
O1 - Hosts: 204.9.190.180 ww7.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 portal09.commerzbanking.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 www.meine.deutsche-bank.de
O1 - Hosts: 204.9.190.180 ww2.dresdner-privat.de
O1 - Hosts: 204.9.190.180 ww.e-banking.helaba.de
O1 - Hosts: 204.9.190.180 ww.hsh-nordbank.de
O1 - Hosts: 204.9.190.180 www.my.hypovereinsbank.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 www.banking.lbbw.de
O1 - Hosts: 204.9.190.180 lrp.sparkasse-banking.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-niedersachsen.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.norisbank.de
O1 - Hosts: 204.9.190.180 www.banking.postbank.de
O1 - Hosts: 204.9.190.180 ww.bics.fr
O1 - Hosts: 204.9.190.180 www.co.caixabank.fr
O1 - Hosts: 204.9.190.180 ww.creditmutuel.fr
O1 - Hosts: 204.9.190.180 internetbank.intesabci.it
O1 - Hosts: 204.9.190.180 ww.extensive.bancalombarda.it
O1 - Hosts: 204.9.190.180 wvw.csebanking.it
O1 - Hosts: 204.9.190.180 www.mybank.bybank.it
O1 - Hosts: 204.9.190.180 ww.isideonline.it
O1 - Hosts: 204.9.190.180 ww3.sella.it
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevyy32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINDOWS\System32\nbthlp.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [bASU] C:\WINDOWS\dyfudm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Cgaakn.exe
O4 - HKLM\..\Run: [afyv] C:\WINDOWS\afyv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KYM Control Settings] phqghum.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\b.exe
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKLM\..\RunServices: [KYM Control Settings] phqghum.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-102 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\G102\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120355379392
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B70C329-400B-4CBC-A6DE-6DDA562E7493}: NameServer = 64.105.132.250 64.105.166.122
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
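The log above is worth reading with a few specific checks in mind, and the script below applies them. It is an added example written for this page, not HijackThis code and not part of the helper's instructions; the heuristics (which registry keys, which directories, the fan-in threshold, the small allow-list of bare names) are the editor's own, and the embedded input is an excerpt of the log in this post plus one constructed 127.0.0.1 line. The O1 lines are the important ones: roughly ninety banking, PayPal and eBay hostnames are pinned to 204.9.190.180 in the hosts file, so the browser never asks DNS for them and every login goes straight to that address. The O23 service named lsass that runs from C:\WINDOWS\lsass.exe rather than System32, and the O4 values that run bare executables or files from the drive root or the Windows directory, are the other items it surfaces. It deliberately does not flag C:\windows\system32\elitevyy32.exe, which passes every check here, so its output is a starting point for review, not a verdict.

```python
"""Triage of HijackThis v1.99 O1, O4, O17 and O23 lines.  Added example for this
thread: the editor's code, not HijackThis and not the helper's procedure."""
import ipaddress
import ntpath
import re
from collections import defaultdict

# Excerpt of the log posted above.  The 127.0.0.1 line is constructed (an
# ad-blocking style entry) to show what the O1 check leaves alone.
SAMPLE_LOG = r"""
O1 - Hosts: 204.9.190.180 inet.barclays.co.uk
O1 - Hosts: 204.9.190.180 wvw.paypal.com
O1 - Hosts: 204.9.190.180 www.signin.ebay.com
O1 - Hosts: 204.9.190.180 www.online.wellsfargo.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevyy32.exe
O4 - HKLM\..\Run: [bASU] C:\WINDOWS\dyfudm.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\b.exe
O4 - HKLM\..\RunServices: [KYM Control Settings] phqghum.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B70C329-400B-4CBC-A6DE-6DDA562E7493}: NameServer = 64.105.132.250 64.105.166.122
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \((\w+)\) - (.*?) - (.*)$")
# Core NT binaries that live only in %SystemRoot%\System32; the same name anywhere
# else is a look-alike.  KNOWN_BARE is a constructed allow-list (editor's choice).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"}
KNOWN_BARE = {"rundll32.exe"}
PHARMING_FANIN = 3      # this many names on one outside address is a sink (editor's threshold)

def image_path(command: str) -> str:
    """First token of a Run value: a quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def mimics_system_binary(path: str) -> bool:
    base = ntpath.basename(path).lower()
    return base in SYSTEM_BINARIES and not ntpath.dirname(path).lower().endswith("\\system32")

def check_run_entry(key: str, command: str) -> list:
    """Reasons an O4 value deserves a look; an empty list means nothing noted."""
    path = image_path(command)
    directory = ntpath.dirname(path).lower()
    reasons = []
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x/ME key; XP never runs it, so it only shows intent")
    if directory == "":
        if ntpath.basename(path).lower() not in KNOWN_BARE:
            reasons.append("bare file name, resolved through the PATH search order")
    elif re.fullmatch(r"[a-z]:\\?", directory):
        reasons.append("executable in the drive root")
    elif re.fullmatch(r"[a-z]:\\windows", directory):
        reasons.append("executable directly under the Windows directory, not System32")
    if mimics_system_binary(path):
        reasons.append("core Windows binary name outside System32")
    return reasons

def triage(log_text: str) -> list:
    """Findings as dicts with keys section, severity, name, reason, line."""
    findings, hosts_by_ip = [], defaultdict(list)
    def note(section, severity, name, reason, line):
        findings.append(dict(section=section, severity=severity, name=name, reason=reason, line=line))
    for line in map(str.strip, log_text.splitlines()):
        if m := O1_RE.match(line):
            ip, host = m.groups()
            addr = ipaddress.ip_address(ip)
            if not (addr.is_loopback or addr.is_unspecified):
                hosts_by_ip[ip].append((host, line))
        elif m := O4_RE.match(line):
            _hive, key, name, command = m.groups()
            for reason in check_run_entry(key, command):
                note("O4", "review", name, reason, line)
        elif m := O17_RE.match(line):
            note("O17", "review", "NameServer",
                 f"resolver set to {m.group(1)}; confirm these are the ISP's servers", line)
        elif m := O23_RE.match(line):
            _display, svc, owner, path = m.groups()
            if mimics_system_binary(path.replace(" (file missing)", "")):
                note("O23", "high", svc, f"core Windows binary name outside System32 ({owner})", line)
    # Many names pinned to one outside address is pharming: DNS is never consulted for them.
    for ip, entries in hosts_by_ip.items():
        severity = "high" if len(entries) >= PHARMING_FANIN else "review"
        for host, line in entries:
            note("O1", severity, host, f"pinned to {ip} ({len(entries)} names on this address)", line)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:3} {f['name']}: {f['reason']}")
```

Run it against a full saved log by replacing SAMPLE_LOG with the file's contents; the O1 block will then list all of the 204.9.190.180 entries with the fan-in count, which is the quickest way to show someone why this is not a browser problem but a credential-theft setup.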


#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Location:Centerville, SD

Posted 05 July 2005 - 01:59 PM

Please confirm that you have run the following scans or run them now. Save any logs that you generate - we may need them later. Also, please provide me with a description of the problem you are experiencing. Before you ask for help read this.

Anti-spyware

Please download, update and run (one at a time of course!) Spybot Search & Destroy v1.4 and Ad-aware SE v1.06. Fix whatever they suggest.

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.


Anti-trojan
Please download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.


Anti-virus

Also, run this PC through the Panda Scan Online virus scanner.
Online Virus Scanners FAQ


Next, please reboot & post a fresh HijackThis log. If you have any problems with one part of this instruction make a note of it and continue onto the next section. Let me know any problems in your next post.

#3 lorenzo_CA

  • Topic Starter

Posted 07 July 2005 - 01:30 PM

The problem is that every time I connect to the Internet, normally via my DSL connection, the connection gets knocked down within the first 10 seconds or so of connecting to a site. This also happens when I connect over any broadband connection. I have not tried by phone yet.


I also get a process called Slinstaller try to run, but it can't find the .exe due to my AVG killing that one (partially it sounds like).

Per your instructions I have run Ad-Aware, Spy Bot and A-squared, all with the latest updates. I tried to run Panda but the connection did not stay up long enough to run the online utility. Instead I did an update to AVG and ran a full scan on my system. Ad-Aware found 25 data miners and 3 malwares all of which were removed. Spybot found 4 or 5 problems which were removed. AVG found no problems, but it did say a few programs were "Changed", but I don't know what that means.

I believe these problems started happening after I did some Microsoft XP updates. It got the worst after doing XP SP2 updates. I also read about a similar problem and Microsoft issued a patch to fix it. I installed the patch, but it did not help at all.

Here is my HijackThis log. I did not try to fix anything and I have not turned off any processes with MSConfig.

Thanks for your help.

Bill


Logfile of HijackThis v1.99.1
Scan saved at 11:03:13 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msmsgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\nbthlp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\b.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\ZyXEL\G102\Gcc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZyXEL\G102\OdHost.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Documents and Settings\lorenzo\Desktop\HijackThis.exe

O1 - Hosts: 204.9.190.180 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 204.9.190.180 www3.aibgbonline.co.uk
O1 - Hosts: 204.9.190.180 www.bank.alliance-leicester.co.uk
O1 - Hosts: 204.9.190.180 login.iblogin.com
O1 - Hosts: 204.9.190.180 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 204.9.190.180 inet.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.cahoot.com
O1 - Hosts: 204.9.190.180 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 204.9.190.180 ww.hsbc.co.uk
O1 - Hosts: 204.9.190.180 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 204.9.190.180 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 204.9.190.180 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ww3.online.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ob2.nationet.com
O1 - Hosts: 204.9.190.180 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 204.9.190.180 ww1.nwolb.com
O1 - Hosts: 204.9.190.180 ww1.onlinebanking.iombank.com
O1 - Hosts: 204.9.190.180 ww1.www.rbsdigital.com
O1 - Hosts: 204.9.190.180 welcome.smile.co.uk
O1 - Hosts: 204.9.190.180 login.365online.com
O1 - Hosts: 204.9.190.180 wvw.citizensbankonline.com
O1 - Hosts: 204.9.190.180 esecure.regionsnet.com
O1 - Hosts: 204.9.190.180 rollb.associatedbank.com
O1 - Hosts: 204.9.190.180 upb.unionplanters.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 inet.southtrustonlinebanking.com
O1 - Hosts: 204.9.190.180 logon.personal.wamu.com
O1 - Hosts: 204.9.190.180 login.compassweb.com
O1 - Hosts: 204.9.190.180 logon.firstmeritib.com
O1 - Hosts: 204.9.190.180 login.ccfcuonline.org
O1 - Hosts: 204.9.190.180 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.lasallebank.com
O1 - Hosts: 204.9.190.180 wvw.totallyfreebanking.com
O1 - Hosts: 204.9.190.180 www.online.wellsfargo.com
O1 - Hosts: 204.9.190.180 ww2.onlinebanking.bankofoklahoma.com
O1 - Hosts: 204.9.190.180 accounts4.keybank.com
O1 - Hosts: 204.9.190.180 logon.bankone.com
O1 - Hosts: 204.9.190.180 www.secure.tdbanknorth.com
O1 - Hosts: 204.9.190.180 www.secure.mvnt4.com
O1 - Hosts: 204.9.190.180 ww.mynfbonline.com
O1 - Hosts: 204.9.190.180 login.forumcuonline.com
O1 - Hosts: 204.9.190.180 www.eds.usersonlnet.com
O1 - Hosts: 204.9.190.180 www.onlineid.bankofamerica.com
O1 - Hosts: 204.9.190.180 wvw.e-gold.com
O1 - Hosts: 204.9.190.180 pcbs.peoples.com
O1 - Hosts: 204.9.190.180 www.global1.onlinebank.com
O1 - Hosts: 204.9.190.180 ww2.mybranch.lafcu.com
O1 - Hosts: 204.9.190.180 login.webbanking.comerica.com
O1 - Hosts: 204.9.190.180 web.banking.firsttennessee.com
O1 - Hosts: 204.9.190.180 logon.members1st.org
O1 - Hosts: 204.9.190.180 www.cib.ibanking-services.com
O1 - Hosts: 204.9.190.180 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 204.9.190.180 wvw.paypal.com
O1 - Hosts: 204.9.190.180 www.signin.ebay.com
O1 - Hosts: 204.9.190.180 www.bvi.bancodevalencia.es
O1 - Hosts: 204.9.190.180 extrant.banesto.es
O1 - Hosts: 204.9.190.180 banesnt.banesto.es
O1 - Hosts: 204.9.190.180 activia.caixagalicia.es
O1 - Hosts: 204.9.190.180 www.bancae.caixapenedes.com
O1 - Hosts: 204.9.190.180 login.caixasabadell.net
O1 - Hosts: 204.9.190.180 oii.cajamadrid.es
O1 - Hosts: 204.9.190.180 login.cajamar.es
O1 - Hosts: 204.9.190.180 login.ccm.es
O1 - Hosts: 204.9.190.180 ww.unicaja.es
O1 - Hosts: 204.9.190.180 ww.bayernlb.de
O1 - Hosts: 204.9.190.180 ww2.berliner-volksbank.de
O1 - Hosts: 204.9.190.180 ww7.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 portal09.commerzbanking.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 www.meine.deutsche-bank.de
O1 - Hosts: 204.9.190.180 ww2.dresdner-privat.de
O1 - Hosts: 204.9.190.180 ww.e-banking.helaba.de
O1 - Hosts: 204.9.190.180 ww.hsh-nordbank.de
O1 - Hosts: 204.9.190.180 www.my.hypovereinsbank.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 www.banking.lbbw.de
O1 - Hosts: 204.9.190.180 lrp.sparkasse-banking.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-niedersachsen.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.norisbank.de
O1 - Hosts: 204.9.190.180 www.banking.postbank.de
O1 - Hosts: 204.9.190.180 ww.bics.fr
O1 - Hosts: 204.9.190.180 www.co.caixabank.fr
O1 - Hosts: 204.9.190.180 ww.creditmutuel.fr
O1 - Hosts: 204.9.190.180 internetbank.intesabci.it
O1 - Hosts: 204.9.190.180 ww.extensive.bancalombarda.it
O1 - Hosts: 204.9.190.180 wvw.csebanking.it
O1 - Hosts: 204.9.190.180 www.mybank.bybank.it
O1 - Hosts: 204.9.190.180 ww.isideonline.it
O1 - Hosts: 204.9.190.180 ww3.sella.it
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevyy32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINDOWS\System32\nbthlp.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [bASU] C:\WINDOWS\dyfudm.exe
O4 - HKLM\..\Run: [afyv] C:\WINDOWS\afyv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KYM Control Settings] phqghum.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\b.exe
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKLM\..\RunServices: [KYM Control Settings] phqghum.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-102 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\G102\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120355379392
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#4 groovicus

Posted 07 July 2005 - 05:21 PM

Ok we'll do this manually then.

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

O1 - Hosts: 204.9.190.180 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 204.9.190.180 www3.aibgbonline.co.uk
O1 - Hosts: 204.9.190.180 www.bank.alliance-leicester.co.uk
O1 - Hosts: 204.9.190.180 login.iblogin.com
O1 - Hosts: 204.9.190.180 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 204.9.190.180 inet.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.cahoot.com
O1 - Hosts: 204.9.190.180 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 204.9.190.180 ww.hsbc.co.uk
O1 - Hosts: 204.9.190.180 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 204.9.190.180 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 204.9.190.180 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ww3.online.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ob2.nationet.com
O1 - Hosts: 204.9.190.180 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 204.9.190.180 ww1.nwolb.com
O1 - Hosts: 204.9.190.180 ww1.onlinebanking.iombank.com
O1 - Hosts: 204.9.190.180 ww1.www.rbsdigital.com
O1 - Hosts: 204.9.190.180 welcome.smile.co.uk
O1 - Hosts: 204.9.190.180 login.365online.com
O1 - Hosts: 204.9.190.180 wvw.citizensbankonline.com
O1 - Hosts: 204.9.190.180 esecure.regionsnet.com
O1 - Hosts: 204.9.190.180 rollb.associatedbank.com
O1 - Hosts: 204.9.190.180 upb.unionplanters.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 inet.southtrustonlinebanking.com
O1 - Hosts: 204.9.190.180 logon.personal.wamu.com
O1 - Hosts: 204.9.190.180 login.compassweb.com
O1 - Hosts: 204.9.190.180 logon.firstmeritib.com
O1 - Hosts: 204.9.190.180 login.ccfcuonline.org
O1 - Hosts: 204.9.190.180 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.lasallebank.com
O1 - Hosts: 204.9.190.180 wvw.totallyfreebanking.com
O1 - Hosts: 204.9.190.180 www.online.wellsfargo.com
O1 - Hosts: 204.9.190.180 ww2.onlinebanking.bankofoklahoma.com
O1 - Hosts: 204.9.190.180 accounts4.keybank.com
O1 - Hosts: 204.9.190.180 logon.bankone.com
O1 - Hosts: 204.9.190.180 www.secure.tdbanknorth.com
O1 - Hosts: 204.9.190.180 www.secure.mvnt4.com
O1 - Hosts: 204.9.190.180 ww.mynfbonline.com
O1 - Hosts: 204.9.190.180 login.forumcuonline.com
O1 - Hosts: 204.9.190.180 www.eds.usersonlnet.com
O1 - Hosts: 204.9.190.180 www.onlineid.bankofamerica.com
O1 - Hosts: 204.9.190.180 wvw.e-gold.com
O1 - Hosts: 204.9.190.180 pcbs.peoples.com
O1 - Hosts: 204.9.190.180 www.global1.onlinebank.com
O1 - Hosts: 204.9.190.180 ww2.mybranch.lafcu.com
O1 - Hosts: 204.9.190.180 login.webbanking.comerica.com
O1 - Hosts: 204.9.190.180 web.banking.firsttennessee.com
O1 - Hosts: 204.9.190.180 logon.members1st.org
O1 - Hosts: 204.9.190.180 www.cib.ibanking-services.com
O1 - Hosts: 204.9.190.180 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 204.9.190.180 wvw.paypal.com
O1 - Hosts: 204.9.190.180 www.signin.ebay.com
O1 - Hosts: 204.9.190.180 www.bvi.bancodevalencia.es
O1 - Hosts: 204.9.190.180 extrant.banesto.es
O1 - Hosts: 204.9.190.180 banesnt.banesto.es
O1 - Hosts: 204.9.190.180 activia.caixagalicia.es
O1 - Hosts: 204.9.190.180 www.bancae.caixapenedes.com
O1 - Hosts: 204.9.190.180 login.caixasabadell.net
O1 - Hosts: 204.9.190.180 oii.cajamadrid.es
O1 - Hosts: 204.9.190.180 login.cajamar.es
O1 - Hosts: 204.9.190.180 login.ccm.es
O1 - Hosts: 204.9.190.180 ww.unicaja.es
O1 - Hosts: 204.9.190.180 ww.bayernlb.de
O1 - Hosts: 204.9.190.180 ww2.berliner-volksbank.de
O1 - Hosts: 204.9.190.180 ww7.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 portal09.commerzbanking.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 www.meine.deutsche-bank.de
O1 - Hosts: 204.9.190.180 ww2.dresdner-privat.de
O1 - Hosts: 204.9.190.180 ww.e-banking.helaba.de
O1 - Hosts: 204.9.190.180 ww.hsh-nordbank.de
O1 - Hosts: 204.9.190.180 www.my.hypovereinsbank.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 www.banking.lbbw.de
O1 - Hosts: 204.9.190.180 lrp.sparkasse-banking.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-niedersachsen.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.norisbank.de
O1 - Hosts: 204.9.190.180 www.banking.postbank.de
O1 - Hosts: 204.9.190.180 ww.bics.fr
O1 - Hosts: 204.9.190.180 www.co.caixabank.fr
O1 - Hosts: 204.9.190.180 ww.creditmutuel.fr
O1 - Hosts: 204.9.190.180 internetbank.intesabci.it
O1 - Hosts: 204.9.190.180 ww.extensive.bancalombarda.it
O1 - Hosts: 204.9.190.180 wvw.csebanking.it
O1 - Hosts: 204.9.190.180 www.mybank.bybank.it
O1 - Hosts: 204.9.190.180 ww.isideonline.it
O1 - Hosts: 204.9.190.180 ww3.sella.it
O4 - HKLM\..\Run: [bASU] C:\WINDOWS\dyfudm.exe
O4 - HKLM\..\Run: [afyv] C:\WINDOWS\afyv.exe
O4 - HKLM\..\Run: [KYM Control Settings] phqghum.EXE
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
***********************************************************************

Reboot and post a new log please.
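When HijackThis fixes a checked O1 line it deletes that line from the hosts file. The script below is an added example (the editor's code, not HijackThis and not the helper's procedure) that does the same clean-up directly on the file and reports what it removed, grouped by the address the names were pointed at, which is the number that tells you how much of the file was a pharming map. The embedded input is a constructed hosts file carrying a handful of the entries reported in this thread, one of them with a trailing comment, one tab-separated and one with two hostnames on a single line as the format allows, plus a 127.0.0.1 ad-blocking style line that must survive. HOSTS_PATH is XP's default location; the backup suffix is an assumption.

```python
"""Clean a Windows hosts file that has been turned into a pharming map.  Added
example for this thread: the editor's code, not HijackThis and not the helper's
procedure.  Comment lines, blank lines and entries that point at a loopback or
unspecified address are kept; everything else is removed and reported."""
import ipaddress
import shutil
from collections import defaultdict

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # XP default location
BACKUP_SUFFIX = ".pharming.bak"                            # assumption

# Constructed input: a header comment, the stock localhost line, a few of the
# entries reported as O1 lines in this thread (one with a trailing comment, one
# tab-separated, one carrying two names on a single line, which the hosts format
# allows), and one 127.0.0.1 ad-blocking style line that must be kept.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
204.9.190.180 inet.barclays.co.uk
204.9.190.180 wvw.paypal.com
204.9.190.180 www.signin.ebay.com   # trailing comment
204.9.190.180\tww3.sella.it
204.9.190.180 ww1.nwolb.com ww1.onlinebanking.iombank.com
127.0.0.1 ads.example.invalid
"""

def split_entry(line: str):
    """(address, [hostnames]) for an entry line, or None for comments and blanks."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], fields[1:]

def is_local(address: str) -> bool:
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, the only targets a home PC's
    hosts file should normally carry."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False            # not even an address: do not keep it
    return addr.is_loopback or addr.is_unspecified

def sanitize(text: str):
    """Return (cleaned text, {address: [hostnames removed]})."""
    kept, removed = [], defaultdict(list)
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None or is_local(entry[0]):
            kept.append(line)
        else:
            address, names = entry
            removed[address].extend(names)
    return "\n".join(kept) + "\n", dict(removed)

def report(removed: dict) -> str:
    """One block per target address, largest fan-in first."""
    out = []
    for address, names in sorted(removed.items(), key=lambda kv: -len(kv[1])):
        out.append(f"{address}: {len(names)} hostnames redirected")
        out.extend("    " + n for n in names)
    return "\n".join(out)

def clean_file(path: str = HOSTS_PATH) -> dict:
    """Back the file up, rewrite it without the redirects, return what was removed."""
    with open(path, encoding="latin-1") as fh:      # hosts is ANSI text; latin-1 round-trips every byte
        text = fh.read()
    cleaned, removed = sanitize(text)
    if removed:
        shutil.copyfile(path, path + BACKUP_SUFFIX)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(cleaned)
    return removed

if __name__ == "__main__":
    cleaned, removed = sanitize(SAMPLE_HOSTS)
    print(report(removed))
    print("--- cleaned file ---")
    print(cleaned, end="")
```

Two caveats before relying on the rewrite. The file is often set hidden, system or read-only, so clear those attributes first (attrib -r -s -h hosts) or the write fails, and check that HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath still points at %SystemRoot%\system32\drivers\etc, since that value is where the resolver looks. More importantly, the log posted in the next reply, taken after the fix and a reboot, still lists every 204.9.190.180 entry: a cleaned hosts file that fills back up is the sign that whatever wrote it is still running, and the clean-up only becomes durable once that process and its Run entries are gone.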

#5 lorenzo_CA

  • Topic Starter

Posted 07 July 2005 - 07:34 PM

Here it is.

Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 5:29:40 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msmsgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\nbthlp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\b.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\ZyXEL\G102\Gcc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZyXEL\G102\OdHost.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Documents and Settings\lorenzo\Desktop\HijackThis.exe

O1 - Hosts: 204.9.190.180 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 204.9.190.180 www3.aibgbonline.co.uk
O1 - Hosts: 204.9.190.180 www.bank.alliance-leicester.co.uk
O1 - Hosts: 204.9.190.180 login.iblogin.com
O1 - Hosts: 204.9.190.180 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 204.9.190.180 inet.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.barclays.co.uk
O1 - Hosts: 204.9.190.180 iibank.cahoot.com
O1 - Hosts: 204.9.190.180 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 204.9.190.180 ww.hsbc.co.uk
O1 - Hosts: 204.9.190.180 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 204.9.190.180 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 204.9.190.180 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ww3.online.lloydstsb.co.uk
O1 - Hosts: 204.9.190.180 ob2.nationet.com
O1 - Hosts: 204.9.190.180 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 204.9.190.180 ww1.nwolb.com
O1 - Hosts: 204.9.190.180 ww1.onlinebanking.iombank.com
O1 - Hosts: 204.9.190.180 ww1.www.rbsdigital.com
O1 - Hosts: 204.9.190.180 welcome.smile.co.uk
O1 - Hosts: 204.9.190.180 login.365online.com
O1 - Hosts: 204.9.190.180 wvw.citizensbankonline.com
O1 - Hosts: 204.9.190.180 esecure.regionsnet.com
O1 - Hosts: 204.9.190.180 rollb.associatedbank.com
O1 - Hosts: 204.9.190.180 upb.unionplanters.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 inet.southtrustonlinebanking.com
O1 - Hosts: 204.9.190.180 logon.personal.wamu.com
O1 - Hosts: 204.9.190.180 login.compassweb.com
O1 - Hosts: 204.9.190.180 logon.firstmeritib.com
O1 - Hosts: 204.9.190.180 login.ccfcuonline.org
O1 - Hosts: 204.9.190.180 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 204.9.190.180 www.onlinebanking.lasallebank.com
O1 - Hosts: 204.9.190.180 wvw.totallyfreebanking.com
O1 - Hosts: 204.9.190.180 www.online.wellsfargo.com
O1 - Hosts: 204.9.190.180 ww2.onlinebanking.bankofoklahoma.com
O1 - Hosts: 204.9.190.180 accounts4.keybank.com
O1 - Hosts: 204.9.190.180 logon.bankone.com
O1 - Hosts: 204.9.190.180 www.secure.tdbanknorth.com
O1 - Hosts: 204.9.190.180 www.secure.mvnt4.com
O1 - Hosts: 204.9.190.180 ww.mynfbonline.com
O1 - Hosts: 204.9.190.180 login.forumcuonline.com
O1 - Hosts: 204.9.190.180 www.eds.usersonlnet.com
O1 - Hosts: 204.9.190.180 www.onlineid.bankofamerica.com
O1 - Hosts: 204.9.190.180 wvw.e-gold.com
O1 - Hosts: 204.9.190.180 pcbs.peoples.com
O1 - Hosts: 204.9.190.180 www.global1.onlinebank.com
O1 - Hosts: 204.9.190.180 ww2.mybranch.lafcu.com
O1 - Hosts: 204.9.190.180 login.webbanking.comerica.com
O1 - Hosts: 204.9.190.180 web.banking.firsttennessee.com
O1 - Hosts: 204.9.190.180 logon.members1st.org
O1 - Hosts: 204.9.190.180 www.cib.ibanking-services.com
O1 - Hosts: 204.9.190.180 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 204.9.190.180 wvw.paypal.com
O1 - Hosts: 204.9.190.180 www.signin.ebay.com
O1 - Hosts: 204.9.190.180 www.bvi.bancodevalencia.es
O1 - Hosts: 204.9.190.180 extrant.banesto.es
O1 - Hosts: 204.9.190.180 banesnt.banesto.es
O1 - Hosts: 204.9.190.180 activia.caixagalicia.es
O1 - Hosts: 204.9.190.180 www.bancae.caixapenedes.com
O1 - Hosts: 204.9.190.180 login.caixasabadell.net
O1 - Hosts: 204.9.190.180 oii.cajamadrid.es
O1 - Hosts: 204.9.190.180 login.cajamar.es
O1 - Hosts: 204.9.190.180 login.ccm.es
O1 - Hosts: 204.9.190.180 ww.unicaja.es
O1 - Hosts: 204.9.190.180 ww.bayernlb.de
O1 - Hosts: 204.9.190.180 ww2.berliner-volksbank.de
O1 - Hosts: 204.9.190.180 ww7.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 portal09.commerzbanking.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.huntington.com
O1 - Hosts: 204.9.190.180 www.meine.deutsche-bank.de
O1 - Hosts: 204.9.190.180 ww2.dresdner-privat.de
O1 - Hosts: 204.9.190.180 ww.e-banking.helaba.de
O1 - Hosts: 204.9.190.180 ww.hsh-nordbank.de
O1 - Hosts: 204.9.190.180 www.my.hypovereinsbank.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-berlin.de
O1 - Hosts: 204.9.190.180 www.banking.lbbw.de
O1 - Hosts: 204.9.190.180 lrp.sparkasse-banking.de
O1 - Hosts: 204.9.190.180 ww3.homebanking-niedersachsen.de
O1 - Hosts: 204.9.190.180 www.onlinebanking.norisbank.de
O1 - Hosts: 204.9.190.180 www.banking.postbank.de
O1 - Hosts: 204.9.190.180 ww.bics.fr
O1 - Hosts: 204.9.190.180 www.co.caixabank.fr
O1 - Hosts: 204.9.190.180 ww.creditmutuel.fr
O1 - Hosts: 204.9.190.180 internetbank.intesabci.it
O1 - Hosts: 204.9.190.180 ww.extensive.bancalombarda.it
O1 - Hosts: 204.9.190.180 wvw.csebanking.it
O1 - Hosts: 204.9.190.180 www.mybank.bybank.it
O1 - Hosts: 204.9.190.180 ww.isideonline.it
O1 - Hosts: 204.9.190.180 ww3.sella.it
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevyy32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINDOWS\System32\nbthlp.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\b.exe
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKLM\..\RunServices: [KYM Control Settings] phqghum.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-102 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\G102\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120355379392
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B70C329-400B-4CBC-A6DE-6DDA562E7493}: NameServer = 64.105.132.250 64.105.166.122
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#6 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 07 July 2005 - 07:38 PM

Umm.. did you reboot? Did you have your browser closed? Almost everything is still there? Did you get any error messages? :thumbsup:

#7 lorenzo_CA

  • Topic Starter
  • Members
  • 37 posts

Posted 08 July 2005 - 02:42 AM

It's possible, but I can swear I did all that the first time. But just in case, I re-did all that again and here is what happened...

Upon fixing the remaining items again (all other windows closed) and rebooting, the host entries did go away and the last remaining .exe file reference went away. However, I forgot to open the log file, so I just re-ran the Hijack listing using the log file option button. Then when it ran, out of nowhere the O1 hosts entries re-appeared; however, the .exe file did not reappear.

Hope that made sense.

So it looks like all of the .exe references are all gone, but the host file entries keep coming back.

Any thoughts???

Lorenzo_CA

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 12:24:36 AM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msmsgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\nbthlp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\b.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZyXEL\G102\Gcc.exe
C:\Program Files\ZyXEL\G102\OdHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\lorenzo\Desktop\HijackThis.exe

O1 - Hosts: (null) onlineaccounts2.abbeynational.co.uk
O1 - Hosts: (null) www3.aibgbonline.co.uk
O1 - Hosts: (null) www.bank.alliance-leicester.co.uk
O1 - Hosts: (null) login.iblogin.com
O1 - Hosts: (null) ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: (null) inet.barclays.co.uk
O1 - Hosts: (null) iibank.barclays.co.uk
O1 - Hosts: (null) iibank.cahoot.com
O1 - Hosts: (null) www3.coventrybuildingsociety.co.uk
O1 - Hosts: (null) ww.hsbc.co.uk
O1 - Hosts: (null) login.ebank.offshore.hsbc.co.je
O1 - Hosts: (null) ww3.online-offshore.lloydstsb.com
O1 - Hosts: (null) ww3.online-business.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online.lloydstsb.co.uk
O1 - Hosts: (null) ob2.nationet.com
O1 - Hosts: (null) ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: (null) ww1.nwolb.com
O1 - Hosts: (null) ww1.onlinebanking.iombank.com
O1 - Hosts: (null) ww1.www.rbsdigital.com
O1 - Hosts: (null) welcome.smile.co.uk
O1 - Hosts: (null) login.365online.com
O1 - Hosts: (null) wvw.citizensbankonline.com
O1 - Hosts: (null) esecure.regionsnet.com
O1 - Hosts: (null) rollb.associatedbank.com
O1 - Hosts: (null) upb.unionplanters.com
O1 - Hosts: (null) www.onlinebanking.huntington.com
O1 - Hosts: (null) inet.southtrustonlinebanking.com
O1 - Hosts: (null) logon.personal.wamu.com
O1 - Hosts: (null) login.compassweb.com
O1 - Hosts: (null) logon.firstmeritib.com
O1 - Hosts: (null) login.ccfcuonline.org
O1 - Hosts: (null) ww3.etimebanker.bankofthewest.com
O1 - Hosts: (null) www.onlinebanking.lasallebank.com
O1 - Hosts: (null) wvw.totallyfreebanking.com
O1 - Hosts: (null) www.online.wellsfargo.com
O1 - Hosts: (null) ww2.onlinebanking.bankofoklahoma.com
O1 - Hosts: (null) accounts4.keybank.com
O1 - Hosts: (null) logon.bankone.com
O1 - Hosts: (null) www.secure.tdbanknorth.com
O1 - Hosts: (null) www.secure.mvnt4.com
O1 - Hosts: (null) ww.mynfbonline.com
O1 - Hosts: (null) login.forumcuonline.com
O1 - Hosts: (null) www.eds.usersonlnet.com
O1 - Hosts: (null) www.onlineid.bankofamerica.com
O1 - Hosts: (null) wvw.e-gold.com
O1 - Hosts: (null) pcbs.peoples.com
O1 - Hosts: (null) www.global1.onlinebank.com
O1 - Hosts: (null) ww2.mybranch.lafcu.com
O1 - Hosts: (null) login.webbanking.comerica.com
O1 - Hosts: (null) web.banking.firsttennessee.com
O1 - Hosts: (null) logon.members1st.org
O1 - Hosts: (null) www.cib.ibanking-services.com
O1 - Hosts: (null) www.miwebbusbank.ebanking-services.com
O1 - Hosts: (null) wvw.paypal.com
O1 - Hosts: (null) www.signin.ebay.com
O1 - Hosts: (null) www.bvi.bancodevalencia.es
O1 - Hosts: (null) extrant.banesto.es
O1 - Hosts: (null) banesnt.banesto.es
O1 - Hosts: (null) activia.caixagalicia.es
O1 - Hosts: (null) www.bancae.caixapenedes.com
O1 - Hosts: (null) login.caixasabadell.net
O1 - Hosts: (null) oii.cajamadrid.es
O1 - Hosts: (null) login.cajamar.es
O1 - Hosts: (null) login.ccm.es
O1 - Hosts: (null) ww.unicaja.es
O1 - Hosts: (null) ww.bayernlb.de
O1 - Hosts: (null) ww2.berliner-volksbank.de
O1 - Hosts: (null) ww7.homebanking-berlin.de
O1 - Hosts: (null) portal09.commerzbanking.de
O1 - Hosts: (null) www.onlinebanking.huntington.com
O1 - Hosts: (null) www.meine.deutsche-bank.de
O1 - Hosts: (null) ww2.dresdner-privat.de
O1 - Hosts: (null) ww.e-banking.helaba.de
O1 - Hosts: (null) ww.hsh-nordbank.de
O1 - Hosts: (null) www.my.hypovereinsbank.de
O1 - Hosts: (null) ww3.homebanking-berlin.de
O1 - Hosts: (null) www.banking.lbbw.de
O1 - Hosts: (null) lrp.sparkasse-banking.de
O1 - Hosts: (null) ww3.homebanking-niedersachsen.de
O1 - Hosts: (null) www.onlinebanking.norisbank.de
O1 - Hosts: (null) www.banking.postbank.de
O1 - Hosts: (null) ww.bics.fr
O1 - Hosts: (null) www.co.caixabank.fr
O1 - Hosts: (null) ww.creditmutuel.fr
O1 - Hosts: (null) internetbank.intesabci.it
O1 - Hosts: (null) ww.extensive.bancalombarda.it
O1 - Hosts: (null) wvw.csebanking.it
O1 - Hosts: (null) www.mybank.bybank.it
O1 - Hosts: (null) ww.isideonline.it
O1 - Hosts: (null) ww3.sella.it
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevyy32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINDOWS\System32\nbthlp.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\b.exe
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-102 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\G102\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120355379392
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#8 lorenzo_CA

  • Topic Starter
  • Members
  • 37 posts

Posted 08 July 2005 - 02:45 AM

One other note... notice that the host entries that came back now resolve to null. Before, they went to 204.9.190.180. I was going to see where that IP address goes, but I'm afraid it would re-infect my machine again if I went there.
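The two forms of the O1 entries discussed in this thread (a block of hostnames all pointed at one address, and the same hostnames left with a "(null)" address) are what a hosts-file redirect looks like in a HijackThis log. As an added example, not part of this thread, the following Python helper triages such lines offline instead of reading ninety of them by eye: it parses "O1 - Hosts:" lines, flags any hostname pointed at a non-loopback address or left with no address, groups hostnames by target so a single address owning dozens of banking hosts stands out, and applies an edit-distance heuristic to catch leading labels one character away from "www" (such as the "wvw." and "ww." names in the log). The sample lines are constructed to match the log format above; the lookalike rule is a heuristic and will also flag legitimate "www3"-style hosts for review.

```python
"""Triage HijackThis 'O1 - Hosts:' lines for signs of a hosts-file redirect.

Added example for offline analysis of a saved log; the sample lines below
are constructed to match the format seen in the thread.
"""
import re
from collections import defaultdict

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Addresses a hosts entry may legitimately point at (block lists use these).
HARMLESS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def levenshtein(a, b):
    """Edit distance between two short strings (classic DP, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_www_lookalike(label):
    """True for leading labels one edit away from 'www' (wvw, ww, ww1, www3...)."""
    label = label.lower()
    return label != "www" and levenshtein(label, "www") <= 1


def parse_o1(line):
    """Return (address, hostname) for an O1 line, or None for any other line."""
    m = O1_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def triage(lines):
    """Return (findings, hosts_by_target) for a list of HijackThis log lines."""
    findings = []
    hosts_by_target = defaultdict(list)
    for line in lines:
        parsed = parse_o1(line)
        if parsed is None:
            continue
        addr, host = parsed
        reasons = []
        if addr == "(null)":
            reasons.append("no address recorded (malformed or half-cleaned entry)")
        elif addr not in HARMLESS_TARGETS:
            reasons.append(f"redirected to non-loopback address {addr}")
        first_label = host.split(".")[0]
        if is_www_lookalike(first_label):
            reasons.append(f"leading label '{first_label}' is one edit from 'www'")
        if reasons:
            findings.append({"host": host, "addr": addr, "reasons": reasons})
            hosts_by_target[addr].append(host)
    return findings, dict(hosts_by_target)


def mass_redirect_targets(hosts_by_target, threshold=3):
    """Addresses that own at least `threshold` hostnames: the pharming signature."""
    return sorted(a for a, hosts in hosts_by_target.items() if len(hosts) >= threshold)


# Constructed sample: two benign entries, four hijacked ones, one non-O1 line.
SAMPLE_LINES = [
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: 0.0.0.0 adserver.example",
    "O1 - Hosts: 204.9.190.180 wvw.paypal.com",
    "O1 - Hosts: 204.9.190.180 www.online.wellsfargo.com",
    "O1 - Hosts: 204.9.190.180 ww1.nwolb.com",
    "O1 - Hosts: (null) ww.hsbc.co.uk",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
]

if __name__ == "__main__":
    found, by_target = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f['addr']:>15}  {f['host']:<35} {'; '.join(f['reasons'])}")
    print("mass-redirect targets:", mass_redirect_targets(by_target))
```

Run against a full log, the grouping is the useful part: one address owning every banking hostname in the file is the redirect itself, while a "(null)" group shows entries that survived a partial clean-up and still need removing.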

#9 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 08 July 2005 - 09:59 AM

The page they go to is down.. (I already checked it out :thumbsup: )

I think we need to try and reset your hosts file, and I need a sample of one of the files on your system so I can take a peek. To be perfectly honest, you have a peculiar mix of symptoms...

I need you to submit a file please. Go here:
http://www.bleepingcomputer.com/submit-malware.php

Paste the following into the submit box: C:\windows\system32\elitevyy32.exe

Once you have done that:

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
http://members.aol.com/toadbee/hoster.zip

Reboot and post a new log. Once I get a look at the file you submit, I will be ready to proceed. :flowers:

#10 lorenzo_CA

  • Topic Starter
  • Members
  • 37 posts

Posted 10 July 2005 - 02:16 PM

Quick reply:

C:\windows\system32\elitevyy32.exe is not on my system.


I am not able to download http://members.aol.com/toadbee/hoster.zip. The location appears to be unavailable. Can you check that for me, please?

Thanks.

L

#11 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 10 July 2005 - 02:28 PM

I just downloaded it. If you can't get it, open HJT, click on config>misc tools>Open Hosts file manager, and then delete the following entries:
O1 - Hosts: (null) onlineaccounts2.abbeynational.co.uk
O1 - Hosts: (null) www3.aibgbonline.co.uk
O1 - Hosts: (null) www.bank.alliance-leicester.co.uk
O1 - Hosts: (null) login.iblogin.com
O1 - Hosts: (null) ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: (null) inet.barclays.co.uk
O1 - Hosts: (null) iibank.barclays.co.uk
O1 - Hosts: (null) iibank.cahoot.com
O1 - Hosts: (null) www3.coventrybuildingsociety.co.uk
O1 - Hosts: (null) ww.hsbc.co.uk
O1 - Hosts: (null) login.ebank.offshore.hsbc.co.je
O1 - Hosts: (null) ww3.online-offshore.lloydstsb.com
O1 - Hosts: (null) ww3.online-business.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online.lloydstsb.co.uk
O1 - Hosts: (null) ob2.nationet.com
O1 - Hosts: (null) ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: (null) ww1.nwolb.com
O1 - Hosts: (null) ww1.onlinebanking.iombank.com
O1 - Hosts: (null) ww1.www.rbsdigital.com
O1 - Hosts: (null) welcome.smile.co.uk
O1 - Hosts: (null) login.365online.com
O1 - Hosts: (null) wvw.citizensbankonline.com
O1 - Hosts: (null) esecure.regionsnet.com
O1 - Hosts: (null) rollb.associatedbank.com
O1 - Hosts: (null) upb.unionplanters.com
O1 - Hosts: (null) www.onlinebanking.huntington.com
O1 - Hosts: (null) inet.southtrustonlinebanking.com
O1 - Hosts: (null) logon.personal.wamu.com
O1 - Hosts: (null) login.compassweb.com
O1 - Hosts: (null) logon.firstmeritib.com
O1 - Hosts: (null) login.ccfcuonline.org
O1 - Hosts: (null) ww3.etimebanker.bankofthewest.com
O1 - Hosts: (null) www.onlinebanking.lasallebank.com
O1 - Hosts: (null) wvw.totallyfreebanking.com
O1 - Hosts: (null) www.online.wellsfargo.com
O1 - Hosts: (null) ww2.onlinebanking.bankofoklahoma.com
O1 - Hosts: (null) accounts4.keybank.com
O1 - Hosts: (null) logon.bankone.com
O1 - Hosts: (null) www.secure.tdbanknorth.com
O1 - Hosts: (null) www.secure.mvnt4.com
O1 - Hosts: (null) ww.mynfbonline.com
O1 - Hosts: (null) login.forumcuonline.com
O1 - Hosts: (null) www.eds.usersonlnet.com
O1 - Hosts: (null) www.onlineid.bankofamerica.com
O1 - Hosts: (null) wvw.e-gold.com
O1 - Hosts: (null) pcbs.peoples.com
O1 - Hosts: (null) www.global1.onlinebank.com
O1 - Hosts: (null) ww2.mybranch.lafcu.com
O1 - Hosts: (null) login.webbanking.comerica.com
O1 - Hosts: (null) web.banking.firsttennessee.com
O1 - Hosts: (null) logon.members1st.org
O1 - Hosts: (null) www.cib.ibanking-services.com
O1 - Hosts: (null) www.miwebbusbank.ebanking-services.com
O1 - Hosts: (null) wvw.paypal.com
O1 - Hosts: (null) www.signin.ebay.com
O1 - Hosts: (null) www.bvi.bancodevalencia.es
O1 - Hosts: (null) extrant.banesto.es
O1 - Hosts: (null) banesnt.banesto.es
O1 - Hosts: (null) activia.caixagalicia.es
O1 - Hosts: (null) www.bancae.caixapenedes.com
O1 - Hosts: (null) login.caixasabadell.net
O1 - Hosts: (null) oii.cajamadrid.es
O1 - Hosts: (null) login.cajamar.es
O1 - Hosts: (null) login.ccm.es
O1 - Hosts: (null) ww.unicaja.es
O1 - Hosts: (null) ww.bayernlb.de
O1 - Hosts: (null) ww2.berliner-volksbank.de
O1 - Hosts: (null) ww7.homebanking-berlin.de
O1 - Hosts: (null) portal09.commerzbanking.de
O1 - Hosts: (null) www.onlinebanking.huntington.com
O1 - Hosts: (null) www.meine.deutsche-bank.de
O1 - Hosts: (null) ww2.dresdner-privat.de
O1 - Hosts: (null) ww.e-banking.helaba.de
O1 - Hosts: (null) ww.hsh-nordbank.de
O1 - Hosts: (null) www.my.hypovereinsbank.de
O1 - Hosts: (null) ww3.homebanking-berlin.de
O1 - Hosts: (null) www.banking.lbbw.de
O1 - Hosts: (null) lrp.sparkasse-banking.de
O1 - Hosts: (null) ww3.homebanking-niedersachsen.de
O1 - Hosts: (null) www.onlinebanking.norisbank.de
O1 - Hosts: (null) www.banking.postbank.de
O1 - Hosts: (null) ww.bics.fr
O1 - Hosts: (null) www.co.caixabank.fr
O1 - Hosts: (null) ww.creditmutuel.fr
O1 - Hosts: (null) internetbank.intesabci.it
O1 - Hosts: (null) ww.extensive.bancalombarda.it
O1 - Hosts: (null) wvw.csebanking.it
O1 - Hosts: (null) www.mybank.bybank.it
O1 - Hosts: (null) ww.isideonline.it
O1 - Hosts: (null) ww3.sella.it

Then reboot and post a new log.

Oh, one last question.. did you try to browse to the location of the file, or did you just paste in the file name?

#12 lorenzo_CA

  • Topic Starter
  • Members
  • 37 posts

Posted 12 July 2005 - 12:22 AM

To answer your question, I tried to browse to the location, but did not find that file.

Here is the new HJT log. Looks like the hosts file has been successfully cleaned up.

Still having serious stability problems on the connection, including dial-up. Do you think this is related to XP SP2? I am considering removing it, as I just realized there is an uninstall option for SP2. Thoughts??

Thanks.

Lorenzo



Logfile of HijackThis v1.99.1
Scan saved at 10:14:23 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msmsgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\nbthlp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\b.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\ZyXEL\G102\Gcc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZyXEL\G102\OdHost.exe
C:\Documents and Settings\lorenzo\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevyy32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINDOWS\System32\nbthlp.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\b.exe
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-102 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\G102\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120355379392
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#13 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 12 July 2005 - 09:24 AM

You still have an infection on there. SP2 sometimes causes stability problems, but that is extremely rare. I think we need to finish getting this cleaned up first before you make that determination.

That file is still showing up in the log, so it has to still be on your system. Let's try a script to see if we can find it.


Paste the entire contents into notepad:

'RegSrch.vbs - Search Registry for input string and display results.
'© Bill James - wgjames@mvps.org
' revised 20 Apr 2001 (parses regfile ~3X faster)
' revised 13 Dec 2001 (added Regedit command line switch for Win2K/WindXP)

Option Explicit
Dim oWS : Set oWS = CreateObject("WScript.Shell")
Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")

Dim sSearchFor
sSearchFor = InputBox("This script will search your Registry and find all " & _
             "instances of the search string you input."  & vbcrlf & vbcrlf & _
             "This search could take several minutes, so please be patient." & _
             vbcrlf & vbcrlf & "Enter search string (case insensitive) and " & _
             "click OK...", WScript.ScriptName & " " & Chr(169) & " Bill James")

If sSearchFor = "" Then Cleanup()

Dim StartTime : StartTime = Timer

Dim sRegTmp, sOutTmp, eRegLine, iCnt, sRegKey, aRegFileLines
iCnt = 0

' Temp files: the full registry export and the results file.  The names carry
' no trailing spaces and are quoted on the command line, so a Temp path that
' contains spaces still works.
sRegTmp = oWS.Environment("Process")("Temp") & "\RegTmp.tmp"
sOutTmp = oWS.Environment("Process")("Temp") & "\sOutTmp" & _
          Hour(Now) & Minute(Now) & Second(Now) & ".tmp"

oWS.Run "regedit /e /a " & Chr(34) & sRegTmp & Chr(34), , True '/a enables export as Ansi for WinXP

With oFSO.OpenTextFile(sOutTmp, 8, True)
  .WriteLine("REGEDIT4" & vbcrlf & "; " & WScript.ScriptName & " " & _
    Chr(169) & " Bill James" & vbcrlf & vbcrlf & "; Registry search " & _
    "results for string " & Chr(34) & sSearchFor & Chr(34) & " " & Now & _
    vbcrlf & vbcrlf & "; NOTE: This file will be deleted when you close " & _
    "WordPad." & vbcrlf & "; You must manually save this file to a new " & _
    "location if you want to refer to it again later." & vbcrlf & "; (If " & _
    "you save the file with a .reg extension, you can use it to restore " & _
    "any Registry changes you make to these values.)" & vbcrlf)

  With oFSO.GetFile(sRegTmp)
    aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
  End With

  oFSO.DeleteFile(sRegTmp)

  ' Walk the export: a key line starts with "[" in column 1; every other line
  ' belongs to the most recent key.  Testing only the first character avoids
  ' mistaking a value whose data merely contains "[" for a key.
  For Each eRegLine in aRegFileLines
    If Left(eRegLine, 1) = "[" Then sRegKey = eRegLine
    If InStr(1, eRegLine, sSearchFor, 1) > 0 Then
      If sRegKey <> eRegLine Then
        ' Report the owning key followed by the matching value line
        .WriteLine(vbcrlf & sRegKey & vbcrlf & eRegLine)
      Else
        .WriteLine(vbcrlf & sRegKey)
      End If
      iCnt = iCnt + 1
    End If
  Next

  Erase aRegFileLines

  If iCnt < 1 Then
    oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _
              vbcrlf & vbcrlf & "No instances of " & chr(34) & sSearchFor & chr(34) & _
              " found.",, WScript.ScriptName & " " & Chr(169) & " Bill James", 4096
    .Close
    oFSO.DeleteFile(sOutTmp)
    Cleanup()
  End If
  .Close

End With

oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _
          vbcrlf & vbcrlf & iCnt & " instances of " & chr(34) & sSearchFor & chr(34) & _
          " found." & vbcrlf & vbcrlf & "Click OK to open Results in WordPad.",, _
          WScript.ScriptName & " " & Chr(169) & " Bill James", 4096

oWS.Run "WordPad " & Chr(34) & sOutTmp & Chr(34), 3, True

oFSO.DeleteFile(sOutTmp)

Cleanup()

Sub Cleanup()
  Set oWS = Nothing
  Set oFSO = Nothing
  WScript.Quit
End Sub

Save the file as "regsearch.vbs" including the quotes. Run it, and input elitevyy32.exe into the text box. Paste the results here when it gets done.

Could you also submit this file to BC, to the link I gave you before? C:\b.exe

Thanks.
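The search RegSrch.vbs performs (export the registry with regedit, remember the most recent [key] line, report matching value lines under their key) is easy to reproduce for offline analysis of an exported .reg file, and doing so brings out two cases a line-by-line text search misses: values split over continuation lines, and hex-encoded values such as REG_BINARY or hex(2) strings, which never match a plain-text search. The following is an added example, not part of this thread or of Bill James's script; it is written in Python rather than VBScript so it can run on an analyst's machine against an export copied off the affected system, and the export text is constructed for the demonstration (the file name searched for is the one under discussion above).

```python
"""Search a REGEDIT4 (.reg) registry export for a string, reporting each hit
under the key it belongs to.

Added example for offline analysis of an exported .reg file; the export below
is constructed for the demonstration.
"""
import re

# "Name"=hex:..., "Name"=hex(2):..., or @=hex(7):... (the key's default value)
HEX_VALUE_RE = re.compile(r'^(?:"[^"]*"|@)=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')


def iter_entries(text):
    """Yield (key, line) pairs; line is None for the key line itself.

    Continuation lines (a trailing backslash, next line indented) are joined so
    that a long hex value is seen as a single entry.
    """
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("["):
            # Only a line that *starts* with "[" is a key; a value whose data
            # happens to contain "[" must not be mistaken for one.
            key = line.strip("[]")
            yield key, None
        elif line.strip() and not line.startswith(";") and line != "REGEDIT4":
            yield key, line


def decode_hex_value(line):
    """Return the bytes of a hex-encoded value line, or None if it is not one."""
    m = HEX_VALUE_RE.match(line)
    if not m:
        return None
    data = m.group("data").replace(",", " ").split()
    return bytes(int(b, 16) for b in data)


def search_export(text, needle):
    """Case-insensitive search over key names, text values and decoded hex values."""
    needle = needle.lower()
    hits = []
    for key, line in iter_entries(text):
        if line is None:
            if needle in (key or "").lower():
                hits.append({"key": key, "line": None, "where": "key"})
            continue
        if needle in line.lower():
            hits.append({"key": key, "line": line, "where": "text"})
            continue
        blob = decode_hex_value(line)
        if blob is not None:
            # REG_BINARY is raw bytes; hex(2)/hex(7) strings are UTF-16-LE.
            views = (blob.decode("latin-1"), blob.decode("utf-16-le", "replace"))
            if any(needle in v.lower() for v in views):
                hits.append({"key": key, "line": line, "where": "hex"})
    return hits


# Constructed export: the Run entries from the log above plus a key whose values
# exercise the two edge cases (a "[" inside a value, a hex blob over two lines).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"checkrun"="C:\\windows\\system32\\elitevyy32.exe"
"nwiz"="nwiz.exe /installquiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Constructed]
"Note"="value text containing [brackets] is not a key"
"Blob"=hex:65,6c,69,74,65,76,79,79,33,32,2e,65,78,65,\
  00,00
"""

if __name__ == "__main__":
    for hit in search_export(SAMPLE_EXPORT, "elitevyy32.exe"):
        print(f"[{hit['key']}]")
        if hit["line"]:
            print(f"  {hit['line']}   ({hit['where']})")
```

The "where" field tells the reader why a line matched: a "hex" hit is one the VBScript's InStr search would have walked straight past, which matters when a loader stores its target path as REG_BINARY or as a hex(2) expandable string.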

#14 lorenzo_CA

  • Topic Starter
  • Members
  • 37 posts

Posted 12 July 2005 - 11:59 AM

Do I need vbrun60.exe to run the script? If so, do you have a link to that .exe? Looking on the Internet, they say there are trojan horses with the same name that are keyloggers, so I didn't download it.

Thx.

L.

#15 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 12 July 2005 - 05:40 PM

Yes you do.. get them from Microsoft here:
http://download.microsoft.com/download/vb6.../vbrun60sp5.exe



