Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

NASTY PARASITE


  • This topic is locked This topic is locked
1 reply to this topic

#1 kanbun

kanbun

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:38 PM

Posted 04 September 2004 - 10:39 AM

Here's what happens.

Occasionally (including at startup) an ad window will pop up on my screen
and this window is an IE window. In addition to not having activated IE in
any way and keeping in mind that at this point no browser has yet been
opened by me, I have popup stopper software running at startup that is
separate from the stopper that runs in my default browser (Firefox). The
popup stopper software catches some of these windows before they completely
open, again often times when there is no browser (Firefox) opened by me.
Finally, regardless of when this happens, IE does not show in the Windows
Task Manager????

I regularly scan my system with Ad-Aware, Spybot, CWShredder, HiJackThis,
etc. No matter, this phenomenon continues. I also use Webroot, which is a
windows cleaning software, and if I run this it almost always indicates that
IE is running. Win Messenger is disabled, so it's not coming from there.

The most popular little window that I get is something called Diet Patch.
This little SOB makes a regular appearance. If it's spyware, the software
that I use isn't getting it, because it appears even if I haven't used a
browser. And, when it appears, IE does not show up in Windows Task Manager.
I am stumped.

I suspect some kind of spyware or malware even though I regularly run the
aforementioned programs. Regardless, it is apparent that IE is activated
either at startup or by some other mechanism beyond my control.

Here's the latest HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 10:21:51 AM, on 9/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\txktr.dll/sp.html#27758
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txktr.dll/sp.html#27758
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\txktr.dll/sp.html#27758
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\txktr.dll/sp.html#27758
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txktr.dll/sp.html#27758
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\txktr.dll/sp.html#27758
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.foxnews.com
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.foxnews.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rh801glg.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rh801glg.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0 Pro\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {741F449C-9060-015F-109F-D04403FDE843} - C:\WINDOWS\system32\ntkc.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\FlashGet\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Adobe\Acrobat 6.0 Pro\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Adobe\Acrobat 6.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\FlashGet\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [apizb.exe] C:\WINDOWS\system32\apizb.exe
O4 - HKLM\..\Run: [d3h] C:\documents and settings\owner\local settings\temp\d3h.exe
O4 - HKLM\..\Run: [dj] C:\documents and settings\owner\local settings\temp\dj.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\IpuFmd.exe
O4 - HKLM\..\Run: [y] c:\documents and settings\owner\local settings\temp\y.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ieyq.exe] C:\WINDOWS\system32\ieyq.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Homepage Guard] "C:\Homepage Guard\HGuard\Guard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 6.0 Pro\Distillr\acrotray.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Office XP\Office10\OSA.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\NETANT~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\NETANT~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: Download All by FlashGet - C:\FlashGet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\FlashGet\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\NETANT~1\NetAnts\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\NETANT~1\NetAnts\NetAnts.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\FlashGet\flashget.exe


Here's the startup list:
StartupList report, 9/4/2004, 10:20:45 AM
StartupList version: 1.52.2
Started from : C:\Hijack This\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijack This\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Adobe\Acrobat 6.0 Pro\Distillr\acrotray.exe
eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Office XP\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
HPHUPD05 = c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
KBD = C:\HP\KBD\KBD.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer = VTTimer.exe
AlcxMonitor = ALCXMNTR.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
apizb.exe = C:\WINDOWS\system32\apizb.exe
d3h = C:\documents and settings\owner\local settings\temp\d3h.exe
dj = C:\documents and settings\owner\local settings\temp\dj.exe
2P6WFAX43ZHE7C = C:\WINDOWS\System32\IpuFmd.exe
y = c:\documents and settings\owner\local settings\temp\y.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task = "C:\Quicktime\qttask.exe" -atboottime
ieyq.exe = C:\WINDOWS\system32\ieyq.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Index Washer = C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RecordNow! =
NVIEW = rundll32.exe nview.dll,nViewLoadHook
Window Washer = C:\Program Files\Webroot\Washer\wwDisp.exe
Homepage Guard = "C:\Homepage Guard\HGuard\Guard.exe"
PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Index Washer = C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Adobe\Acrobat 6.0 Pro\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\ntkc.dll - {741F449C-9060-015F-109F-D04403FDE843}
(no name) - C:\FlashGet\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - C:\Adobe\Acrobat 6.0 Pro\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: SpSubLSP.dll (file MISSING)
Protocol #2: SpSubLSP.dll (file MISSING)
Protocol #3: SpSubLSP.dll (file MISSING)
Protocol #4: SpSubLSP.dll (file MISSING)
Protocol #5: SpSubLSP.dll (file MISSING)
Protocol #11: SpSubLSP.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,954 bytes
Report generated in 0.062 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


I would appreciate any suggestions.

Thanks.

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:38 PM

Posted 05 September 2004 - 04:19 PM

The first thing I need you to do is download the file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users