
HJT logs help


7 replies to this topic

#1 Jeepnutz


Posted 12 November 2004 - 09:04 AM

Hi, new member. Need some help deciphering what I need to fix on this person's PC. Yesterday, McAfee VirusScan Enterprise 8.0.1 found a piece of Malware titled Proxy-OSS.dll. Did a Google on the file osmim.dll and found out it was MarketScore scumware. Several sites suggested I use a utility called LSPFIX.exe to remove the osmim.dll and delete any certificates in IE for Netsetter or Marketscore as well as clean up any registry entries for the same. I thought I cleaned everything up. Rebooted the machine and it was fine for the rest of the day. This A.M. I get a voice mail from the user that it's back. So I ran HJT and here's what I got:

Logfile of HijackThis v1.98.2
Scan saved at 8:37:29 AM, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TISERVICEMONITOR.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
\Mainsrv\cmsnav\navplus.exe
C:\Documents and Settings\mjones\Desktop\HijackThis.exe

O1 - Hosts: 12.35.186.2 ttinfo.tippertie.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tippertie.com
O17 - HKLM\Software\..\Telephony: DomainName = tippertie.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tippertie.com

Any help would be appreciated. Thanks in advance.


#2 raw


Posted 12 November 2004 - 09:46 AM

Hi there Jeepnutz

I want you to fix some of those entries. Please do the following:


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files


Run HijackThis again, click Scan, and put a checkmark next to each of these. Be sure to close all browser windows, including this one, before clicking the Fix button.

O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot


Reboot your computer into Safe Mode and delete the following files:

Find and delete the files nscheck.exe, ossproxy.exe.rvt & ossproxy.exe


Reboot your computer to go back to normal mode and post a new log.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 JEservices


Posted 12 November 2004 - 10:16 AM

:thumbsup: to BC
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#4 Jeepnutz


Posted 15 November 2004 - 11:28 AM

Thanks for the help, raw. Followed your instructions and here's my new log:

Logfile of HijackThis v1.98.2
Scan saved at 11:22:31 AM, on 11/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Documents and Settings\mjones\Desktop\HijackThis.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TISERVICEMONITOR.EXE

O1 - Hosts: 12.35.186.2 ttinfo.tippertie.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tippertie.com
O17 - HKLM\Software\..\Telephony: DomainName = tippertie.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tippertie.com

What next?
Oh and thanks for the welcome JEservices.
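Added example, not part of the original thread or any poster's code: a small Python check that compares the O4 registry Run entries of two HijackThis logs and confirms the entry raw asked to fix is gone. The sample lines are excerpts from the 12 and 15 November logs above; the function names and the `FLAGGED` list are assumptions made for this illustration.

```python
import re

# O4 registry autostart line, e.g.  O4 - HKLM\..\Run: [OSS] c:\...\ossproxy.exe -boot
# ("O4 - Global Startup:" shortcut lines have a different shape and are not matched.)
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

def autoruns(log_text):
    """Return {(hive, key, value_name): command} for O4 registry Run entries."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name.lower())] = cmd.strip()
    return entries

def diff_autoruns(before, after):
    """Compare two logs: which Run entries were removed, added or changed."""
    b, a = autoruns(before), autoruns(after)
    return {
        "removed": {k: b[k] for k in b.keys() - a.keys()},
        "added": {k: a[k] for k in a.keys() - b.keys()},
        "changed": {k: (b[k], a[k]) for k in b.keys() & a.keys()
                    if b[k].lower() != a[k].lower()},
    }

def still_present(log_text, needles):
    """Lines in any section of the log that still mention a flagged file name."""
    return [l for l in log_text.splitlines()
            if any(n.lower() in l.lower() for n in needles)]

# Excerpts from the two logs posted in this thread (shortened for the example).
BEFORE = r"""
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
"""
AFTER = r"""
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
"""
FLAGGED = ("nscheck.exe", "ossproxy.exe")  # file names from raw's instructions

if __name__ == "__main__":
    print("removed:", diff_autoruns(BEFORE, AFTER)["removed"])
    print("flagged names still in new log:", still_present(AFTER, FLAGGED))
```

An empty `still_present` result only shows that the new log no longer names those files in a running process or autostart entry; it does not prove the files were deleted from disk.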

#5 Grinler

Lawrence Abrams (Admin)

Posted 18 November 2004 - 09:20 PM

Please be patient. Raw will help you when he becomes available.

#6 raw


Posted 18 November 2004 - 09:27 PM

Please use Add/Remove Programs to remove ClockSync. There are other programs that will sync your clock without spyware. Reboot and post a new log.



#7 booboo2005


Posted 30 November 2004 - 03:11 PM

I just joined this community today and the reason is because I have McAfee as a virus protection program. Today it listed about 5 unwanted programs.... One of which is this Proxy-OSS.dll and it is located in WINNT\system32\osmim.dll

How do I get rid of it cause it tells me I cannot change or remove Osmim.dll cause it is needed! :thumbsup:

#8 Grinler


Posted 30 November 2004 - 05:07 PM

booboo2005, please do not post your problems in other people's topics. It can get confusing when that happens. If you need help then please follow these instructions:

Create a directory on your hard drive, to save HijackThis.exe, called c:\hijackthis. This is a mandatory step, for the backup and restore functions, of HijackThis, to be able to work.

Download the latest version, from here.

Read the pinned post in the HJT forum, here

Then, run a log, and post it in the HJT forum. Do not fix anything, yet.
A member, of the HJT Team, will help you out.
Please, be patient, these people are volunteers. They will help you out, as soon as possible.



