
HJT Log - tiler


  • This topic is locked
19 replies to this topic

#1 tiler

tiler

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 28 December 2004 - 08:50 AM

Hello,

yesterday my start internet page was permanently redirected to the buldog search page. I tried to resolve the problem similar to "http://www.bleepingcomputer.com/forums/t/6743/help-me-please-hhntexe/" and failed.
Now I
- installed Kerio free firewall,
- read the tutorials (Spybot, HijackThis),
- tried it with Spybot and
- post the HijackThis log to you (below).

Unfortunately the damages advanced:
- I'm not able to start Internet Explorer "Der Zugriff wurde verweigert = Access denied".
- I'm not able to start task manager - an "Access violation" occurs.

Please help me.

Tiler


Logfile of HijackThis v1.99.0
Scan saved at 14:30:01, on 28.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\Explorer.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\system32\atiptaxx.exe
F:\PROGRA~1\PHILIP~1\VProperty.exe
F:\Programme\ScanSoft\OmniPageSE\opware32.exe
F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
F:\WINNT\system32\rundll32.exe
F:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
F:\Programme\AVPersonal\AVGNT.EXE
F:\Programme\T-DSL SpeedManager\SpeedMgr.exe
F:\WINNT\system32\internat.exe
F:\WINNT\hhnt.exe
F:\Programme\T-DSL SpeedManager\tsmsvc.exe
F:\Programme\Palm\HOTSYNC.EXE
F:\Programme\Microsoft Hardware\Keyboard\type32.exe
F:\Programme\mozilla.org\Mozilla\mozilla.exe
F:\Programme\TotalCmd\TOTALCMD.EXE
F:\Install\HijackThis\HijackThis.exe
F:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - F:\Programme\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] F:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Omnipage] F:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Anir Mouse] F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] F:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
O4 - HKCU\..\Run: [MSAgent] F:\WINNT\hhnt.exe
O4 - Startup: HotSync Manager.lnk = F:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with &XML Spy - F:\Programme\Altova\XMLSPY\spy.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - F:\Programme\Altova\XMLSPY\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - F:\Programme\Altova\XMLSPY\spy.htm (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mid: F:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: F:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: F:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: F:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c15.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsIns....cab?refid=2732
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F0A23A5-29D2-4A74-80EA-96203A91DF8F}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service - Symantec Corporation - F:\Programme\Symantec\Symantec pcAnywhere\awhost32.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown - F:\Programme\mysql\bin\mysqld-max (file missing)
O23 - Service: TSMService - T-Systems Nova, Berkom - F:\Programme\T-DSL SpeedManager\tsmsvc.exe


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 28 December 2004 - 09:20 PM

Let's get rid of New.net first and then we'll get the rest.

Download LSPFix from http://www.cexx.org/LSPFix.exe but do not run it. This is just for backup in case you lose your connection.



Click Start -> Control Panel -> Add/Remove Programs and uninstall this program if listed.

New.net Application
or
New.net Domains


If neither is listed, download and run this tool.

http://www.new.net/support/uninstall6_38.exe



Reboot and post a new hijackthis log.

Edited by Buckeye_Sam, 28 December 2004 - 09:21 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 29 December 2004 - 03:25 PM

I did it. See the new logfile below.

tiler



Logfile of HijackThis v1.99.0
Scan saved at 21:17:10, on 29.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\Explorer.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\system32\atiptaxx.exe
F:\PROGRA~1\PHILIP~1\VProperty.exe
F:\Programme\ScanSoft\OmniPageSE\opware32.exe
F:\Programme\Microsoft Hardware\Keyboard\type32.exe
F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
F:\Programme\AVPersonal\AVGNT.EXE
F:\Programme\T-DSL SpeedManager\SpeedMgr.exe
F:\WINNT\system32\internat.exe
F:\WINNT\hhnt.exe
F:\Programme\Palm\HOTSYNC.EXE
F:\Programme\T-DSL SpeedManager\tsmsvc.exe
F:\Programme\TotalCmd\TOTALCMD.EXE
F:\Install\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] F:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Omnipage] F:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Anir Mouse] F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
O4 - HKCU\..\Run: [MSAgent] F:\WINNT\hhnt.exe
O4 - Startup: HotSync Manager.lnk = F:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with &XML Spy - F:\Programme\Altova\XMLSPY\spy.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - F:\Programme\Altova\XMLSPY\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - F:\Programme\Altova\XMLSPY\spy.htm (HKCU)
O12 - Plugin for .mid: F:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: F:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: F:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: F:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c15.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsIns....cab?refid=2732
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F0A23A5-29D2-4A74-80EA-96203A91DF8F}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service - Symantec Corporation - F:\Programme\Symantec\Symantec pcAnywhere\awhost32.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown - F:\Programme\mysql\bin\mysqld-max (file missing)
O23 - Service: TSMService - T-Systems Nova, Berkom - F:\Programme\T-DSL SpeedManager\tsmsvc.exe


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 29 December 2004 - 07:43 PM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O4 - HKCU\..\Run: [MSAgent] F:\WINNT\hhnt.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c15.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsIns....cab?refid=2732

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

F:\WINNT\hhnt.exe



Reboot back into normal mode.




Please run these two online scans. Make sure they are set to clean automatically:

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/co...n_principal.htm

If there are files that can not be removed by the scans please include that information in your next post.



Please post a new hijackthis log.
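The list Buckeye_Sam asks to have fixed above is the product of a few rules of thumb applied to the log by hand: O1 hosts entries that send well-known search-engine names to one arbitrary IP, O15 trusted-zone wildcards, O16 ActiveX (DPF) downloads from unknown hosts, an O4 Run entry whose executable sits directly in the Windows directory, and R0/R1 start and search pages on an unexpected host. The following Python script is an added example, not part of this thread and not HijackThis code; it encodes those rules as a triage pass over log lines. The sample log is constructed from the kinds of entries posted in this thread, and `EXPECTED_PAGE_HOSTS` and `DPF_ALLOWLIST` are assumptions that a helper would tune for the machine in question.

```python
"""Triage a HijackThis-style log for the entry types discussed in this thread.

Added example (not the thread's or HijackThis's own code). The rules below are
the ones a forum helper applies by eye; the allowlists are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts that are acceptable as IE start/search pages for this machine (assumption).
EXPECTED_PAGE_HOSTS = {"www.msn.de", "search.msn.de", "www.google.de"}
# IPs a hosts-file line may legitimately point at (loopback / blackhole).
LOCAL_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Vendors that legitimately serve ActiveX controls in this thread (assumption).
DPF_ALLOWLIST = {"pandasoftware.com", "trendmicro.com", "microsoft.com"}

# Constructed sample, modelled on the log lines posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [MSAgent] F:\WINNT\hhnt.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c15.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O1"
    reason: str    # why the line is suspicious
    line: str      # the original log line


def _host_allowed(host, allow):
    """True if host equals or is a subdomain of any allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in allow)


def _exe_path(cmd):
    """First token of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        sec = line.split(" ", 1)[0]
        if sec in ("R0", "R1"):
            m = re.search(r"=\s*(\S+)$", line)
            host = urlparse(m.group(1)).hostname if m else None
            if host and host not in EXPECTED_PAGE_HOSTS:
                findings.append(Finding(sec, f"start/search page points at {host}", line))
        elif sec == "O1":
            m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
            if m and m.group(1) not in LOCAL_HOSTS_IPS:
                findings.append(Finding(sec, f"hosts file sends {m.group(2)} to {m.group(1)}", line))
        elif sec == "O4":
            m = re.match(r"O4 - .*Run: \[[^\]]*\] (.*)", line)
            if m:
                parts = _exe_path(m.group(1)).split("\\")
                # e.g. F:\WINNT\hhnt.exe -> ['F:', 'WINNT', 'hhnt.exe']
                if len(parts) == 3 and parts[1].upper() in ("WINNT", "WINDOWS"):
                    findings.append(Finding(sec, f"autorun executable directly in Windows dir: {parts[-1]}", line))
        elif sec == "O15":
            # Trusted-zone wildcards are rarely legitimate on a home PC.
            findings.append(Finding(sec, "trusted-zone entry", line))
        elif sec == "O16":
            m = re.search(r"(https?://\S+)$", line)
            host = urlparse(m.group(1)).hostname if m else None
            if host and not _host_allowed(host, DPF_ALLOWLIST):
                findings.append(Finding(sec, f"ActiveX download from {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

On the constructed sample the script flags five lines (the buldog-search R1 page, the askjeeves hosts redirect, the hhnt.exe Run entry, the trusted-zone entry and the windupdates DPF download) and leaves the msn.de page, the localhost hosts line, the NeroCheck and IntelliType entries and the Panda scanner control alone, which matches the split a helper makes in the list above. The O4 rule is deliberately narrow: it only catches executables placed straight in the Windows directory, the pattern hhnt.exe follows here, and would need extending for other hiding places.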

#5 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 30 December 2004 - 01:05 PM

It's frustrating -->

A) Although I fixed all the registry entries and removed hhnt.exe in Safe Mode, hhnt.exe resurrects.

B) I'm not able to use the online scans because plugins for Mozilla are not available or can not be installed, and IExplore is prevented from starting. I tried to reinstall Internet Explorer - without any change. I always get an "access denied" message (German: "... Zugriff ... verweigert").

See the new log below.

tiler



Logfile of HijackThis v1.99.0
Scan saved at 18:51:06, on 30.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\Explorer.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\system32\atiptaxx.exe
F:\PROGRA~1\PHILIP~1\VProperty.exe
F:\Programme\ScanSoft\OmniPageSE\opware32.exe
F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
F:\Programme\AVPersonal\AVGNT.EXE
F:\Programme\T-DSL SpeedManager\SpeedMgr.exe
F:\WINNT\system32\internat.exe
F:\WINNT\hhnt.exe
F:\Programme\T-DSL SpeedManager\tsmsvc.exe
F:\Programme\Palm\HOTSYNC.EXE
F:\Programme\Microsoft Hardware\Keyboard\type32.exe
F:\Programme\TotalCmd\TOTALCMD.EXE
F:\Install\HijackThis\HijackThis.exe
F:\Programme\mozilla.org\Mozilla\mozilla.exe
F:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] F:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Omnipage] F:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Anir Mouse] F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
O4 - Startup: HotSync Manager.lnk = F:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with &XML Spy - F:\Programme\Altova\XMLSPY\spy.htm
O12 - Plugin for .mid: F:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: F:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: F:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: F:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F0A23A5-29D2-4A74-80EA-96203A91DF8F}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service - Symantec Corporation - F:\Programme\Symantec\Symantec pcAnywhere\awhost32.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown - F:\Programme\mysql\bin\mysqld-max (file missing)
O23 - Service: TSMService - T-Systems Nova, Berkom - F:\Programme\T-DSL SpeedManager\tsmsvc.exe

#6 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 30 December 2004 - 01:17 PM

Excuse me - IExplore did not start because it had been denied by the Kerio firewall. I fixed it and will now try the procedure again.

tiler

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 30 December 2004 - 04:05 PM

Ok, please post a new hijackthis log when you are done so that we can proceed with what's left in your log.

#8 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 30 December 2004 - 04:48 PM

I was able to do the 2 scans. They found and removed some viruses. One of the files has been reported to be renamed by active scan.

See the current log below.

Please notice that hhnt.exe tried to start again after a reboot. But I prevented it by the Kerio firewall.

My task manager is blocked partly (-> "access violation").

What to do now?

tiler


Logfile of HijackThis v1.99.0
Scan saved at 22:38:05, on 30.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\Explorer.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\system32\atiptaxx.exe
F:\PROGRA~1\PHILIP~1\VProperty.exe
F:\Programme\ScanSoft\OmniPageSE\opware32.exe
F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
F:\Programme\AVPersonal\AVGNT.EXE
F:\Programme\T-DSL SpeedManager\SpeedMgr.exe
F:\WINNT\system32\internat.exe
F:\Programme\Palm\HOTSYNC.EXE
F:\Programme\T-DSL SpeedManager\tsmsvc.exe
F:\Programme\Microsoft Hardware\Keyboard\type32.exe
F:\Programme\TotalCmd\TOTALCMD.EXE
F:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
F:\Programme\Internet Explorer\iexplore.exe
F:\WINNT\System32\mdm.exe
F:\Install\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] F:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Omnipage] F:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Anir Mouse] F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
O4 - Startup: HotSync Manager.lnk = F:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with &XML Spy - F:\Programme\Altova\XMLSPY\spy.htm
O12 - Plugin for .mid: F:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: F:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: F:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: F:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F0A23A5-29D2-4A74-80EA-96203A91DF8F}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service - Symantec Corporation - F:\Programme\Symantec\Symantec pcAnywhere\awhost32.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown - F:\Programme\mysql\bin\mysqld-max (file missing)
O23 - Service: TSMService - T-Systems Nova, Berkom - F:\Programme\T-DSL SpeedManager\tsmsvc.exe

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 31 December 2004 - 07:45 AM

Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Exit Adaware.




Reboot your computer into Safe Mode


Delete this file if it still exists:

F:\WINNT\hhnt.exe




Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives

Click on the Advanced button on the left and select:

* Include additional process information
* Include additional file information
* Include environment information

Click the Tweak button and select:

* Under the Scanning Engine:
o Unload recognized processes & modules during scan
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

* Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer back into normal mode.




Please post a new hijackthis log and let me know how things are working.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts

Posted 31 December 2004 - 12:32 PM

Many thanks until here. It was a lot of work. But unfortunately we are not ready.

I did it all. Ad-Aware was able to remove a lot of dangerous objects. But hhnt.exe is still alive. Always it resurrects and syshost is suggested to start it. I prevented it again by Kerio.

tiler

#11 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts

Posted 31 December 2004 - 12:33 PM

Here is the new log:


Logfile of HijackThis v1.99.0
Scan saved at 18:25:18, on 31.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\Explorer.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\system32\atiptaxx.exe
F:\PROGRA~1\PHILIP~1\VProperty.exe
F:\Programme\ScanSoft\OmniPageSE\opware32.exe
F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
F:\Programme\AVPersonal\AVGNT.EXE
F:\Programme\T-DSL SpeedManager\SpeedMgr.exe
F:\WINNT\system32\internat.exe
F:\Programme\Palm\HOTSYNC.EXE
F:\Programme\T-DSL SpeedManager\tsmsvc.exe
F:\Programme\Microsoft Hardware\Keyboard\type32.exe
F:\Programme\TotalCmd\TOTALCMD.EXE
F:\Install\VirusScan\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] F:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Omnipage] F:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Anir Mouse] F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
O4 - Startup: HotSync Manager.lnk = F:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with &XML Spy - F:\Programme\Altova\XMLSPY\spy.htm
O12 - Plugin for .mid: F:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: F:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: F:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: F:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F0A23A5-29D2-4A74-80EA-96203A91DF8F}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service - Symantec Corporation - F:\Programme\Symantec\Symantec pcAnywhere\awhost32.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - F:\Programme\T-DSL SpeedManager\tsmsvc.exe

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 December 2004 - 01:26 PM

Are you sure that it's syshost.exe and not svchost.exe?


========================================================

#13 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts

Posted 31 December 2004 - 02:03 PM

Yes it is f:\winnt\system32\securer\syshost.exe.

svchost.exe seems to be not active - Kerio does not have any entry for it! Instead Kerio logs only activities of syshost.exe.

At the same time the taskmanager shows svchost.exe twice but no syshost.exe.


tiler

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 December 2004 - 03:23 PM

Download Killbox:
http://www.bleepingcomputer.com/files/killbox.php


Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox. Put a mark next to "Delete on Reboot" and click the red button with the white X on it after each.

It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted both file names, at which time you should answer "Yes".

f:\winnt\system32\securer\syshost.exe
F:\WINNT\hhnt.exe


Reboot and post a new hijackthis log.


========================================================

#15 tiler

tiler
  • Topic Starter

  • Members
  • 11 posts

Posted 01 January 2005 - 10:06 AM

It seems to be working fine. There is no more activity of that kind I observed the last days. Many thanks. :thumbsup:

What kind of virus did I have, and why were all the tools not able to detect it?

How do I have to secure IExplore / W2K to be prepared for the next attack?

tiler


Logfile of HijackThis v1.99.0
Scan saved at 15:57:53, on 01.01.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\Explorer.EXE
F:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
F:\WINNT\system32\atiptaxx.exe
F:\PROGRA~1\PHILIP~1\VProperty.exe
F:\Programme\ScanSoft\OmniPageSE\opware32.exe
F:\Programme\Microsoft Hardware\Keyboard\type32.exe
F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
F:\Programme\AVPersonal\AVGNT.EXE
F:\Programme\T-DSL SpeedManager\SpeedMgr.exe
F:\WINNT\system32\internat.exe
F:\Programme\Palm\HOTSYNC.EXE
F:\Programme\T-DSL SpeedManager\tsmsvc.exe
F:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
F:\Programme\Internet Explorer\iexplore.exe
F:\WINNT\System32\mdm.exe
F:\Programme\TotalCmd\TOTALCMD.EXE
F:\Install\VirusScan\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] F:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [Omnipage] F:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Anir Mouse] F:\PROGRA~1\3MMOUS~1\AmsServe.Exe
O4 - HKLM\..\Run: [securer] F:\WINNT\system32\securer\syshost.exe
O4 - HKLM\..\Run: [AVGCtrl] "F:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Admilli Service] F:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "F:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
O4 - Startup: HotSync Manager.lnk = F:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with &XML Spy - F:\Programme\Altova\XMLSPY\spy.htm
O12 - Plugin for .mid: F:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: F:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: F:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: F:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F0A23A5-29D2-4A74-80EA-96203A91DF8F}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service - Symantec Corporation - F:\Programme\Symantec\Symantec pcAnywhere\awhost32.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - F:\Programme\T-DSL SpeedManager\tsmsvc.exe
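The exchange in posts #12 and #13 turns on a single letter (syshost.exe imitating svchost.exe), and the last log above still carries the `O4 - HKLM\..\Run: [securer]` entry that points at the deleted file. Both are things a small script can catch when reading a HijackThis log. The following triage helper is an added example, not code from this thread or from HijackThis; the log excerpts are constructed from the O4 lines posted above, and the two heuristics (a Run entry whose file name closely resembles a core Windows process name, and a Run entry whose executable sits in a subfolder of system32) and the short list of process names are my own assumptions, not a detection standard.

```python
"""Triage helper for HijackThis O4 (Run key) entries.

Added example; not part of the thread or of HijackThis. The log excerpts
are constructed from the lines posted in the thread, and the heuristics
and the process-name list are assumptions of this example.
"""
import re
from difflib import SequenceMatcher

# Core Windows process names that malware commonly imitates (assumed list).
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "smss.exe", "explorer.exe", "spoolsv.exe", "csrss.exe")

# HijackThis O4 Run line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$", re.M)
# First executable named on the command line, with or without quotes.
EXE_RE = re.compile(r'"?(.+?\.exe)', re.I)
# Executable at least one directory level below system32.
SYS32_SUBDIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\system32\\.+\\")


def parse_o4(log_text):
    """Return one dict per O4 Run entry: hive, value name, executable path."""
    entries = []
    for hive, name, cmd in O4_RE.findall(log_text):
        m = EXE_RE.match(cmd.strip())
        path = m.group(1) if m else cmd.strip()
        entries.append({"hive": hive, "name": name, "path": path})
    return entries


def lookalike(filename, threshold=0.8):
    """Return the system process name this file name resembles, or None.

    Exact system names are not flagged; near misses (syshost vs svchost)
    are, using a simple similarity ratio.
    """
    filename = filename.lower()
    if filename in SYSTEM_NAMES:
        return None
    best, score = None, 0.0
    for sysname in SYSTEM_NAMES:
        r = SequenceMatcher(None, filename, sysname).ratio()
        if r > score:
            best, score = sysname, r
    return best if score >= threshold else None


def triage(log_text):
    """Flag O4 entries worth a second look as (value name, path, reasons)."""
    findings = []
    for e in parse_o4(log_text):
        path_l = e["path"].lower()
        fname = path_l.rsplit("\\", 1)[-1]
        reasons = []
        twin = lookalike(fname)
        if twin:
            reasons.append(f"name resembles system process {twin}")
        if SYS32_SUBDIR_RE.match(path_l):
            reasons.append("runs from a subfolder of system32")
        if reasons:
            findings.append((e["name"], e["path"], reasons))
    return findings


def new_entries(old_log, new_log):
    """O4 lines present in the new log but absent from the old one."""
    old = {l.strip() for l in old_log.splitlines() if l.startswith("O4 ")}
    return [l.strip() for l in new_log.splitlines()
            if l.startswith("O4 ") and l.strip() not in old]


# Constructed excerpts: O4 lines as they appear in the thread's second and
# third logs (before and after the Killbox step).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [securer] F:\WINNT\system32\securer\syshost.exe
O4 - HKLM\..\Run: [AVGCtrl] "F:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Admilli Service] F:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [lycosInside] F:\Programme\lycos\Lyc_SysTray.exe
"""

if __name__ == "__main__":
    for name, path, reasons in triage(LOG_AFTER):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
    for line in new_entries(LOG_BEFORE, LOG_AFTER):
        print("new since previous log:", line)
```

Run as-is, the script reports the `[securer]` entry on both counts and lists it among the Run values that were not in the previous log, which is exactly the kind of leftover the helper asks for a fresh log to catch: deleting the file on reboot removes the payload, but the Run value that started it is still in the registry and shows up in the next log.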



