

Hijack log. Tibs, Buldog, etc


8 replies to this topic

#1 JoeLambert

JoeLambert

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 14 January 2005 - 08:57 AM

I thought I posted this already but it didn't seem to make it. This is my first time so I must have messed up.
My system was hijacked near the beginning of January. The dialer pops up all the time if I'm not on line, multiple instances, I get sent to buldog search when I do go online. Plus I get the WebPageViewer (I think that's what it's called) folder, the smut shortcuts, other junk downloaded, windows explorer locks up (not IE), task manager crashes, etc. I've switched to FireFox and I've tried AdAware, SpyBot, PC-cillin, SpywareBlaster, and a few other things in both a normal boot and safemode. The tools find tibs, but fail to clear it. I've tried a couple on-line scanners too. I've booted via msconfig and tried turning off selective services, but it's hard to tell when the spyware isn't running because it takes longer at times. Any help would be great because the only thing I have left is to reformat and rebuild.

Thanks,
Joe Lambert

Here's my log...

Logfile of HijackThis v1.99.0
Scan saved at 11:14:40 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\rasautou.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
D:\Applications\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onebox.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.onebox.com
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSAgent] C:\WINDOWS\hhnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netscape Update Service - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:06 AM

Posted 14 January 2005 - 09:43 PM

No need to rebuild (I hate doing that anyway... the malware writers win)

The first thing that you need to do is to put HJT into your root drive, otherwise the backups that it makes will not be saved.

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on "Fix Checked".


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O4 - HKCU\..\Run: [MSAgent] C:\WINDOWS\hhnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


***********************************************************************

Then reboot and delete C:\WINDOWS\hhnt.exe.

Let me know how that works. :thumbsup:

#3 JoeLambert

JoeLambert
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 18 January 2005 - 10:25 PM

Thank you very much for the help so far, I could use a little more. :thumbsup: I ran HijackThis and posted a log. I received a reply and performed the requested steps with NO windows up and no applications running. However, when I rebooted, the dialer dialog was still launched after a few minutes. And when I'm on-line my browser (which is FireFox) is still redirected (after a few minutes on-line) and is sent to http://buldog-stats.com/adv/alt.html. If I ignore the dialer, another one will pop up. This thing is driving me crazy, PC-cillin, Adaware, SpyBot, etc. can't get rid of it. I ran HijackThis again and created a new log. If anyone can take a look at it that would be great.

Thank you,
Joe Lambert

Logfile of HijackThis v1.99.0
Scan saved at 9:40:09 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Netscape Internet Service\dialer.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onebox.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.onebox.com
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netscape Update Service - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:06 AM

Posted 19 January 2005 - 08:08 PM

The reason why you are not getting help is that you keep posting your replies in a new topic instead of as a reply to this topic. Please stick to the same topic.

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:06 AM

Posted 19 January 2005 - 08:20 PM

Thanks Grinler..good catch. :flowers:

Hi Joe... I'm a little confused. What do you mean by dialers? Do you mean that you are getting pop-up ads? Or you are getting redirected to web sites that you don't want?

Let's try something... actually, you have an infection I have never seen before, well I have seen it, but not in this form.

Open IE, then click on Tools>Internet Options>Security>Trusted Sites>Sites. If you see
*.windupdates.com in there, delete them. If you can't find it, let me know, and we will do it a different way.

Also, run the following free online scan just to make sure that there is nothing on there that your AV is not picking up.
TrendMicro

Let me know how that goes. :thumbsup:

#6 JoeLambert

JoeLambert
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 19 January 2005 - 10:23 PM

Oops, sorry about posting new topics, I'm new here, it won't happen again. I'll explain my problem in a little more detail. What I mean by dialer is this... I use NetScape as my dialup ISP. When I turn on the computer and just let it sit (not go on-line), after a few minutes the NetScape connect dialog pops up by itself (this is not normal). If I ignore it (don't close it) and just let the computer sit longer, in a short while another instance of the NetScape connect dialog is launched and now there's two of them, etc., etc. I've run PC-cillin and it finds DIAL_PLDIAL.A and claims to remove it when I tell it to fix the problems. However, the problem still happens. I got rid of Tibs, but as soon as I go on-line all kinds of bleep starts getting downloaded again and I have to remove them again. Mozilla FireFox keeps going to buldog, tibs came back but PC-cillin said it removed it again. I've also used AdAware, SpyBot and I downloaded the TrendMicro housecall but it states that it can't find the "plugins" directory of my NetScape install and won't load. Anytime I'm on-line, there are bunches of little spyware bastards loading all over the place and I have to keep fighting them off, like the "please wait while we prepare your download" or "...plugin". :thumbsup: One thing that's interesting though... and I don't know if this is my fault from all the deleting and removing I've been doing, but... when I launch Windows Explorer it locks up while it's coming up. I have to use TaskManager to kill it, which brings down the start button and so forth, so I then use TaskManager to launch a new instance of Windows Explorer. Also, at times, if I leave TaskManager running, out of the blue it will crash, even when it's minimized.

I launched IE and went to Open IE, then clicked on Tools>Internet Options>Security>Trusted Sites>Sites, it reads "No sites are in this zone."

Latest Log... ( I have to remove buldog again and reboot)

Thanks for all the help so far,
Joe Lambert


Logfile of HijackThis v1.99.0
Scan saved at 10:18:33 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\rasautou.exe
C:\Program Files\Netscape Internet Service\css.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\UltraEdit\uedit32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onebox.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.onebox.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9854C0-AE21-48E4-8686-3EF1EF78EB16}: NameServer = 205.188.146.145
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netscape Update Service - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#7 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:06 AM

Posted 19 January 2005 - 10:58 PM

Ok, that makes much more sense. I wasn't sure if we were confusing terms, and now I understand much better. For some reason, your dial-up got reset to dial out automatically whenever an application requested it, and by your description, it is some sort of malware. Interestingly enough, it is not showing in your log. Well, it was, but I don't see it in there anymore.

TrendMicro's scan doesn't work well with Mozilla, it needs to be run from IE, but let's put that on hold for just a bit. And I would ask you to be patient with trying to fix things on your own. I don't want to do something that may not play well with something that you are doing and break your system.

Also, you are not showing the typical symptoms related to this infection, so...hmmm.

Ok, first, let's see if there is anything in your Add/Remove programs that shouldn't be there. Go to Start>Control Panel>Add/Remove programs, and uninstall any of these (if they exist):
Active alert
ISTsvc
Internet Optimizer
Search Extender
Shopping Wizard
Sidefind
Slotchbar
The Bullseye Network
Uninstall 180searchassistant
Webrebates
Win AdTools

It may prompt about whether or not you are sure you want to remove this program. Always read it carefully and choose the option that states you want to remove all components of this program.

*******

I'm a little fuzzy on this part, as it has been quite awhile since I have used dial-up, but I think this is right:

Go to the Control Panel on the Start Menu and select Network and Internet Connections. Under Network Connections, click on the Advanced menu, then on Dial-Up Preferences and then on the Autodial tab.

Click to clear the check mark in the "Enable autodial by location" box, but check the "Always ask me before autodialing" box. Click to select the "Disable autodial while I am logged on" option before clicking on OK and closing the Network Connections dialogue box.

I seem to remember a checkbox somewhere that mentions autodial when an application requests it, but like I said, I am a little fuzzy there.

********

Let's try HJT again.

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onebox.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.onebox.com
***********************************************************************

Reboot, and let's see what happens. We may have to dig deeper, but we must be making progress. The trusted sites went away. :thumbsup:
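The entries groovicus lists for "Fix Checked" in posts #2 and #7 are exactly the R0/R1/O2/O4/O6/O15 lines that change between Joe's successive logs, and reading a HijackThis log by hand comes down to diffing scans and applying a handful of rules of thumb. The following is an added example, not code from the thread or from HijackThis: a small Python parser for that log format that diffs two scans and flags entries with the same rules a log reader applies by eye. The two embedded logs are subsets of entries copied from the 1/12/2005 and 1/19/2005 logs above; the function names and the heuristics in `flag_suspicious` are this example's own.

```python
"""Parse HijackThis-style log entries, diff two scans, and flag the usual suspects.

Added example for this thread; not code from HijackThis or from any poster.
The sample logs are subsets of the entries posted on 1/12/2005 and 1/19/2005.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (section such as "O4", rest of the line)

# Every HijackThis finding starts with a section tag (R0..R3, O1..O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Subset of the first log (1/12/2005), before any "Fix Checked".
LOG_JAN12 = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINDOWS\hhnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
"""

# Subset of the log posted on 1/19/2005, after the first round of fixes.
LOG_JAN19 = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9854C0-AE21-48E4-8686-3EF1EF78EB16}: NameServer = 205.188.146.145
"""


def parse_hjt(text: str) -> List[Entry]:
    """Return (section, body) for every R*/O* finding; header and process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that disappeared since the old scan, and entries that are new."""
    old_set, new_set = set(parse_hjt(old)), set(parse_hjt(new))
    return sorted(old_set - new_set), sorted(new_set - old_set)


def flag_suspicious(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Hand rules a log reader applies (this example's own); returns (section, body, reason)."""
    flags = []
    for section, body in entries:
        low = body.lower()
        reason = None
        if section in ("R0", "R1") and "buldog" in low:
            reason = "IE start/search page points at the hijacker domain"
        elif section == "O2" and "(no file)" in low:
            reason = "BHO registered but its DLL is gone (leftover CLSID)"
        elif section == "O4" and re.search(r"c:\\windows\\[^\\]+\.exe", low):
            reason = "autorun executable dropped directly in C:\\WINDOWS"
        elif section == "O6":
            reason = "IE Control Panel restrictions policy present"
        elif section == "O15":
            reason = "site added to the IE Trusted Zone"
        elif section == "O17":
            reason = "DNS server overridden in TCP/IP settings; confirm it is the ISP's"
        if reason:
            flags.append((section, body, reason))
    return flags


if __name__ == "__main__":
    removed, added = diff_logs(LOG_JAN12, LOG_JAN19)
    print("gone since 1/12:")
    for sec, body in removed:
        print("  -", sec, body)
    print("new on 1/19:")
    for sec, body in added:
        print("  +", sec, body)
    print("still flagged on 1/19:")
    for sec, body, why in flag_suspicious(parse_hjt(LOG_JAN19)):
        print("  !", sec, why)
```

The diff shows the EliteBar BHO, the hhnt.exe run key, the Control Panel policy and the windupdates.com trusted-zone entries gone after post #2's fix, while the buldog-search start and search pages survive a reboot, which is why post #7 lists them again. The O17 rule only asks for the nameserver to be confirmed; 205.188.146.145 is what the log shows, and whether it belongs to the dial-up provider is something the user checks, not the script.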

#8 JoeLambert

JoeLambert
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 27 January 2005 - 10:11 AM

Well gentlemen, I do thank you for all your help... but I finally gave in; I rebuilt my system last night. I do want to share additional information with you in hopes that it may help someone in the future. I performed a search inside every file on my system using UltraEdit (nice editor) searching for "tibs" and "buldog." I'm a software engineer and I work at a medical systems corporation, so I'm very familiar with hex editors, searching inside of files, etc. I design embedded code, so I'm not familiar with high-level Windows programming and the architecture of the Windows file system and where it stores every little piece of data. Anyway, I performed the searches and got quite a few hits. I then went through my system and killed the files that were found that looked suspicious. Of course I didn't remove all files with hits because there actually is a real acronym for tibs such as " Teradactyl - TIBS (True Incremental Backup System)." After doing this I ran all the scans for the various tools and the system was clean. I also rebooted a number of times and the system remained clean, the dialer never launched again, and so forth. I also performed a registry search and eliminated any instances of "tibs," "buldog," etc. Everything looked good. However, as soon as I went on-line, I was still redirected, I was still hijacked and it started all over again. I will include information from the "tibs" search (I don't have the results for the "buldog" search), the actual search results are huge and contain binary data (the contents of the files near where hits were found) so I can't post the entire search results. Again, thank you very much for your help, we can't win them all, and what doesn't kill us makes us stronger.


Joe Lambert


**** Removed Files ****
sharedaccess.ini
rasphone.pbk
Statistics.ini
logon.exe
winlogos.exe
tools.exe
toolbar.exe
nsserv.exe
HF73J3OM.tmp
HHNT.EXE-16FC6032.pf
autA768.tmp.htm


**** Searching for "tibs" ****
Hits were found in...
C:\BJPrinter\CNMWINDOWS\Canon S520 Installer\Driver\CNMUI.DLL
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Statistics.ini
C:\Documents and Settings\Joe Lambert\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Joe Lambert\Local Settings\History\History.IE5\INDEX.DAT
C:\Documents and Settings\Joe Lambert\Local Settings\History\History.IE5\MSHist012005011020050117\index.dat
C:\Documents and Settings\Joe Lambert\Local Settings\Temporary Internet Files\Content.IE5\OHY7OHQF\124462[1].exe
C:\I386\dirapi.dll
C:\I386\gdiplus.dll
C:\I386\MSCTF.DLL
C:\I386\QuickTime.qts
C:\I386\QuickTimeImage.qtx
C:\I386\WBDBASE.DEU
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
C:\I386\COMPDATA\DRVMAIN.INF
C:\I386\LANG\IMJPNM.DI_
C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api
C:\Program Files\HijackThis\backups\backup-20050119-231451-484.dll
C:\Program Files\Lavasoft\Ad-aware 6\Logs\AdAware-log 04-01-2005 21-48-54.txt
C:\Program Files\McAfee.com\Agent\mcdeltag.exe
C:\System Volume Information\_restore...
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\ScanSoft\OmniPageSE\R_FRE.DAT
C:\Program Files\Spybot - Search & Destroy\Includes\CLSIDs.tnfo
C:\Program Files\Trend Micro\Internet Security 2005\lpt$vpn.184
C:\SP2\WindowsXP-KB835935-SP2-ENU.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\nsserv.exe
C:\WINDOWS\$NtServicePackUninstall$\msctf.dll
C:\WINDOWS\SYSTEM32\gdiplus.dll
C:\WINDOWS\SYSTEM32\pav.sig
C:\WINDOWS\SYSTEM32\QuickTime.qts
C:\WINDOWS\SYSTEM32\WBDBASE.DEU
C:\WINDOWS\SYSTEM32\ActiveScan\pav.sig
C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\dirapi.dll
C:\WINDOWS\SYSTEM32\QuickTime\Removed\QuickTimeImage.qtx
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll

**** Final HijackThis Log ****
Logfile of HijackThis v1.99.0
Scan saved at 9:40:09 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Netscape Internet Service\dialer.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netscape Update Service - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
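Joe's approach in post #8, searching the contents of every file for "tibs" and "buldog", produces three kinds of hit: the dropped files, legitimate files where the bytes are most likely incidental (CNMUI.DLL, gdiplus.dll, the QuickTime and Canon binaries) or use the unrelated TIBS acronym, and tool artifacts that are expected to name the malware (the HijackThis backup, the Ad-Aware log, the signature files, browser history, System Restore). The following is an added example, not code from any poster: a Python string hunt that records, for each hit, whether the match is a standalone token or sits inside a longer word and whether the file lives somewhere that legitimately stores malware names, then sorts hits into review buckets. The sample tree built by `build_sample_tree` is constructed for the demo; its file names echo paths from the search results above, but the contents and the `backup-example.dll` name are made up, and the `NOISY_DIRS` list is this example's own.

```python
"""Search every file under a directory for byte strings and triage the hits.

Added example for this thread; not code from any poster or tool. The files
created by build_sample_tree() are constructed for the demonstration.
"""
import os
import tempfile
from typing import List, NamedTuple, Tuple


class Hit(NamedTuple):
    path: str
    needle: str
    offset: int
    context: str
    standalone: bool  # not glued to letters on either side (not inside a longer word)
    noisy: bool       # file lives where malware names legitimately appear


# Places that legitimately contain malware names: scanner logs and signature files,
# HijackThis backups, browser history, System Restore snapshots (this example's list).
NOISY_DIRS = (
    "hijackthis/backups", "ad-aware 6/logs", "history.ie5",
    "system volume information", "spybot - search & destroy",
)


def _printable(raw: bytes) -> str:
    """Render binary context so it can be shown in a report."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def scan_file(path: str, needles: List[str], context: int = 12) -> List[Hit]:
    """Case-insensitive byte search; one Hit per occurrence of each needle."""
    with open(path, "rb") as f:
        data = f.read()
    low = data.lower()
    noisy = any(d in path.replace("\\", "/").lower() for d in NOISY_DIRS)
    hits: List[Hit] = []
    for needle in needles:
        pat = needle.lower().encode()
        i = low.find(pat)
        while i >= 0:
            before = low[i - 1:i] if i > 0 else b""
            after = low[i + len(pat):i + len(pat) + 1]
            # A letter on either side means the needle is part of a longer identifier.
            standalone = not (before.isalpha() or after.isalpha())
            ctx = _printable(data[max(0, i - context):i + len(pat) + context])
            hits.append(Hit(path, needle, i, ctx, standalone, noisy))
            i = low.find(pat, i + 1)
    return hits


def scan_tree(root: str, needles: List[str]) -> List[Hit]:
    """Walk the tree and collect hits, sorted so output is stable."""
    hits: List[Hit] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            hits.extend(scan_file(os.path.join(dirpath, name), needles))
    return sorted(hits, key=lambda h: (h.path, h.offset))


def triage(hits: List[Hit]) -> Tuple[List[Hit], List[Hit], List[Hit]]:
    """Buckets: standalone token outside noisy dirs (review first), substring-only, expected noise."""
    review = [h for h in hits if h.standalone and not h.noisy]
    substring = [h for h in hits if not h.standalone and not h.noisy]
    noise = [h for h in hits if h.noisy]
    return review, substring, noise


def build_sample_tree() -> str:
    """Create a throwaway directory of constructed files; returns its path."""
    root = tempfile.mkdtemp(prefix="hunt_")
    files = {
        # stands in for a dropped file: a URL and a bare token framed by NUL bytes (constructed)
        "WINDOWS/nsserv.exe": b"MZ\x90\x00\x00http://buldog-search.com/\x00\x00TIBS\x00\x00",
        # legitimate binary where the letters sit inside a longer identifier (constructed)
        "Program Files/Canon/CNMUI.DLL": b"MZ\x00\x00FontTibsTable\x00\x00",
        # text using the unrelated TIBS acronym mentioned in the thread (constructed)
        "Program Files/Teradactyl/readme.txt": b"Teradactyl TIBS (True Incremental Backup System)\n",
        # a HijackThis backup of a fixed entry is expected to name the hijacker domain (constructed)
        "Program Files/HijackThis/backups/backup-example.dll": b"R1 - Search Page = http://www.buldog-search.com/\r\n",
        "WINDOWS/system32/clean.dll": b"MZ\x00nothing to see here\x00",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    review, substring, noise = triage(scan_tree(root, ["tibs", "buldog"]))
    for label, bucket in (("REVIEW", review), ("SUBSTRING", substring), ("NOISE", noise)):
        for h in bucket:
            print(f"{label:9} {h.needle:7} {os.path.relpath(h.path, root)}  [{h.context}]")
```

The buckets only order the work; the readme hit lands in the review bucket alongside the dropped file precisely because a standalone token is not evidence on its own, which is the false positive Joe describes. The hits in the HijackThis backup are the tool doing its job, and deleting them (as the removed-files list above shows for the backups and the Ad-Aware statistics) throws away the record of what was fixed without touching the infection.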

#9 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:06 AM

Posted 27 January 2005 - 12:29 PM

:flowers: Thank you. I will put that information away for future reference... you are somewhat of a rarity. Most users we get here don't have the knowledge that you do, so your input is definitely helpful.

It blows that you had to rebuild your system though....I take that as a personal failure on my part, and a victory for those that write this bleep in the first place. :thumbsup:

Good luck. :trumpet:



