Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
Have browser hijack/spyware on my PC. Have used various programs to get rid - Spybot Search & Destroy - Adaware 6.1 - Hijack This - to no avail.
Have saved ginstall.dll from \local settings\temp directory. Think this is related to hijack. Has also renamed notepad.exe to notepad.exe.bak. Similarly has removed file associations to Media Player. Other files have appeared in Temp directory. Some of the ginstall.dll listing from notepad is posted below - looks suspicious to me. I am not an expert in programming, by the way.

Have followed recommendations given in other postings but keeps coming back. This could happen to you! Anyone know how I can get rid before I have to reformat my hard drive?
#2
Hi Prospero,
Please rescan with Hijackthis and copy and paste the entire contents of the log here in this thread. Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

Regards, snap
__________________
@-`-,--
#3
Thanks Snap
Will post listing from Hijack This after I get back on the computer later today.

Prospero
#4
OK, here's the log file from HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 19:39:28, on 01/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Downloads\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [ORTEKMKBD] C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ic24.net/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...060.0219212963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

PS I've uninstalled the Sun Java program so I currently have no java running.

Thanks Prospero
#5
Hi Prospero,
I am not seeing any signs of CWS infection in your log. I'm afraid I don't know what the coding in the 'ginstall.dll' means, but you could upload the copy you saved for a scan at Kaspersky and see what Kaspersky says about it.

Some variants of CWS do affect the Windows Media Player and Notepad, so if you have not done so already, download and run CWShredder. Make sure ALL browsers and any open windows are closed before running CWShredder. Click the *Fix button (not the scan only) and follow the instructions you will receive when the program runs.

There's a few items we can clean up with hijackthis. Place a check beside the following items. Close all windows except HijackThis, and click *Fix checked

(This is optional, but it is a known resource hog and recommended to be fixed)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

(if you did not set this yourself, then fix it too)
O14 - IERESET.INF: START_PAGE_URL=http://www.ic24.net/

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.exe

****

Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

Do a follow up scan with Spybot S&D and AdAware6. Make sure you have the latest versions and they have been brought up-to-date.

Spybot Search&Destroy: Bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.
1. Put a check inside the items listed for download and install them.
2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

Ad-Aware6: Bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Follow these instructions for setting up Ad-Aware for a full scan: How To Perform a "Full Scan" with Ad-Aware6.

You can replace the Windows Media Player and Notepad by downloading new copies from here: here.

And here are some steps to follow to help tighten your security and prevent future infection: Why did I get infected in the first place?

Give your computer a few days and reboots, and if the problem looks like it has returned, then come back to this thread and post a new log.

Regards, snap
__________________
@-`-,--
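The logs pasted in this thread follow the HijackThis line format (R0/R1 start-page values, O2 browser helper objects, O4 autostarts, O14 IERESET.INF, O16 downloaded ActiveX controls), which is what snap works through above when picking the items to fix. As an added example, not the thread's or HijackThis's own code, here is a Python parser that splits a pasted log into its version, running processes and findings, pulls out the O4 autostarts and O16 downloads, and locates the lines a reviewer pastes back even when the forum has shortened a URL to "...". The sample log is constructed from entries seen in this thread; its download URLs are placeholders.

```python
"""Parse a HijackThis 1.97/1.98 log into structured entries for review.
Added example, not the thread's own tool; SAMPLE_LOG is constructed (placeholder URLs)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Downloads\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.ic24.net/
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://example.invalid/setup1.0.0.8.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://example.invalid/swflash.cab
"""

# Every finding is "<kind> - <body>"; O16 bodies are "DPF: {CLSID} (name) - URL", O4 bodies
# are either a Run-key value "HKLM\..\Run: [name] command" or a startup-folder shortcut.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LNK_RE = re.compile(r"^(?P<folder>(?:\w+ )?Startup): (?P<link>.+?) = (?P<target>.*)$")

@dataclass
class Entry:
    kind: str  # "R0", "O4", "O16", ...
    body: str  # text after " - "

@dataclass
class Log:
    version: str = ""
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)

def parse_log(text: str) -> Log:
    """Split a pasted log into HijackThis version, running processes and findings."""
    log, in_procs = Log(), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if line.startswith("Logfile of HijackThis "):
            log.version = line.split(" ", 3)[3]
        elif line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            log.entries.append(Entry(m["kind"], m["body"]))
        elif not line:
            in_procs = False  # a blank line closes the process list
        elif in_procs:
            log.processes.append(line)
    return log

def downloaded_controls(log: Log) -> List[Dict[str, str]]:
    """O16: ActiveX controls that Internet Explorer installed from a URL."""
    hits = (DPF_RE.match(e.body) for e in log.entries if e.kind == "O16")
    return [{"clsid": m["clsid"].upper(), "name": m["name"] or "", "url": m["url"]}
            for m in hits if m]

def autostarts(log: Log) -> List[Dict[str, str]]:
    """O4: Run-key values and startup-folder shortcuts, with what each launches."""
    found = []
    for e in (e for e in log.entries if e.kind == "O4"):
        if m := RUN_RE.match(e.body):
            found.append({"where": f"{m['hive']}\\{m['key']}", "name": m["name"], "launch": m["cmd"]})
        elif m := LNK_RE.match(e.body):
            found.append({"where": m["folder"], "name": m["link"], "launch": m["target"]})
    return found

def find_items(log: Log, wanted: List[str]) -> List[Entry]:
    """Locate reviewer-pasted lines; the forum shortens long URLs to "...", treated as a wildcard."""
    found = []
    for w in wanted:
        rx = ".*".join(re.escape(" ".join(part.split())) for part in w.split("..."))
        rx = re.compile(f"^{rx}$", re.IGNORECASE)
        found += [e for e in log.entries if rx.match(" ".join(f"{e.kind} - {e.body}".split()))]
    return found
```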
#6
Thanks Snap
I won't be able to get back on my computer until Saturday, so I'll try these out then. Thanks for your help.

Regards Prospero
#7
OK here we go again.
Have downloaded and run CWShredder. This reported: CWS.Searchx 6 infected IE registry values

It also queried the file \windows\asx3test.exe in connection with CWS.Control3, which I did not delete as it seems to be a valid file.

I ran Adaware and this found the following:

Vendor: Possible Browser Hijack attempt
Category: Data Miner
Object Type: RegData
Size: -
Location: Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")
Last Activity: 03-07-2004
Risk Level: Medium
Comment: Possible browser hijack attempt
Description: Possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

Vendor: Possible Browser Hijack attempt
Category: Data Miner
Object Type: RegData
Size: -
Location: Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")
Last Activity: 03-07-2004
Risk Level: Medium
Comment: Possible browser hijack attempt
Description: Possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

After deleting these, I then ran Spybot Search and destroy, CWShredder and Hijack this. Nothing found in all cases. I then reinstalled Windows media player.

I notice that the following file has reappeared in my \local settings\temp folder: c1b6a80e.tmp
Is this a problem? Otherwise it looks like I'm clear. Thanks for all your help.

Prospero
#8
Just after I posted this reply, the file GLB1A2B.EXE reappeared in my temp folder, so I think I'm still infected.
Prospero
#9
Update
Ran CWShredder in safe mode & got the following:

You have a variant of the Coolwebsearch trojan (CWS.Smartsearch.2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar. CWShredder is still functioning fine, it has not been corrupted.

The program also reported asx3test.exe as possibly being part of CWS.Control.3. Nothing else found. Nothing found by Adaware 6 or Spybot S&D.

A search of the registry revealed the following settings under HKCU\Software\Microsoft\Search Assistant\ACMru\5603 (also listed under HK_USERS):

(Default) REG_SZ (value not set)
000 REG_SZ asx3test
001 REG_SZ *.*
002 REG_SZ wmplayer
003 REG_SZ notepad
004 REG_SZ logon
005 REG_SZ glb1a2b
006 REG_SZ ncjmcfa
007 REG_SZ jusched
008 REG_SZ notepad.exe
009 REG_SZ cult
010 REG_SZ PFAL*.doc
011 REG_SZ jusched.exe
012 REG_SZ noah
013 REG_SZ base5
014 REG_SZ cab5
015 REG_SZ autoexec
016 REG_SZ xvid
017 REG_SZ nve21
018 REG_SZ fxstiff.dll
019 REG_SZ ie*.bmp
020 REG_SZ 22ani
021 REG_SZ ic24

Also listing of *\5604:

(Default) REG_SZ (value not set)
000 REG_SZ explorer.exe
001 REG_SZ cab5
002 REG_SZ config
003 REG_SZ nero

Does this confirm my suspicion that the program was using the Sun Java <check for updates> facility as part of its evil work? (jusched.exe)

Hope this helps.

Regards Prospero
#10
Hi Prospero,
jusched.exe is a valid file (belongs with Sun Java), if it was jusched32.exe, then it would belong to a CWS variant.

Can you upload those files to (individually) for a scan at Kaspersky. Please post back what the scan says about them.

c1b6a80e.tmp
GLB1A2B.EXE
asx3test.exe

I'm not too worried about the .tmp files since they are in the temp folder and not running, and the files in the temp folder do have some strange names given to them. But the asx3test.exe file I am unsure of. I searched for some more information on that and some have said delete it and the person has had no ill effect, and in another log where it was deleted, the person did have a bad effect. So for now don't delete the asx3test.exe file until we find out more about it.

Could you post a new hijackthis log please, and we'll have another look at it.

Regards, snap
__________________
@-`-,--
#11
Ok, took me a few minutes to look up in my registry, and see what was listed there under HKCU\Software\Microsoft\Search Assistant\ACMru\5603
This is not easy for me to explain because I am no registry expert, but this is your "Search Assistant" and it will show different files that you have looked up. Because I was looking up similar files, I also have some of the ones listed under my 5603 folder that you have listed, along with a few more files that are known baddies, but I do not have those files on my system. They are just entered under that registry key because they were 'searched'.

Hope that helps explain it a bit better and puts your mind at ease. But I can ask one of our Experts to look into your thread just as a second opinion to make very sure we haven't missed anything. Ok?

Regards, snap
__________________
@-`-,--
#12
Prospero, could you check the version of CWShredder you are using?
Make sure you have the most recent version, which is 1.59.01. If you don't have that version, then you can download CWShredder v.1.59.01 from here: http://www.wilderssecurity.com/showthread.php?t=14086

snap
__________________
@-`-,--
#13
Hi There Snap
Have run files through at Kaspersky but nothing found. Am using latest version of CWShredder. AV software reports Troj/StartPa-BM in HijackThis backup files. Will investigate this further and get back to you. The c1b6a80e.tmp file seems to disappear at the same time the GLB1A2B.exe file appears.

Latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 04:07:05, on 04/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Downloads\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [ORTEKMKBD] C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...060.0219212963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

Regards Prospero
#14
Hi Snap
Good News. The latest update of my anti-virus software has picked up the Troj/StartPa-BM virus in a file called \System32\ppnpgb.dll so I've deleted this file. For some reason, the anti-virus software did not pick up the virus when I did a scan. It was only when I started up Internet Explorer this morning that the virus was spotted. Will have to speak to the anti-virus people for further information, and to see if this is a variant of Cool Websearch. Will keep you posted on the outcome.

Regards Prospero
#15
The problem is still recurring.
Here is the response from my anti-virus people (soph*s) - judge for yourself.

"Hi ***** although we have decided to classify this as a Trojan there is a very fine between it and some other adware applications. Currently it is our policy not to detect adware as it very often tells the user exactly what it will do and requires a EULA to be agreed to. It can also be simply uninstalled through Control Panel-Add/Remove Programs. Regards " etc

Can't find anything in the Control Panel-Add/Remove Programs, also, it was installed without my permission, and without an EULA. What do you think of that?

Regards Prospero

Added: PS I can send you a copy of the infected .dll if you like. I've saved it as a zipped file with a .zi_ extension.
#16
Hi Prospero,
I can kind of understand why your antivirus vendor would say that, and quite a few very nasty spyware/malware files are now behaving more like viruses and trojans, so they end up getting a name with 'troj' in them.

Could you download the latest version of Hijackthis v1.98.0 from http://www.wilderssecurity.com/showthread.php?t=12516 Unzip it to its own folder, scan, and post a new log here. Maybe we'll see the dll this time in the log.

Regards, snap
__________________
@-`-,--

Last edited by snapdragin : July 12th, 2004 at 05:02 AM. Reason: tags
#17
Snap - here's the latest Hijackthis log:
Logfile of HijackThis v1.98.0
Scan saved at 18:17:15, on 12/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Downloads\Hijack This\HijackThis1980hf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [ORTEKMKBD] C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

Prospero
#18
No further progress to date.
However, I have noted the following events in the Event Viewer are occurring regularly since the start of the infection:

Event System: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.

VSS: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Userenv: Windows saved user ****\**** registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Does this mean anything to anybody?

Regards Prospero