Hijacker's got me ...and more!

Discussion in 'adware, spyware & hijack cleaning' started by jambalayageorge, Jan 15, 2004.

Thread Status:
Not open for further replies.
  1. jambalayageorge

    jambalayageorge Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    6
    Location:
    Westerly, RI USA
I am wrestling with some problems that I was hoping someone can help me with. While surfing on 1/9/2004, I was victimized by a hijacker who changes my start page on me. I ran Spybot - Search and Destroy, Spyware Blaster, and Norton Antivirus 2004, but the problem remains. I can see the file. It is called "winlogon.exe" in C:\D & S\All Users\Start Menu\Programs\Startup. It has resisted all my attempts to delete it, change it, or move it. I downloaded and ran HijackThis. Looking over the log file, I can see remnants of some previous problems which I thought were dealt with, namely, (1) pubplace.dll is one of the main players in Adware.Winshow which Norton AV supposedly took care of; (2) comctl_32.exe is from a previous trojan problem which I thought was solved; and (3) there is a reference to the yahoo toolbar which I always had my doubts about. My machine is very slow on start-up and shut down. I am sending a HijackThis log file from 1/14/04. I can also supply Zone Alarm Pro firewall log files if needed. Thanks in advance for any help that can be provided.....jambalayaGeorge

    Logfile of HijackThis v1.97.7
    Scan saved at 6:48:42 PM, on 1/14/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\mysql\bin\winmysqladmin.exe
    C:\Documents and Settings\George Vinal\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://auto.ie.searchforge.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://auto.ie.searchforge.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://auto.ie.searchforge.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/
    R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\pubplace.dll (file missing)
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 www.sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 www.easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 www.free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [comctl32] C:\WINNT\comctl_32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
    O4 - Global Startup: winlogon.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://admin.pressplay.com/duet/registration/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.15.60.103/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.2153935185
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://3268816.offshoreclicks.com/dialup_files/99950551.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{54AF0E27-6F34-4206-BE52-87A995277E60}: NameServer = 68.9.16.30,68.13.16.30
    O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
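The log above shows the patterns a helper looks for first: start/search pages pointed at unfamiliar domains (R1), a search hook registered for a file that is gone (R3), hosts-file entries forcing sites to one IP (O1), a core system process name such as winlogon.exe launched from a Startup folder instead of the system directory (O4), an unnamed ActiveX download (O16) and a user stylesheet (O19). The script below is an added example, not part of this thread and not HijackThis code; it reads a handful of lines copied from the log above and applies those checks. The allow-list of "trusted" search domains and the Windows-root heuristic are the example's own assumptions, and every finding is a prompt for review, not a verdict.

```python
import ntpath
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://auto.ie.searchforge.com/
R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\pubplace.dll (file missing)
O1 - Hosts: 216.200.3.32 worldsex.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [comctl32] C:\WINNT\comctl_32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://3268816.offshoreclicks.com/dialup_files/99950551.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
"""

# Windows core processes that legitimately run only from the system directory.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Assumed allow-list: domains the analyst accepts as start/search pages (an example choice).
DEFAULT_TRUSTED_DOMAINS = frozenset({"www.msn.com", "search.msn.com", "www.microsoft.com"})

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+)\s+-\s+(?P<body>.*)$")
O16_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}\s*(?:\((?P<name>[^)]*)\))?\s*-\s*(?P<url>\S+)")


def launched_program(payload: str) -> str:
    """Extract the program path from an O4 payload: '[Value] C:\\x\\p.exe -a',
    '[Value] "C:\\with space\\p.exe"', 'link.lnk = C:\\x\\p.exe' or a bare 'p.exe'."""
    payload = re.sub(r"^\[[^\]]*\]\s*", "", payload)      # drop the [value name] label
    if " = " in payload:                                  # shortcut form: take the target
        payload = payload.split(" = ", 1)[1]
    quoted = re.match(r'"([^"]+)"', payload)
    if quoted:
        return quoted.group(1)
    exe = re.search(r"\S+\.exe", payload, re.I)           # first executable-looking token
    return exe.group(0) if exe else payload.strip()


def check_o4(where: str, payload: str):
    """Flags for one O4 (autostart) entry."""
    path = launched_program(payload)
    name = ntpath.basename(path).lower()                  # ntpath: backslash paths on any host OS
    directory = ntpath.dirname(path).lower()
    reasons = []
    if name in SYSTEM_PROCESS_NAMES and not directory.endswith("\\system32"):
        origin = directory or ("a Startup folder" if "startup" in where.lower() else "PATH lookup")
        reasons.append(f"core system process name {name!r} launched from {origin}")
    if re.fullmatch(r"[a-z]:\\(winnt|windows)", directory):   # heuristic, assumed for this example
        reasons.append(f"{name!r} runs directly from the Windows root, unusual for installed software")
    return reasons


def triage(log_text: str, trusted_domains=DEFAULT_TRUSTED_DOMAINS):
    """Return (section, line, reason) tuples for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec in ("R0", "R1") and " = " in body:
            target = body.split(" = ", 1)[1].strip()
            host = urlparse(target).hostname if "://" in target else None
            if host and host.lower() not in trusted_domains:
                reasons.append(f"IE start/search setting redirected to {host}")
        elif sec == "R3" and "(file missing)" in body:
            reasons.append("URLSearchHook registered for a file that no longer exists (orphaned hook)")
        elif sec == "O1":
            parts = body.split(None, 2)                    # 'Hosts:', ip, hostname
            if len(parts) == 3:
                reasons.append(f"hosts file forces {parts[2]} to resolve to {parts[1]}")
        elif sec == "O4":
            where, _, payload = body.partition(":")        # 'HKLM\..\Run' / 'Global Startup'
            reasons.extend(check_o4(where, payload.strip()))
        elif sec == "O16":
            dpf = O16_RE.match(body.partition(":")[2].strip())
            if dpf:
                host = urlparse(dpf.group("url")).hostname or ""
                if not dpf.group("name"):
                    reasons.append(f"ActiveX download from {host} registered without an object name")
                if re.fullmatch(r"\d+(\.\d+){3}", host):
                    reasons.append(f"ActiveX download served from a bare IP address {host}")
        elif sec == "O19":
            reasons.append("custom IE user stylesheet set; absent unless deliberately configured")
        findings.extend((sec, line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for sec, line, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run it over a full log saved from HijackThis by passing the file's text to `triage()`; entries that raise no flag (the NAV helper, ccApp, the ZoneAlarm shortcut, mobsync.exe resolved from PATH) are silently skipped, while the startup-folder winlogon.exe, comctl_32.exe in the Windows root, the hosts entries and the search-page redirects each come back with a reason.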
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jambalayageorge,

    Please download and run CWShredder

    That should bring your computer up to speed again.

    Then download a free trial of TDS3 from here:
    http://tds.diamondcs.com.au/index.php?page=home
    Update as described here:
    http://tds.diamondcs.com.au/index.php?page=update
When that is ready click System Testing > Full system scan

    Please post the results of the scan.

    I suspect this: C:\WINNT\comctl_32.exe to be a trojan.

    Regards,

    Pieter
     
  3. jambalayageorge

    jambalayageorge Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    6
    Location:
    Westerly, RI USA
    Many thanks for the quick response. I will do as recommended and report back...jambalayaGeorge
     
  4. jambalayageorge

    jambalayageorge Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    6
    Location:
    Westerly, RI USA
    The following problems were addressed:
    (1) CW Shredder removed the "winlogon.exe" hijacker;
    (2) HJT removed comctl_32.exe and remnants of the yahoo toolbar;
(3) I upgraded Windows to SP4.

    I am relieved to be rid of the hijacker. Thank you! I still have some serious doubts about the Borland Interbase Server. I can't figure out what program it is associated with. All I can do is turn it on and turn it off. It is blocked from accessing the net by my firewall software. When it is allowed, it dutifully makes a connection hourly. I am including an updated HJT log file and a Zone Alarm Pro log file.
    Thanks, jambalayaGeorge

    Logfile of HijackThis v1.97.7
    Scan saved at 6:44:46 AM, on 1/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\mysql\bin\winmysqladmin.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\Documents and Settings\George Vinal\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://admin.pressplay.com/duet/registration/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.15.60.103/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.2153935185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{54AF0E27-6F34-4206-BE52-87A995277E60}: NameServer = 68.9.16.30,68.13.16.30

    - Reduced image size to narrow thread width - LWM
     


  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jambalayageorge,

    That is a clean HijackThis log.

    IB Guardian is a simple program which watches the IB server process
    and restarts it if it's not running (e.g., because it crashed).

    I don't know if you constantly need the program, so the following is optional:
    You can stop ibguard.exe by going into the Control Panel and opening
    InterBase Manager. Then, hit the Stop button to stop the InterBase Server.

    Regards,

    Pieter
     
  6. jambalayageorge

    jambalayageorge Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    6
    Location:
    Westerly, RI USA
    Pieter,
    From the ZAP log file, 68.9.16.30 comes back to :

    2K3SERVERB.BTIRECORDS.COM
    NS2.IVORYWEB.COM
    BTIDNS.BTIRECORDS.COM
    2K3SERVER1.BTIRECORDS.COM
    NS1.DELPHIANGROUP.COM
    DNS2.THECONRADTS.COM

and 127.0.0.1 returns to dotster.com. Do you have any idea why my machine should want to connect to them? o_O

    Thanks again, jambalayaGeorge
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jambalayageorge,

I'm by no means a firewall expert, but looking at your log, 68.9.16.30 is your DNS server and 127.0.0.1 is your own computer.

    I'll ask one of our firewall wizards to have a look.

    Regards,

    Pieter
     
  8. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Somebody called a wizard :D

    Pieter is right. 68.9.16.30 belongs to http://www.cox.com/ which I guess is your Internet Service Provider. Port 53 is DNS and 127.0.0.1 is your own computer (local host).

    DNS stands for Domain Name Service. The service transfers internet links into IP addresses. For example if you type into your browser www.wilderssecurity.com the DNS server will transfer this address into the IP address 64.91.255.104.

    wizard
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi jambalayaGeorge,

    One question, are you still blocking "Services and Controller App" with ZA or were you just doing that temporarily to see where it was connecting to?

    On Windows 2000 you should allow Services and Controller App access out to the network. "services.exe" on W2K performs many network based functions and blocking it can cause Internet access problems. At the very least you should add your ISP's DNS servers to the ZA Trusted Zone and then allow Services and Controller App access out to the Trusted Zone.

    Let us know if you need help setting that up.
     
  10. jambalayageorge

    jambalayageorge Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    6
    Location:
    Westerly, RI USA
    I was just blocking Services and Controller App because I wasn't sure what the Borland Interbase server was doing. After toggling the server on and off, I realized that it is the database engine for an electronic price book file in another directory. That's why the destination IP is my own computer - "Hello, is anybody home?" Even though I have been using a computer for years, I still get somewhat confused when I "look under the hood". I will remove the block on Services and Controller Apps.

    Anyway, I have my machine back from the hijacker, I got a trojan cleaned up and I have updated to Win 2K SP4. A thousand THANK YOUS to everyone who helped me! ;) jambalayaGeorge
     