windows-patch.info

Discussion in 'adware, spyware & hijack cleaning' started by Fraha, Apr 28, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi There,

    Don't know how I did it but i'm hit again bij a RAT or something

    Just now I got a windows mesenger screen telling me to goto www.windows-patch.info to install a severe security patch. (Not likely)

    Here's my hjt:

    Logfile of HijackThis v1.97.7
    Scan saved at 0:46:58, on 29-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\ProcessGuard\dcsuserprot.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\ftp\security\regprot\regprot\regprot.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Weather Watcher\ww.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\ProcessGuard\procguard.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\United Devices\UD.EXE
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\United Devices\ud_1396140.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WUTemp\com_microsoft.837001_XP_SP1Only_WinSE_84421_Express\WINDOWSXP-KB837001-X86-NLD-express.EXE
    d:\4699115ae26f4aacbe20f4e2f3d762\update\update.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nos.nl/nieuws/nieuws/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fraha's own explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 194.109.6.83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Total Uninstall] C:\Program Files\Total Uninstall\Tun.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite\cs_splash.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKLM\..\Run: [RegProt] h:\ftp\security\regprot\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [windbs] winxtc.exe
    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [windbs] winxtc.exe
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - HKCU\..\Run: [SecureItPro] C:\Program Files\SecureIt Pro\secureitpro470p.exe /LOADSILENT
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Process Guard.lnk = C:\ProcessGuard\procguard.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: StickIt Note Launcher.lnk = C:\StickIt\StickIt Launcher.exe
    O4 - Startup: StickIt UDP Server.lnk = C:\StickIt\SIserver.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NPF Messenger.lnk = ?
    O4 - Global Startup: PGPtray.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ANWB (HKLM)
    O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: www.anwb.nl
    O15 - Trusted Zone: http://www.devolkskrant.nl
    O15 - Trusted Zone: http://groups.msn.com
    O15 - Trusted Zone: http://www.nosnieuws.nl
    O15 - Trusted Zone: nl.sitestat.com
    O15 - Trusted Zone: www.tspeedtest.nl
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
    O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) - http://gemal.dk/browserspy/capicom.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce77526692283cb05/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.6169675926
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444554340000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fraha.instantlogic.com/XUpload.ocx
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F630A6F3-F89E-4374-99CC-28A8AA003208} - http://sls.switchpoint.com/Connect/switchpoint/5.1/Starter.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Thanks again!

    Regards

    Frans
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Fraha,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [windbs] winxtc.exe
    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [windbs] winxtc.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce77526692283cb05/netzip/RdxIE601.cab

    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab

    Then reboot and find:
    hkey.exe
    winxtc.exe

    You know how and where to send them, right? ;)
    Can't help but wonder how these got past Regprot though. o_O

    Regards,

    Pieter
     
  3. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hello Pieter and again Thanks for your work on my logs.

    All is well again, the files where already send to DCS before I wrote the first MSG.
    See also my MSG in the private TDS forum on how this could happen.

    If you want to know more, PM me!

    Frans
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.