PDA

View Full Version : possible wareout infection



murphy
2005-12-12, 22:12
Hi - looking at a number of other posts I think I might have been infected by the wareout malware

this is my HJT log

Logfile of HijackThis v1.97.7
Scan saved at 20:07:41, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\sony\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\fast.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Neil\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\sony\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gabber] AppMasterCenter.exe
O4 - HKLM\..\Run: [FLKPT] syspanel.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmhso.exe] C:\WINDOWS\system32\dmhso.exe
O4 - HKCU\..\Run: [SysEntry] ABCXYZ.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DCC_send] Kargo.exe
O4 - HKCU\..\Run: [abrek] syspanel.exe
O4 - Startup: DLHelperEXE.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146

and trying to be a bit proactive I ran FixWareout.exe too - this is what it came back with...



Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\dvhmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...
C:\WINDOWS\SYSTEM32\CSJTC.EXE
C:\WINDOWS\SYSTEM32\DMHVD.EXE

Misc files

Checking for older varients covered by the Rem3 tool


any help would be much appreciated - over to you...

LonnyRJones
2005-12-13, 05:38
Hi

Yes that was wareout and company

can you delete these files ?
C:\WINDOWS\SYSTEM32\CSJTC.EXE
C:\WINDOWS\SYSTEM32\DMHVD.EXE
Be carefull, if any doubt leave them they are inactive and will not couse harm. your antivirus might offer to delete them when you get close.

Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar. (even Folders)
O4 - HKLM\..\Run: [gabber] AppMasterCenter.exe
O4 - HKLM\..\Run: [FLKPT] syspanel.exe
O4 - HKLM\..\Run: [dmhso.exe] C:\WINDOWS\system32\dmhso.exe
O4 - HKCU\..\Run: [SysEntry] ABCXYZ.exe
O4 - HKCU\..\Run: [DCC_send] Kargo.exe
O4 - HKCU\..\Run: [abrek] syspanel.exe
O4 - Startup: DLHelperEXE.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146'

Optional fix's >
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\sony\qttask.exe" -atboottime
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: If there are connection problems >
(These instruction's are basicly for home users.)
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems


Replace HijackThis v1.97.7 with the current version and post a new log

murphy
2005-12-13, 20:41
OK I did what you asked...

I deleted
C:\WINDOWS\SYSTEM32\CSJTC.EXE

but this file didn't exist
C:\WINDOWS\SYSTEM32\DMHVD.EXE

I updated to 1.99.1 and got rid of everything you said in HJT - here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 18:32:39, on 13/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\fast.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Neil\My Documents\Downloads\Neil's Security Folder\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


how does that look now?

murphy
2005-12-13, 21:14
Once I'd done the above, I also updated my spybotSD installation and this is the report...
(I allowed spybot to "fix these problems")

CoolWWWSearch.Oemsyspnp: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1106520001-4036164967-2552189465-1005\Software\Microsoft\Internet Explorer\Main\Cache_Update_Time

Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Pipas.A: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-13 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-09 Includes\Cookies.sbi (*)
2005-12-09 Includes\Dialer.sbi (*)
2005-12-09 Includes\Hijackers.sbi (*)
2005-12-09 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-12-09 Includes\Malware.sbi (*)
2005-12-09 Includes\PUPS.sbi (*)
2005-12-09 Includes\Revision.sbi (*)
2005-12-09 Includes\Security.sbi (*)
2005-12-09 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi (*)

LonnyRJones
2005-12-13, 21:20
Looks fine, good work.

Have SpyBot fix those problems, You can fix or ignore the security center
"Windows Security Center.AntiVirusOverride:"

Update suns java
Sun Java V1.5.0_06 is Available: http://java.com/en/index.jsp
Afterwards Turn off it's auto-updater,(Its buggy) , in control panel java >
update tab uncheck its option to update automatically.
After you install the newer version its important to uninstall the old versions, via addremove programs.

Let us know of any problems

murphy
2005-12-13, 21:59
that seems to have done the trick - thanks for all your help

I will dance at your wedding - If my sister wasn't already married I would introduce her to you.

nasty little bugger that wasn't it? - I don't suppose you could tell which "variant" I had? I was just looking at...

http://cwshredder.net/cwshredder/cwschronicles.html

LonnyRJones
2005-12-13, 22:08
I havent seen a writeup that covers all of that infection
More info
http://www.avira.com/en/threats/TR_Dldr_Agent_tc_4_details.html
http://securityresponse.symantec.com/avcenter/venc/data/pf/trojan.flush.f.html

Happy surfing

tashi
2005-12-17, 22:41
As the problem appears to be resolved this topic will be archived.
If you need the thread reopened please pm me.

Glad we could help. :)

murphy
2005-12-18, 17:35
Hi - when I connected to the internet today I found that my homepage was set to http://uk.msn.com

I think this is again something to do with CoolWebSearch imitating MSN. Also, these two entries that we had previously fixed have since re-appeared in my HiJackThis scan


O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146

LonnyRJones
2005-12-18, 19:20
Hi

Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the suplimentry searchs
Wait until there is a All Done message !!, Then open and post the log next to it.
Your antivirus script protection might interfear or alert, please allow it to run after a bit box will say done.

Download and run blacklite
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Do not rename any files yet

murphy
2005-12-18, 22:01
I've attached the silent runner file.


also - this is the result from Blacklight

12/18/05 19:54:28 [Info]: BlackLight Engine 1.0.29 initialized
12/18/05 19:54:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/18/05 19:54:28 [Note]: 7019 4
12/18/05 19:54:28 [Note]: 7005 0
12/18/05 19:54:38 [Note]: 7006 0
12/18/05 19:54:38 [Note]: 7011 1288
12/18/05 19:54:39 [Note]: FSRAW library version 1.7.1013
12/18/05 19:56:23 [Note]: 7007 0

LonnyRJones
2005-12-19, 01:11
That looks fine, Now a new hijackthis log please

murphy
2005-12-19, 18:58
Logfile of HijackThis v1.99.1
Scan saved at 16:53:41, on 19/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\fast.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Neil\My Documents\Downloads\Neil's Security Folder\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

LonnyRJones
2005-12-19, 21:06
Hi

Repeat these steps
While all browsers are closed with Hiajckthis fix these items
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
============
Go start run type cmd and hit OK type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
(These instruction's are basicly for home users.)
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems

murphy
2005-12-19, 22:49
OK I followed those steps...

1. I fixed the two entries in HJT
2. From Windows IP Configuration, I "successfully flushed the DNS Resolver Cache"
3. I changed my TCP/IP settings to obtain the DNS Servers Automatically
the radio button was set to "Use the following DNS server"
Preferred DNS Server 85.255.115.45
Alternate DNS Server 85.255.112.146

I then rebooted - and I took another HJT log (see attachment)

what now Lonny?

murphy
2005-12-19, 22:51
latest HJT log

murphy
2005-12-19, 22:56
Actually - after making the above two posts I ran another system scan with HJT again and unfortunately the two rogue entries are back...

O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 194.74.65.69 62.6.40.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 194.74.65.69 62.6.40.178

LonnyRJones
2005-12-19, 23:06
Hi

Thats an entirley differant address, is this familur ?
194.74.65.0 - 194.74.65.255'
Private Circuit Customer Networks
BTnet Support
154 St Albans Rd
Sandridge
St Albans
Hertfordshire

murphy
2005-12-19, 23:12
I'm using BT Business Broadband to connect to the Internet - so that looks like a "friendly" DNS.

how did you find that out? - I tried to google the IP address 194.74.65.69 62.6.40.178 but didn't get BT!

LonnyRJones
2005-12-19, 23:18
Try samespade :p
http://www.samspade.org/t/whois?a=core1-pos10-0.birmingham.mdip.bt.net;server=auto
Might need to split the address into two parts when searching
194.74.65.69
62.6.40.178

murphy
2005-12-19, 23:29
does this mean my PC is now sweet-smelling and lovely again?

BTW - I've downloaded all the tools/firewall etc recommended by your site to prevent this happening again.

LonnyRJones
2005-12-19, 23:36
Hi

I believe your good to go
Take care
regards
Lonny

murphy
2005-12-20, 00:04
I think we might have spoken too soon...

I just rebooted and my homepage has been reset to http://uk.msn.com/ again.

the homepage address in Internet Options is now...
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

( this is despite having blocked the home page using the option in SpyWareBlaster.)

LonnyRJones
2005-12-20, 01:36
You live in Europe correct ? That address is ok

murphy
2005-12-20, 01:57
yes I live in the UK - If you think we're sorted then I'm happy - it just worried me that I'd locked my homepage (onto Google) using SpyWareBlaster, but somehow that had been overwritten.

LonnyRJones
2005-12-20, 02:45
murphy
If there are no other problems or questions ? we are finished.

murphy
2005-12-20, 10:20
thanks for all your help Lonny - you can close this thread now.

LonnyRJones
2005-12-21, 01:46
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let me know.