
Thread: possible wareout infection

  1. #11
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Ok

    I've attached the silent runner file.


    also - this is the result from Blacklight

    12/18/05 19:54:28 [Info]: BlackLight Engine 1.0.29 initialized
    12/18/05 19:54:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/18/05 19:54:28 [Note]: 7019 4
    12/18/05 19:54:28 [Note]: 7005 0
    12/18/05 19:54:38 [Note]: 7006 0
    12/18/05 19:54:38 [Note]: 7011 1288
    12/18/05 19:54:39 [Note]: FSRAW library version 1.7.1013
    12/18/05 19:56:23 [Note]: 7007 0

  2. #12
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    That looks fine. Now a new HijackThis log please.

  3. #13
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    latest HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 16:53:41, on 19/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\fast.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Documents and Settings\Neil\My Documents\Downloads\Neil's Security Folder\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  4. #14
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Hi

    Repeat these steps.
    While all browsers are closed, with HijackThis fix these items:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
    ============
    Go to Start, Run, type cmd and hit OK, then type
    ipconfig /flushdns
    then hit enter, type exit, hit enter.
    (that space between g and / is needed)

    Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
    (These instructions are basically for home users.)
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

  5. #15
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Ok

    OK I followed those steps...

    1. I fixed the two entries in HJT
    2. From Windows IP Configuration, I "successfully flushed the DNS Resolver Cache"
    3. I changed my TCP/IP settings to obtain the DNS Servers Automatically
    the radio button was set to "Use the following DNS server"
    Preferred DNS Server 85.255.115.45
    Alternate DNS Server 85.255.112.146


    I then rebooted - and I took another HJT log (see attachment)

    What now, Lonny?

  6. #16
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    latest HJT log

    latest HJT log

  7. #17
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    hmm

    Actually - after making the above two posts I ran another system scan with HJT again and unfortunately the two rogue entries are back...

    O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 194.74.65.69 62.6.40.178
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 194.74.65.69 62.6.40.178

  8. #18
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Hi

    That's an entirely different address, is this familiar?
    194.74.65.0 - 194.74.65.255
    Private Circuit Customer Networks
    BTnet Support
    154 St Albans Rd
    Sandridge
    St Albans
    Hertfordshire

  9. #19
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    I think so

    I'm using BT Business Broadband to connect to the Internet - so that looks like a "friendly" DNS.

    How did you find that out? I tried to Google the IP addresses 194.74.65.69 62.6.40.178 but didn't get BT!

  10. #20
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Try SamSpade :p
    http://www.samspade.org/t/whois?a=co...et;server=auto
    Might need to split the address into two parts when searching
    194.74.65.69
    62.6.40.178
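As an added example (not code from this thread or from HijackThis), here is a small Python checker for the O17 lines quoted in posts #13 and #17. It sorts each NameServer the way the thread does by hand in #14 and #18: the two servers the expert had removed are treated as rogue, 194.74.65.0/24 is taken as the BTnet range from the WHOIS result, and anything else is left as unverified until it is looked up. The rogue list, the ISP range and the sample lines are assumptions drawn from this thread, not an authoritative list.

```python
import ipaddress
import re

# Constructed sample: the four O17 lines quoted in this thread (two before the fix, two after).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 85.255.115.45 85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 194.74.65.69 62.6.40.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B6A80B-D1AF-4D70-8773-D0D51567200E}: NameServer = 194.74.65.69 62.6.40.178
"""

# Assumed inputs taken from the thread: the range WHOIS attributed to BTnet (post #18) and
# the two servers the expert told the poster to remove (post #14).
ISP_RANGES = ["194.74.65.0/24"]
KNOWN_ROGUE = ["85.255.115.45", "85.255.112.146"]

# One O17 line: control set (CCS = CurrentControlSet, CS1 = ControlSet001), interface GUID, NameServer list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>\w+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>[\d., ]+)$"
)

def parse_o17(log_text):
    """Return (control set, interface GUID, [IPv4Address, ...]) for every O17 line found."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [ipaddress.ip_address(s)
                   for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
        entries.append((m.group("cset"), m.group("guid"), servers))
    return entries

def classify_nameservers(entries, isp_ranges, known_rogue):
    """Label each server 'rogue', 'isp' (inside a trusted range) or 'unverified' (needs a WHOIS check)."""
    nets = [ipaddress.ip_network(r) for r in isp_ranges]
    bad = {ipaddress.ip_address(a) for a in known_rogue}
    verdicts = {}
    for _cset, _guid, servers in entries:
        for ip in servers:
            if ip in bad:
                verdicts[str(ip)] = "rogue"
            elif any(ip in net for net in nets):
                verdicts[str(ip)] = "isp"
            else:
                verdicts[str(ip)] = "unverified"
    return verdicts
```

Running `classify_nameservers(parse_o17(SAMPLE_LOG), ISP_RANGES, KNOWN_ROGUE)` on the sample gives the two 85.255.x.x servers as rogue, 194.74.65.69 as isp and 62.6.40.178 as unverified, which is exactly the state the thread is in at post #20.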
