trust cleaner help please!
groomjac
Newbie
6. February 2007 @ 11:30
Hi guys, I'm new to the boards, so hello everyone. I'm at work, and when I try to do a Google search, sometimes this Trust Cleaner ad pops up, and also when I search on eBay. Any help is appreciated. I included a log file from HijackThis. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 4:13:22 PM, on 2/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
C:\WINNT\system32\iprntctl.exe
S:\WinSPC\pub\Autocodedater\AutoCodeDate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\proquota.exe
C:\Program Files\dqs\WinSPC\WinSPC32.exe
C:\Documents and Settings\MCDEPOSIT1\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.CLV.NA.MARS
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - HKLM\..\Run: [iPrint Tray] C:\WINNT\system32\iprntctl.exe TRAY_ICON
O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.co...ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
Senior Member
6. February 2007 @ 12:33
The "net installer" seems suspicious to me. Also, use Firefox instead of IE; problem solved.

Senior Member
6. February 2007 @ 12:33
This is bad. trustincontext.dll is the main parasite but I also see the ClientMan dropper, which is a backdoor trojan/dropper. I also see your DNS system is completely compromised, hence the .MARS domains. I think one of the other files might be operating as a DNS redirector kind of like the NEW.NET malware does. You can try deleting all the below items (a few are unrelated to this but are unneeded e.g. qttask.exe). You should run Spybot, ccleaner, AVG Anti-spyware (Ewido), etc. To clean up the DNS hijack, go into Network Connections, LAN (or whatever you use to connect), select TCP/IP, Properties, then Advanced and delete anything and everything pertaining to DNS.




R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.CLV.NA.MARS
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe


-Do you believe you own your computer and shouldn't be told what you can run and do? Then say *NO* to Microsoft Vista!
-Since half the questions here involve media problems, here ya go: Only use Verbatim or Taiyo-Yuden discs (get your TYs from Rima.com, not Supermediastore or meritline). Forget the rest, no matter what "brand" they sell under. Always burn at 4x speed regardless of the speed rating of the discs or your drive. If you have burn problems with these then you have to update your drive's firmware. For double-layer discs, only use Verbatim DVD+R DL and burn them at 2.4x speed.
ddp
Moderator
6. February 2007 @ 14:09
Moved to correct forum.
groomjac
Newbie
7. February 2007 @ 15:24
Dunker, thanks for the reply. I think I have fixed it by another post on this site in another forum, but here's a new HijackThis log if you don't care to look. Thanks for all the help.
groomjac
Newbie
7. February 2007 @ 15:27
Originally posted by groomjac:
Dunker, thanks for the reply. I think I have fixed it by another post on this site in another forum, but here's a new HijackThis log if you don't care to look. Thanks for all the help.


sorry
Logfile of HijackThis v1.99.1
Scan saved at 8:25:07 PM, on 2/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\proquota.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
C:\WINNT\system32\iprntctl.exe
S:\WinSPC\pub\Autocodedater\AutoCodeDate.exe
C:\Program Files\dqs\WinSPC\WinSPC32.exe
C:\Program Files\Quick View Plus\Program\qvp32.exe
h:\New Folder\HijackThis_v1.99.1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - HKLM\..\Run: [iPrint Tray] C:\WINNT\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
Senior Member
9. February 2007 @ 02:22
Sorry for taking so long to get back. Your system appears to still be infected, and I wouldn't be surprised if there's a rootkit in there. Try renaming your HijackThis.exe file to something else with a .exe extension, as rootkits can use this to identify if HijackThis is being run and hide themselves, and post a log. Likewise, you may also want to try running a somewhat older (and renamed) version afterwards, as rootkits can identify HjT by other means.

I see AutoCodeDate.exe and WinSPC32.exe still running, which is likely the trojan itself. The DNS situation is still screwed up too, which is potentially the most serious threat. The following is also not a good sign:

O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag

Try removing those again, or using a product that can tackle these. FYI, as a rule of thumb, avoid paid anti-spyware software except Ewido (AVG Anti-Spyware) and Webroot Spysweeper. I also see you have Norton Anti-Virus, which is probably one of the worst products around. Try uninstalling that and using AVG, Avira Antivir, or Avast! which are also free for home use.

Incidentally, I noticed you have WinZIP installed:
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

WinZIP and other compression programs need to be kept up-to-date as they suffer lots of security problems, so make sure you have the latest version of that.

groomjac
Newbie
9. February 2007 @ 15:55
Dunker, thanks for all the help. I am on a work PC, and the AutoCodeDater and the SPC programs are for quality checks here at work. The Trust Cleaner doesn't pop up any more and everything seems to be OK. Thanks for all your help.
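
Added example, not part of the original thread: a small parser for HijackThis item lines that diffs the 6 February and 7 February scans and lists entries whose target file was reported missing. The two sample logs are short excerpts of the logs posted above; the function names and the section-code pattern are this example's own.

```python
import re

# HijackThis item lines are "<section code> - <item>", e.g. "O2 - BHO: ...".
# Header lines and the running-process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

def parse_entries(log_text):
    """Return the set of (section, item) pairs found in one log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Compare two scans: entries that went away, appeared, or persisted."""
    b, a = parse_entries(before), parse_entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "kept": sorted(a & b)}

def orphaned(log_text):
    """Entries whose target file HijackThis reported as absent from disk."""
    return sorted(e for e in parse_entries(log_text) if e[1].endswith(ORPHAN_MARKERS))

# Excerpts of the 6 February and 7 February logs posted in this thread.
LOG_FEB6 = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:13:22 PM, on 2/6/2007
Running processes:
C:\WINNT\Explorer.EXE

O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
"""
LOG_FEB7 = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:25:07 PM, on 2/7/2007
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
"""

if __name__ == "__main__":
    result = diff_logs(LOG_FEB6, LOG_FEB7)
    for label in ("removed", "added", "kept"):
        for section, item in result[label]:
            print(f"{label:8} {section:4} {item}")
    for section, item in orphaned(LOG_FEB7):
        print(f"orphaned {section:4} {item}")
```

Run against the full logs, the same diff makes it easy to confirm which entries a cleanup actually removed and which autostart items are still present on the next scan.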