afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > win32:zlob-bn trojan infecting my computer
Win32:Zlob-BN trojan infecting my computer
asbj0rn (Newbie), 26 May 2006 @ 04:33
Hi! I need help from you guys, I can't manage to remove this trojan from my computer! I will download the HijackThis program and post my log here soon. Please help me!
asbj0rn (Newbie), 26 May 2006 @ 04:41
Logfile of HijackThis v1.99.1
Scan saved at 14:37:38, on 26.05.2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nssd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\watchlog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\dcomcfg.exe
C:\WINNT\System32\WatchTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programfiler\Card Reader\shwicon.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Hjt\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Teleplan WatchTray] WatchTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Programfiler\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://post.sf-f.kommune.no/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe

-.-.-.-.-.-.-.-.-.--.-..-
.-.-.-.-.-.-.-.-.-.-.-.-.

SmitFraudFix v2.48

Scan done at 14:42:16,26, fr 26.05.2006
Run from C:\Documents and Settings\Administrator\Skrivebord\SmitfraudFix
OS: Microsoft Windows 2000 [Versjon 5.00.2195]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\regperf.exe FOUND !
C:\WINNT\system32\simpole.tlb FOUND !
C:\WINNT\system32\stdole3.tlb FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min gjeldende hjemmeside"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
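A log like the one above is normally read by hand: the O2 browser helper objects, the O4 Run keys, the O10 Winsock entries, the O17 NameServer lines and the O23 services are what a helper looks at first. As an added example (not code from this thread, from HijackThis or from SmitFraudFix), here is a small Python triage script that applies the same first-pass rules to a copy of the entries posted above. The rules, the "fix"/"verify" split and the choice of lines in SAMPLE_LOG are my own assumptions; the O17 rule only asks you to confirm the DNS server against your ISP or router, it does not call it malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
"""

# HijackThis entry lines start with a section tag (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")


@dataclass
class Finding:
    section: str
    action: str    # "fix": remove with HijackThis / safe mode; "verify": identify before touching
    reason: str
    entry: str


def parse_entries(log: str):
    """Yield (section, body) for every R*/O* line; the running-process list is skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log: str) -> list[Finding]:
    """Apply the first-pass rules a helper uses when reading a HijackThis log (assumed heuristics)."""
    findings = []
    for section, body in parse_entries(log):
        low = body.lower()
        # For O2 and O23 lines the last " - " field is the file path.
        path = body.rsplit(" - ", 1)[-1].lower()
        action = reason = None
        if section == "O2" and path.endswith(".tmp"):
            action, reason = "fix", "BHO loaded from a .tmp file"
        elif section == "O4" and "rundll32" in low:
            action, reason = "fix", "Run key starts a DLL through rundll32"
        elif section == "O10":
            action, reason = "fix", "Winsock LSP chain hijacked"
        elif section == "O17":
            action, reason = "verify", "NameServer override; confirm it is your ISP or router DNS"
        elif section == "O23" and "unknown owner" in low and "\\system32\\" in path:
            action, reason = "verify", "service with no vendor running from System32"
        elif "newdotnet" in low or "new.net" in low:
            action, reason = "fix", "New.Net component (see the O10 hijack entries)"
        if action:
            findings.append(Finding(section, action, reason, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:3} {f.reason}\n         {f.entry}")
```

Run against the sample, the script marks the .tmp BHO, the New.Net BHO, the New.Net Run key and the O10 line for removal, and leaves the nssd.exe service and the DNS setting as things to identify first; the EPSON and Teleplan services, which carry a vendor name, are not flagged at all.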
Newbie, 26 May 2006 @ 05:58
You really need to apply the latest security pack to your Windows 2000 machine. Running service pack 2 leaves you wide open to a variety of risks.

For the infection do this:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a brand new hijackthis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background

This message has been edited since posting. Last edited on 26 May 2006 @ 05:59.

Member (1 product review), 26 May 2006 @ 06:10
If you'd like my two cents, here they are:

You could always try AVG Free, Norton Internet Security 2006, etc.

If that doesn't work, try the F10 button (which restores everything your computer was shipped with). Anything from there someone else will have to advise you on (I am just a computer geek, not an expert).
Newbie, 26 May 2006 @ 06:21
No reason to install any AV programs yet... later, though, it is advisable.
F10? Not sure what you are talking about there.
asbj0rn (Newbie), 26 May 2006 @ 06:49
Logfile of HijackThis v1.99.1
Scan saved at 16:47:17, on 26.05.2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nssd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\watchlog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\WatchTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programfiler\Card Reader\shwicon.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
C:\Hjt\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Teleplan WatchTray] WatchTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Programfiler\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://post.sf-f.kommune.no/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe

-.-.-.-.
.--.-.-.-

SmitFraudFix v2.48

Scan done at 16:36:53,66, fr 26.05.2006
Run from C:\Documents and Settings\Administrator\Skrivebord\SmitfraudFix
OS: Microsoft Windows 2000 [Versjon 5.00.2195]
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\dcomcfg.exe Deleted
C:\WINNT\system32\hp????.tmp Deleted
C:\WINNT\system32\ld????.tmp Deleted
C:\WINNT\system32\ot.ico Deleted
C:\WINNT\system32\regperf.exe Deleted
C:\WINNT\system32\simpole.tlb Deleted
C:\WINNT\system32\stdole3.tlb Deleted
C:\WINNT\system32\ts.ico Deleted
C:\WINNT\system32\1024\ Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Hmmm... it actually seems clean now!
Newbie, 26 May 2006 @ 07:04
It's not clean.

First,

Download this program:

http://www.safer-networking.org/files/sfp.zip

Highlight the file listed below in bold, then right-click and select Copy.


C:\WINNT\System32\nssd.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

Then,

Did you purposely install the two poker games Expekt.com and Bodog Poker? If not, include these in the entries below to fix:

O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe

Next,

Do you know what this is?

O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe


Finally,

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

http://www.bleepingcomputer.com/files/lspfix.php

To remove New.net, please go to Start | Settings | Control Panel | Add/Remove Programs, look for and remove New.Net. If you can't find it, then please go to http://www.newdotnet.com and follow the removal instructions in Procedure 4 at the bottom of the page.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

http://www.bleepingcomputer.com/forums/tutorial62.html

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s

Reboot your computer into Safe mode. Instructions here:

http://www.bleepingcomputer.com/forums/tutorial61.html

Then delete these files or directories (Do not be concerned if they do not exist)

C:\Programfiler\NewDotNet\

Reboot your computer to go back to normal mode and post a new log.

If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

asbj0rn (Newbie), 26 May 2006 @ 08:48
Logfile of HijackThis v1.99.1
Scan saved at 18:47:54, on 26.05.2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nssd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\watchlog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programfiler\Card Reader\shwicon.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
C:\Hjt\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firda.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Teleplan WatchTray] WatchTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Programfiler\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://post.sf-f.kommune.no/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe


The poker clients are okay, and TeleplanTWS is an old system I don't need anymore, but it is not defined as a risk.

I think the system is working fine now!
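Comparing the log posted after the HijackThis fixes (this 18:47 scan) with the one posted before them (the 16:47 scan) shows what the instructions removed and what they left untouched. As an added example, not code from this thread or from HijackThis, here is a Python before/after comparison: it counts entries rather than deduplicating them, so the five identical O10 lines show up as five removals, and it lists entries that survived the cleanup and match a pattern, which is how the still-unidentified nssd.exe service stands out. BEFORE_LOG and AFTER_LOG are excerpts I copied from the two posted logs; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample input: entry lines excerpted from the two HijackThis logs posted in this thread.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firda.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
"""

ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - .+$")


def entries(log: str) -> Counter:
    """Multiset of HijackThis entry lines; duplicates (e.g. repeated O10 lines) keep their count."""
    return Counter(line.strip() for line in log.splitlines() if ENTRY_RE.match(line.strip()))


def diff_logs(before: str, after: str) -> tuple[Counter, Counter]:
    """Return (removed, added). Counter subtraction keeps only positive counts."""
    b, a = entries(before), entries(after)
    return b - a, a - b


def unresolved(before: str, after: str, pattern: str) -> list[str]:
    """Entries present in both logs whose text matches pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(e for e in (entries(before) & entries(after)) if rx.search(e))


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:")
    for entry, n in removed.items():
        print(f"  x{n} {entry}")
    print("added:")
    for entry in added:
        print(f"  {entry}")
    print("still present, no vendor:")
    for entry in unresolved(BEFORE_LOG, AFTER_LOG, r"unknown owner"):
        print(f"  {entry}")
```

On these excerpts the comparison reports the two blank.htm Local Page entries, the New.Net BHO, the New.Net Run key and the five O10 hijack lines as removed, the firda.no Start Page as the only addition, and the nssd.exe service as the one unknown-owner entry that is still there.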
Newbie, 26 May 2006 @ 09:34
One last thing. Do you know what this is? I find it highly suspicious after looking at it, yet I cannot determine its nature.

O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe

This message has been edited since posting. Last edited on 26 May 2006 @ 09:34.

asbj0rn (Newbie), 26 May 2006 @ 09:44
No, I am not sure what it is. Do you think it could be harmful to run the .exe file? I guess I'll just do nothing, since my system seems stable now.
Newbie, 26 May 2006 @ 20:12
If you do not know what it is, I would disable the service so it is no longer running.