#1
I have been infected with a Trojan Horse. Norton has detected it and says the file seasg.exe is the one causing me problems (constantly sending stuff). I have found it but can't move or delete it; it says "file locked". Is there ANY way I can get rid of this file, i.e. unlock it to delete it?
Please HELP!!!!
#3
Many thanks Scoobs, it worked.
I am on broadband; is it normal to "send" more information than "receive"? I have now been on for 44 minutes, sent 12,001,568 and received 2,997,345. I am confused. Any help appreciated.
#4
Certainly not normal for me. My stats are just about the opposite of yours?
#6
Or somebody is downloading from your puter behind your back?
Make sure your files are not set for sharing.
#7
Sorry, had to post in two parts; it would not accept one long post, it said too many smilies!

```text
Logfile of HijackThis v1.98.2
Scan saved at 20:37:08, on 18/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\Evidence Eliminator\ee.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\BigFix\BigFix.exe
C:\Palm\hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\snlogsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EDDIE BADGER\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
```

Last edited by Scoobs; 18-August-2004 at 20:52.
#8
```text
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://directory.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.power-search.info/panel_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: DigiChat Applet - http://www.rxxx.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178
```

Last edited by Scoobs; 18-August-2004 at 20:52.
#9
You have a few infections but we need to deal with your trojan infection first.

The malicious file is C:\Windows\System\snlogsvc.exe. Did you download, update and run TDS-3 as I suggested in another thread? If not, do this first. Then we'll set about removing any other malware.

When posting HJT! logs, please use the "Post Reply" button rather than the "Quick Reply" feature. Now you will see that you have a few options available to you. Uncheck "Automatically Parse URLs" and check "Disable Smilies". Now your log entries will be legible and they'll fit into a single post.

As soon as you've cleaned your trojan infection, reboot, rerun HJT! and post a fresh log here.

As this is a RAT, you would be very wise to change any passwords etc. that you have entered. This type of software is capable of logging keystrokes and mouse clicks, which means that your security has been completely compromised. It's obvious from your traffic reports that someone is downloading from you or using you as a zombie. Before removing the trojan, run Netstat to find the IP and report the intruder to the relevant authorities.

Yet another triumph for Norton AV... NOT!

Last edited by Zer02004; 19-August-2004 at 00:06.
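Zer02004's diagnosis rests on the O4 (autorun) entries in Scoobs' log: the same value name, "Microsoft Update", runs a bare snlogsvc.exe from HKLM Run, HKLM RunServices and HKCU Run. As an added example that is not part of this thread, here is a small Python triage of such O4 lines; the sample lines are copied from the log posted above, and the three heuristics (no path on the image, one value name planted in several locations, a vendor-sounding name whose image is not under the Windows directory) and their weighting are this example's own assumptions, meant as a review hint rather than a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: O4 autorun lines copied from the HijackThis log posted in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
"""

# Registry-backed entries: "O4 - HKLM\..\Run: [name] command"
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Startup-folder entries: "O4 - Global Startup: name.lnk = command"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")

# Words vendors use in autorun names and that malware borrows (this example's own list)
MIMIC_WORDS = ("microsoft", "windows", "update")


def parse_o4(text):
    """Return a list of {location, name, cmd} dicts, one per O4 line in text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            entries.append({"location": m["hive"] + "\\" + m["key"],
                            "name": m["name"], "cmd": m["cmd"]})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"location": "Global Startup",
                            "name": m["name"], "cmd": m["cmd"]})
    return entries


def image_of(cmd):
    """The program that actually runs: a quoted path, or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(entries):
    """Attach review reasons to each entry; entries with the most reasons come first."""
    locations_by_name = defaultdict(set)
    for e in entries:
        locations_by_name[e["name"].lower()].add(e["location"])

    findings = []
    for e in entries:
        image = image_of(e["cmd"])
        name = e["name"].lower()
        reasons = []
        if "\\" not in image:
            # No directory: Windows resolves it through the PATH search at logon,
            # so the log line alone does not tell you which file on disk runs.
            reasons.append("bare filename, no path")
        if len(locations_by_name[name]) > 1:
            reasons.append("same value name in %d autorun locations"
                           % len(locations_by_name[name]))
        if any(w in name for w in MIMIC_WORDS) and "\\windows\\" not in image.lower():
            reasons.append("vendor-style name but image is not under the Windows directory")
        if reasons:
            findings.append({"name": e["name"], "location": e["location"],
                             "image": image, "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(parse_o4(SAMPLE_O4)):
        print("%-18s %-18s %-14s %s" % (f["location"], f["name"], f["image"],
                                        "; ".join(f["reasons"])))
```

The three snlogsvc.exe entries collect all three reasons and sort to the top; the legitimate NVIDIA entries (RUNDLL32.EXE, nwiz.exe) are flagged only for the weak bare-filename reason, which is why the count of reasons, not a single hit, should drive what gets looked at first.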
#11
I had run TDS-3 before reading your last email and it came up with the following:

```text
Live Trojan Found (in process memory) DCOM RCP report Exploit C:\windows\system32\snlogsvc.exe
```

I deleted this under TDS-3, unfortunately before running NETSTAT.

```text
Logfile of HijackThis v1.98.2
Scan saved at 05:57:41, on 19/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\Evidence Eliminator\ee.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\BigFix\BigFix.exe
C:\WINDOWS\System32\rundll32.exe
C:\Palm\hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EDDIE BADGER\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://directory.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.power-search.info/panel_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: DigiChat Applet - http://www.rxxx.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178
```
#12
Something has improved since the offending file was removed (although it still seems to be constantly sending out stuff). The status shows: after 1 hr 14 mins, sent 808,878, received 3,326,812.
And this morning: after 39 mins, sent 199,432, received 239,905.
#13
Rerun HJT! and hit the config button. In the fields provided, enter your preferred home page etc.; mine are as follows:

```text
Default Start Page - http://www.the-scream.co.uk/forums
Default Search Page - http://www.google.co.uk
Default Search Assistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Default Search Customise - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
```

Now go back to the main screen and have it fix the items marked in red:

```text
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://directory.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.power-search.info/panel_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: DigiChat Applet - http://www.rxxx.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178
```

Reboot into safe mode, find and delete the following files: snlogsvc.exe

Reboot as normal, rerun HJT! and post another log.
#14
Hi Zero,
All suggestions done and it still seems to be uploading? Many thanks for your patience and help. This is the latest HijackThis log:

```text
Logfile of HijackThis v1.98.2
Scan saved at 15:13:40, on 19/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\Evidence Eliminator\ee.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\BigFix\BigFix.exe
C:\Palm\hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\EDDIE BADGER\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178
```
#15
Your log looks clean, but there are a few entries which, if removed, will improve performance.

Firstly though, do you actually need all the programs that you are running? BigFix, for example, is one such program. Take a look at your Add/Remove Programs applet and see if there's anything there that you don't need. Do you use the MS Office StartBar? Check the options in MS Messenger and don't allow it to start at boot.

You will upload some data. That's natural. If you're still worried, run another Netstat command and post the outcome here. Ensure that you are online but with nothing connected, and make sure that you use the -a switch with the command: `netstat -a`
#16
Active Connections

Proto  Local Address                 Foreign Address               State
TCP    your-obbuq8xnm4:epmap         your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:microsoft-ds  your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:1025          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:1026          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3155          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3220          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3223          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:5000          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:netbios-ssn   your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3218          origin2.microsoft.com:http    TIME_WAIT
TCP    your-obbuq8xnm4:3220          support2.microsoft.com:http   ESTABLISHED
TCP    your-obbuq8xnm4:3221          origin2.microsoft.com:http    TIME_WAIT
TCP    your-obbuq8xnm4:3222          go.microsoft.com:http         TIME_WAIT
TCP    your-obbuq8xnm4:3223          207.46.248.254:http           ESTABLISHED
TCP    your-obbuq8xnm4:3224          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3225          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3226          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3227          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3228          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3229          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3230          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3231          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3232          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3233          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3234          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3235          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3236          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3237          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:3238          support2.microsoft.com:http   TIME_WAIT
TCP    your-obbuq8xnm4:10858         your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3001          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3002          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3003          your-obbuq8xnm4:0             LISTENING
TCP    your-obbuq8xnm4:3006          your-obbuq8xnm4:0             LISTENING
UDP    your-obbuq8xnm4:microsoft-ds  *:*
UDP    your-obbuq8xnm4:isakmp        *:*
UDP    your-obbuq8xnm4:3007          *:*
UDP    your-obbuq8xnm4:3014          *:*
UDP    your-obbuq8xnm4:3017          *:*
UDP    your-obbuq8xnm4:ntp           *:*
UDP    your-obbuq8xnm4:netbios-ns    *:*
UDP    your-obbuq8xnm4:netbios-dgm   *:*
UDP    your-obbuq8xnm4:1900          *:*
UDP    your-obbuq8xnm4:3019          *:*
UDP    your-obbuq8xnm4:3235          *:*
UDP    your-obbuq8xnm4:7249          *:*
UDP    your-obbuq8xnm4:27027         *:*
UDP    your-obbuq8xnm4:ntp           *:*
UDP    your-obbuq8xnm4:1900          *:*
UDP    your-obbuq8xnm4:3025          *:*
UDP    your-obbuq8xnm4:3192          *:*
UDP    your-obbuq8xnm4:3213          *:*
#17
It's best if you run this test with no connections made to anything. That way, if you are secretly uploading to someone, it would be instantly recognisable.
However, nothing jumps out at me, but you do have several ports open and listening. I'll have a look later to see what these may be for. You also have NetBIOS running over TCP. That should be disabled. You really need to get yourself a firewall and set it up properly.
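The two posts above (run "netstat -a" with nothing open, then look for listeners and for sessions you did not start) are a manual triage. The script below is an added example, not something posted in this thread, that does the same triage over pasted netstat text: it parses the rows, separates listening ports from established sessions, flags outbound sessions to a bare IP address rather than a resolvable name, and reports whether the RPC/NetBIOS/SMB services (epmap/135, netbios-ns/137, netbios-dgm/138, netbios-ssn/139, microsoft-ds/445, the names Windows netstat resolves those ports to) are bound. The sample text is constructed from a few of the lines posted above; the choice of which ports count as "NetBIOS over TCP exposure" is my assumption.

```python
import re

# Constructed sample: a handful of lines adapted from the "netstat -a" output posted in this thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address                 Foreign Address               State
  TCP    your-obbuq8xnm4:epmap         your-obbuq8xnm4:0             LISTENING
  TCP    your-obbuq8xnm4:microsoft-ds  your-obbuq8xnm4:0             LISTENING
  TCP    your-obbuq8xnm4:netbios-ssn   your-obbuq8xnm4:0             LISTENING
  TCP    your-obbuq8xnm4:5000          your-obbuq8xnm4:0             LISTENING
  TCP    your-obbuq8xnm4:3220          support2.microsoft.com:http   ESTABLISHED
  TCP    your-obbuq8xnm4:3223          207.46.248.254:http           ESTABLISHED
  TCP    your-obbuq8xnm4:3224          support2.microsoft.com:http   TIME_WAIT
  UDP    your-obbuq8xnm4:netbios-ns    *:*
  UDP    your-obbuq8xnm4:1900          *:*
"""

# One netstat row: proto, local host:port, foreign host:port, optional state (UDP rows have none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

# Ports, and the service names Windows netstat resolves them to, that mean RPC/NetBIOS/SMB
# is bound on this host. Assumption: this is the "NetBIOS over TCP" exposure the thread
# is talking about; adjust the set for your own environment.
NETBIOS_SMB = {"epmap", "135", "netbios-ns", "137", "netbios-dgm", "138",
               "netbios-ssn", "139", "microsoft-ds", "445"}

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_netstat(text):
    """Turn netstat -a text into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def triage(rows):
    """Summarise what matters for the 'is something phoning home?' question."""
    tcp_listening = sorted({r["lport"] for r in rows
                            if r["proto"] == "TCP" and r["state"] == "LISTENING"})
    udp_bound = sorted({r["lport"] for r in rows if r["proto"] == "UDP"})
    established = [(r["fhost"], r["fport"]) for r in rows if r["state"] == "ESTABLISHED"]
    # An outbound session to a bare IP rather than a resolvable name deserves a second look:
    # a browser hitting a CDN is normal, a long-lived session you did not start is not.
    to_raw_ip = [h for h, _ in established if IPV4_RE.fullmatch(h)]
    exposed = sorted((set(tcp_listening) | set(udp_bound)) & NETBIOS_SMB)
    return {
        "tcp_listening": tcp_listening,
        "udp_bound": udp_bound,
        "established": established,
        "established_to_raw_ip": to_raw_ip,
        "netbios_smb_exposed": exposed,
    }


def report(summary):
    """Plain-text summary of the triage, one finding per line."""
    lines = [f"TCP listening ports : {', '.join(summary['tcp_listening'])}",
             f"UDP bound ports     : {', '.join(summary['udp_bound'])}"]
    for host, port in summary["established"]:
        flag = "  <-- raw IP, check it" if host in summary["established_to_raw_ip"] else ""
        lines.append(f"ESTABLISHED -> {host}:{port}{flag}")
    if summary["netbios_smb_exposed"]:
        lines.append("NetBIOS/SMB/RPC bound on this interface: "
                     + ", ".join(summary["netbios_smb_exposed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_netstat(SAMPLE_NETSTAT))))
```

On the real machine, run netstat -ano instead of netstat -a: the -o switch (present on XP) adds the owning process ID to each row, which you can match against the PID column in Task Manager to see which program holds a listener or an established session. Anything ESTABLISHED while you have no browser, mail client or messenger open is the thing to chase.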
#18
I have a second computer running Windows 98 networked; is this what NetBIOS is for? It's sharing my Mitsubishi monitor. I only use this machine for running The Oxford English Dictionary (I do a lot of writing), which will not operate under XP. I do not have the second PC set up for the internet; I do not require it. Would it solve some of my problems if I ceased to have the second PC coupled up?
I am sure I am running the XP firewall. Is this satisfactory, or what would you suggest? Many thanks for all your kind help and assistance.
#19
As I've just posted in another thread, the XP firewall did absolutely nothing to prevent or even warn you about your trojan "phoning home", so its ineffectiveness has just been proved!
With regards to NetBIOS over TCP, open the advanced settings window for your actual internet connection and disable NetBIOS over TCP.
#20
Try the Microsoft Excel password unlocker tool, which smartly pulls out lost Excel file passwords and unlocks Excel files. Excel password recovery software works superbly when cracking Excel file passwords. This software easily unlocks Excel files without wasting your valuable time.
#21
How about a file that cannot be opened on your USB? Any suggestions?
Tags: bbc, broadband, computer, context menu, email, feature, files, google, hijack, hijackthis, internet, lock, messenger, security, settings, sharing, software, speed, speedtouch, thomson, tiscali, tools, trojan, unlock, web, windows, zero, zombie