HighJacked again

Discussion in 'Windows Desktop Systems' started by Heeter, Feb 15, 2004.

  1. Heeter

    Heeter Overclocked Like A Mother

    I love watching Enyo in action: Here is another. I think that I am getting better at picking them out, though. (I think)

    Logfile of HijackThis v1.97.7
    Scan saved at 12:44:03 PM, on 2/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINDOWS\System32\IEDriver\IEDriver.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    C:\Documents and Settings\Owner\Application Data\nrih.exe
    C:\WINDOWS\System32\winservn.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\AproposClient\Apropos.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=129919
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129919
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us7.hpwis.com/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com
    O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {B330D79B-D569-42DA-8472-358E5933FC94} - C:\WINDOWS\System32\clards.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Ohwo] C:\Documents and Settings\Owner\Application Data\nrih.exe
    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: FlashGet (HKLM)


    Heeter
     
  2. j79zlr

    j79zlr Glaanies script monkey Political User

    You've got some nasties, and a couple of trojans. What the hell do you people do?

    wupdater.exe < adware
    winservn.exe < trojan
    mmod.exe < spyware
    Save.exe < spyware
    IEDriver.exe < spyware

    That's just in the running processes; I don't do HJT logs.
     
  3. Enyo

    Enyo Moderator

    Kill and remove:

    C:\WINDOWS\System32\IEDriver\IEDriver.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\WINDOWS\System32\winservn.exe
    C:\Program Files\Common files\updater\wupdater.exe

    Remove:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=129919
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=129919

    O1 - Hosts: 12.129.205.209 search.netscape.com
    O1 - Hosts: 12.129.205.209 sitefinder.verisign.com

    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe

    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

    Can't ID but would remove:

    O2 - BHO: (no name) - {B330D79B-D569-42DA-8472-358E5933FC94} - C:\WINDOWS\System32\clards.dll

    Kill and Verify:

    C:\Documents and Settings\Owner\Application Data\nrih.exe
    O4 - HKCU\..\Run: [Ohwo] C:\Documents and Settings\Owner\Application Data\nrih.exe


    Be sure that the files are removed as well as the entries.

    Re-post a log when you're done.
     
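    As an added example (not code from anyone in this thread): a small Python triage script for HijackThis-format lines that turns the verdicts in j79zlr's and Enyo's replies into rules: a blocklist of the file basenames they named, a removal verdict for any O1 HOSTS override and for R0/R1 search settings that point away from the HP/Netscape defaults seen in the log, and a verify verdict for O4 autostarts launched from a user profile directory (as with nrih.exe). The blocklist, the trusted host list and the sample lines are constructed from this thread only; they are assumptions, not a general signature set.

```python
import re
from urllib.parse import urlparse

# Basenames named as adware/spyware/trojan in the replies above (assumed blocklist, this thread only)
BAD_FILES = {"wupdater.exe", "winservn.exe", "mmod.exe", "save.exe",
             "iedriver.exe", "uptodate.exe", "stlbdist.dll"}
# Hosts the R0/R1 defaults on this HP box legitimately point to (assumption drawn from the log)
TRUSTED_HOSTS = {"us7.hpwis.com", "srch-us7.hpwis.com", "www.netscape.net"}
# Autostart locations a legitimate installer almost never uses (assumption)
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.IGNORECASE)

# Constructed sample in HijackThis v1.97 log format (a few lines modelled on the log above)
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 search.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [Ohwo] C:\Documents and Settings\Owner\Application Data\nrih.exe
"""


def triage_line(line):
    """Return (code, verdict, detail) for one HijackThis entry, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code.startswith("R"):                      # IE start/search page registry values
        url = body.split(" = ", 1)[1] if " = " in body else ""
        parsed = urlparse(url)
        if parsed.scheme == "file" or parsed.hostname not in TRUSTED_HOSTS:
            return (code, "remove", url)          # search bar/page redirected off the allowlist
        return (code, "ok", url)
    if code == "O1":                              # HOSTS override of a public domain
        return (code, "remove", body.split(": ", 1)[1])
    pm = PATH_RE.search(body)                     # first drive-letter path in the entry
    path = pm.group(1) if pm else ""
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in BAD_FILES:
        return (code, "kill+remove", path)        # kill the process, delete file and entry
    if code == "O4" and any(d in low for d in SUSPECT_DIRS):
        return (code, "verify", path)             # autostart from a profile dir: check the file
    return (code, "ok", path)


def triage_log(text):
    """Triage every entry in a log; returns the non-ok findings in log order."""
    results = [triage_line(l) for l in text.splitlines()]
    return [r for r in results if r and r[1] != "ok"]
```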
  4. Heeter

    Heeter Overclocked Like A Mother

    Apparently,

    This was a totally fresh Windows install. The printer/scanner drivers were barely in the machine when it started acting up. I personally think that some web surfing might have occurred while the drivers were being installed. I will repost a new log when my buddy sends it later.

    Heeter