
i-lookup and other exploits


Name: ray packard
Date: October 27, 2003 at 18:46:58 Pacific
OS: Win2000K
CPU/Ram: Ath 1200 w/256MB
Comment:

After too many hours to count and running adware6, search/destroy, and pest patrol... I still have i-lookup syscpy.exe and probably other exploits. Below is the HijackThis log.

Logfile of HijackThis v1.97.3
Scan saved at 8:17:03 PM, on 10/27/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\RAYSWNNT\System32\smss.exe
C:\RAYSWNNT\system32\winlogon.exe
C:\RAYSWNNT\system32\services.exe
C:\RAYSWNNT\system32\lsass.exe
C:\RAYSWNNT\system32\svchost.exe
C:\RAYSWNNT\system32\LEXBCES.exe
C:\RAYSWNNT\system32\spoolsv.exe
C:\RAYSWNNT\system32\LEXPPS.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\RAYSWNNT\System32\svchost.exe
C:\RAYSWNNT\System32\nvsvc32.exe
C:\RAYSWNNT\system32\regsvc.exe
C:\RAYSWNNT\system32\MSTask.exe
C:\RAYSWNNT\system32\ZoneLabs\vsmon.exe
C:\RAYSWNNT\Explorer.exe
C:\RAYSWNNT\System32\WBEM\WinMgmt.exe
C:\RAYSWNNT\system32\svchost.exe
C:\RAYSWNNT\SOUNDMAN.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\RAYSWNNT\System32\LXSUPMON.exe
C:\Program Files\QuickTime\qttask.exe
C:\RAYSWNNT\System32\syscpy.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\RAYSWNNT\System32\RUNDLL32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\RAYSWNNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://i-lookup.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ray\Application Data\Mozilla\Profiles\default\6j8q9579.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\RAYSWNNT\System32\windec32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\RAYSWNNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\RAYSWNNT\System32\windec32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\RAYSWNNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [NeroCheck] C:\RAYSWNNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\RAYSWNNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\RAYSWNNT\System32\LXSUPMON.exe RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Syscpy] C:\RAYSWNNT\System32\syscpy.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\RAYSWNNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Your help is much appreciated.




Response Number 1
Name: smithdk
Date: October 27, 2003 at 18:53:43 Pacific
Reply:

O4 - HKLM\..\Run: [Syscpy] C:\RAYSWNNT\System32\syscpy.exe

Firewall-bypassing, proxied spam relayer. "Even lets the remote spammers use the victim's machine to type it all in and send; a whole SMTP system in one trojan"

You probably want to get rid of that line.



Response Number 2
Name: smithdk
Date: October 27, 2003 at 18:58:43 Pacific
Reply:

Of course remove all R0 and R1 that reference http://i-lookup.com/



Response Number 3
Name: ray packard
Date: October 27, 2003 at 19:26:30 Pacific
Reply:

Thanks... was kinda certain those items should be removed but wasn't sure if reg entries were the only items that needed to be deleted.



Response Number 4
Name: smithdk
Date: October 27, 2003 at 19:29:46 Pacific
Reply:

You should also delete the file C:\RAYSWNNT\System32\syscpy.exe. Post back if you are still having problems.



Response Number 5
Name: ray packard
Date: October 27, 2003 at 19:32:17 Pacific
Reply:

Also....
here is the startup log created by hijack this.

StartupList report, 10/27/2003, 8:57:35 PM
StartupList version: 1.52
Started from : C:\highjackthis\startup\StartupList.exe
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\RAYSWNNT\System32\smss.exe
C:\RAYSWNNT\system32\winlogon.exe
C:\RAYSWNNT\system32\services.exe
C:\RAYSWNNT\system32\lsass.exe
C:\RAYSWNNT\system32\svchost.exe
C:\RAYSWNNT\system32\LEXBCES.exe
C:\RAYSWNNT\system32\spoolsv.exe
C:\RAYSWNNT\system32\LEXPPS.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\RAYSWNNT\System32\svchost.exe
C:\RAYSWNNT\System32\nvsvc32.exe
C:\RAYSWNNT\system32\regsvc.exe
C:\RAYSWNNT\system32\MSTask.exe
C:\RAYSWNNT\system32\ZoneLabs\vsmon.exe
C:\RAYSWNNT\Explorer.exe
C:\RAYSWNNT\System32\WBEM\WinMgmt.exe
C:\RAYSWNNT\system32\svchost.exe
C:\RAYSWNNT\SOUNDMAN.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\RAYSWNNT\System32\LXSUPMON.exe
C:\Program Files\QuickTime\qttask.exe
C:\RAYSWNNT\System32\syscpy.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\RAYSWNNT\System32\RUNDLL32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\RAYSWNNT\System32\wuauclt.exe
C:\highjackthis\startup\StartupList.exe

---------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.RAYSWNNT\Start Menu\Programs\Startup]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

---------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\RAYSWNNT\system32\userinit.exe,

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.exe C:\RAYSWNNT\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SoundMan = SOUNDMAN.exe
NeroCheck = C:\RAYSWNNT\system32\NeroCheck.exe
AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
PrinTray = C:\RAYSWNNT\System32\spool\DRIVERS\W32X86\2\printray.exe
LXSUPMON = C:\RAYSWNNT\System32\LXSUPMON.exe RUN
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Syscpy = C:\RAYSWNNT\System32\syscpy.exe
PestPatrol Control Center = C:\Program Files\PestPatrol\PPControl.exe
PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol = C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NvMediaCenter = RUNDLL32.exe C:\RAYSWNNT\System32\NVMCTRAY.DLL,NvTaskbarInit

---------------------

Shell & screensaver key from C:\RAYSWNNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

---------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
ohb - C:\RAYSWNNT\System32\windec32.dll - {18B79968-1A76-4953-9EBB-B651407F8998}

---------------------

Enumerating Download Program Files:

[axscanner]
CODEBASE = http://www.pestscan.com/scanner/axscanner.cab
OSD = C:\RAYSWNNT\Downloaded Program Files\OSD6.OSD

[axscannerruntime]
CODEBASE = http://www.pestscan.com/scanner/axscannerruntime.cab
OSD = C:\RAYSWNNT\Downloaded Program Files\OSD28F.OSD

[mscomctl]
CODEBASE = http://www.pestscan.com/scanner/mscomctl.cab
OSD = C:\RAYSWNNT\Downloaded Program Files\OSD22F.OSD

[msvcp71]
CODEBASE = http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
OSD = C:\RAYSWNNT\Downloaded Program Files\OSDF3B.OSD

[msvcr71]
CODEBASE = http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
OSD = C:\RAYSWNNT\Downloaded Program Files\OSDF55.OSD

[ppctlcab]
CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
OSD = C:\RAYSWNNT\Downloaded Program Files\OSD3D8.OSD

[Shockwave ActiveX Control]
InProcServer32 = C:\RAYSWNNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[HeartbeatCtl Class]
InProcServer32 = C:\RAYSWNNT\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Shockwave Flash Object]
InProcServer32 = C:\RAYSWNNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

---------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\RAYSWNNT\system32\NETSHELL.dll
WebCheck: C:\RAYSWNNT\System32\webcheck.dll
SysTray: stobject.dll

---------------------
End of report, 6,107 bytes
Report generated in 0.079 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


I can't believe the trojan and adware software didn't find these... not even the subscription software detected them.





Response Number 6
Name: smithdk
Date: October 27, 2003 at 19:41:41 Pacific
Reply:

I missed this one. Fix this line too:

O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\RAYSWNNT\System32\windec32.dll

I hope your last log isn't what you have running after you made the changes.



Response Number 7
Name: smithdk
Date: October 27, 2003 at 19:44:07 Pacific
Reply:

The line is in there twice. Fix this line too:

O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\RAYSWNNT\System32\windec32.dll


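An added example (not code from this thread) that does in Python the triage the replies above do by hand: it parses the log lines, flags the R0/R1 entries pointing at i-lookup.com and the O2/O3/O4 entries loading syscpy.exe or windec32.dll, and counts how many entries load the same DLL, since the O2 BHO and the O3 toolbar both have to be fixed. The indicator lists and the sample log are constructed from the posts above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://i-lookup.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\RAYSWNNT\System32\windec32.dll
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\RAYSWNNT\System32\windec32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [Syscpy] C:\RAYSWNNT\System32\syscpy.exe
"""

# Indicators the replies identified; a constructed list, extend it per case.
BAD_HOSTS = {"i-lookup.com"}
BAD_FILES = {"syscpy.exe", "windec32.dll"}

ENTRY_RE = re.compile(r"^([RONF]\d+) - (.*)$")                # "O2 - BHO: ..."
FILE_RE = re.compile(r"([\w~.-]+\.(?:exe|dll|ocx))\b", re.I)  # file basenames
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)             # URL hosts

def parse_entry(line):
    """One log line -> section tag, file basenames it loads, hosts it points at."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # blank lines, headers and the process list are skipped
    return {"line": line.strip(), "section": m.group(1),
            "files": {f.lower() for f in FILE_RE.findall(m.group(2))},
            "hosts": {h.lower() for h in HOST_RE.findall(m.group(2))}}

def triage(log_text):
    """Return [(line, reasons)] for entries touching a bad host or file. The
    reason for a file also counts how many entries load it, because each of
    them (here the O2 BHO and the O3 toolbar) must be fixed, not just one."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    loaders = defaultdict(list)
    for e in entries:
        for f in e["files"]:
            loaders[f].append(e["line"])
    flagged = []
    for e in entries:
        reasons = [f"points at {h}" for h in sorted(e["hosts"] & BAD_HOSTS)]
        reasons += [f"loads {f} (loaded by {len(loaders[f])} entries)"
                    for f in sorted(e["files"] & BAD_FILES)]
        if reasons:
            flagged.append((e["line"], reasons))
    return flagged
```

Running `triage(SAMPLE_LOG)` flags five entries and leaves the cnn.com backup value and the Acrobat BHO alone; windec32.dll is reported as loaded by two entries.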

Response Number 8
Name: ray packard
Date: October 27, 2003 at 20:18:55 Pacific
Reply:

Thanks All,

i-lookup and syscpy are gone. The start menu I posted was before changes were made to the system. Guess it's time to buy a firewall/router.



Response Number 9
Name: topdog
Date: November 14, 2003 at 12:59:38 Pacific
Reply:

The windec32.dll file is linked to I-Lookup ToolBar. I-Lookup is a homepage hijacking program that changes the IE homepage & search pages, resulting in many pop-up ads. An uninstaller can be found on this page:
http://www.pchell.com/support/click2findnow.shtml



Response Number 10
Name: James
Date: November 19, 2003 at 19:36:09 Pacific
Reply:

Registration and WHOIS Service Provided By: directNIC.com

Intercosmos Media Group, Inc. provides the data in the directNIC.com
Registrar WHOIS database for informational purposes only. The information
may only be used to assist in obtaining information about a domain name's
registration record.

directNIC makes this information available "as is," and does not guarantee
its accuracy.

Registrant:
Aztec Marketing S.A.
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, Costa Rica ---
CR
+011.5062968075
Fax:+011.5062722279


Domain Name: I-LOOKUP.COM

Administrative Contact:
Admin, Domain rlarag at amnet.co.cr
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, Costa Rica ---
CR
+011.5062968075
Fax:+011.5062722279


Technical Contact:
Admin, Domain rlarag at amnet.co.cr
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, Costa Rica ---
CR
+011.5062968075
Fax:+011.5062722279


Record last updated 04-22-2003 01:32:19 PM
Record expires on 04-08-2006
Record created on 04-08-1999

Domain servers in listed order:
NS0.DIRECTNIC.COM 204.251.10.100
NS1.DIRECTNIC.COM 206.251.177.2


By submitting a WHOIS query, you agree you will use this data only for
lawful purposes. You also agree that, under no circumstances, will you use
this data to: a) allow, enable, or otherwise support the transmission by
email, telephone, or facsimile of mass, unsolicited, commercial advertising
or solicitations to entities other than the data recipient's own existing
customers; or to (b) enable high volume, automated, electronic processes
that send queries or data to the systems of any Registry Operator or
ICANN-Accredited registrar.

The compilation, repackaging, dissemination, or other use of this WHOIS
data is expressly prohibited without the prior written consent of
directNIC.com.

directNIC.com reserves the right to terminate your access to its WHOIS
database in its sole discretion, including without limitation, for
excessive querying of the database or for failure to otherwise abide by
this policy.

directNIC reserves the right to modify these terms at any time.

NOTE: THE WHOIS DATABASE IS A CONTACT DATABASE ONLY.
LACK OF A DOMAIN RECORD DOES NOT SIGNIFY DOMAIN AVAILABILITY.


