LordSick
@t-dialin.net
Anon

HJT Log - Infected with NCM Search etc.

Hi there,

IE always shows NCM Search (URL = http://195.225.176.14/def.html) as the initial page, and my system seems to slow down sometimes.

I have run F-Secure on my system and 2 of the online AV tools until no viruses were found.
CWShredder shows no more infection, but Spybot & Ad-Aware can't solve some problems.

Spybot identifies the following:

DSO Exploit: (1 entrie)
Data source object exploit
HKEY_USERS\S-1-5-21-725345543-1606980848-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Common hijacker: (2 entries)
Prefix change
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www!=http://
Prefix change
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\!=http://

AdAware identifies:

Windows Object Recognized!
Type : RegData
Data : explorer.exe monitor.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe monitor.exe

Windows Object Recognized!
Type : RegData
Data : http://195.225.176.14/pre.pl?
Category : Vulnerability
Comment : URL Prefix Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\url\defaultprefix
Value :
Data : http://195.225.176.14/pre.pl?

Windows Object Recognized!
Type : RegData
Data : http://195.225.176.14/pre.pl?
Category : Vulnerability
Comment : URL Prefix Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\url\prefixes
Value : www
Data : http://195.225.176.14/pre.pl?

If I try to delete the entries identified by Spybot & AdAware, they always show up again on the next scan after a reboot.

My HJT log is:

Logfile of HijackThis v1.98.2
Scan saved at 17:25:02, on 12.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programme\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programme\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programme\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programme\F-Secure\Common\FSMA32.EXE
C:\Programme\F-Secure\Common\FSMB32.EXE
C:\Programme\F-Secure\Common\FCH32.EXE
C:\Programme\F-Secure\Common\FNRB32.EXE
C:\Programme\F-Secure\Common\FAMEH32.EXE
C:\Programme\F-Secure\Common\FIH32.EXE
C:\Programme\F-Secure\Anti-Virus\fsav32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\F-Secure\Common\FSM32.EXE
C:\Programme\AIM95\aim.exe
C:\WINNT\monitor.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Programme\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Programme\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [AIM] C:\Programme\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [monitor] monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: TOPTIP Web Editor - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Dokumente und Einstellungen\Sick@MFSE\Desktop\toptip\webeditor.toptip.net\toptip.exe
O9 - Extra 'Tools' menuitem: TOPTIP Web Editor - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Dokumente und Einstellungen\Sick@MFSE\Desktop\toptip\webeditor.toptip.net\toptip.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O13 - DefaultPrefix: http://195.225.176.14/pre.pl?
O13 - WWW Prefix: http://195.225.176.14/pre.pl?
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2B2C85-1193-4010-A4DB-5E4FFC879CB6}: NameServer = 192.168.100.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D2B2C85-1193-4010-A4DB-5E4FFC879CB6}: NameServer = 192.168.100.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D2B2C85-1193-4010-A4DB-5E4FFC879CB6}: NameServer = 192.168.100.2

Thanks in advance for your help
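As an added defender-side illustration (not code from this thread, from HijackThis or from any of the tools named above): a small Python parser for the HijackThis log format shown in the post that flags the four signs of this hijack, IE pages pointed at a bare IP address, rewritten O13 URL prefixes, an extra executable on the system.ini Shell line, and an O4 Run entry that relaunches that same executable. The function and constant names (analyse_hjt, exe_name, SAMPLE_LOG) are my own, and the sample lines are a constructed subset of the log above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.98 entries from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [monitor] monitor.exe
O13 - DefaultPrefix: http://195.225.176.14/pre.pl?
O13 - WWW Prefix: http://195.225.176.14/pre.pl?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # "R1 - <body>", "O13 - <body>", ...
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def exe_name(command):
    """Lower-cased bare file name of a Run command's first token (quotes and directories stripped)."""
    cmd = command.strip()
    if not cmd:
        return ""
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyse_hjt(log_text):
    """Return (section, reason) pairs for entries showing the hijack pattern in the post: IE pages on a
    bare IP, rewritten URL prefixes, extra Shell executables, and Run entries relaunching them."""
    entries = [m.groups() for m in (ENTRY.match(ln.strip()) for ln in log_text.splitlines()) if m]
    # Anything after Explorer.exe on Shell= is started with the shell; that is how monitor.exe persists.
    shell_extras = {e.lower() for sec, body in entries if sec == "F2" and "Shell=" in body
                    for e in body.split("Shell=", 1)[1].split() if e.lower() != "explorer.exe"}
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
            if RAW_IP.match(host):
                findings.append((sec, f"IE setting points at bare IP {host}"))
        elif sec == "O13":
            prefix = body.split(":", 1)[1].strip()
            if prefix.lower() != "http://":   # the stock prefix; anything else rewrites typed URLs
                findings.append((sec, f"URL prefix rewritten to {prefix}"))
        elif sec == "F2" and "Shell=" in body and shell_extras:
            findings.append((sec, "extra shell executable(s): " + " ".join(sorted(shell_extras))))
        elif sec == "O4" and "] " in body and exe_name(body.split("] ", 1)[1]) in shell_extras:
            findings.append((sec, f"Run entry relaunches {exe_name(body.split('] ', 1)[1])}"))
    return findings
```

Entries such as the ProxyOverride line, the NvCplDaemon Run entry and the Symantec O16 download are deliberately left alone, so the output lists only the six lines the two replies below told the poster to fix.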

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

Have HJT fix these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
O13 - DefaultPrefix: http://195.225.176.14/pre.pl?
O13 - WWW Prefix: http://195.225.176.14/pre.pl?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to LordSick

You also need to fix these entries:

Fix this item if you are not running a proxy and did not set this yourself:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

F2 - REG:system.ini: Shell=Explorer.exe monitor.exe

F3 - REG:win.ini: run=

O4 - HKCU\..\Run: [monitor] monitor.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=
.......................
Reboot your PC

Run Ad-Aware again, and let it fix any bad files found.
........................
Do an online file scan here:

Jotti's malware scan 2.24
http://virusscan.jotti.dhs.org/

on this file:

monitor.exe

Copy the report you are given at the end and post it back here, please. Also post a fresh HijackThis log.