p00ter_nerd (Wort Wort Wort) join:2003-09-02 East Berlin, PA
Please check my log. Here it is, thanks (from HijackThis; I need to know if I have some malware):
Logfile of HijackThis v1.96.4
Scan saved at 7:24:03 PM, on 9/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\OfficeScan NT\pccntmon.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\BacsTray.exe
C:\PROGRA~1\ADELPH~2\SMARTB~1\MotiveSB.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Adelphia eSupport Assistant\bin\mpbtn.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Ben\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eznsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazenet.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blazenet.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~2\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
O4 - Global Startup: Adelphia eSupport Assistant.lnk = C:\Program Files\Adelphia eSupport Assistant\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://antivirus.ygsc.com/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://antivirus.ygsc.com/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://antivirus.ygsc.com/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://antivirus.ygsc.com/officescan/clientinstall/RemoveCtrl.cab
|
p00ter_nerd
Please help. Whatever my issue is, it's impairing me from getting on certain sites.
|
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to p00ter_nerd
Did you change the security settings in your web browser?
What are your symptoms?
Has it always been that way?
What changed around when the symptoms started to occur?
|
|
to p00ter_nerd
Hi p00ter_nerd and welcome to BBR/DSLReports Security Forum! I checked over your list and do not see anything that jumps out, but I am not an expert at this log. Let's see if any of the true experts here have time to look and see if they can find anything.
|
p00ter_nerd (Wort Wort Wort) join:2003-09-02 East Berlin, PA
to keith2468
Keith, I didn't change anything and it has always been this way ever since I got Adelphia.
I can ping google, mail.yahoo.com, and many other sites, but I cannot surf them.
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to p00ter_nerd
Tell us more about your problem... which sites... do you have Roadrunner?
There is no apparent problem up there that I can see, but you do have some Indexing Services and processes running that some claim eat up CPU cycles.
|
Name Game
to p00ter_nerd
This is a new one for me ???
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
|
satburn Premium Member join:2003-06-03 Columbia, MO
2003-Sep-2 8:20 pm
I was looking at that myself; I hope it isn't what it implies... a GUI for disabling services from running at startup. That could be the root of his problem.
Otherwise I agree with you, he could disable the Office "baggage", but otherwise nothing is jumping out....
|
CalamityJane
to Name Game
said by Name Game: This is a new one for me ???
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
Well, I checked out one that looks related. I questioned: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.eznsearch.com, which redirects to www.yahoo.com/ if that is any help.
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to p00ter_nerd
Well p00ter_nerd, I read all your threads at the other forums here at DSLR and the ones at Wilders.... now humor me... click on these links and tell me where they bring you... Thanks. Here are the LINKS:
mail.yahoo.com/
www.google.com/
www.mail.yahoo.com/
|
Name Game
to CalamityJane
said by CalamityJane:
said by Name Game: This is a new one for me ???
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
Well, I checked out one that looks related. I questioned: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.eznsearch.com
which redirects to www.yahoo.com/ if that is any help
HMMM, I would dump that puppy and/or find out more about it.. I think it is junk.
|
Name Game
to p00ter_nerd
BTW, you stated in another post that mail.yahoo.com's IP is: 216.129.127.60
Well, if I put the IP directly in my browser address bar.. I do not get Yahoo mail.
|
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to p00ter_nerd
Those links take me to Yahoo and Google. The thing is, "Hijack This" is telling you filenames, paths and directory entries. You can call a program anything, and a familiar name is a good choice. Especially in such a long list. It would be useful if you had a scan before the problem, then you'd have something to compare against.
Have you checked your hosts or lmhosts file? It can override the IP addresses associated with domain names. You can use SpyBot S&D (advanced interface) to do that.
More user-friendly tools for spyware detection are:
SpyBot: security.kolla.de
Ad-Aware: www.lavasoftusa.com/
Good luck. Let us know what you decide to do and what you find.
|
|
Tis a mystery! He started at Wilders and then in the Adelphia Forum here at DSLR, and did already have both Ad-Aware & Spybot installed and scanned, but he needed to rule out any malware.... and so far nobody is seeing any. See here for the history: www.wilderssecurity.com/ ··· id=12999 very frustrated...... : (
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to p00ter_nerd
Hi Keith,
In another thread he has told people that he has both of those programs.. and they are up to date.. and they found nothing.
But if he can click on those links also and get to the two places he thought were not possible.. then I know what his problem is at this time.
|
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to p00ter_nerd
How about the files HOSTS and LMHOSTS?
Do you see entries in there for google or yahoo?
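A check for the HOSTS-file override keith2468 is asking about, written as an added example (not code from the thread or from any tool named in it): it parses a HOSTS file and flags any entry that takes precedence over DNS for the domains the poster cannot reach. The file content below is constructed, and 198.51.100.7 is a made-up address.

```python
"""Flag Windows HOSTS entries that override public names the poster cannot
reach. Added example, not from the thread; the sample content is constructed."""
import ipaddress
import sys

WATCHED_DOMAINS = ("google.com", "yahoo.com")   # names reported unreachable

# Constructed sample: one benign entry, one loopback blackhole of a watched
# name, and one redirect of watched names to a made-up address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com        # goes nowhere useful
198.51.100.7    mail.yahoo.com www.mail.yahoo.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()

def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return (name, ip, kind) for entries that win over DNS for a watched
    domain: a loopback address blackholes the site, anything else redirects it."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            kind = "blackhole" if ipaddress.ip_address(ip).is_loopback else "redirect"
            hits.append((name, ip, kind))
    return hits

if __name__ == "__main__":
    # Pass the real file, e.g. C:\WINDOWS\system32\drivers\etc\hosts, as argv[1].
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, ip, kind in find_overrides(data):
        print(f"{kind:9} {name} -> {ip}")
```

A clean file reports nothing for these domains; any hit explains why ping by name and the browser can disagree, since both consult HOSTS before DNS.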
|
EGeezer Premium Member join:2002-08-04 Midwest
1 recommendation
to p00ter_nerd
Eznsearch, eznorun.exe et al. look extraneous. The web page for eznsearch redirects to Yahoo for me too, but here's the HTML source by URL and by IP address. My guess is that it's a defunct "helper" search app of a site that's no longer operating. If it were my system, I'd back up the registry and do a bit of cleanup.
*****************
09/02/03 22:03:38 Browsing www.eznsearch.com/
Fetching www.eznsearch.com/ ...
GET / HTTP/1.1
Host: www.eznsearch.com
Connection: close

HTTP/1.1 301 Moved Permanently
Date: Wed, 03 Sep 2003 02:03:31 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Location: www.yahoo.com/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
301 Moved Permanently
Moved Permanently
The document has moved here.
Apache/1.3.27 Server at eznsearch.com Port 80
0
******************
However, retrieving the page by the IP address gives:
******************
09/02/03 22:01:09 Browsing 65.61.155.169/
Fetching 65.61.155.169/ ...
GET / HTTP/1.1
Host: 65.61.155.169
Connection: close

HTTP/1.1 200 OK
Date: Wed, 03 Sep 2003 02:01:03 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Last-Modified: Mon, 04 Aug 2003 11:53:49 GMT
ETag: "874056-937-3f2e494d"
Accept-Ranges: bytes
Content-Length: 2359
Connection: close
Content-Type: text/html

Coming Soon - A new website hosted by GlobalHost.com
IMG SRC="http://globalhost.com/images/logo2.gif" >
This is the GlobalHost Server Administrator default page. If you are seeing this page it means:
1) hosting for this domain is not configured or
2) there's no such domain setup on this Server.
If you need more information on resolving these issues visit these links:
How to set up a new domain in your Server Administrator
How to configure Hosting for your domain in the Server Administrator
Email '); document.write('support'); document.write('@'); document.write('globalhost.com'); document.write(''); //-->
************************
Cheers,
EG
|
p00ter_nerd (Wort Wort Wort) join:2003-09-02 East Berlin, PA
No, I don't.
And BTW, someone said earlier about mail.yahoo.com, www.google.com, and www.mail.yahoo.com. I CANNOT GET into any of them.
Someone else asked what the virus I had was. It was a P2P worm with many names. Mine happened to be: brittney_spears_game.exe
Hope this helps.
|
p00ter_nerd
My "no, I don't" was to Keith, BTW.
|
p00ter_nerd
EZN was just a piece of crap "extra" that came with my dial-up (before I got Adelphia).
I don't think that it's relevant to the problem.
|
EGeezer Premium Member join:2002-08-04 Midwest
to p00ter_nerd
Well, since you're sure the extra stuff doesn't affect your system, there's not much else to look for.
It acts like a DNS lookup related problem.
A malfunctioning helper/hijacker could affect DNS lookups.
A wrong set of DNS lookup tables could cause the problem.
A misconfigured firewall or firewall ACL could cause the problem.
Misconfigured browser settings can cause the problem.
Popup killers and proxies can cause the problem.
Thinking through what changed about the time the problem started will trigger some ideas in your head.
Myself, I prefer cleaning out the "crap" first. It does no good, often contributes to problems and obfuscates root causes. But then, it's not my system that's unable to connect ...
Cheers,
EG
|
|
to p00ter_nerd
IDServe gives the following results for that 216.129.127.60 IP, so whatever it is isn't working from what I can tell. I ran NeoTrace also on that IP and came up with 100% no connection.
Initiating server query ...
Looking up the domain name for IP: 216.129.127.60
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
No response was received from the machine and port at that IP.
The machine may be offline or the connection port may be stealthed.
Query complete.
|
|
to p00ter_nerd
My guess is he just made a typo on the address. mail.yahoo.com is at 216.109.127.60, not 216.129.127.60. If he confirms this is a typo, then we'd know that is not the problem.
|
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
1 recommendation
to p00ter_nerd
Also, you have tried repairing your Internet Explorer, right? You access that function from Add/Remove Programs, select MSIE, and ask it to do a repair.
----------------------------
Here's a thread on your virus, actually a back-door worm: www.softwaretipsandtrick ··· did=5281
Norton pops up a box ..
Norton Antivirus has detected and removed a virus from your computer
Object name c:documents and settings\all users\britney_spears_game.exe
Virus name: W32.spyboy.worm
action taken: The file was automatically deleted
-----------------------
It is a very long thread; they are having trouble deleting it. It may be that it was a new variant at that time and the AV signatures or instructions weren't updated for it yet. It is late and I don't have time now, but you should probably read the thread if you haven't already.
-----------------------
You might want to review to ensure you followed all the deletion instructions here: securityresponse.symante ··· orm.html
-----------------------
If this spybot worm allows hackers to write files to your system, and if they actually have, any file could be anything. You know the rename command -- well, so do hackers. Using familiar names for malware is a well-known trick. So is substituting familiar modules with malware modules that have extra functions added. These are old, widely published techniques dating back before there was a Windows, and used for hacking what newbies think of as the invincible non-M$ operating system, Unix. There are ways to detect these substitutions, but there are also ways to avoid those detection techniques. You cannot definitively tell program contents from program names. And while file compares and CRC checks work most of the time, there are ways to escape them that are sometimes employed. The safest course would be to reformat your hard drive, in accordance with the instructions of your computer maker (sometimes they have special hidden partitions that must be preserved), and re-install the OS.
If the data on your computer isn't supercritical or very confidential, you may feel secure with lesser measures. The decision is yours. It isn't a clear-cut decision; it partly depends on what you use your computer for. You might try running some anti-trojan programs. You can get a free month trial of tds3 from Diamond CS in Australia: tds.diamondcs.com.au/
Good luck. I'm off to bed.
[text was edited by author 2003-09-03 01:57:35]
|