p00ter_nerd (Member, join:2003-09-02, East Berlin, PA):
please check my log

Here it is, thanks (from HijackThis; I need to know if I have some malware):

Logfile of HijackThis v1.96.4
Scan saved at 7:24:03 PM, on 9/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\OfficeScan NT\pccntmon.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\BacsTray.exe
C:\PROGRA~1\ADELPH~2\SMARTB~1\MotiveSB.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Adelphia eSupport Assistant\bin\mpbtn.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Ben\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eznsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazenet.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blazenet.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~2\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
O4 - Global Startup: Adelphia eSupport Assistant.lnk = C:\Program Files\Adelphia eSupport Assistant\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://antivirus.ygsc.com/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://antivirus.ygsc.com/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://antivirus.ygsc.com/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://antivirus.ygsc.com/officescan/clientinstall/RemoveCtrl.cab
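A small parser for lines in this format, added here as an illustration (it is not from the thread or from HijackThis itself): it pulls out the R0/R1 browser settings and the bracketed O4 Run entries, counts which host each IE start or search setting points at, and lists Run entries given as a bare file name, which are resolved through the search path at logon. The sample lines are constructed to mirror the log above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the HijackThis 1.9x line format; the entries mirror ones
# quoted in the log above, but the block runs stand-alone on this string.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.eznsearch.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.blazenet.net/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch =
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\\..\\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\\..\\Run: [Outpost Firewall] C:\\PROGRA~1\\Agnitum\\OUTPOS~1\\outpost.exe /waitservice
O4 - HKCU\\..\\Run: [EZNXP] C:\\PROGRA~1\\EZN\\EASYIN~1\\eznorun.exe
"""

# R0/R1: "<type> - <registry key>,<value name> = <data>"; O4: "O4 - <where>: [<name>] <command>"
R_LINE = re.compile(r"^(R[01]) - (.+?),([^,=]+?) = ?(.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
ABSOLUTE_PATH = re.compile(r'^"?[A-Za-z]:\\')

def parse_hjt(text):
    """Turn R0/R1 and bracketed O4 lines into dicts; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line)
        if m:
            entries.append({"type": m.group(1), "key": m.group(2),
                            "setting": m.group(3), "value": m.group(4).strip()})
            continue
        m = O4_LINE.match(line)
        if m:
            entries.append({"type": "O4", "location": m.group(1),
                            "name": m.group(2), "command": m.group(3).strip()})
    return entries

def browser_hosts(entries):
    """Count the IE start/search settings pointing at each host; several per host is the hijacker pattern."""
    hosts = Counter()
    for e in entries:
        if e["type"].startswith("R") and e["value"].lower().startswith("http"):
            hosts[urlsplit(e["value"]).hostname] += 1
    return hosts

def unqualified_run_entries(entries):
    """Run entries given as a bare file name are found via the search path at logon, so verify them on disk."""
    return [e["name"] for e in entries
            if e["type"] == "O4" and not ABSOLUTE_PATH.match(e["command"])]

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(browser_hosts(parsed).most_common(), unqualified_run_entries(parsed))
```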

p00ter_nerd (Member):
Please help. Whatever my issue is, it's keeping me from getting on certain sites.

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB) to p00ter_nerd:
Did you change the security settings in your web browser?

What are your symptoms?

Has it always been that way?

What changed around when the symptoms started to occur?

CalamityJane (Premium Member, join:2002-08-27, Eustis, FL) to p00ter_nerd:
Hi p00ter_nerd and welcome to BBR/DSLReports Security Forum!

I checked over your list and do not see anything that jumps out, but I am not an expert at this log.

Let's see if any of the true experts here have time to look and see if they can find anything.

p00ter_nerd (Member, join:2003-09-02, East Berlin, PA) to keith2468:
Keith, I didn't change anything, and it has always been this way ever since I got Adelphia.

I can ping to google, mail.yahoo.com, and many other sites, but I cannot surf them.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI) to p00ter_nerd:
Tell us more about your problem... which sites? Do you have Road Runner?

There is no apparent problem up there that I can see, but you do have some Indexing Services and Processes running that some claim eat up CPU cycles.

Name Game (Premium Member) to p00ter_nerd:
This is a new one for me???

O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe

satburn (Premium Member, join:2003-06-03, Columbia, MO):
I was looking at that myself; I hope it isn't what it implies... a GUI for disabling services from running at startup. That could be the root of his problem.

Otherwise I agree with you, he could disable the Office "baggage", but otherwise nothing is jumping out...

CalamityJane (Premium Member, join:2002-08-27, Eustis, FL) to Name Game:
said by Name Game:
This is a new one for me???

O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe

Well, I checked out one that looks related. I questioned:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.eznsearch.com

which redirects to www.yahoo.com/ if that is any help.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI) to p00ter_nerd:
Well p00ter_nerd,
I read all your threads at the other forums here at DSLR and the ones at Wilders... now humor me... click on these links and tell me where they bring you...

Thanks

here are the LINKS

mail.yahoo.com/

www.google.com/

www.mail.yahoo.com/

Name Game (Premium Member) to CalamityJane:
said by CalamityJane:
said by Name Game:
This is a new one for me???

O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe

Well, I checked out one that looks related. I questioned:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.eznsearch.com

which redirects to www.yahoo.com/ if that is any help.

Hmmm, I would dump that puppy and/or find out more about it... I think it is junk.

Name Game (Premium Member) to p00ter_nerd:
BTW, you stated in another post that mail.yahoo.com's IP is 216.129.127.60.

Well, if I put the IP directly in my browser address bar, I do not get Yahoo mail.

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB) to p00ter_nerd:
Those links take me to Yahoo and Google.

The thing is, "Hijack This" is telling you filenames, paths and directory entries.

You can call a program anything, and a familiar name is a good choice.

Especially in such a long list. It would be useful if you had a scan before the problem, then you'd have something to compare against.

Have you checked your hosts or lmhosts file? It can override the IP addresses associated with domain names.

You can use SpyBot S&D (advanced interface) to do that.

More user-friendly tools for spyware detection are:
SpyBot: security.kolla.de
Ad-Aware: www.lavasoftusa.com/

Good luck. Let us know what you decide to do and what you find.

CalamityJane (Premium Member, join:2002-08-27, Eustis, FL):
'Tis a mystery! He started at Wilders and then in the Adelphia Forum here at DSLR, and did already have both Ad-Aware & Spybot installed and scanned, but he needed to rule out any malware... and so far nobody is seeing any. See here for the history:
www.wilderssecurity.com/ ··· id=12999

very frustrated...... : (

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI) to p00ter_nerd:
Hi Keith,

In the other thread he has told people that he has both of those programs... and they are up to date... and they found nothing.

But if he can click on those links also and get to the two places he thought were not possible... then I know what his problem is at this time.

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB) to p00ter_nerd:
How about the files HOSTS and LMHOSTS?

Do you see entries in there for google or yahoo?
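Both of keith2468's HOSTS questions in this thread come down to the same check, so here is one script for it, added as an example and not from the thread: it parses a constructed HOSTS sample in the Windows format (LMHOSTS has a different, NetBIOS-oriented syntax and is not handled) and reports which names the file blocks or pins, then looks up the names that cannot be reached here. The override lines in the sample are made up for the illustration.

```python
import ipaddress

# Constructed HOSTS sample in the Windows format (address, whitespace, one or more
# names, optional "#" comment). The override lines are made up for the example;
# the real file is %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.google.com            # blocks the name entirely
216.109.127.60  mail.yahoo.com  www.mail.yahoo.com
0.0.0.0         ads.example.invalid
"""

def parse_hosts(text):
    """Return (address, name) pairs, skipping comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; the resolver ignores it too
        for name in fields[1:]:
            pairs.append((str(addr), name.lower()))
    return pairs

def overrides(pairs, expected=("localhost",)):
    """Every name other than the expected ones overrides DNS: a loopback or
    unspecified address blocks the name, any other address pins it to a fixed
    host that silently goes stale when the real site moves."""
    report = {}
    for addr, name in pairs:
        if name in expected:
            continue
        ip = ipaddress.ip_address(addr)
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "pinned"
        report[name] = (addr, kind)
    return report

def check_names(pairs, names):
    """Map each name the user cannot reach to its HOSTS override, if one exists."""
    found = overrides(pairs)
    return {n.lower(): found[n.lower()] for n in names if n.lower() in found}

if __name__ == "__main__":
    hosts_pairs = parse_hosts(SAMPLE_HOSTS)
    print(overrides(hosts_pairs))
    print(check_names(hosts_pairs, ["www.google.com", "mail.yahoo.com", "www.yahoo.com"]))
```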

EGeezer (Premium Member, join:2002-08-04, Midwest) to p00ter_nerd:
Eznsearch, eznorun.exe et al. look extraneous. The web page for eznsearch redirects to Yahoo for me too, but here's the HTML source by URL and by IP address. My guess is that it's a defunct "helper" search app of a site that's no longer operating. If it were my system, I'd back up the registry and do a bit of cleanup.

*****************

09/02/03 22:03:38 Browsing www.eznsearch.com/
Fetching www.eznsearch.com/ ...
GET / HTTP/1.1
Host: www.eznsearch.com
Connection: close

HTTP/1.1 301 Moved Permanently
Date: Wed, 03 Sep 2003 02:03:31 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Location: www.yahoo.com/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
301 Moved Permanently
Moved Permanently
The document has moved here.
Apache/1.3.27 Server at eznsearch.com Port 80
0

******************

However, retrieving the page by the IP address gives:

******************

09/02/03 22:01:09 Browsing 65.61.155.169/
Fetching 65.61.155.169/ ...
GET / HTTP/1.1
Host: 65.61.155.169
Connection: close

HTTP/1.1 200 OK
Date: Wed, 03 Sep 2003 02:01:03 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Last-Modified: Mon, 04 Aug 2003 11:53:49 GMT
ETag: "874056-937-3f2e494d"
Accept-Ranges: bytes
Content-Length: 2359
Connection: close
Content-Type: text/html

Coming Soon - A new website hosted by GlobalHost.com

IMG SRC="http://globalhost.com/images/logo2.gif" >This is the GlobalHost Server Administrator™ default page.

If you are seeing this page it means:

1) hosting for this domain is not configured
or
2) there's no such domain setup on this Server.

If you need more information on resolving these issues visit these links:
How to set up a new domain in your Server Administrator
How to configure Hosting for your domain in the Server Administrator

Email
');
document.write('support');
document.write('@');
document.write('globalhost.com');
document.write('
');
//-->

************************

Cheers,

EG

p00ter_nerd (Member, join:2003-09-02, East Berlin, PA):
No, I don't.

And BTW, someone asked earlier about mail.yahoo.com, www.google.com, and www.mail.yahoo.com. I CANNOT GET into any of them.

Someone else asked what the virus I had was. It was a P2P worm with many names. Mine happened to be: brittney_spears_game.exe

Hope this helps.

p00ter_nerd (Member):
My "no, I don't" was to Keith, BTW.

p00ter_nerd (Member):
EZN was just a piece of crap "extra" that came with my dial-up (before I got Adelphia).

I don't think that it's relevant to the problem.

EGeezer (Premium Member, join:2002-08-04, Midwest) to p00ter_nerd:
Well, since you're sure the extra stuff doesn't affect your system, not much else to look for.

It acts like a DNS lookup related problem.

A malfunctioning helper/hijacker could affect DNS lookups.

A wrong set of DNS lookup tables could cause the problem.

A misconfigured firewall or firewall ACL could cause the problem.

Misconfigured browser settings can cause the problem.

Popup killers and proxies can cause the problem.

Thinking through what changed about the time the problem started will trigger some ideas in your head.

Myself, I prefer cleaning out the "crap" first. It does no good, often contributes to problems and obfuscates root causes. But then, it's not my system that's unable to connect ...

Cheers,

EG

jaykaykay (MVM, join:2000-04-13, USA) to p00ter_nerd:
IDServe gives the following results for that 216.129.127.60 IP, so whatever it is isn't working from what I can tell. I ran NeoTrace also on that IP and came up with 100% no connection.

Initiating server query ...
Looking up the domain name for IP: 216.129.127.60
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed.
Query complete.

LowWaterMark (Premium Member, join:2002-05-16, Wallingford, CT) to p00ter_nerd:
My guess is he just made a typo on the address. mail.yahoo.com is at 216.109.127.60 not 216.129.127.60. If he confirms this is a typo, then we'd know that is not the problem.

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB) to p00ter_nerd:
Also, you have tried repairing your Internet Explorer, right? You access that function from add/remove programs, select MSIE, and ask it to do a repair.
----------------------------
Here's a thread on your virus, actually a back-door worm:

www.softwaretipsandtrick ··· did=5281

Norton pops up a box...
Norton Antivirus has detected and removed a virus from your computer
Object name c:documents and settings\all users\britney_spears_game.exe

Virus name: W32.spyboy.worm

action taken: The file was automatically deleted
-----------------------
It is a very long thread; they are having trouble deleting it. It may be that it was a new variant at that time and the AV signatures or instructions weren't updated for it yet.

It is late and I don't have time now, but you should probably read the thread if you haven't already.
-----------------------
You might want to review to ensure you followed all the deletion instructions here:
securityresponse.symante ··· orm.html
-----------------------

If this spybot worm allows hackers to write files to your system, and if they actually have, any file could be anything.

You know the rename command -- well so do hackers.

Using familiar names for malware is a well-known trick. So is substituting familiar modules with malware modules that have extra functions added. These are old, widely published techniques dating back to before there was a Windows, used for hacking what newbies think of as the invincible non-M$ operating system, Unix.

There are ways to detect these substitutions, but there are also ways to avoid those detection techniques.

You cannot definitively tell program contents from program names. And while file compares and CRC checks work most of the time, there are ways to escape them that are sometimes employed.

The safest course would be to reformat your hard drive, in accordance with the instructions of your computer maker (sometimes they have special hidden partitions that must be preserved), and re-install the OS.

If the data on your computer isn't supercritical or very confidential, you may feel secure with lesser measures.

The decision is yours. It isn't a clear-cut decision, it partly depends on what you use your computer for.

You might try running some anti-trojan programs. You can get a free month trial of TDS-3 from Diamond CS in Australia:
tds.diamondcs.com.au/

Good luck. I'm off to bed.