Wife got something installed on here

Modeps

Lifer
Oct 24, 2000
help :)

Logfile of HijackThis v1.99.1
Scan saved at 6:41:30 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\syscd32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\crlc32.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\James\Desktop\New DLs\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\setup.exe
C:\DOCUME~1\James\LOCALS~1\Temp\IXP000.TMP\jvsetup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0A897F02-3691-B9B2-22B5-29117868FF15} - C:\WINDOWS\applb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [syscd32.exe] C:\WINDOWS\syscd32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "f:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://H:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...86/client/wuweb_site.cab?1093914796898
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11C2AB7B-61A0-4C2E-9382-52427658D578}: NameServer = 130.132.1.9,130.132.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{11C2AB7B-61A0-4C2E-9382-52427658D578}: NameServer = 130.132.1.9,130.132.1.10
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crlc32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

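To show how the entry types this thread calls out can be picked out of a HijackThis log mechanically, here is an added Python triage script; it is not part of the thread and not HijackThis code. It parses lines in the format above and flags IE search settings pointing at a res:// page inside a local DLL, an unnamed BHO loaded from the Windows directory, a Run value named after a bare executable in C:\WINDOWS, and a service whose short name is garbled; the sample lines are constructed from the shapes in the log and the severity labels are assumptions of this example.

```python
import re

# Constructed sample in the shape of the HijackThis log above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0A897F02-3691-B9B2-22B5-29117868FF15} - C:\WINDOWS\applb32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [syscd32.exe] C:\WINDOWS\syscd32.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crlc32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

RUN_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll))"?', re.IGNORECASE)


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32 (no vendor subfolder)."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent in ("c:\\windows", "c:\\windows\\system32")


def triage(log: str) -> list:
    """Return (severity, reason, line) tuples for entries matching the indicators in this thread."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if line.startswith(("R0", "R1")) and "= res://" in line:
            findings.append(("high", "IE search setting points at a page inside a local DLL", line))
        elif line.startswith("R3") and "URLSearchHook is missing" in line:
            findings.append(("info", "default URLSearchHook removed; typical side effect of a hijack", line))
        elif (m := BHO_RE.match(line)):
            if m["name"] in ("Class", "(no name)") and in_windows_root(m["path"]):
                findings.append(("high", "unnamed BHO loaded straight from the Windows directory", line))
        elif (m := RUN_RE.match(line)):
            exe = EXE_RE.match(m["cmd"])  # strip quotes and trailing arguments
            base = exe["exe"].lower().rsplit("\\", 1)[-1] if exe else ""
            if exe and m["name"].lower() == base and in_windows_root(exe["exe"]):
                findings.append(("medium", "Run value named after a bare executable in the Windows directory", line))
        elif (m := SVC_RE.match(line)):
            if any(ord(c) > 126 for c in m["display"]):
                findings.append(("high", "service name contains garbled/non-ASCII characters", line))
            elif m["owner"] == "Unknown owner":
                findings.append(("low", "service with no recorded vendor; verify the binary by hand", line))
    return findings
```

Treat "Unknown owner" on its own as a prompt to check the binary rather than as proof: in the log above the ATI Smart and Macromedia Licensing services show it too.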

Modeps

Lifer
Oct 24, 2000
Originally posted by: Green Man
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crlc32.exe

and WTF is this?

I assume you've tried a virus scan?
I notice you don't have SP2 on there.

Patch the system and run a different virus scan.

http://housecall.trendmicro.com/

Yeah, I scanned with Norton, I'll try that housecall... I did notice that crlc32 running in my process tab, I'd kill it then it'd come back...

Green Man

Golden Member
Jan 21, 2001
Originally posted by: Modeps
Yeah, I scanned with Norton, I'll try that housecall... I did notice that crlc32 running in my process tab, I'd kill it then it'd come back...

If that doesn't pick anything up, I would start by booting into safe mode. Go into the registry and delete
O4 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: [syscd32.exe] C:\WINDOWS\syscd32.exe

Then go and delete C:\WINDOWS\syscd32.exe and C:\WINDOWS\system32\crlc32.exe from the hard drive and see where that gets you.


mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Make sure to note the exact names of whatever HouseCall finds. Also look at Norton's logs for clues. If you can post the names of what's being detected, that helps identify the problem. Know thine enemy and stuff :)

Big picture: move wife to Limited account. Password-protect all Admin-class accounts to keep exploits from grabbing the Admin powers.

Modeps

Lifer
Oct 24, 2000
Boomerang, awesome sites, thanks for those.... the first entries it had me fix were the culprits:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfdsm.dll/sp.html#12047
R3 - Default URLSearchHook is missing

AVG picked up 2 virii too... but it's still scanning
Trojan Horse Downloader.Agent 11.Q
Startpage.19.AO


Thanks for the info everyone... Now I've gotta download all my CoH updates so I can play... I thought it was a problem with the last patch I had applied, boy was I wrong. :beer:

Modeps

Lifer
Oct 24, 2000
I'm just curious why Norton didn't find those virii in the first place, it's got the latest defs in there... Looks like I'll be making a switch.

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: Modeps
I'm just curious why Norton didn't find those virii in the first place, it's got the latest defs in there... Looks like I'll be making a switch.
What generation of Norton is it? 2003, 2004, 2005? Is it set to scan within compressed files and use max heuristics? Configuration can be half the battle with antivirus software, and I would know! :shocked:

If you want something new, try Kaspersky Antivirus Personal 5. Not too hard to configure, $42, tops in detection tests, free 30-day trial. Note there's a difference b/w KAV5 and KAV5Pro, my instruction page is for KAV5.


Modeps

Lifer
Oct 24, 2000
Alright, looks like I didn't kill it because it keeps coming back. I think it resets up when I open IE. I'll install SP2 in the morning... :p

EDIT: Nope, it just installed itself somehow without me opening IE... I must have bypassed this before in my control panel

"Shopping Wizard" and
"Home Search Assistant"
Looks like it's also adding bookmarks to my IE list.

boomerang

Lifer
Jun 19, 2000
Did you kill System Restore first?

A lot of these things hide there.

I learned about those websites through what I learned here.

It's a step by step process that really must be followed to the letter for best results.

Hijack This is one of the last steps.

The only one I have problems with is running online virus scans in Safe Mode. The resolution will not allow the webpage(s) to display properly and you can't navigate.

There are some spyware removal tutorials here at the forums also.

Edit: The first link is a link from here.

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Download and follow the instructions in this text file in Safe Mode. Don't install SP2 before the system's clean. Also look through your Windows Services for a bogus Service and try a 30-day trialware of Webroot Spysweeper, which will scan in Safe Mode (props to FlyingPenguin for making me aware of Spysweeper :)). And you can slap on the 30-day trial of KAV5, update with the Extended-databases option, and scan in Safe Mode with that also (right-click C: and launch a scan).

edit: oh, and disable System Restore. Also be confident that running those three scans in Safe Mode will take longer than reinstalling WindowsXP from scratch, so consider the Drop-The-Bomb-On-It method too :evil: If you do reinstall... be safe in the process and secure it better this time.

Modeps

Lifer
Oct 24, 2000
Originally posted by: mechBgon
Download and follow the instructions in this text file in Safe Mode. Don't install SP2 before the system's clean. Also look through your Windows Services for a bogus Service and try a 30-day trialware of Webroot Spysweeper, which will scan in Safe Mode (props to FlyingPenguin for making me aware of Spysweeper :)). And you can slap on the 30-day trial of KAV5, update with the Extended-databases option, and scan in Safe Mode with that also (right-click C: and launch a scan).

edit: oh, and disable System Restore. Also be confident that running those three scans in Safe Mode will take longer than reinstalling WindowsXP from scratch, so consider the Drop-The-Bomb-On-It method too :evil: If you do reinstall... be safe in the process and secure it better this time.

Thanks Mech, I'll give that a try in the AM. :)