Can't get rid of 'Hosts: 69.20.16.183 '
-
Re: Can't get rid of 'Hosts: 69.20.16.183 '
Hi there,
let me show you my last log:
Logfile of HijackThis v1.98.2
Scan saved at 10:36:15, on 2004-12-12
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\atlmt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\crdq.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Grobelski\Pulpit\hijackthis\HijackThis.ex e
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rdses.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdses.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rdses.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rdses.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdses.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rdses.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rdses.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kafeja.3vnet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {B32D7557-643E-F1A2-F754-61704EFBE2CB} - C:\WINDOWS\system32\msoy.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atlmt.exe] C:\WINDOWS\system32\atlmt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
...and here is the logfile of DLLCompare:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\osqhf.dll Thu 2004-11-18 5:46:34 A.SH. 56 320 55,00 K
C:\WINDOWS\SYSTEM32\wvnpv.dll Sat 2004-11-27 8:38:54 A.SH. 56 320 55,00 K
C:\WINDOWS\SYSTEM32\lvn209~1.dll Sat 2004-12-11 12:28:34 ..S.R 224 814 219,54 K
C:\WINDOWS\SYSTEM32\hrp605~1.dll Sun 2004-12-12 9:13:42 ..S.R 225 581 220,29 K
C:\WINDOWS\SYSTEM32\hrru05~1.dll Sun 2004-12-12 2:03:14 ..S.R 223 982 218,73 K
C:\WINDOWS\SYSTEM32\k608lg~1.dll Sun 2004-12-12 5:51:06 ..S.R 226 179 220,88 K
________________________________________________
1 288 items found: 1 288 files (6 H/S), 0 directories.
Total of file sizes: 259 021 393 bytes 247,02 M
Administrator Account = True
--------------------End log---------------------
If anyone has any idea how to clean this mess, please help me. If not, ill have to try Matthew's exercises....
thnx in advance
Tom
-
Download the Pocket Killbox from here.
Unzip it and run the program.
Put a check in the Delete on Reboot box.
Enter each of these lines into the white box one by one and then press the red X button. If firsts asks to confirm the deletion after each entry is added and the red X is pressed, you need to click yes, but it also asks if you want to Reboot. Click No each time until the last entries been entered.
C:\WINDOWS\SYSTEM32\osqhf.dll
C:\WINDOWS\SYSTEM32\wvnpv.dll
C:\WINDOWS\SYSTEM32\lvn209~1.dll
C:\WINDOWS\SYSTEM32\hrp605~1.dll
C:\WINDOWS\SYSTEM32\hrru05~1.dll
C:\WINDOWS\SYSTEM32\k608lg~1.dll
C:\WINDOWS\SYSTEM32\guard.tmp
When KillBox has rebooted your system, post a fresh Hijack This log and DLL Compare log. We still have work to do, you also have another infection.
