HiJack this entry

[morganlefay]

I need help.......

I have a computer on my bench (CEOs Home machine) which was running on the internet with NO updated av ...

Has P2P sharing kazaa.etc etc


I have cleaned it....user runs norton internet security 2005....which WILL NOT run in safe mode

Ran hijack this....and have 2 concerns

one is windupdates...keeps coming back...have found some stuff on google which I am going back to read

and this also concerns me....

O17 - HKLM\System\CCS\Services\Tcpip\..\{9045444D-CF5C-4021-8E33-7DDC9D952B42}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{9045444D-CF5C-4021-8E33-7DDC9D952B42}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{9045444D-CF5C-4021-8E33-7DDC9D952B42}: NameServer = 192.168.0.1

The above address is the gateway in use


Thought I would just post and see if I can get any tips.....of to do some reasearch

Yes I have disabled sysrestore, updated antispyware, av etc

Scanned with what ever will run in safe mode\and reg mode....am going to do an online scan now..

I am curious about these entries...any insight is greatly appreciated

MLF

PS

If I dont get back to you right away...its cause I have a meeting...should be done in 1-2 hours

Accounting stuff.........oh joy

[dalek]

Originally posted here by morganlefay
I need help.......

I have a computer on my bench (CEOs Home machine) which was running on the internet with NO updated av ...

Has P2P sharing kazaa.etc etc


I have cleaned it....user runs norton internet security 2005....which WILL NOT run in safe mode

Ran hijack this....and have 2 concerns

one is windupdates...keeps coming back...have found some stuff on google which I am going back to read

and this also concerns me....

O17 - HKLM\System\CCS\Services\Tcpip\..\{9045444D-CF5C-4021-8E33-7DDC9D952B42}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{9045444D-CF5C-4021-8E33-7DDC9D952B42}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{9045444D-CF5C-4021-8E33-7DDC9D952B42}: NameServer = 192.168.0.1

The above address is the gateway in use


Thought I would just post and see if I can get any tips.....of to do some reasearch

Yes I have disabled sysrestore, updated antispyware, av etc

Scanned with what ever will run in safe mode\and reg mode....am going to do an online scan now..

I am curious about these entries...any insight is greatly appreciated

MLF

PS

If I dont get back to you right away...its cause I have a meeting...should be done in 1-2 hours

Accounting stuff.........oh joy

Hi MLF


Got this from Merjin's site...

O17 - Lop.com domain hijacks

What it looks like:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gla.ac.uk

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

What to do:
If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries.
For the 'NameServer' (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad.Merjin's

Winupdates is a concern:...

Full Name:
Windupdates Websearch
Type: Adware
Also Known as: Windows AdTools winad DeskAd Service DeskAd.Service
Created by: WINDUPDATES
SG Index: 5 [Explain]
Removal tools: List of products that detect/remove/protect against Windupdates:
# X-Cleaner
# RegBlock
# RTGuardian
Category Description: Adware: Program that creates advertisments on your Pc.

Note that many websites have their own advertising, unrelated to adware.
Adware is any software application in which advertising is displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen and sometimes through text links or in search results. Adware may or may not track personal information. It may also gather information anonymously or in aggregate only.
Comment: From the Website:
You downloaded Wind Updates from a Website that is able to offer its content for free because it shows the Wind Updates ActiveX popup. You also specifically agree to abide by the Software Licensing Agreement and Terms and Conditions of Golden Palace.com, n-CASE Privacy Policy, BetterInternet End User License Agreement and Bargain Buddy License Agreement.
Information URL: http://www.windupdates.com/

Spywareguide

To really get rid of files try this app...KILLBOX


Luck..

[morganlefay]

You must spread your AntiPoints around before giving it to dalek again.

Thank you...just finished the online scan from panda...it found 286 peices of spyware that both Norton and adaware did not find...1 dialer and on virus...

Thank you for your help dalek....I am off to manually remove them....see if they come back

thanks for the links too

I owe you a beer....or 2

MLF

[Tiger Shark]

Morgan:

If it's one of those that keeps returning you're in for some fun... Especially if you don't want to reformat and reinstall... which I don't like doing on people's personal boxes unless I have to... I spent 4 hours on one yesterday... It had infected Winlogon.exe... I determined that by using Process Explorer from Sysinternals... Really handy tool for this... Use it to look through the running processes for the rogue threads.

Try not to have too much fun with it... on a Friday...

[morganlefay]

Funny that you mention winlogon.exe....cause I had an error earlier....thought it was to do with Norton...hadnt run the live update yet (fresh install of the app)...

Thanks for the tips.... have lotsa handy tools on my jump drive....I REALLY dont want to reload this machine


this along with the accounting meeting........woohoo...fun fun fun


I definately will have earned a nice bottle of australian shiraz...or 2... by this evening

MLF

[Tiger Shark]

You get the two bottles for the accounting meeting... You deserve another one or two for the box...

The "nasty" this box had was WinFixScan or something... It would generate processes that had random filenames of 5 or 6 chars that, in my case, always started with an A... Since they were unkillable it was then I took out procexp to see which system process was protecting them... Yes I would get several Winlogon errors after log in, (winxp box), and norton was installed but the subscription was expired so it was doing nothing. I eventally got rid of it by d/ling Avast AV and having it do a pre-boot scan... It repaired it...

[morganlefay]

winfixer....oh ya what a PITA piece of crap software.

My guys kids come over and stay on weekend and they go some warning about the machine being infected...use this winfixer to repair..


The thing is almost imposile to remove....pops up with crap like y"you have 5000 security threats"

buy now to fix.....


98 machine.....

anyway off to the fun fun fun

MLF

[dalek]

Hi MLF


As it's winfixer, then you will need VUNDO Remover

It's a Trojan.....

Winfixer is also known as: Virtumonde, and Msevents, and more appropriately: Trojan.Vundo. Trojan.Vundo is a component of a Spyware program and is known to be installed by visiting a web site link contained in a spammed email.

Luck....

[morganlefay]

Again dalak thanks a bunch for your help...

I havent had the time to reseach all the crap...too busy with accounting ( I would rather be shoving a pen in my eye...over and over..)

anyway..your help is greatly appreciated....

I think I will have to get both you and Tiger beer....

May have to change my rates from wine to beer just to pay you guys....

MLF

[Tiger Shark]

May have to change my rates from wine to beer just to pay you guys....

Do you deliver? *snikker*