
search redirections


  • This topic is locked
28 replies to this topic

#16 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 18 March 2006 - 04:44 PM

Thanks anyway. Do you know if there is a place in this forum for such unresolved challenges - maybe somebody else will come with a bright idea?


#17 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests: spyware

Posted 18 March 2006 - 04:50 PM

Click Start > Control Panel > User Accounts > Change the way users log on or off > uncheck Fast User Switching > restart your computer.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysintern...itRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your Log File
Copy/paste the contents of that logfile into your next reply.

Do NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error, etc.!

That way you should have a much simpler and clearer log file in which to peruse and evaluate.

Also post another hijackthis log.

#18 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 18 March 2006 - 09:07 PM

Hi Little Eagle, I ran the RootkitRevealer as instructed. Here is the log; it is completely innocent (another computer used a shared printer; I am not sure why another user's temp file is hidden, but this is not the user with whom the IE plays tricks, and not the one who was running the Revealer).

C:\Documents and Settings\dina\Local Settings\Temporary Internet Files\Content.IE5\Y5THCA7I\imghp[1].: 3/13/2006 4:14 AM 3.53 KB Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060315.006\vscanmsx.dat 3/18/2006 7:01 PM 2.02 KB Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD 3/18/2006 7:26 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL 3/18/2006 7:26 PM 0 bytes Hidden from Windows API.

Here is the HT log, again nothing suspicious...

Logfile of HijackThis v1.99.1
Scan saved at 9:58:18 PM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\HighjackThis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Expand that LJ thread - file:/c:/LJ/threader.js
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#19 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 March 2006 - 07:29 AM

When you installed Google Toolbar, did you select "disable advanced features" when installing?
If not, remove Google and re-install but be sure to select disable advanced features when installing.

Edited by LDTate, 19 March 2006 - 07:29 AM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate (PayPal) for the help you received.

Proud graduate of TC/WTT Classroom


#20 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 19 March 2006 - 07:40 AM

I've never installed Google Toolbar, or at least not consciously. I do not see it, that's for sure. Can it be that it's installed but hidden? How can I check that no program has installed it without my approval? Thanks

#21 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 March 2006 - 07:43 AM

It would be on the Search Bar if you had it. Let's install it and see if that fixes the search issue.

Click the link below and get Google Toolbar.
Google toolbar has a very good built in popup blocker with a nice search bar. To provide privacy, select disable advanced features when installing.
http://toolbar.google.com/


#22 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 19 March 2006 - 10:27 AM

I am testing it further, but seems like installing GT has cured the problem. Thanks a lot! I do still feel uncomfortable about not knowing what exactly was causing the problem....

#23 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 19 March 2006 - 10:33 AM

Nope. Strangely, several searches worked fine, and then it all reverted back to the old odd behavior...

#24 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 March 2006 - 02:15 PM

Blacklight

Download Blacklight Beta from here:
http://www.f-secure....light/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
Please post contents of log.


#25 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 19 March 2006 - 04:43 PM

Even if I eventually have to create a new user and delete this one, I will have learned a lot of useful tools in the meantime! It appears that this program does not dump anything to the Desktop, but it found 8 hidden processes that I copy here by hand:

csiac.exe
dmvdi.exe
favset.exe
filesafer32.exe
howiper.exe
pppcgm.exe
sphlp32.exe
wbemtest.exe

I did a search for these names. Some do not pop up at all, but at least three (favset.exe, filesafer32.exe, howiper.exe) seem to be real malware. I resisted the temptation to rename them from Blacklight, but since you told me not to, I keep everything intact.

Oh, now I found the log - it was dumped into a temporary directory, because I ran it from the web site. Here is the log:

03/19/06 17:20:42 [Info]: BlackLight Engine 1.0.33 initialized
03/19/06 17:20:42 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/19/06 17:20:43 [Note]: 7019 4
03/19/06 17:20:43 [Note]: 7005 0
03/19/06 17:20:58 [Note]: 7006 0
03/19/06 17:20:58 [Note]: 7011 3164
03/19/06 17:20:59 [Note]: FSRAW library version 1.7.1015
03/19/06 17:21:46 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
03/19/06 17:21:46 [Note]: 10002 1
03/19/06 17:21:54 [Info]: Hidden file: C:\WINDOWS\system32\csiac.exe
03/19/06 17:21:54 [Note]: 7002 32
03/19/06 17:21:54 [Note]: 7003 1
03/19/06 17:21:54 [Note]: 10002 1
03/19/06 17:21:55 [Info]: Hidden file: C:\WINDOWS\system32\dmvdi.exe
03/19/06 17:21:55 [Note]: 7002 32
03/19/06 17:21:55 [Note]: 7003 1
03/19/06 17:21:55 [Note]: 10002 1
03/19/06 17:21:56 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
03/19/06 17:21:56 [Note]: 10002 1
03/19/06 17:21:56 [Info]: Hidden file: C:\WINDOWS\system32\filesafer23.exe
03/19/06 17:21:56 [Note]: 10002 1
03/19/06 17:21:57 [Info]: Hidden file: C:\WINDOWS\system32\howiper.exe
03/19/06 17:21:57 [Note]: 10002 1
03/19/06 17:21:59 [Info]: Hidden file: C:\WINDOWS\system32\pppcgm.exe
03/19/06 17:21:59 [Note]: 10002 1
03/19/06 17:22:00 [Info]: Hidden file: C:\WINDOWS\system32\sphlp32.exe
03/19/06 17:22:01 [Note]: 10002 1
03/19/06 17:22:37 [Note]: 7007 0


#26 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 March 2006 - 04:51 PM

Use Blacklight and rename these:

csiac.exe
dmvdi.exe
favset.exe
filesafer32.exe
howiper.exe
pppcgm.exe
sphlp32.exe



DO NOT rename: It's a windows file.
wbemtest.exe

Edited by LDTate, 19 March 2006 - 04:52 PM.


#27 mdina

    New Member

  • Authentic Member
  • 15 posts

Posted 19 March 2006 - 05:28 PM

I am crossing my fingers, but now it seems to be really OK. Thanks a lot for hanging with me for so long! So what was it that I got, and why was it doing such a strange thing - no other visible effects but search redirection! Is there a good site where I can educate myself about this malware? And again, thanks so much!

#28 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 March 2006 - 05:45 PM

Manually delete these files located here:
C:\WINDOWS\system32\
csiac.exe ren
dmvdi.exe ren
favset.exe ren
filesafer32.exe ren
howiper.exe ren
pppcgm.exe ren
sphlp32.exe ren



I believe these were rootkits.
http://www.f-secure....t/rootkit.shtml

You can also do a Google search for rootkits and find lots of reading.



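Editor's added example (not code from the forum, from RootkitRevealer or from BlackLight): a script that reads the two log layouts pasted in this thread (RootkitRevealer in #18, BlackLight in #25), separates "hidden from the Windows API" entries that have a routine explanation from executables hidden directly in system32, and drafts the rename step from #26 and #28 as a plan without touching the disk. The sample log text is constructed from lines in those posts; the list of transient locations, the `.ren` suffix and the `Hidden process` pattern are assumptions of this example. It also checks a hand-typed name list against the parsed log: the pasted BlackLight log reads `filesafer23.exe` while the typed list reads `filesafer32.exe`, which is the kind of mismatch that should be resolved from the log before anything is renamed or deleted.

```python
"""Triage 'Hidden from Windows API' findings from RootkitRevealer and F-Secure
BlackLight logs, then draft the rename (quarantine) step used in this thread.

Added example, not code from either tool or from the forum. The two line
layouts follow the logs pasted in posts #18 and #25; the sample text below is
constructed from those posts, not from a new scan.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed sample, RootkitRevealer layout as pasted in the thread:
# <path> <m/d/yyyy h:mm AM|PM> <size> <description>
ROOTKITREVEALER_SAMPLE = """\
C:\\Program Files\\Common Files\\Symantec Shared\\VirusDefs\\20060315.006\\vscanmsx.dat 3/18/2006 7:01 PM 2.02 KB Hidden from Windows API.
C:\\WINDOWS\\system32\\spool\\PRINTERS\\FP00000.SHD 3/18/2006 7:26 PM 0 bytes Hidden from Windows API.
"""

# Constructed sample, BlackLight layout. Note filesafer23.exe: the hand-typed
# list in the same post reads filesafer32.exe.
BLACKLIGHT_SAMPLE = """\
03/19/06 17:21:46 [Info]: Hidden file: C:\\WINDOWS\\system32\\wbem\\wbemtest.exe
03/19/06 17:21:46 [Note]: 10002 1
03/19/06 17:21:54 [Info]: Hidden file: C:\\WINDOWS\\system32\\csiac.exe
03/19/06 17:21:56 [Info]: Hidden file: C:\\WINDOWS\\system32\\filesafer23.exe
03/19/06 17:22:37 [Note]: 7007 0
"""

RKR_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB))\s+(?P<desc>.+)$"
)
# 'Hidden process' is assumed from BlackLight's wording; the thread shows only 'Hidden file'.
BL_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[Info\]: Hidden (?:file|process): (?P<path>.+)$"
)

# Assumption of this example: locations where RootkitRevealer regularly reports
# API/raw mismatches because the files change while the scan runs (browser
# cache, AV definition updates, print spooler). Expected, not rootkit evidence.
TRANSIENT_MARKERS = ("\\temporary internet files\\", "\\virusdefs\\", "\\spool\\printers\\")
# The thread identifies this one as a legitimate Windows file (post #26).
KNOWN_WINDOWS_FILES = {"c:\\windows\\system32\\wbem\\wbemtest.exe"}
SYSTEM32_DIR = "c:\\windows\\system32"


class Finding(NamedTuple):
    path: str
    verdict: str  # "expected", "suspicious" or "review"
    reason: str


def parse_rootkitrevealer(text: str) -> List[str]:
    """Paths of all RootkitRevealer findings; lines that do not match are skipped."""
    paths = []
    for line in text.splitlines():
        m = RKR_LINE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def parse_blacklight(text: str) -> List[str]:
    """Paths from BlackLight 'Hidden file/process' lines; [Note] lines are skipped."""
    matches = (BL_LINE.match(line.strip()) for line in text.splitlines())
    return [m.group("path") for m in matches if m]


def triage(path: str) -> Finding:
    """Classify one hidden-from-API path by location alone. A real cleanup would
    also hash and look up anything marked suspicious before acting."""
    low = path.lower()
    if low in KNOWN_WINDOWS_FILES:
        return Finding(path, "expected", "known Windows file; do not rename")
    if any(marker in low for marker in TRANSIENT_MARKERS):
        return Finding(path, "expected", "transient cache/definition/spooler file")
    parent, _, name = low.rpartition("\\")
    if parent == SYSTEM32_DIR and name.endswith(".exe"):
        return Finding(path, "suspicious", "executable hidden from the API directly in system32")
    return Finding(path, "review", "hidden from the API, no routine explanation")


def triage_all(paths: Iterable[str]) -> List[Finding]:
    return [triage(p) for p in paths]


def quarantine_plan(findings: Iterable[Finding]) -> Dict[str, str]:
    """Rename targets for suspicious entries. The '.ren' suffix follows the
    notation in the thread ('csiac.exe ren'); this only builds the plan and
    never touches the file system."""
    return {f.path: f.path + ".ren" for f in findings if f.verdict == "suspicious"}


def unmatched_typed_names(typed: Iterable[str], findings: Iterable[Finding]) -> Set[str]:
    """Hand-typed file names absent from the parsed log (case-insensitive).
    Anything returned here should be re-read from the log before acting on it."""
    logged = {f.path.lower().rpartition("\\")[2] for f in findings}
    return {n for n in typed if n.lower() not in logged}


if __name__ == "__main__":
    found = triage_all(parse_rootkitrevealer(ROOTKITREVEALER_SAMPLE)
                       + parse_blacklight(BLACKLIGHT_SAMPLE))
    for f in found:
        print(f"{f.verdict:10} {f.path}  ({f.reason})")
    for src, dst in quarantine_plan(found).items():
        print(f"rename {src} -> {dst}")
    print("retyped names not in log:", unmatched_typed_names(["csiac.exe", "filesafer32.exe"], found))
```

Run it as-is to see the constructed sample triaged; to use it on a real scan, read the saved RootkitRevealer or BlackLight log into the matching parser and review the "suspicious" and "review" entries before renaming, since a hidden-from-API result is a cross-view discrepancy, not by itself proof of malware.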
#29 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 March 2006 - 08:40 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
