Options
Yet another HSA problem
A collegue has been attacked by the HSA trojan on his laptop. We have been through the HSA removal procedure several times but without success. workstation netlogon service is listed in services & has been disabled but we cannot find any reference to it in the registry. To do a hard reboot we disconnect the mains power & pull the battery
Any help would be appreciated
Logfile of HijackThis v1.98.2
Scan saved at 19:19:45, on 13/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netpf.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\WINDOWS\system32\apiee32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\program files\BigFix\BigFix.exe
C:\program files\Microsoft Office\Office\FINDFAST.EXE
C:\program files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rob Holland\Desktop\security\HijackThis19802.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Warboys Services Ltd.
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6BA13B87-DA76-DCBF-8B9F-C13DA50A9571} - C:\WINDOWS\system32\ipsh.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
O4 - HKLM\..\Run: [CreativeKeyboard ] C:\Program Files\Creative\Desktop Wireless\kb_2k.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [apiee32.exe] C:\WINDOWS\system32\apiee32.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Podt] C:\Documents and Settings\Rob Holland\Application Data\hrui.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Acrobat Assistant.lnk = C:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: winlgn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = warboysservices.local
O17 - HKLM\Software\..\Telephony: DomainName = warboysservices.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{049134F4-1BE4-47F8-A282-9C04C84EFC1A}: NameServer = 82.144.228.34,82.144.228.3,192.168.10.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = warboysservices.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{049134F4-1BE4-47F8-A282-9C04C84EFC1A}: NameServer = 82.144.228.34,82.144.228.3,192.168.10.254
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = warboysservices.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{049134F4-1BE4-47F8-A282-9C04C84EFC1A}: NameServer = 82.144.228.34,82.144.228.3,192.168.10.254
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
Any help would be appreciated
Logfile of HijackThis v1.98.2
Scan saved at 19:19:45, on 13/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netpf.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\WINDOWS\system32\apiee32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\program files\BigFix\BigFix.exe
C:\program files\Microsoft Office\Office\FINDFAST.EXE
C:\program files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rob Holland\Desktop\security\HijackThis19802.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\szdcg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Warboys Services Ltd.
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6BA13B87-DA76-DCBF-8B9F-C13DA50A9571} - C:\WINDOWS\system32\ipsh.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
O4 - HKLM\..\Run: [CreativeKeyboard ] C:\Program Files\Creative\Desktop Wireless\kb_2k.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [apiee32.exe] C:\WINDOWS\system32\apiee32.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Podt] C:\Documents and Settings\Rob Holland\Application Data\hrui.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Acrobat Assistant.lnk = C:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: winlgn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = warboysservices.local
O17 - HKLM\Software\..\Telephony: DomainName = warboysservices.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{049134F4-1BE4-47F8-A282-9C04C84EFC1A}: NameServer = 82.144.228.34,82.144.228.3,192.168.10.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = warboysservices.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{049134F4-1BE4-47F8-A282-9C04C84EFC1A}: NameServer = 82.144.228.34,82.144.228.3,192.168.10.254
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = warboysservices.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{049134F4-1BE4-47F8-A282-9C04C84EFC1A}: NameServer = 82.144.228.34,82.144.228.3,192.168.10.254
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
0
Comments
Many Thanks
Dexter...
The laptop is out of the office today, will post on return