Bloody spyware... here's my 'HijackThis log'
Hi,
Well, I've just signed up; I'd like to thank everyone in advance for the help I'm hoping to receive. I've had Spybot for a few months and have run that. It was all going fine until a few days ago, when I started getting popups all over the place. Found 'Best Search Engine' in my Add/Remove Programs, but it reappears as soon as I remove it. I've installed XoftSpy, which detects a lot of spyware, and it picks up 'boln.dll', which it has to remove on bootup. It seems that boln.dll is the 'Best Search Engine' file.
I've also installed HijackThis and another trial program, 'Security Task Manager'.
Security Task Manager reckons the files below are the high-risk programs running in memory, and I'll attach the HijackThis log below. I've deleted boln.dll through HijackThis, but it continues to reappear. So here goes.
By the way, I have also run Ad-Aware, but it has a problem when I try to update. It is my work computer, so I'm not sure if the firewall affects it, but the other programs ('Norton', Spybot etc.) seem to update OK.
Security task manager
C:\:ddesvr - it detects it but says it's already removed
C:\:ddeplgn.dll - it detects it but says it's already removed
C:\winnt\system32\web.exe
fnsysmgr.dll
cboapb.dll
msoffice.exe
ssonsvr.exe
mspmspsv.exe
And here's the HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 9:38:06 AM, on 17/03/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE
C:\Program Files\FileNET\IDM\fnsysmgr.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINNT\system32\web.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\wcourten\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.lc.local/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.lc.local/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.lc.local/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Leighton Contractors
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://intranet.lc.local/proxy.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.lc.local:8080
F3 - REG:win.ini: run=C:\WINNT\system32\msoffice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ECE3B804-BFA3-4841-B28F-206D4A5A7855} - C:\WINNT\system32\cboapb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKLM\..\Run: [ut7j3ng] ssm230.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WebRun] C:\WINNT\system32\web.exe
O4 - HKCU\..\Run: [fAotRhM5h] srvdmin.exe
O4 - HKCU\..\Run: [WebRun] C:\WINNT\system32\web.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npcsibmp.dll
O12 - Plugin for .JPG: C:\Program Files\Internet Explorer\PLUGINS\npcsijpg.dll
O12 - Plugin for .ps: C:\Program Files\Internet Explorer\PLUGINS\npcsips.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.lc.local/
O15 - Trusted Zone: http://intranet.lc.local
O15 - Trusted Zone: http://intranet.lc.local (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lc.local
O23 - Service: Aluria Spyware Eliminator Service - Unknown - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Thanks again
William
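The log above is plain text in a fixed line format (section code, a dash, then a section-specific body), so the first-pass triage a helper would do by eye can be scripted. The following is an added example, not code from the original post or from the HijackThis project: a small parser for the HijackThis line format plus three defender-side heuristics chosen for this example (entries that reference a file marked missing, O4 autorun entries given as a bare filename with no directory so the image is resolved via PATH, and O23 services whose vendor is reported as Unknown). The embedded sample is a constructed subset of the log lines posted above; the heuristics are assumptions and flag items for review, not a verdict that a file is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log lines from the post above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.lc.local:8080
F3 - REG:win.ini: run=C:\WINNT\system32\msoffice.exe
O2 - BHO: (no name) - {ECE3B804-BFA3-4841-B28F-206D4A5A7855} - C:\WINNT\system32\cboapb.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKLM\..\Run: [ut7j3ng] ssm230.exe
O4 - HKLM\..\Run: [WebRun] C:\WINNT\system32\web.exe
O4 - HKCU\..\Run: [fAotRhM5h] srvdmin.exe
O23 - Service: Aluria Spyware Eliminator Service - Unknown - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: hive, the literal "\..\Run:", the registry value name in brackets, then the command.
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: "Service: <display name> - <vendor> - <image path>".
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, raw line) for each line that matches the entry format."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def image_of(cmd):
    """Return the executable token of an autorun command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Apply the review heuristics (assumptions for this example) and return the flagged entries."""
    findings = []
    for sec, body, raw in parse_entries(text):
        # A missing file is a dangling reference: either leftover from a removal or a
        # loader that is recreated at boot, as the poster describes for boln.dll.
        if "(file missing)" in body:
            findings.append(Finding(sec, "dangling reference: file missing", raw))
            continue
        if sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            image = image_of(m.group("cmd"))
            if "\\" not in image:
                # No directory: Windows resolves the name via PATH, so the log alone
                # cannot tell you which file actually runs. Worth locating on disk.
                findings.append(Finding(sec, "autorun by bare filename (resolved via PATH)", raw))
            elif re.search(r"\d{6,}", image.rsplit("\\", 1)[-1]):
                # Long digit runs in an executable name are unusual for vendor software.
                findings.append(Finding(sec, "autorun image with long numeric name", raw))
        elif sec == "O23":
            m = O23_RE.match(body)
            if m and m.group("vendor") == "Unknown":
                findings.append(Finding(sec, "service with unknown vendor", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:45} {f.line}")
```

Run against the sample, the script flags the cboapb.dll BHO and the Aluria service (file missing), the two bare-filename Run entries ssm230.exe and srvdmin.exe, and mm15201518.Stub.exe for its numeric name, while leaving the vendor-pathed entries such as igfxtray.exe and DefWatch alone. The flags are a worklist for manual review (locate the file, check its publisher, compare against a known-clean machine), not grounds for deleting entries on their own.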