IE opening randomly\HJT log included

#1
I have a laptop that was infested with spyware and ran a few fixer tools (ComboFix, VundoFix, etc.), which seems to have removed most of the issues I was having, but while I'm browsing the web (with Firefox) IE will randomly pop up with a blank page and never load anything. I have attempted several things found on Google. I was hoping someone could take a look at my HijackThis log in the hope that someone would see something that I don't. Any help is greatly appreciated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:45:38 PM, on 2/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Hamachi\hamachi.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\PROCEXP.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\mstsc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {de9f9b1a-90eb-482f-99f1-4e28470171d5} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8292] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6275] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.thomashospital.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = admin
    O17 - HKLM\Software\..\Telephony: DomainName = admin
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = admin
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = admin
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

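The replies below check this log by eye for a handful of entry types: BHOs with no file behind them, services whose binary is missing, domain/DNS overrides, and RunOnce entries that delete things. The following script is an added example (not a tool from this thread or from Trend Micro) that applies those same heuristics to HJT log lines; the sample input is a constructed subset of the log above, and the rule set is an assumption about what a first-pass triage should flag, not an exhaustive malware check.

```python
"""Triage a HijackThis (HJT) log for the entry types that deserve a second look.

Added example, not a tool from this thread. It automates the checks the
replies make by hand: O2 BHOs with no backing file, O23 services whose
binary is missing or has no publisher, O17 domain/DNS overrides, and O4
RunOnce entries that delete files. The sample below is a constructed
subset of the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {de9f9b1a-90eb-482f-99f1-4e28470171d5} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\RunOnce: [SpybotDeletingC6275] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = admin
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
"""

# An HJT entry line is "<type> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    reason: str
    line: str


# (entry type, predicate on the body, why it matters). One entry may hit several rules.
RULES = [
    ("O2", lambda b: b.endswith("(no file)"),
     "BHO CLSID registered with no DLL on disk (orphaned or hidden)"),
    ("O4", lambda b: "RunOnce" in b and re.search(r"\bdel\b", b, re.I) is not None,
     "RunOnce entry deletes a file: check what the target is and who created it"),
    ("O17", lambda b: True,
     "Domain/DNS override: confirm it matches the network this host should use"),
    ("O23", lambda b: "(file missing)" in b,
     "Service points at a binary that is not on disk"),
    ("O23", lambda b: "Unknown owner" in b,
     "Service binary carries no publisher information"),
]


def parse_entries(text):
    """Return (kind, body, original line) for every HJT entry line in text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def triage(text):
    """Apply RULES to every entry and return the findings in log order."""
    findings = []
    for kind, body, line in parse_entries(text):
        for rule_kind, predicate, reason in RULES:
            if kind == rule_kind and predicate(body):
                findings.append(Finding(kind, reason, line))
    return findings


def summarize(findings):
    """Count findings per entry type."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(dict(summarize(found)))
```

On the sample it flags the nameless BHO, the Spybot RunOnce deletion of core.cache.dsk, the "admin" domain setting, and MSControlService twice (missing file and unknown owner), while leaving the Acrobat BHO and the VNC service alone. A hit is a prompt to look, not a verdict: the O17 rule in particular fires on every domain entry and needs the context the original poster gives later in the thread.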
#2
Re: IE opening randomly\HJT log included

http://www.hijackthis.de

Use that as a HJT analysis tool. Looks clean, but you're on a domain called "admin"?

FYI, also run CWShredder: http://www.trendmicro.com/ftp/produc...cwshredder.exe

It was originally made by the same guy who made HJT.
** Remember to give credit where credit is due and leave reputation points where appropriate **

#3
Re: IE opening randomly\HJT log included

Download runscanner from http://www.runscanner.net
Save a run file and upload it here (zipped).

#4
Re: IE opening randomly\HJT log included

Thanks for the replies, fellas.

wired: I already have CWShredder. Would it help to post a list of all the tools I have used?

lol @ the question about the admin domain. Yeah, this laptop used to be a part of that domain and it hasn't been used since we did our domain migration from the single-label domain. Talk about one of the roughest weeks in the history of my career! That's a story for another day though, over many beers! lol

geertm: going to try that now and I will repost.

Thanks again, guys.

#5
Re: IE opening randomly\HJT log included

runscanner run file is attached. Thanks again!

#6
Re: IE opening randomly\HJT log included

I see nothing suspicious except for this file:
Code:
    Item: 011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
    Description: parvdmm
    Path: C:\WINDOWS\system32\drivers\parvdmm.sys
    FileDescription: parvdmm.sys
    Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\parvdmm
    Certificate: File error
Google also can't find "parvdmm.sys".

Could you try uploading the file to VirusTotal for a virus check?

#7
Re: IE opening randomly\HJT log included

Hm... just did that and this is the message:

"0 bytes size received / Se ha recibido un archivo vacio"

#8
Re: IE opening randomly\HJT log included

Were you able to get rid of core.cache.dsk?

I've never removed this one before, but Google can help.

http://www.google.com/search?hl=en&q...=Google+Search

This is your problem.
Andrew

** Remember to give credit where credit is due and leave reputation points where appropriate **

#9
Re: IE opening randomly\HJT log included

I got this from another forum. I don't know how you guys are about posting the names of other forums in here, but to give credit where it is due, the user's name was miekiemoes.

Ok,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

    File::
    C:\WINDOWS\system32\drivers\parvdmm.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk

    Folder::
    C:\WINDOWS\system32\wnzs6
    C:\WINDOWS\system32\ni4
    C:\Temp\tn3
    C:\WINDOWS\system32\nGpxx01
    C:\WINDOWS\system32\etz1
    C:\WINDOWS\system32\comg7
    C:\VundoFix Backups

    Driver::
    MSControlService
    parvdmm

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingA8292"=-
    "SpybotDeletingC6275"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{de9f9b1a-90eb-482f-99f1-4e28470171d5}]

Save this as a text file, CFScript.

Then drag the CFScript into ComboFix.exe.

This seemed to have fixed the issue, so it looks like you were on the right path, geertm. Thanks for the help, guys!


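A CFScript like the one above deletes files, folders, driver services and registry entries in one pass, so it is worth knowing exactly what it will touch before dragging it onto ComboFix. The script below is an added example (not part of this thread and not ComboFix's own parser): it reads the File::/Folder::/Driver::/Registry:: sections, turns the registry lines into explicit delete-key/delete-value actions, and dry-runs the file, folder and driver targets through an injectable `exists` callable so the report can be produced on any machine. The sample script is a constructed, shortened copy of the one in the post; the assumption that driver binaries live under C:\WINDOWS\system32\drivers as <name>.sys is the usual case, not a guarantee.

```python
"""Parse a ComboFix CFScript and dry-run it before it is applied.

Added example, not part of the thread or of ComboFix. The sample script is
a constructed, shortened copy of the one posted above.
"""
import os
import re

SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\drivers\parvdmm.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

Folder::
C:\WINDOWS\system32\wnzs6
C:\VundoFix Backups

Driver::
MSControlService
parvdmm

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA8292"=-
"SpybotDeletingC6275"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{de9f9b1a-90eb-482f-99f1-4e28470171d5}]
"""

# Section headers look like "File::", "Registry::" and so on.
SECTION_RE = re.compile(r"^(\w+)::$")


def parse_cfscript(text):
    """Return {section: [items]}, keeping each section's lines in order."""
    plan = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            plan.setdefault(current, [])
        elif current is not None:
            plan[current].append(line)
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return plan


def registry_actions(lines):
    """Expand Registry:: lines into (action, key, value) tuples.

    [KEY] selects a key, "name"=- deletes that value under it, and
    [-KEY] deletes the whole key.
    """
    actions = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.match(r'^"(.+)"=-$', line)
            if not m or key is None:
                raise ValueError(f"unsupported registry line: {line!r}")
            actions.append(("delete_value", key, m.group(1)))
    return actions


def dry_run(plan, exists=os.path.exists, driver_root=r"C:\WINDOWS\system32\drivers"):
    """Report (section, target, present) for every File/Folder/Driver entry.

    Drivers are looked up as <driver_root>\<name>.sys (an assumption about
    the usual location); a missing .sys means "check the service's ImagePath",
    not "nothing to remove".
    """
    report = []
    for item in plan.get("File", []):
        report.append(("File", item, exists(item)))
    for item in plan.get("Folder", []):
        report.append(("Folder", item, exists(item)))
    for name in plan.get("Driver", []):
        report.append(("Driver", name, exists(driver_root + "\\" + name + ".sys")))
    return report


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for action in registry_actions(plan.get("Registry", [])):
        print("registry:", action)
    for section, target, present in dry_run(plan):
        print(f"{section:7} {'present' if present else 'absent '} {target}")
```

Run against the live system, the dry run tells you which of the listed paths exist before ComboFix removes them, and the registry expansion makes the two Spybot RunOnce deletions and the BHO key removal explicit. The parser is strict on purpose: a line that falls outside a section, or a registry line in a form it does not understand, raises instead of being silently skipped, which is the failure mode you want when the next step is deletion.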
#10
Re: IE opening randomly\HJT log included

Mieke's forum is bluemedicine.be (in Dutch).
She's an MVP in security.

A simpler fix would have been to just check the files in runscanner and then fix them.

#11
Re: IE opening randomly\HJT log included

Actually it was GeeksToGo, but probably the same person. Yeah, I think I'm going to be using runscanner quite a bit. Seems like a very useful tool. Thanks!

#12
Re: IE opening randomly\HJT log included

Originally posted by Geertm:
    Mieke's forum is bluemedicine.be (in Dutch).
    She's an MVP in security.

    A simpler fix would have been to just check the files in runscanner and then fix them.

Geertm, please check your PM and respond appropriately. Thank you.
1 1 was a racehorse.
2 2 was 1 2.
1 1 1 1 race 1 day,
2 2 1 1 2