DriverHeaven.net > Forums > Software / Tools > Windows XP / 2000 / NT / 9x Forum

Jun 10, 2004, 02:25 AM   #1
BWX

ntlanman !?!?!?

OMG, what is it?? Sygate popped up telling me it wanted to access the net all of a sudden.

It's in C:\Windows\system32\ntlanman

Could someone check to see if they have that ntlanman.exe in that Win/sys32 folder? It sounds familiar, but maybe that's something new..


It's in my msconfig\startup


When Sygate blocked it, it logged an IP address and a name : search.requestlookup.net -

I don't know, I have everything up to date: Spyware Blaster, Spybot, Adaware, NAV, firewall.. How does this crap get on here? I scanned with everything and found nothing detected....


I also have this damn thing in "My Documents" - it's something I cannot delete called funny.exe and an MS DOS shortcut called "funny" - I looked these up on Google but I don't have any of the registry entries that it says I would have if I'm infected with that crap- Those sites also say funny.exe would be in my C: drive, not "My Documents"



Now I open up a .txt and it says NOTEPAD.EXE could not be found WTF??? Just what those sites said happened to them earlier today when I noticed that funny.exe was there...

This is BS man. Norton sucks if this came in through an email of my girlfriend's, which it probably did...


I have a feeling they are all connected, It happened right after I downloaded the new 4.6 drivers
(I haven't opened or installed them yet- that's just a coincidence)

***** Also this is in my "list of objects" in IE6- maybe that's not bad, maybe it is..
InstallFromTheWeb ActiveX Control Installed http://tw.msi.com.tw/autobios/client/iftwclix.cab


funny.exe properties: (in My Docs)

general tab, location: C:\Documents and Settings\Administrator\My Document
size: 0 bytes
it has a memory tab, a screen tab, a font tab, a misc tab, and a compatibility tab.
The weird thing is that there is a file named "funny" that is described as a shortcut to an MS-dos program that is 3kb. It has all those tabs too, including memory tabs with all kinds of settings on there - I don't want to touch them really, and have my PC not boot up or some shit..


Well I'm going to do a full Norton scan now- maybe it will find something because I scanned all that stuff with everything and it came up clean. But I cannot delete those things... I need to go to sleep- hopefully someone will be able to find something that applies to this and I can remove it- if it's anything that's even that bad.. Who knows.. I'm just going to make ntlanman not start up, and do a scan and see...






What / where ntlanman.exe was trying to send:


File Version :
File Description : C:\WINDOWS\system32\ntlanman.exe
File Path : C:\WINDOWS\system32\ntlanman.exe
Process ID : 0x7C0 (Heximal) 1984 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : * my IP address
Local Port : 2697
Remote Name : search.requestlookup.net
Remote Address : 206.58.237.248
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: *my mac address
Source: *my MAC address
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x8149 (Correct)
Source: *my IP address
Destination: 206.58.237.248
Transmission Control Protocol (TCP)
Source port: 2697
Destination port: 80
Sequence number: 720872060
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xfeb7 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 01 5C 22 23 4E 70 50 : 80 FB 17 17 08 00 45 5C | ..\"#NpP......E\
0010: 00 30 F9 07 40 00 40 06 : 49 81 43 14 F8 9B CE 3A | .0..@.@.I.C....:
0020: ED F8 0A 89 00 50 2A F7 : A2 7C 00 00 00 00 70 02 | .....P*..|....p.
0030: FA F0 B7 FE 00 00 02 04 : 05 B4 01 01 04 02 72 63 | ..............rc
0040: 68 3F 73 6F 75 72 63 65 : 69 64 3D 6E | h?sourceid=n
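The Sygate dump in the post above can be decoded and both checksums verified offline. The Python below is an added example (mine, not BWX's and not Sygate's); it embeds the five hex lines verbatim as constructed input, and the function names are my own.

```python
import struct

# Constructed input: the five hex lines exactly as Sygate printed them above
# (copied verbatim; the ASCII column on the right is ignored by the parser).
SYGATE_DUMP = r"""0000: 00 01 5C 22 23 4E 70 50 : 80 FB 17 17 08 00 45 5C | ..\"#NpP......E\
0010: 00 30 F9 07 40 00 40 06 : 49 81 43 14 F8 9B CE 3A | .0..@.@.I.C....:
0020: ED F8 0A 89 00 50 2A F7 : A2 7C 00 00 00 00 70 02 | .....P*..|....p.
0030: FA F0 B7 FE 00 00 02 04 : 05 B4 01 01 04 02 72 63 | ..............rc
0040: 68 3F 73 6F 75 72 63 65 : 69 64 3D 6E | h?sourceid=n"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: xx xx .. : xx xx .. | ascii' lines."""
    hex_digits = []
    for line in dump.splitlines():
        hex_part = line.split("|", 1)[0]           # drop the ASCII column
        _, _, hex_part = hex_part.partition(":")   # drop the offset
        hex_digits.append("".join(hex_part.replace(":", " ").split()))
    return bytes.fromhex("".join(hex_digits))


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (the IP and TCP checksum).  Run over
    a header that already contains its checksum field, it returns 0 iff valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_options(raw: bytes) -> list:
    """Decode TCP options as (kind, value) pairs; EOL and NOP have no value."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind in (0, 1):                  # EOL, NOP carry no length byte
            out.append((kind, None))
            i += 1
            continue
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    eth_type, = struct.unpack("!H", frame[12:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    # TCP's checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {
        "eth_type": eth_type,
        "src_ip": ".".join(map(str, ip[12:16])),   # masked in the text, not in the dump
        "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if tcp[13] & (1 << i)],
        "options": tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        # Wire order is big-endian; Sygate printed both values byte-swapped
        # (0x8149 / 0xfeb7), so compare against the raw bytes, not the label.
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "tcp_checksum": struct.unpack("!H", tcp[16:18])[0],
        "ip_checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": rfc1071_checksum(pseudo + tcp) == 0,
        # Bytes past the IP total length are capture-buffer residue, not this packet.
        "trailing_bytes": frame[14 + total_len:],
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(SYGATE_DUMP)).items():
        print(f"{key:16} {value!r}")
```

The "rch?sourceid=n" text at the end of the dump lies beyond the 48-byte IP total length, so it is leftover buffer content rather than data this SYN carried; the frame itself is a plain connection attempt with no payload.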


Jun 10, 2004, 05:06 AM   #2
malkor

Have you done a scan with spybot and adaware??

If not, do both, then post a HijackThis log.
Jun 10, 2004, 05:22 AM   #3
BWX

Quote:
Originally posted by malkor
Have you done a scan with spybot and adaware??

If not, do both, then post a HijackThis log.
Yeah everything, scanned with everything.. Maybe I'm just paranoid, but those funny.exe things are weird.. I've never used HijackThis - What is the latest version? Is it just a google search or is the website called something else?
Jun 10, 2004, 05:28 AM   #4
malkor

HJT 1.97

Handy program, lists all BHOs, startup entries, downloaded programs etc.

DL it, unzip it to a permanent folder, run it, press scan, then press save. The log will appear in a Notepad window. Just copy and paste the entire log here. We can have a look at what's going on.


funny.exe may be smartsearch

Maybe after you post, running CWShredder might be a good idea. I feel you have been jacked somehow, especially with that notepad problem.


Edit- Did you try deleting the funny files from safemode??

Last edited by malkor; Jun 10, 2004 at 05:36 AM.
Jun 10, 2004, 06:55 AM   #5
BWX

Quote:
Originally posted by malkor
HJT 1.97

Handy program, lists all BHOs, startup entries, downloaded programs etc.

DL it, unzip it to a permanent folder, run it, press scan, then press save. The log will appear in a Notepad window. Just copy and paste the entire log here. We can have a look at what's going on.


funny.exe may be smartsearch

Maybe after you post, running CWShredder might be a good idea. I feel you have been jacked somehow, especially with that notepad problem.


Edit- Did you try deleting the funny files from safemode??
Nope not yet-
I do have CWshredder but I misplaced it-
I'll just see what it is now because I just ran a half hour scan- it was one of those online scans- the free Panda virus scanner here -- http://www.pandasoftware.com/actives..._principal.htm

I just let it go for a long time and now it says it found one file infected with something.. so I guess I'll go see what it is..



EDIT- That was nothing, false alarm- just an old key logger that got downloaded a couple years ago that I never unzipped or installed- it's gone now anyway, it was on a different HD too.. I dunno, I guess I'll delete those in safe mode- not sure why I can't delete them now..



By the way, do you have that ntlanman.exe on your PC?

Last edited by BWX; Jun 10, 2004 at 07:09 AM.
Jun 10, 2004, 07:50 AM   #6
PangingJr

It's a DLL file, not an EXE.
Not sure if any app uses ntlanman.exe.
Locate the file and look at its Properties.

Quote:
http://computercops.biz/postp176258.html
What a coincidence. I happen to have an executable that showed up in my SYSTEM32 directory in the last week, which is also named after a DLL in the same directory and ZoneAlarm has been blocking its attempts to connect to the exact same IP you are seeing. 206.58.237.248:80

My guess is that there is a piece of hackerware that was deposited on my machine somehow or a virus, and it names the executable after *any* DLL in your system32 directory.

For me the exe is "iglzw32s.exe". When I bring up the process monitor, I can see it among the processes. Killing it does not appear to affect the computer. I've asked ZoneAlarm to permanently block it.

Something to watch out for... by picking a random real DLL and naming the exe after it, the hacker avoids people from searching for the filename in google and finding anything unusual. Sleazy.
Jun 10, 2004, 08:06 AM   #7
BWX

that thing with notepad is a .txt viewer I tried out weeks ago called Subpad http://www.snapfiles.com/freeware/we...sh/fwtext.html


But I quit using it, and uninstalled it, now for some reason it has taken over- Even when I set .txt file to be viewed with notepad.txt, when I open them , they are opened /w subpad- I have to hunt that down and get rid of it, the program sucked anyway..

Messed up.








EDIT

And my notepad is there, but I can't make a txt file open up with it...
So I don't know- I have something I think, I cannot believe it got through though. Spywareblaster, Adaware, Spybot, Norton, or Sygate (well, it was what it was doing) - none of them see it- Not even Bazooka Spyware Scanner or McAfee Stinger see it..

Last edited by BWX; Jun 10, 2004 at 08:29 AM.
Jun 10, 2004, 08:24 AM   #8
BWX

Quote:
Originally posted by TIRO
it's a DLL file not an EXE.
not sure if any app that uses ntlanman.exe.
locate the file, and look at its Properties.


TIRO my Hero, Oh crAp- what do I have.
Jun 10, 2004, 08:37 AM   #9
BWX

Quote:
Originally posted by malkor
HJT 1.97

Handy program, lists all BHOs, startup entries, downloaded programs etc.

DL it, unzip it to a permanent folder, run it, press scan, then press save. The log will appear in a Notepad window. Just copy and paste the entire log here. We can have a look at what's going on.
It doesn't work. The button on that page takes me to a "cannot display" page
Jun 10, 2004, 08:49 AM   #10
malkor

Try here.

Merijn's site (the creator) and other spyware info sites have been getting DDoS attacks for months now from the creeps who produce this crapware.


Also have a look here. Try to DL the latest CWShredder (it's updated often). I think you're going to need it.

Last edited by malkor; Jun 10, 2004 at 08:55 AM.
Jun 10, 2004, 08:56 AM   #11
BWX

Quote:
Originally posted by malkor
Try here .

merjin's site (the creator) and other spyware info sites have been getting DDOS attacks for months now from the creeps who produce this crapware.
Already found it- here, check this-

Crap-- my notepad doesn't even work now!!

WTF-- hold on.


If I reboot I bet it will be a lot less..





Logfile of HijackThis v1.97.7
Scan saved at 9:53:48 am, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
E:\1 NETWORK STUFF\HIJACK THIS\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.driverheaven.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Open new IE window (HKLM)
O9 - Extra 'Tools' menuitem: Open new IE window (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...884.4202314815
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...36/mcfscan.cab
Jun 10, 2004, 09:10 AM   #12
PangingJr

R-click on the ntlanman.exe,
select Properties, see on the Version tab, its Description, File version, Copyright..
Jun 10, 2004, 09:10 AM   #13
BWX

Ok, this is after I rebooted-

Now that ntlanman.exe is asking to connect again (same IP) and it's running again even though I took it out of the startup- Now it's back again- Do you have that file?


DOES ANYONE have that file? Please LOOK!!!

If not, I will delete it, but I don't want to delete a file that I need...


Anyway, here it is-- right after reboot..

Logfile of HijackThis v1.97.7
Scan saved at 10:06:14 am, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ntlanman.exe
E:\1 NETWORK STUFF\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.driverheaven.net/index.php?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Open new IE window (HKLM)
O9 - Extra 'Tools' menuitem: Open new IE window (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...884.4202314815
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...36/mcfscan.cab





hmmm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.driverheaven.net/index.php?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing <-- ??



I'm too tired, been up for 3 days, need sleep... Hopefully I'll find the problem after I wake up..

Last edited by BWX; Jun 10, 2004 at 09:16 AM.
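Malkor's advice to read the O4 entries and the observation quoted in post #6 (an .exe named after a DLL in the same System32 folder) can be turned into a small log triage, shown here as an added example that is neither HijackThis's own code nor anything posted in the thread. It embeds constructed excerpts of the two logs above and a constructed System32 DLL listing; `parse_hjt`, `triage` and `diff_logs` are my own names.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpts of the two logs posted above (before and after the reboot):
# only the lines needed here are kept, in HijackThis 1.97's own line format.
HJT_BEFORE_REBOOT = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sygate\SPF\smc.exe
E:\1 NETWORK STUFF\HIJACK THIS\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe
"""
HJT_AFTER_REBOOT = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\ntlanman.exe
E:\1 NETWORK STUFF\HIJACK THIS\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe
"""
# Constructed stand-in for a listing of C:\WINDOWS\system32\*.dll.  ntlanman.dll is
# the one the thread confirms exists; the others are ordinary Windows DLLs.
SYSTEM32_DLLS = {"ntlanman.dll", "kernel32.dll", "user32.dll", "ws2_32.dll"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
ENTRY_RE = re.compile(r"^[RO]\d+ - ")


def first_executable(command: str) -> str:
    """Program a Run-key command launches: '"quoted path" args' or 'path args'."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(\S+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def parse_hjt(log: str) -> dict:
    """Split a log into its process list, its R/O lines and the parsed O4 entries."""
    processes, entries, run_entries, in_processes = [], [], [], False
    for line in log.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False          # blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.append(line)
            m = O4_RE.match(line)
            if m:
                hive, key, name, cmd = m.groups()
                run_entries.append({"hive": hive, "key": key, "name": name,
                                    "command": cmd, "exe": first_executable(cmd)})
    return {"processes": processes, "entries": entries, "run_entries": run_entries}


def triage(log: str, system32_dlls: set) -> list:
    """Flag Run entries whose .exe borrows the name of a System32 DLL (the trick
    quoted in post #6) and record whether that .exe is in the process list."""
    parsed = parse_hjt(log)
    running = {PureWindowsPath(p).name.lower() for p in parsed["processes"]}
    findings = []
    for entry in parsed["run_entries"]:
        exe_name = PureWindowsPath(entry["exe"]).name.lower()
        if exe_name.endswith(".exe") and exe_name[:-4] + ".dll" in system32_dlls:
            findings.append(dict(entry, exe_name=exe_name, running=exe_name in running))
    return findings


def diff_logs(before: str, after: str) -> dict:
    """What changed between two logs, e.g. across a reboot or after an HJT 'fix'."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "processes_added": sorted(set(a["processes"]) - set(b["processes"])),
        "processes_removed": sorted(set(b["processes"]) - set(a["processes"])),
        "entries_added": sorted(set(a["entries"]) - set(b["entries"])),
        "entries_removed": sorted(set(b["entries"]) - set(a["entries"])),
    }
```

On these excerpts the diff shows what BWX saw: the HKCU Run entry for ntlanman.exe survives the reboot and the process is back in the list, while only the MSConfig entry is gone.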
Jun 10, 2004, 09:18 AM   #14
malkor

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab


Close all open windows and browsers. Run HJT and check the above files and click fix.

Post a new log. I think it's remnants of the peper worm.
Jun 10, 2004, 09:29 AM   #15
malkor

Also do as TIRO mentioned and right click that ntlanman.exe file and look at its properties. Maybe you can see where it's from, or who created it.

All the O16 entries can be safely removed, they will be replaced the next time you visit the site.

I only suggested the one because it's from MSI, and your sig says you have an Abit board.
Jun 10, 2004, 09:30 AM   #16
PangingJr

ntlanman.exe.., the file is in your system, why don't you check it..
What's it for and why is it on the Run registry?
Jun 10, 2004, 09:34 AM   #17
BWX

Quote:
Originally posted by malkor
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab


Close all open windows and browsers. Run HJT and check the above files and click fix.

Post a new log. I think it's remnants of the peper worm.
K, but this is still trying to phone home: I see it in my Sygate logs-

06/10/2004 10:22:22-----Blocked ---------Outgoing-----TCP-----search.requestlookup.net----

[206.58.237.248]-----**my mac**---(port)80-----**my IP***------**my net card mac**------(port)1434--------**---> this is it---> C:\WINDOWS\system32\ntlanman.exe ------06/10/2004 10:21:08---------06/10/2004 10:21:17 (rule) Ask all running apps


206.58.237.248

OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US

ReferralServer: rwhois://rwhois.verio.net:4321/

NetRange: 206.58.0.0 - 206.58.255.255
CIDR: 206.58.0.0/16
NetName: VRIO-206-058
NetHandle: NET-206-58-0-0-1
Parent: NET-206-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
NameServer: NS4.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-01-10
Updated: 2003-08-27

TechHandle: VIA4-ORG-ARIN
TechName: Verio, Inc.
TechPhone: +1-303-645-1900
TechEmail: vipar@verio.net

OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net

OrgNOCHandle: VSC-ARIN
OrgNOCName: Verio Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@verio.net

OrgTechHandle: VIA4-ORG-ARIN
OrgTechName: Verio, Inc.
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@verio.net

# ARIN WHOIS database, last updated 2004-06-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Jun 10, 2004, 09:36 AM   #18
malkor

Look at its properties.

If you don't recognize who created it, have hijackthis fix it. If something doesn't work right after, HJT saves a backup and you can reinstate it. That's why I suggested running HJT from a permanent folder, so backups are saved.


If you fix with HJT and have no problems, then boot into safemode and remove the file.
Jun 10, 2004, 09:44 AM   #19
BWX

Quote:
Originally posted by TIRO
ntlanman.exe.., the file is in your system, why don't you check it..
what's it for and why it on the Run registry?
Oh yeah I did, and it's nothing special- just an .exe file-
I was wondering if it was normal to have it in there since you said it was a .dll, and in fact there is a .dll too. I thought I could just delete it in safe mode if no one else had it in their System32 folder-


name -ntlanman.exe


location- C:\WINDOWS\system32

size- 51.3 KB (52,625 bytes)

size on disk- 64.0 KB (65,536 bytes)

created- Friday, September 19, 2003, 9:02:03 pm

modified- Friday, September 19, 2003, 9:02:04 pm

accessed- Today, June 10, 2004

--archive checked- others not checked.


then there is a programmability tab- nothing checked-



Google- http://www.google.com/search?sourcei...ntlanman%2Eexe


One return, but the guy who has it has some other Trojan that I don't have... Wow, weird, I dunno, not too experienced with this stuff, I usually stay out of trouble.. This is my first infection actually- all the others were me just being paranoid... But this thing is calling home, so I know it's real.
Jun 10, 2004, 09:47 AM   #20
BWX