DriverHeaven.net

 
Go Back   DriverHeaven.net > Forums > Software / Tools > Windows XP / 2000 / NT / 9x Forum


Old Jun 10, 2004, 03:25 AM   #1
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

ntlanman !?!?!?

OMG, what is it?? Sygate popped up telling me it wanted to access the net all of a sudden.

It's in C:\Windows\system32\ntlanman

Could someone check to see if they have that ntlanman.exe in that Win/sys32 folder? It sounds familiar, but maybe that's something new..


It's in my msconfig\startup


When Sygate blocked it, it logged an IP address and a name : search.requestlookup.net -

I don't know, I have Up to date everything, Spyware blaster, Spybot, Adaware, NAV, Firewall.. How does this crap get on here? I scanned with everything and found nothing detected....


I also have this damn thing in "My Documents" - it's something I cannot delete called funny.exe and an MS DOS shortcut called "funny" - I looked these up on Google but I don't have any of the registry entries that it says I would have if I'm infected with that crap- Those sites also say funny.exe would be in my C: drive, not "My Documents"



Now I open up a .txt and it says NOTEPAD.EXE could not be found WTF??? Just what those sites said happened to them earlier today when I noticed that funny.exe was there...

This is BS man. Norton sucks if this came in through an email of my girlfriend's, which it probably did...


I have a feeling they are all connected. It happened right after I downloaded the new 4.6 drivers
(I haven't opened or installed them yet- that's just a coincidence)

***** Also this is in my "list of objects" in IE6- maybe that's not bad, maybe it is..
InstallFromTheWeb ActiveX Control Installed http://tw.msi.com.tw/autobios/client/iftwclix.cab


funny.exe properties: (in My Docs)

general tab, location: C:\Documents and Settings\Administrator\My Document
size: 0 bytes
it has a memory tab, a screen tab, a font tab, a misc tab, and a compatibility tab.
The weird thing is that there is a file named "funny" that is described as a shortcut to an MS-dos program that is 3kb. It has all those tabs too, including memory tabs with all kinds of settings on there - I don't want to touch them really, and have my PC not boot up or some shit..


Well I'm going to do a full Norton scan now- maybe it will find something because I scanned all that stuff with everything and it came up clean. But I cannot delete those things... I need to go to sleep- hopefully someone will be able to find something that applies to this and I can remove it- if it's anything that's even that bad.. Who knows.. I'm just going to make ntlanman not start up, and do a scan and see...

What / where ntlanman.exe was trying to send:


File Version :
File Description : C:\WINDOWS\system32\ntlanman.exe
File Path : C:\WINDOWS\system32\ntlanman.exe
Process ID : 0x7C0 (Heximal) 1984 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : * my IP address
Local Port : 2697
Remote Name : search.requestlookup.net
Remote Address : 206.58.237.248
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: *my mac address
Source: *my MAC address
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x8149 (Correct)
Source: *my IP address
Destination: 206.58.237.248
Transmission Control Protocol (TCP)
Source port: 2697
Destination port: 80
Sequence number: 720872060
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xfeb7 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 01 5C 22 23 4E 70 50 : 80 FB 17 17 08 00 45 5C | ..\"#NpP......E\
0010: 00 30 F9 07 40 00 40 06 : 49 81 43 14 F8 9B CE 3A | .0..@.@.I.C....:
0020: ED F8 0A 89 00 50 2A F7 : A2 7C 00 00 00 00 70 02 | .....P*..|....p.
0030: FA F0 B7 FE 00 00 02 04 : 05 B4 01 01 04 02 72 63 | ..............rc
0040: 68 3F 73 6F 75 72 63 65 : 69 64 3D 6E | h?sourceid=n
__________________
One Big Ass Mistake America
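The Sygate dump in the post above contains everything needed to check the firewall's summary by hand. The following is an added example (my code, not the poster's and not anything from Sygate): it converts the printed hex dump back into bytes, parses the Ethernet II, IPv4 and TCP headers, recomputes the IPv4 header checksum, and splits off whatever lies beyond the IP total length. The function names and the flag table are my own; the only input is the dump as printed.

```python
"""Decode the Sygate packet dump from the post above.

Added example, not code from the post or from Sygate: it turns the hex dump
back into bytes, parses the Ethernet II / IPv4 / TCP headers, recomputes the
IPv4 header checksum, and separates the bytes that lie beyond the IP total
length (the dump is 76 bytes, but the IP datagram is only 48).
"""
import struct

# The binary dump exactly as printed in the post (offsets and the ASCII
# column are stripped by dump_to_bytes).
SYGATE_DUMP = r"""
0000: 00 01 5C 22 23 4E 70 50 : 80 FB 17 17 08 00 45 5C | ..\"#NpP......E\
0010: 00 30 F9 07 40 00 40 06 : 49 81 43 14 F8 9B CE 3A | .0..@.@.I.C....:
0020: ED F8 0A 89 00 50 2A F7 : A2 7C 00 00 00 00 70 02 | .....P*..|....p.
0030: FA F0 B7 FE 00 00 02 04 : 05 B4 01 01 04 02 72 63 | ..............rc
0040: 68 3F 73 6F 75 72 63 65 : 69 64 3D 6E | h?sourceid=n
"""

TCP_FLAG_BITS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                 (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def dump_to_bytes(dump: str) -> bytes:
    """Convert an 'OFFSET: xx xx ... : xx xx | ascii' dump into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|", 1)[0]        # drop the ASCII column
        hex_part = hex_part.split(":", 1)[1]    # drop the "0000:" offset
        for tok in hex_part.split():
            if tok != ":":                      # Sygate's mid-line separator
                out.append(int(tok, 16))
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; 0 means a header that includes its checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Decode the TCP options normally seen on a SYN (MSS, NOP, SACK-permitted)."""
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            result["sack_permitted"] = True
        else:
            result["kind_%d" % kind] = body.hex()
        i += length
    return result


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II -> IPv4 -> TCP and report the fields Sygate summarised."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: 0x%04x" % eth_type)
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    ip_header = ip[:ihl]
    datagram = ip[:total_len]      # what the IP header says belongs to this packet
    trailing = ip[total_len:]      # anything the capture tool appended beyond that
    tcp = datagram[ihl:]
    sport, dport, seq, ack, off_flags, window, tcp_csum, urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl,
        "protocol": proto,
        "df_set": bool(flags_frag & 0x4000),
        # Sygate prints this byte-swapped (0x8149); on the wire it is 0x4981.
        "ip_checksum": hdr_csum,
        "ip_checksum_ok": ones_complement_sum(ip_header) == 0,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload": tcp[data_off:],
        "trailing": trailing,
    }


if __name__ == "__main__":
    info = decode_frame(dump_to_bytes(SYGATE_DUMP))
    for key, value in info.items():
        print("%-16s %r" % (key, value))
```

Two things fall out that the firewall's summary does not make obvious. Sygate prints both checksums byte-swapped (the header bytes are `49 81`, shown as `0x8149`; the IPv4 checksum does verify). And the readable tail `rch?sourceid=n` sits past the 48-byte IP total length, so it is not part of this SYN at all (Sygate itself reports 0 data bytes); it is leftover content in the capture buffer, not evidence of what the program was about to send.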


Old Jun 10, 2004, 06:06 AM   #2
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

Have you done a scan with spybot and adaware??

If not, do both, then post a HijackThis log.
Old Jun 10, 2004, 06:22 AM   #3
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by malkor
Have you done a scan with spybot and adaware??

If not, do both, then post a HijackThis log.
Yeah everything, scanned with everything.. Maybe I'm just paranoid, but those funny.exe things are weird.. I've never used HijackThis - What is the latest version? Is it just a Google search, or is the website called something else?
Old Jun 10, 2004, 06:28 AM   #4
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

HJT 1.97

Handy program, lists all BHOs, startup entries, downloaded programs etc.

DL it, unzip it to a permanent folder, run it, press scan, then press save. The log will appear in a Notepad window. Just copy and paste the entire log here. We can have a look at what's going on.


funny.exe may be smartsearch

Maybe after you post, running CWShredder might be a good idea. I feel you have been jacked somehow, especially with that notepad problem.


Edit- Did you try deleting the funny files from safe mode??

Last edited by malkor; Jun 10, 2004 at 06:36 AM.
Old Jun 10, 2004, 07:55 AM   #5
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by malkor
HJT 1.97

Handy program, lists all BHOs, startup entries, downloaded programs etc.

DL it, unzip it to a permanent folder, run it, press scan, then press save. The log will appear in a Notepad window. Just copy and paste the entire log here. We can have a look at what's going on.


funny.exe may be smartsearch

Maybe after you post, running CWShredder might be a good idea. I feel you have been jacked somehow, especially with that notepad problem.


Edit- Did you try deleting the funny files from safemode??
Nope not yet-
I do have CWshredder but I misplaced it-
I'll just see what it is now because I just ran a half hour scan- it was one of those online scans- the free Panda virus scanner here -- http://www.pandasoftware.com/actives..._principal.htm

I just let it go for a long time and now it says it found one file infected with something.. so I guess I'll go see what it is..



EDIT- That was nothing, false alarm- just an old key logger that got downloaded a couple years ago that I never unzipped or installed- it's gone now anyway, it was on a different HD too.. I dunno, I guess I'll delete those in safe mode- not sure why I can't delete them now..



By the way, do you have that ntlanman.exe on your PC?

Last edited by BWX; Jun 10, 2004 at 08:09 AM.
Old Jun 10, 2004, 08:50 AM   #6
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

It's a DLL file, not an EXE.
Not sure if there is any app that uses ntlanman.exe.
Locate the file, and look at its Properties.

Quote:
http://computercops.biz/postp176258.html
What a coincidence. I happen to have an executable that showed up in my SYSTEM32 directory in the last week, which is also named after a DLL in the same directory and ZoneAlarm has been blocking its attempts to connect to the exact same IP you are seeing. 206.58.237.248:80

My guess is that there is a piece of hackerware that was deposited on my machine somehow or a virus, and it names the executable after *any* DLL in your system32 directory.

For me the exe is "iglzw32s.exe". When I bring up the process monitor, I can see it among the processes. Killing it does not appear to affect the computer. I've asked ZoneAlarm to permanently block it.

Something to watch out for... by picking a random real DLL and naming the exe after it, the hacker prevents people searching for the filename in Google from finding anything unusual. Sleazy.
Old Jun 10, 2004, 09:06 AM   #7
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

that thing with notepad is a .txt viewer I tried out weeks ago called Subpad http://www.snapfiles.com/freeware/we...sh/fwtext.html


But I quit using it, and uninstalled it, now for some reason it has taken over- Even when I set .txt file to be viewed with notepad.txt, when I open them , they are opened /w subpad- I have to hunt that down and get rid of it, the program sucked anyway..

Messed up.

EDIT

And my notepad is there, but I can't make a txt file open up with it...
So I don't know- I have something I think, I cannot believe it got through though. Spywareblaster, Adaware, Spybot, Norton, or Sygate (well, it was what it was doing) - none of them see it- Not even Bazooka Spyware Scanner or McAfee Stinger see it..

Last edited by BWX; Jun 10, 2004 at 09:29 AM.
Old Jun 10, 2004, 09:24 AM   #8
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by TIRO
it's a DLL file not an EXE.
not sure if any app that uses ntlanman.exe.
locate the file, and look at its Properties.


TIRO my Hero, Oh crAp- what do I have.
Old Jun 10, 2004, 09:37 AM   #9
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by malkor
HJT 1.97

Handy program, lists all BHOs, startup entries, downloaded programs etc.

DL it, unzip it to a permanent folder, run it, press scan, then press save. The log will appear in a Notepad window. Just copy and paste the entire log here. We can have a look at what's going on.
It doesn't work. The button on that page takes me to a "cannot display" page
Old Jun 10, 2004, 09:49 AM   #10
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

Try here.

Merijn's site (the creator) and other spyware info sites have been getting DDOS attacks for months now from the creeps who produce this crapware.


Also have a look here. Try to DL the latest CWShredder (it's updated often). I think you're going to need it.

Last edited by malkor; Jun 10, 2004 at 09:55 AM.
Old Jun 10, 2004, 09:56 AM   #11
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by malkor
Try here .

merjin's site (the creator) and other spyware info sites have been getting DDOS attacks for months now from the creeps who produce this crapware.
Already found it here, check this-

Crap-- my notepad doesn't even work now!!

WTF-- hold on.

If I reboot I bet it will be a lot less..

Logfile of HijackThis v1.97.7
Scan saved at 9:53:48 am, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
E:\1 NETWORK STUFF\HIJACK THIS\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.driverheaven.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Open new IE window (HKLM)
O9 - Extra 'Tools' menuitem: Open new IE window (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...884.4202314815
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...36/mcfscan.cab
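The quoted post earlier in the thread describes the trick worth checking a HijackThis log for: an .exe dropped into System32 and named after a genuine DLL in the same directory, here ntlanman.exe beside the real ntlanman.dll (the LAN Manager network provider). The following is an added example, my code and not part of HijackThis, that runs that check over the O4 (autostart) lines of the log above. The DLL name set and the sample lines are constructed for the example (the lines are copied from the log); on a real machine the set would be built from a directory listing of System32, and the HKCU-plus-System32 rule is a heuristic of mine, not a HijackThis rule.

```python
"""Triage HijackThis O4 (autostart) entries for the trick described in this
thread: an .exe dropped in System32 whose base name matches a genuine Windows
DLL in the same directory, started from a per-user Run key.

Added example, not HijackThis code. KNOWN_SYSTEM_DLLS and SAMPLE_HJT_LINES are
constructed for this example (the log lines are copied from the post above);
on a live machine you would build the DLL set from the real System32 listing.
"""
import re
from dataclasses import dataclass, field

# Constructed: base names of a few genuine System32 DLLs. ntlanman.dll is
# the one the thread is about (the Windows LAN Manager network provider).
KNOWN_SYSTEM_DLLS = {"ntlanman", "kernel32", "user32", "netapi32", "wsock32"}

# Constructed sample: the O4 lines from the HijackThis log in the post.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
    r"O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide",
    r"O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe",
]

# "O4 - HKCU\..\Run: [name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Program path at the start of a command line, quoted or not, stopping at
# the first executable extension followed by a quote, whitespace or the end.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|pif|bat|cmd))(?:"|\s|$)',
                    re.IGNORECASE)


@dataclass
class Finding:
    hive: str
    name: str
    exe: str
    reasons: list = field(default_factory=list)


def exe_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    # No recognised extension (e.g. "RunDll32 foo.cpl,Entry"): take the first token.
    return m.group("exe") if m else cmd.split()[0]


def base_name(exe: str) -> str:
    """'C:\\WINDOWS\\System32\\ntlanman.exe' -> 'ntlanman'."""
    leaf = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0].lower()


def triage_o4(lines, known_dlls=KNOWN_SYSTEM_DLLS):
    """Flag O4 entries worth a closer look; each Finding lists why."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = exe_from_command(m.group("cmd"))
        stem = base_name(exe)
        reasons = []
        if stem in known_dlls:
            reasons.append("executable shares its name with system DLL %s.dll" % stem)
        # Heuristic (mine): a per-user autostart pointing into System32 is
        # unusual for legitimate software, which uses HKLM or its own folder.
        if m.group("hive") == "HKCU" and "\\system32\\" in exe.lower():
            reasons.append("per-user Run entry launches a file from System32")
        if reasons:
            findings.append(Finding(m.group("hive"), m.group("name"), exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_HJT_LINES):
        print("%s [%s] %s" % (f.hive, f.name, f.exe))
        for r in f.reasons:
            print("    - " + r)
```

Run against the log above, only the `[ntlanman]` entry is reported, for both reasons; the Logitech, Sygate, Symantec, Norton, StyleXP and RunDll32 entries pass. A name collision alone is not proof of anything, which is why the finding carries its reasons rather than a verdict: the next step is the one the thread already gives, looking at the file's Version tab and who signed or built it.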
Old Jun 10, 2004, 10:10 AM   #12
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

R-click on the ntlanman.exe,
select Properties, see on the Version tab, its Description, File version, Copyright..
Old Jun 10, 2004, 10:10 AM   #13
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Ok, this is after I rebooted-

Now that ntlanman.exe is asking to connect again (same IP) and it's running again even though I took it out of the startup- Now it's back again- Do you have that file?


DOES ANYONE have that file? Please LOOK!!!

If not, I will delete it, but I don't want to delete a file that I need...


Anyway, here it is-- right after reboot..

Logfile of HijackThis v1.97.7
Scan saved at 10:06:14 am, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ntlanman.exe
E:\1 NETWORK STUFF\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.driverheaven.net/index.php?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ntlanman] C:\WINDOWS\System32\ntlanman.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Open new IE window (HKLM)
O9 - Extra 'Tools' menuitem: Open new IE window (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...884.4202314815
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...36/mcfscan.cab





hmmm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.driverheaven.net/index.php?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing <-- ??



I'm too tired, been up for 3 days, need sleep... Hopefully I'll find the problem after I wake up..

Last edited by BWX; Jun 10, 2004 at 10:16 AM.
Old Jun 10, 2004, 10:18 AM   #14
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab


Close all open windows and browsers. Run HJT and check the above files and click fix.

Post a new log. I think it's remnants of the peper worm.
Old Jun 10, 2004, 10:29 AM   #15
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

Also do as TIRO mentioned and right click that ntlanman.exe file and look at its properties. Maybe you can see where it's from, or who created it.

All the O16 entries can be safely removed; they will be replaced the next time you visit the site.

I only suggested the one because it's from MSI, and your sig says you have an Abit board.
Old Jun 10, 2004, 10:30 AM   #16
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

ntlanman.exe.., the file is in your system, why don't you check it..
What's it for, and why is it in the Run registry?
Old Jun 10, 2004, 10:34 AM   #17
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by malkor
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab


Close all open windows and browsers. Run HJT and check the above files and click fix.

Post a new log. I think it's remnants of the peper worm.
K, but this is still trying to phone home: I see it in my Sygate logs-

06/10/2004 10:22:22-----Blocked ---------Outgoing-----TCP-----search.requestlookup.net----

[206.58.237.248]-----**my mac**---(port)80-----**my IP***------**my net card mac**------(port)1434--------**---> this is it---> C:\WINDOWS\system32\ntlanman.exe ------06/10/2004 10:21:08---------06/10/2004 10:21:17 (rule) Ask all running apps


206.58.237.248

OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US

ReferralServer: rwhois://rwhois.verio.net:4321/

NetRange: 206.58.0.0 - 206.58.255.255
CIDR: 206.58.0.0/16
NetName: VRIO-206-058
NetHandle: NET-206-58-0-0-1
Parent: NET-206-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
NameServer: NS4.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-01-10
Updated: 2003-08-27

TechHandle: VIA4-ORG-ARIN
TechName: Verio, Inc.
TechPhone: +1-303-645-1900
TechEmail: vipar@verio.net

OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net

OrgNOCHandle: VSC-ARIN
OrgNOCName: Verio Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@verio.net

OrgTechHandle: VIA4-ORG-ARIN
OrgTechName: Verio, Inc.
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@verio.net

# ARIN WHOIS database, last updated 2004-06-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Old Jun 10, 2004, 10:36 AM   #18
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

Look at its properties.

If you don't recognize who created it, have hijackthis fix it. If something doesn't work right after, HJT saves a backup and you can reinstate it. That's why I suggested running HJT from a permanent folder, so backups are saved.


If you fix with HJT and have no problems, then boot into safemode and remove the file.
Old Jun 10, 2004, 10:44 AM   #19
BWX
Spinal Tapped
 
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by TIRO
ntlanman.exe.., the file is in your system, why don't you check it..
what's it for and why it on the Run registry?
Oh yeah I did, and it's nothing special- just an .exe file-
I was wondering if it was normal to have it in there since you said it was a .dll, and in fact there is a .dll too. I thought I could just delete it in safe mode if no one else had it in their System32 folder-


name -ntlanman.exe


location- C:\WINDOWS\system32

size- 51.3 KB (52,625 bytes)

size on disk- 64.0 KB (65,536 bytes)

created- Friday, September 19, 2003, 9:02:03 pm

modified- Friday, September 19, 2003, 9:02:04 pm

accessed- Today, June 10, 2004

--archive checked- others not checked.


then there is a programmability tab- nothing checked-



Google- http://www.google.com/search?sourcei...ntlanman%2Eexe


One return, but the guy who has it, has some other Trojan that I don't have... Wow, weird, I dunno, not too experienced with this stuff, I usually stay out of trouble.. This is my first infection actually- all the others were me just being paranoid... But this thing is calling home, so I know its' real.
BWX is online now
Old Jun 10, 2004, 10:47 AM   #20
BWX
Spinal Tapped
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by malkor
Look at its properties.

If you don't recognize who created it, have HijackThis fix it. If something doesn't work right after, HJT saves a backup and you can reinstate it. That's why I suggested running HJT from a permanent folder, so backups are saved.

If you fix with HJT and have no problems, then boot into safe mode and remove the file.
Oh, I didn't even know HJT could do that- I'll try--
BWX is online now
Old Jun 10, 2004, 10:49 AM   #21
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

No Version tab??? Where the company who made it could be listed?

Just a reminder, always use HJT with ALL windows and browsers closed. After fixing something, reboot and post a fresh log.
malkor is offline
Old Jun 10, 2004, 10:53 AM   #22
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

Quote:
Originally posted by BWX
Oh yeah I did, and it's nothing special- just an .exe file-
I was wondering if it was normal to have it in there since you said it was a .dll, and in fact there is a .dll too. I thought I could just delete it in safe mode if no one else had it in their System32 folder-

name - ntlanman.exe
location - C:\WINDOWS\system32
size - 51.3 KB (52,625 bytes)
size on disk - 64.0 KB (65,536 bytes)
created - Friday, September 19, 2003, 9:02:03 pm
modified - Friday, September 19, 2003, 9:02:04 pm
accessed - Today, June 10, 2004
archive checked - others not checked.

Then there is a programmability tab - nothing checked.

Google - http://www.google.com/search?sourcei...ntlanman%2Eexe

One return, but the guy who has it has some other Trojan that I don't have... Wow, weird, I dunno, not too experienced with this stuff, I usually stay out of trouble.. This is my first infection actually- all the others were me just being paranoid... But this thing is calling home, so I know it's real.

This is what I'd like you to read...
Quote:
http://computercops.biz/postp176258.html
What a coincidence. I happen to have an executable that showed up in my SYSTEM32 directory in the last week, which is also named after a DLL in the same directory, and ZoneAlarm has been blocking its attempts to connect to the exact same IP you are seeing: 206.58.237.248:80

My guess is that there is a piece of hackerware that was deposited on my machine somehow, or a virus, and it names the executable after *any* DLL in your system32 directory.

For me the exe is "iglzw32s.exe". When I bring up the process monitor, I can see it among the processes. Killing it does not appear to affect the computer. I've asked ZoneAlarm to permanently block it.

Something to watch out for... by picking a random real DLL and naming the exe after it, the hacker keeps people from finding anything unusual when they search for the filename in Google. Sleazy.
ntlanman.exe.... this file name can be anything, so you won't find its info on the net..
Trojan or hacker!!!

Whatever it is, you don't need it in startup items..
Go to the Run registry key, back it up and delete it..
Then reboot, then go check the Run key again;
if the registry entry does not come back..
you can delete the "ntlanman.exe" file in the /system32 folder.
Back up the file first if you're not sure..
PangingJr is offline
Old Jun 10, 2004, 11:02 AM   #23
malkor
DriverHeaven Lover
Join Date: Apr 2004
Posts: 123

OK. You're being told to do different things for the same result. Don't want to confuse here or step on anyone's toes. I'll leave it with TIRO, you're in good hands.
malkor is offline
Old Jun 10, 2004, 11:07 AM   #24
BWX
Spinal Tapped
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by TIRO
This is what I'd like you to read...


ntlanman.exe.... this file name can be anything, so you won't find its info on the net..
Trojan or hacker!!!

Whatever it is, you don't need it in startup items..
Go to the Run registry key, back it up and delete it..
Then reboot, then go check the Run key again;
if the registry entry does not come back..
you can delete the "ntlanman.exe" file in the /system32 folder.
Back up the file first if you're not sure..
Yeah, HJT couldn't fix it either, I just tried, it came right back..

Well I have a backup now so I guess I can try to delete it now..

http://computercops.biz/postp176258.html <-- Yeah I read that too- It's the same IP and everything, but that guy never found out what it was either.. I suppose he just deleted it- But I have those other files too- I guess I'll just safe mode it and delete them all..
BWX is online now
Old Jun 10, 2004, 11:17 AM   #25
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

Quote:
Originally posted by malkor
OK. You're being told to do different things for the same result. Don't want to confuse here or step on anyone's toes. I'll leave it with TIRO, you're in good hands.
arr, it's about the same...
backup then remove the Run (auto start registry key) registry entry by using HijackThis
or doing it by hand
or using MSCONFIG,

it's just, don't spend time with this and let it keep calling home...
PangingJr is offline
Old Jun 10, 2004, 11:37 AM   #26
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

ok, sorry but lay off the HijackThis for a min, this is not its job..

backup the Run registry key, then delete the ntlanman.exe entry.
then go to the \system32 folder, backup the ntlanman.exe then delete it.

if you cannot delete it in normal mode do it in safe mode,
enter MSCONFIG and add /SAFEBOOT to the boot.ini in the tab BOOT.INI
or use the F8 key during bootup.

do not delete other files now.
see if you can find more info about the ntlanman.exe file..

Last edited by Net; Jun 10, 2004 at 11:46 AM.
PangingJr is offline
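A defender's way to automate the two checks TIRO lays out in posts #22 and #26: an EXE that borrows the name of a real DLL sitting in System32 (the trick the quoted computercops poster noticed), and a Run-key entry that launches it. This is an added example, not code posted in this thread and not part of HijackThis or any other tool named here. It is Python working on a constructed System32 listing and a constructed `.reg` export so it runs offline; on a real XP box you would feed it the output of `dir /b %SystemRoot%\system32` and of `reg export` for the HKLM and HKCU `...\CurrentVersion\Run` keys. The `KNOWN_PAIRS` allowlist is an assumption (sfc.exe and sfc.dll, which later posts in the thread discuss, are a legitimate pair); extend it from a machine you know is clean.

```python
"""Triage for the "EXE named after a real DLL" trick and the Run-key entries
that launch it.  Added example for the thread; runs on constructed sample data."""

import re
from pathlib import PureWindowsPath

# Constructed listing of part of a System32 directory (sample, not real data).
SYSTEM32_LISTING = """\
ntlanman.dll
ntlanman.exe
notepad.exe
sfc.exe
sfc.dll
iglzw32s.dll
kernel32.dll
cmd.exe
"""

# Constructed .reg export of a Run key (sample entries, not real data).
RUN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntlanman"="C:\\WINDOWS\\system32\\ntlanman.exe"
"Sygate"="\"C:\\Program Files\\Sygate\\SPF\\smc.exe\" -startgui"
"""

# Genuine exe/dll pairs that ship with Windows.  Assumed allowlist: verify
# against a known-good machine and extend it before trusting the output.
KNOWN_PAIRS = {"sfc"}


def shadow_executables(listing: str, allowlist=KNOWN_PAIRS) -> list[str]:
    """Return .exe names whose stem matches a .dll in the same listing."""
    names = [n.strip().lower() for n in listing.splitlines() if n.strip()]
    dll_stems = {n[:-4] for n in names if n.endswith(".dll")}
    return sorted(
        n for n in names
        if n.endswith(".exe") and n[:-4] in dll_stems and n[:-4] not in allowlist
    )


_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def run_entries(reg_export: str) -> dict[str, str]:
    """Parse the value lines of a .reg export into {value name: command}."""
    entries = {}
    for line in reg_export.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            # .reg files escape embedded quotes and backslashes; undo that,
            # quotes first so an escaped backslash is not misread.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries[m.group("name")] = data
    return entries


def executable_of(command: str) -> str:
    """Lower-cased file name of the program a Run-key command launches."""
    command = command.strip()
    if command.startswith('"'):           # quoted path, possibly with spaces
        exe = command[1:command.index('"', 1)]
    else:                                  # bare path, arguments after a space
        exe = command.split(" ")[0]
    return PureWindowsPath(exe).name.lower()


def suspicious_run_entries(reg_export: str, listing: str) -> dict[str, str]:
    """Run entries whose program is flagged by shadow_executables()."""
    shadows = set(shadow_executables(listing))
    return {name: cmd for name, cmd in run_entries(reg_export).items()
            if executable_of(cmd) in shadows}


if __name__ == "__main__":
    print("shadow exes:", shadow_executables(SYSTEM32_LISTING))
    print("suspicious Run entries:",
          suspicious_run_entries(RUN_REG_EXPORT, SYSTEM32_LISTING))
```

The reboot test TIRO describes maps onto the same functions: export the Run key before deleting the entry, reboot, export it again, and run `suspicious_run_entries` on the second export. If the entry is back, something other than that EXE is re-creating it and removing the file alone will not help.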
Old Jun 10, 2004, 12:18 PM   #27
BWX
Spinal Tapped
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by TIRO
ok, sorry but lay off the HijackThis for a min, this is not its job..

backup the Run registry key, then delete the ntlanman.exe entry.
then go to the \system32 folder, backup the ntlanman.exe then delete it.

if you cannot delete it in normal mode do it in safe mode,
enter MSCONFIG and add /SAFEBOOT to the boot.ini in the tab BOOT.INI
or use the F8 key during bootup.

do not delete other files now.
see if you can find more info about the ntlanman.exe file..
Uh oh, I already did that- I went into safe mode and deleted ntlanman.exe - it's in the recycle bin right now... I have much bigger problems though, that Funny.exe would not delete in safe mode- so I tried to find out more about it, it is tied into something on the %systemroot%Autoexec.NT and something else- I'll just post a pic-- And when I try to change any properties of the file, it just creates a shortcut of itself, but I can delete that- it's weird...

EDIT-- don't worry, I changed the ICON_ it wasn't like that -

Even worse is my notepad shortcut in my program list has turned into some weird app, but I can actually right click and get some info on it; I will post that.

I think the ntlanman.exe is all taken care of though-- Thanks for hooking me up w/ HJT though malkor, and thanks for the help.
BWX is online now
Old Jun 10, 2004, 12:54 PM   #28
BWX
Spinal Tapped
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Here is what my notepad shortcut in my programs list looks like-

I guess I could just delete it right?
That is also the same as the sfc.dll - I wonder if it's the same as the ntlanman thing?
Actually it doesn't seem like it because that was created a while ago and looks legit...
BWX is online now
Old Jun 10, 2004, 01:20 PM   #29
PangingJr
Member
Join Date: Mar 2003
Posts: 5,989

Don't delete the "sfc.exe"; the program is the Windows system file checker.

check this and pls reply..
go to \system32, right-click "notepad.exe" and select Send to -> Desktop (create shortcut),
then right-click on the shortcut and see its Properties again.. its Target line should read "C:\WINDOWS\system32\notepad.exe".... What do you have on the Target line?

re the Funny.exe... I believe it's one of the old Back Orifice Trojans, I'll look up more info later..
PangingJr is offline
Old Jun 10, 2004, 01:50 PM   #30
BWX
Spinal Tapped
Join Date: Nov 2002
Location: USNY
Posts: 19,571

Quote:
Originally posted by TIRO
Don't delete the "sfc.exe"; the program is the Windows system file checker.

check this and pls reply..
go to \system32, right-click "notepad.exe" and select Send to -> Desktop (create shortcut),
then right-click on the shortcut and see its Properties again.. its Target line should read "C:\WINDOWS\system32\notepad.exe".... What do you have on the Target line?

re the Funny.exe... I believe it's one of the old Back Orifice Trojans, I'll look up more info later..
Thanks, I've been looking (funny.exe) but none of them applied to me- they were all in the root folder and had specific reg entries that I didn't have...

Yeah, that was just a shortcut to the sfc.exe, it wasn't the file itself, but it was where my notepad shortcut used to be, and it was called notepad. I made the shortcut to notepad and it has the correct line. But I still cannot make a .txt file open with it, it gives an error when I right click a .txt file, Open With, click or browse to notepad, then it gives an error... saying not a valid Win32 file..... Weird..

Something is stuck on that notepad in windows,--

!!! No wait, actually my notepad was in the WINDOWS folder, NOT the WINDOWS/System32 folder- Is it supposed to be in system32?

I did a search, it is also here: C:\WINDOWS\system32\dllcache

Hmmmmm maybe just put it back in C:\WINDOWS\system32\ ??
BWX is online now