possible spyware? HJT log 1

ksnpc

Technical User
Jan 23, 2004
91
US
I have a remote user running Windows NT 4. He has recently been having 5 error messages come up during start up:

1. Rundll32.exe Entry Point Not Found. The procedure entry point SymGetLineFromAddr could not be located in the dynamic link library IMAGEHLP.dll.

2. tsl.exe - Entry Point Not Found. The procedure entry point CreateToolHelp32Snapshot could not be located in the dynamic link library KERNEL32.dll.

3. Service Control Manager. At least one service or driver failed during startup. Use event viewer to examine the event log for details.

4. OleMainThreadWndName: wupdt.exe - Entry point not found. The procedure entry point SHGetSpecialFolderPathA could not be located in the dynamic link library SHELL32.dll.

5. Dr. Watson for Windows NT. An application error has occurred and an error log is being generated. Avsynmgr.exe. Exception: access violation (0xc000000e), address: 0x12011e8e.

His Internet Explorer has stopped working entirely. Start up and shut down are taking an unusually long time and he said that his antivirus software (McAfee 4.51 sp1) stopped working briefly. He had to reinstall it and now it seems to work again but has found no problems during scans. He has also scanned with Stinger and found no problems. He says Spybot Search & Destroy doesn't find any errors, but I suspect that there is some spyware. I asked him to run Hijack This and I was wondering if anyone could help interpret the log, I'm a complete novice:

Logfile of HijackThis v1.98.2
Scan saved at 12:43:16 PM, on 9/7/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cpqalert.exe
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\PROGRA~1\SEAGAT~1\SI\X86\sentnl32.exe
C:\WINNT\system32\RpcSs.exe
c:\winnt\system32\export\config\FireDaemon.EXE
c:\winnt\system32\export\config\FireDaemon.EXE
c:\winnt\system32\export\config\rundll31.exe
c:\winnt\system32\export\config\rundll32.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\DmiNT40\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\cpqdmi.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\CHKADMIN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ybpres.exe
C:\Program Files\Nortel Networks\Extranet.exe
G:\Office\Lane\Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Progra~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [BIOSGuard] BGuard.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\hpztsb04.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kbzvoxnet] C:\WINNT\System32\ybpres.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [NAI_INSTALL_SCAN] "C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\scan32.exe" C:\ /autoscan /autoexit
O4 - HKLM\..\Run: [InstallNAIProduct] "G:\Office\Lane\Software\McAfee\Setup.exe" /RUNKEY
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = state.ky.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = state.ky.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = state.ky.us


I'm suspicious of the following entries but I have no clue about the rest:
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Progra~1\Lycos\IEagent\CSIE.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe

If anyone has any ideas or can point me in a better direction I would be extremely grateful.

Thanks,
Shauna
 
Shauna,

I'm suspicious of those lines too, but according to your HijackThis! log, you have Spybot installed. Have you tried updating and running Spybot?

Wishdiak
 
Even if it's updated, Spybot misses most problems now. Get Ad-Aware.


Don't forget to update.

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
 
I'll see if Spybot updates are current and also try ad-aware. Thanks!
 
Just a quick glance shows that you have IGetNet/ClearSearch. I'll check the log a little more, but you're definitely right to be wary of those lines. I'll get back in a bit . . .

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 
Sorry, just got a call from a user who downloaded a virus on his pc. I'll be back in a few minutes if no one else steps in.

 
After you run Adaware (from looking at some logs it looks like that should take care of the clearsearch issue),
please run an online virus scan from trendmicro, pandasoft, or rav. There are links in smah's faq.



Then close browser windows, and fix these items if still present (the one entry noted below depends on whether you know what it is):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Progra~1\Lycos\IEagent\CSIE.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

I get no hits on this one - is it a program you are familiar with?
O4 - HKLM\..\Run: [BIOSGuard] BGuard.exe [ no hits ]

O4 - HKLM\..\Run: [kbzvoxnet] C:\WINNT\System32\ybpres.exe [ no hits ]
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe [ trojan ]
O13 - WWW. Prefix: http://
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

Reboot to safe mode:
delete
C:\WINNT\System32\ybpres.exe [ no hits ]
C:\PROGRA~1\COMMON~1\tsa\tsl.exe

If you fixed the biosguard line above, find and rename this program.
(Renaming instead of deleting gives you the opportunity to go back and rename it back if it turns out to be a needed file.)

reboot and see if things are better.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
oops, find and rename BGuard.exe (left file name out of instructions above.)

 
Thank you all so much! I will get started on all this and repost when we get through the steps.

 
Thanks for taking this one diogenes. I got caught on the spyware call from hell. Took more than two hours to clean this pc.

 
Well, after following your advice we now have internet explorer up and running and are down to just 1 error! We can't get rid of that pesky rundll32.exe error but everything else is working great. I did find out that the Bios Guard (bguard.exe) is a utility that was included with his Matrox video board so I left it alone. I really appreciate all your help!

Thanks,
Shauna
 
Continuing rundll errors - possibility??

c:\winnt\system32\export\config\rundll31.exe
c:\winnt\system32\export\config\rundll32.exe

The original log shows these two lines.

As I saw in a thread elsewhere " rundll31.exe eek! "
That is not a valid file.

I think rundll32.exe is a valid file name but I have a sneaking suspicion that its proper location is not the one above, which would probably make that particular file a bad one.

 
And that may also mean you need to be concerned about the FireDaemon program since they are in the same directory.

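Added example, not code from the thread or from HijackThis: a small Python checker that applies the two heuristics diogenes uses in the two posts above to a "Running processes" list. It flags a well-known NT binary name running from somewhere other than its normal directory (the rundll32.exe point), a file name one character away from a known system binary (the rundll31.exe point), and any other process that shares a directory with one of those (the FireDaemon point). The sample process list is constructed from paths quoted in this thread; the table of expected locations and all function names are assumptions made for this example.

```python
"""Flag suspicious entries in a HijackThis "Running processes" list.

Example code written for this thread; not part of HijackThis.  The process
list below is constructed from paths quoted in the thread, and the table of
expected locations is a small illustrative one, not an exhaustive list.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample, in the format HijackThis 1.98 prints under "Running processes".
SAMPLE_PROCESSES = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
c:\winnt\system32\export\config\FireDaemon.EXE
c:\winnt\system32\export\config\rundll31.exe
c:\winnt\system32\export\config\rundll32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
"""

# Where a few NT 4 system binaries normally live (lower-case, no trailing slash).
# Assumed for this example; extend it for the build you are looking at.
EXPECTED_LOCATIONS = {
    "smss.exe": {r"c:\winnt\system32"},
    "winlogon.exe": {r"c:\winnt\system32"},
    "rundll32.exe": {r"c:\winnt\system32"},
    "mstask.exe": {r"c:\winnt\system32"},
    "explorer.exe": {r"c:\winnt"},
}


def parse_processes(text):
    """Return the non-empty lines of a 'Running processes' block, unchanged."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def levenshtein(a, b):
    """Edit distance; used to catch look-alike names such as rundll31.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, reason) for one process path.

    verdict is one of: ok, misplaced, lookalike, unknown.
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in EXPECTED_LOCATIONS:
        if parent in EXPECTED_LOCATIONS[name]:
            return "ok", ""
        expected = ", ".join(sorted(EXPECTED_LOCATIONS[name]))
        return "misplaced", name + " normally runs from " + expected
    for known in EXPECTED_LOCATIONS:
        if levenshtein(name, known) == 1:
            return "lookalike", name + " is one character away from " + known
    return "unknown", ""


def analyze(text):
    """Classify every process, then mark neighbours of bad files.

    Returns {path: (verdict, reason)}; a second pass changes ok/unknown
    processes to 'neighbour' when they share a directory with a misplaced or
    look-alike binary, which is the FireDaemon observation from the thread.
    """
    findings = {}
    by_dir = defaultdict(list)
    for path in parse_processes(text):
        findings[path] = classify(path)
        by_dir[str(PureWindowsPath(path).parent).lower()].append(path)
    for path, (verdict, _reason) in list(findings.items()):
        if verdict not in ("ok", "unknown"):
            continue
        directory = str(PureWindowsPath(path).parent).lower()
        bad = [PureWindowsPath(other).name for other in by_dir[directory]
               if other != path and findings[other][0] in ("misplaced", "lookalike")]
        if bad:
            findings[path] = ("neighbour", "shares " + directory + " with " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for path, (verdict, reason) in analyze(SAMPLE_PROCESSES).items():
        if verdict != "ok":
            print(f"{verdict:10} {path}  {reason}")
```

Run against the constructed list it reports rundll32.exe as misplaced, rundll31.exe as a look-alike, and FireDaemon.EXE as a neighbour of both; the genuine system32 entries pass. The directory table is deliberately small: the point is the comparison of name against expected path, which is the same check a reviewer does by eye on an HJT log.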
 
I'll get rid of those files. As far as I understand from google searching, FireDaemon is a legit program but is sometimes used by spyware writers. I guess I should make sure there's nothing else using it and uninstall if there isn't. I can't imagine any real need he would have for it. Thanks for pointing that out!
 