
trust cleaner help please!

Discussion in 'Windows - Virus and spyware problems' started by groomjac, Feb 6, 2007.

  1. groomjac (Member)
    Hi guys, I'm new to the boards, so hello everyone. I'm at work, and when I try to do a Google search (and when I search on eBay), sometimes this Trust Cleaner ad pops up. Any help is appreciated; I included a log file from HijackThis. Thanks.


    Logfile of HijackThis v1.99.1
    Scan saved at 4:13:22 PM, on 2/6/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\PROGRA~1\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NWTRAY.EXE
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
    C:\WINNT\system32\iprntctl.exe
    S:\WinSPC\pub\Autocodedater\AutoCodeDate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\proquota.exe
    C:\Program Files\dqs\WinSPC\WinSPC32.exe
    C:\Documents and Settings\MCDEPOSIT1\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.CLV.NA.MARS
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
    O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
    O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
    O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
    O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
    O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
    O4 - HKLM\..\Run: [iPrint Tray] C:\WINNT\system32\iprntctl.exe TRAY_ICON
    O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
    O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
    O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
    O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
     
  2. elokito (Regular member)
    The "net installer" seems suspicious to me. Also, use Firefox instead of IE; problem solved.
     
  3. Dunker (Regular member)
    This is bad. trustincontext.dll is the main parasite, but I also see the ClientMan dropper, which is a backdoor trojan/dropper. I also see your DNS system is completely compromised, hence the .MARS domains. I think one of the other files might be operating as a DNS redirector, kind of like the NEW.NET malware does. You can try deleting all the items below (a few are unrelated to this but are unneeded, e.g. qttask.exe). You should run SpyBot, CCleaner, AVG Anti-Spyware (Ewido), etc. To clean up the DNS hijack, go into Network Connections, LAN (or whatever you use to connect), select TCP/IP, Properties, then Advanced, and delete anything and everything pertaining to DNS.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.CLV.NA.MARS
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
    O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
    O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
    O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
    O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
    O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
    O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
    O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
    O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
     
  4. ddp (Moderator, Staff Member)
    Moved to correct forum.
     
  5. groomjac (Member)
    Dunker, thanks for the reply. I think I have fixed it via another post on this site in another forum, but here's a new HijackThis log if you care to look. Thanks for all the help.
     
  6. groomjac (Member)
    Sorry.
    Logfile of HijackThis v1.99.1
    Scan saved at 8:25:07 PM, on 2/7/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\PROGRA~1\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\proquota.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
    C:\WINNT\system32\iprntctl.exe
    S:\WinSPC\pub\Autocodedater\AutoCodeDate.exe
    C:\Program Files\dqs\WinSPC\WinSPC32.exe
    C:\Program Files\Quick View Plus\Program\qvp32.exe
    h:\New Folder\HijackThis_v1.99.1.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
    O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
    O4 - HKLM\..\Run: [iPrint Tray] C:\WINNT\system32\iprntctl.exe TRAY_ICON
    O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
    O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
    O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
    O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
    O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

     
  7. Dunker (Regular member)
    Sorry for taking so long to get back. Your system appears to still be infected, and I wouldn't be surprised if there's a rootkit in there. Try renaming your hijackthis.exe file to something else with a .exe extension, as rootkits can use this to identify whether HijackThis is being run and hide themselves, and post a log. Likewise, you may also want to try running a somewhat older (and renamed) version afterwards, as rootkits can identify HJT by other means.

    I see AutoCodeDate.exe and WinSPC32.exe still running, which is likely the trojan itself. The DNS situation is still screwed up too, which is potentially the most serious threat. The following is also not a good sign:

    O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag

    Try removing those again, or using a product that can tackle these. FYI, as a rule of thumb, avoid paid anti-spyware software except Ewido (AVG Anti-Spyware) and Webroot Spysweeper. I also see you have Norton Anti-Virus, which is probably one of the worst products around. Try uninstalling that and using AVG, Avira Antivir, or Avast! which are also free for home use.

    Incidentally, I noticed you have WinZip installed:
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    WinZip and other compression programs need to be kept up to date, as they suffer lots of security problems, so make sure you have the latest version of that.
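The triage Dunker does by eye in posts #3 and #7 (BHOs whose DLL is gone, BHOs loading from system32, an autostart living in the ActiveX download cache, an ActiveX control pulled from a bare IP, the O17 Domain/SearchList values) can be scripted against the two posted logs. The block below is an added example written for this thread; it is not part of the original posts and not a HijackThis feature. It parses the R/O entry lines, flags entries by those structural heuristics, and diffs the Feb 6 and Feb 7 logs to show what the cleanup changed. Two things are assumptions: the embedded logs are a subset of the entry lines posted above, and the expected DNS suffix set is taken from the log's own O17 values on the basis that this is a work PC. Whether those suffixes are the site's legitimate corporate DNS configuration is a question for the network team, so treat the allow-list as something to confirm rather than as a verdict on Dunker's DNS concern; likewise, a flag is a lead to verify against the file on disk and its vendor, not proof of infection.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example; not from this thread or from HJT)."""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
IPV4_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)")

# Assumption: the poster's machine is a work PC, so the DNS suffixes the log shows are
# taken as the expected corporate baseline. Replace with what your network team publishes.
EXPECTED_DNS_SUFFIXES = frozenset(
    {"clv.na.mars", "na.mars", "mars", "sa.mars", "eu.mars", "ap.mars", "cds.mars"}
)


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O16", "O17", ...
    body: str     # everything after "O2 - "


def parse_log(text: str) -> list[Entry]:
    """Keep the R*/O* entry lines; the header and the process list are ignored."""
    found = [ENTRY_RE.match(line.strip()) for line in text.splitlines()]
    return [Entry(m.group("sec"), m.group("body")) for m in found if m]


def flag(entry: Entry, expected=EXPECTED_DNS_SUFFIXES) -> list[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing odd by these rules."""
    sec, body, reasons = entry.section, entry.body, []
    if sec == "O2":  # Browser Helper Objects
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("BHO registered but its DLL is gone: remove the CLSID registration")
        elif re.search(r"\\system32\\[^\\]+\.dll$", body, re.IGNORECASE):
            reasons.append("BHO DLL loaded straight from system32, not a vendor directory: check hash/signature")
    elif sec == "O4":  # Run / RunOnce / Startup folder
        if "\\Downloaded Program Files\\" in body:
            reasons.append("autostart executable lives in the ActiveX download cache")
        if "RunOnce" in body and "regsvr32" in body.lower():
            reasons.append("RunOnce re-registers a COM object at next logon: confirm which one and why")
    elif sec == "O16":  # Downloaded ActiveX controls (DPF)
        m = IPV4_URL_RE.search(body)
        if m:
            reasons.append(f"ActiveX control fetched from a bare IP address ({m.group(1)})")
        if not re.search(r"\}\s+\(", body):
            reasons.append("no friendly name recorded for the control (weak signal on its own)")
    elif sec == "O17" and "=" in body:  # TCP/IP Domain and SearchList
        values = [v.strip().lower() for v in body.split("=", 1)[1].split(",")]
        odd = sorted(v for v in values if v and v not in expected)
        if odd:
            reasons.append("DNS suffix outside the expected set: " + ", ".join(odd))
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged entry (rebuilt as its original 'O2 - ...' line) to its reasons."""
    out: dict[str, list[str]] = {}
    for e in parse_log(text):
        reasons = flag(e)
        if reasons:
            out[f"{e.section} - {e.body}"] = reasons
    return out


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Return (entries removed by the cleanup, entries that newly appeared)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


# Constructed samples: the O2/O4/O16/O17 entry lines from the two logs posted in this thread.
LOG_FEB6 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
"""

LOG_FEB7 = r"""
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
"""

if __name__ == "__main__":
    for line, why in triage(LOG_FEB6).items():
        print(line, *("   -> " + w for w in why), sep="\n")
    removed, added = diff_logs(LOG_FEB6, LOG_FEB7)
    print(f"\n{len(removed)} entries gone and {len(added)} new since the first log")
```

On the Feb 6 log the BHO rules fire on five of the six O2 entries (three with no file on disk, two loading from system32) and leave the Adobe helper alone; the Feb 7 log shows those five gone but the ActiveX-cache autostart and the bare-IP control still present, which is the same conclusion Dunker reaches above. Swap the allow-list for your own suffixes before reading anything into the O17 result.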
     
  8. groomjac (Member)
    Dunker, thanks for all the help. I am on a work PC, and the AutoCodeDater and the SPC programs are for quality checks here at work. The Trust Cleaner doesn't pop up any more, and everything seems to be OK. Thanks for all your help.
     
