Hi guys, I'm new to the boards, so hello everyone. I'm at work, and when I try to do a Google search, sometimes this Trust Cleaner ad pops up, and also when I search on eBay. Any help is appreciated. I included a log file from HijackThis. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 4:13:22 PM, on 2/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
C:\WINNT\system32\iprntctl.exe
S:\WinSPC\pub\Autocodedater\AutoCodeDate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\proquota.exe
C:\Program Files\dqs\WinSPC\WinSPC32.exe
C:\Documents and Settings\MCDEPOSIT1\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.CLV.NA.MARS
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - HKLM\..\Run: [iPrint Tray] C:\WINNT\system32\iprntctl.exe TRAY_ICON
O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
This is bad. trustincontext.dll is the main parasite, but I also see the ClientMan dropper, which is a backdoor trojan/dropper. I also see your DNS system is completely compromised, hence the .MARS domains. I think one of the other files might be operating as a DNS redirector, kind of like the NEW.NET malware does. You can try deleting all the below items (a few are unrelated to this but are unneeded, e.g. qttask.exe). You should run SpyBot, CCleaner, AVG Anti-Spyware (Ewido), etc. To clean up the DNS hijack, go into Network Connections, LAN (or whatever you use to connect), select TCP/IP, Properties, then Advanced, and delete anything and everything pertaining to DNS.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.CLV.NA.MARS
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINNT\system32\COMCATb.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINNT\system32\mscoriezb.dll
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - (no file)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
Dunker, thanks for the reply. I think I have fixed it by way of another post on this site in another forum, but here's a new HijackThis log if you don't care to look. Thanks for all the help.

Sorry.

Logfile of HijackThis v1.99.1
Scan saved at 8:25:07 PM, on 2/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\proquota.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
C:\WINNT\system32\iprntctl.exe
S:\WinSPC\pub\Autocodedater\AutoCodeDate.exe
C:\Program Files\dqs\WinSPC\WinSPC32.exe
C:\Program Files\Quick View Plus\Program\qvp32.exe
h:\New Folder\HijackThis_v1.99.1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masterfoodsusa.mars/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag
O4 - HKLM\..\Run: [iPrint Tray] C:\WINNT\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O4 - Global Startup: Shortcut to AutoCodeDate.lnk = WinSPC\pub\Autocodedater\AutoCodeDate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://clvsn1.clv.na.mars/iNotes6.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLV.NA.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clv.na.mars,na.mars,mars,sa.mars,eu.mars,ap.mars,cds.mars
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OracleOracle_871ClientCache - Unknown owner - (no file)
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
Sorry for taking so long to get back. Your system appears to still be infected, and I wouldn't be surprised if there's a rootkit in there. Try renaming your hijackthis.exe file to something else with a .exe extension, as rootkits can use this to identify if HijackThis is being run and hide themselves, and post a log. Likewise, you may also want to try running a somewhat older (and renamed) version afterwards, as rootkits can identify HJT by other means. I see AutoCodeDate.exe and WinSPC32.exe still running, which is likely the trojan itself. The DNS situation is still screwed up too, which is potentially the most serious threat. The following is also not a good sign:

O4 - HKLM\..\Run: [NI.UWAS6_0001_N69M0903] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe" -nag

Try removing those again, or using a product that can tackle these. FYI, as a rule of thumb, avoid paid anti-spyware software except Ewido (AVG Anti-Spyware) and Webroot Spysweeper. I also see you have Norton Anti-Virus, which is probably one of the worst products around. Try uninstalling that and using AVG, Avira AntiVir, or Avast!, which are also free for home use. Incidentally, I noticed you have WinZIP installed:

O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

WinZIP and other compression programs need to be kept up to date as they suffer lots of security problems, so make sure you have the latest version of that.
Dunker, thanks for all the help. I am on a work PC, and the AutoCodeDater and the SPC programs are for quality checks here at work. The Trust Cleaner doesn't pop up any more and everything seems to be OK. Thanks for all your help.