sql.dll will not die - whatever I do!!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Great forum guys.

I now have a reasonably clean machine now after using all the tools mentioned on here but the above Trojan is just so resistant. AVG reports it at every twist and turn.

Have run S&D, Ad-Aware, SWBlaster, CWShredder and TDS-3 but without success.

Please suggest what I should do next.

Thank you in advance
 
Joined
Jul 14, 2004
Messages
147
Hello tjkniveton and welcome to TSG!

go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Hi,
Here is the log file as requested:

Logfile of HijackThis v1.98.2
Scan saved at 12:13:21, on 02/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\dslmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\12Ghosts\12popup.exe
C:\Documents and Settings\Handles Direct\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.30.47.22:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System MScvb] C:\DOCUME~1\HANDLE~1\LOCALS~1\Temp\application.pif
O4 - HKLM\..\Run: [iestart] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Handles Direct\Application Data\ttuh.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/211004e864e356a88a20/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FDE6B956-B80A-4578-9A10-4C24609412F1} - http://access.gamezdump.com/output/060356/uk/fullgames/fullgames.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba217.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba217.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91DA404-BB7A-4508-9C52-1B02F3473CCB}: NameServer = 62.55.109.14 193.189.244.205
O20 - AppInit_DLLs: C:\WINDOWS\System32\sql.dll
 
Joined
Jul 14, 2004
Messages
147
run hiajckthis put a check next to the following:


C:\Program Files\12Ghosts\12popup.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.handlesdirect.co.uk/acatalog/secretpage.html
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: DSLMON.lnk = ?


after that click fix, and post a fresh log.
 

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Hi,

Did as you asked and log file here:

Logfile of HijackThis v1.98.2
Scan saved at 09:03:25, on 03/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\dslmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\12Ghosts\12popup.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\syz_dat\systray.exe
C:\Documents and Settings\Handles Direct\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.30.47.22:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System MScvb] C:\DOCUME~1\HANDLE~1\LOCALS~1\Temp\application.pif
O4 - HKLM\..\Run: [iestart] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Handles Direct\Application Data\ttuh.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/211004e864e356a88a20/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FDE6B956-B80A-4578-9A10-4C24609412F1} - http://access.gamezdump.com/output/060356/uk/fullgames/fullgames.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba217.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba217.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91DA404-BB7A-4508-9C52-1B02F3473CCB}: NameServer = 62.55.109.14 193.189.244.205
O20 - AppInit_DLLs: C:\WINDOWS\System32\sql.dll
 

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Forgot to mention that the C: line you wanted "fixing" didn't appear in the HJT log - so I couldn't do anything about it.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.30.47.22:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O4 - HKLM\..\Run: [System MScvb] C:\DOCUME~1\HANDLE~1\LOCALS~1\Temp\application.pif
O4 - HKLM\..\Run: [iestart] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Handles Direct\Application Data\ttuh.exe

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/211004e...ip/RdxIE601.cab

O16 - DPF: {FDE6B956-B80A-4578-9A10-4C24609412F1} - http://access.gamezdump.com/output/...s/fullgames.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba217.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba217.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\sql.dll

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

C:\WINDOWS\System32\netda.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\sql.dll
C:\Documents and Settings\Handles Direct\Application Data\ttuh.exe

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
while in the temp folder, select view and select details.
then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
select all the files/folders except the today ones and delete them all.

and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download


Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R6 30.08.2004 or a higher number/later date
Then ........
click the "Scan" button. and select full scan

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

reboot again

then post a new hijackthis log to check what is left
 

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Hi dvk01,

Did everything you asked but with the following exceptions:

1: Couldn't delete C:\WINDOWS\System32\sql.dll as it wouldn't let me - kept giving me the "Couldn't delete. Access denied. Make sure......" message.

2: Couldn't delete C:\Documents and Settings\Handles Direct\Application Data\ttuh.exe as it did not seem to be there. Searched high and low - could have missed it but I don't think so.

3: Couldn't do:

"as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this while in the temp folder, select view and select details. then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page. select all the files/folders except the today ones and delete them all."

as the immediately previous instruction meant that I had just emptied the temp folder. Have I got this wrong somewhere???????

Fresh log is here as requested:

Logfile of HijackThis v1.98.2
Scan saved at 12:26:41, on 06/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Handles Direct\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.30.47.22:8080
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91DA404-BB7A-4508-9C52-1B02F3473CCB}: NameServer = 62.55.109.14 193.189.244.205

Thanks for your help
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
just this one left showing

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe

run HJT again and fix it

with this onme
C:\WINDOWS\System32\sql.dll

download
killbox from
http://download.broadbandmedic.com/Killbox.exe

place it on your desktop and open it

where it says full name of file to delete paste this in C:\WINDOWS\System32\sql.dll

then select delete on reboot and tick end explorer shell while killiong file then press the red cross to delete the file

reboot & hopefully it will remove it

don't worry about point 3, it's just that in many cases XP locks some files with todays date on them and prevents them being removed but if it deleted them all then don't worry
 

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Hi,

Did all that you asked but, sadly, still getting AVG picking up sql.dll all the time - although I think it may be >slightly< less frequent than before.

Posting another log in case it helps

What now?

Tim
-----------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 14:26:02, on 06/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Handles Direct\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.30.47.22:8080
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91DA404-BB7A-4508-9C52-1B02F3473CCB}: NameServer = 62.55.109.14 193.189.244.205
 
Joined
Dec 9, 2000
Messages
45,855
Since Derek appears to be offline right now and I stumbled across your "reported" post, I'll pitch in just a bit for now.

1 .. Restart in Safe Mode, then run HijackThis and check and fix both these entries:

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe

2 ... Follow Symantec's instructions to disable and purge the System Restore cache as given here:

http://service1.symantec.com/SUPPOR...5065b3834b10031488256b0900255ea7?OpenDocument

3 ... now run one or both of your antivirus applications in Safe Mode. Not at the same time. And by the way, you shouldn't really let both automatically run on start. Choose 1 to avoid conflicts.

If your antivirus application doesn't target those files for deletion, find and manually delete them yourself. If you get an access denied message, try renaming them instead.

4 ... reboot and reenable System Restore and post a fresh Scanlog.
 

tjkniveton

Thread Starter
Joined
Sep 2, 2004
Messages
14
Hi Rog,

Thanks for stepping in to help.

I did all that you asked but note the following:

1. When I went to turn System Restore off, it was already off. Is this significant?

2. I ran AVG and it found 4 "net.--" Trojans and dealt with them.

3. I have deleted NAV altogether as the subscription had expired a while ago.

3. Again I could not delete sql.dll so renamed it but it still would not go. I then moved it to a floppy and removed it that way. This seems to have worked.

BUT.....I ran HJT again and the netdc and netda are still there!

Tim

Logfile of HijackThis v1.98.2
Scan saved at 10:05:38, on 07/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Handles Direct\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.handlesdirect.co.uk/acatalog/secretpage.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
see here
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_CCT.A&VSect=T

but why it is reinstalling itself I don't know

check for any of these files

netda.exe
netdc.exe
netdb.exe
prntsrv.dll

in either c\:\windows or C:\windows\system32 or any other system folder and delete them

you might have trouble getting to the link as this virus can sometimes drop a hidden hosts file to prevent you getting to antivirus sites

so Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top