ryanmacdonald
attempt to access invalid address!
I keep getting this error message "attempt to access invalid address" when I try to execute certain programs. I believe it was caused by either spyware or a hijacker. I know that the homepage keeps getting changed, but my bigger issue is that I cannot execute some programs. The tech who worked on the laptop turned off System Restore on the computer, which of course deletes all of the previous restore points, so that is not an option for me. Please let me know if you have any advice for me. Thanks!!
Check your hosts file and remove any entries other than LOCALHOST.
The HOSTS file is at c:\<windows folder>\system32\drivers\etc\
Also, download and run Ad-Aware and Spybot Search and Destroy from
http://www.download.com
Also, run a thorough AV scan [update software] or try one of the free AV here,
http://pcsupport.x-host.uni.cc/security/onlineav.html
This should help.
Good luck!!!
Kumaran
ASKER
Logfile of HijackThis v1.97.7
Scan saved at 4:44:30 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\TOSHIBA\ivp\ISM\pinger.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Suberri\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7F08B170-130E-4657-81EC-E91E2E2CA495} - C:\WINDOWS\System32\dna.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: http://www.fs.ml.com
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {229C22C0-B5B4-414D-A00C-7669274293B8} (PjAdoInfo2 Class) - https://engineering3/ProjectServer/objects/pjclient.cab
O16 - DPF: {97BD39CC-7168-4C60-9E1A-A4A6059FEA26} (Pj10enuC Class) - https://engineering3/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ilogix.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Eastern.Research
O17 - HKLM\Software\..\Telephony: DomainName = Eastern.Research
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Eastern.Research
ASKER
Also, the hosts file was full of local loopback addresses paired with web sites. I know it should only have the local loopback address associated with the localhost name. I copied an empty hosts file to the PC and made it read-only so that it will not be overwritten again. Hope the log file helps.
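Kumaran's advice and the asker's finding above come down to one check: a hosts file should map nothing except localhost to the loopback address. The following is an added example, not code from the thread, that audits a hosts file for exactly that and rebuilds a clean one; the sample file contents, the site names and the documentation address 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Constructed sample of a hijacked hosts file, modelled on what the asker found:
# vendors' update and scan sites pinned to the loopback address so they never load.
# 203.0.113.5 is a documentation address standing in for a real redirect target.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.download.com
127.0.0.1       www.symantec.com
127.0.0.1       housecall.trendmicro.com
203.0.113.5     www.google.com   # sent to a host the user never chose
"""

# The only mapping a stock Windows hosts file needs.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (ip, [names]) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if fields:
            yield fields[0], fields[1:]

def audit_hosts(text):
    """Return every entry other than loopback -> localhost, tagged by effect:
    'pinned'    name -> loopback: the site is silently blocked (the symptom in
                the thread: security vendors' sites unreachable)
    'redirect'  name -> any other address: the site is silently replaced
    'malformed' first field is not an IP address at all"""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.append(("malformed", ip, " ".join(names)))
            continue
        for name in names:
            if loopback and name.lower() in LOOPBACK_NAMES:
                continue
            findings.append(("pinned" if loopback else "redirect", ip, name))
    return findings

def clean_hosts(text):
    """Rebuild the file keeping only lines audit_hosts() has nothing to say
    about: comments, blank lines and the localhost mapping itself."""
    return "\n".join(l for l in text.splitlines() if not audit_hosts(l)) + "\n"

# On a live machine (path from the thread) pass the file contents in, e.g.
# audit_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())
```

Setting the rebuilt file read-only, as the asker did, stops the simplest re-infection, but anything running with the right privileges can clear the attribute, so re-run the audit after the machine has been cleaned.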
ryanmacdonald,
Close all browser windows, clear out your temporary internet files.
Tick the checkbox in front of the following lines, afterwards, click "fix checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:80
O2 - BHO: (no name) - {7F08B170-130E-4657-81EC-E91E2E2CA495} - C:\WINDOWS\System32\dna.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present <= ask your Administrator if he set these!!!!
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <= ask your Administrator if he set these!!!!
LucF
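LucF picked those lines out of the log by hand. As an added example (not code from the thread or from HijackThis), the script below writes down the rules he applied and runs them over a constructed excerpt of the posted log, then links the flagged R1 search entries to the O2 BHO that shares their DLL, since removing one without the other is how these hijacks come back. The rule set and the reason strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the log posted above; Adobe BHO, Toshiba page, Apoint are benign.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dna.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7F08B170-130E-4657-81EC-E91E2E2CA495} - C:\WINDOWS\System32\dna.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
DLL_RE = re.compile(r"([\w.-]+\.dll)", re.I)
SYSDIR_RE = re.compile(r"\\(WINDOWS|WINNT)\\System32\\[^\\]+$", re.I)

def triage(log_text):
    """Return (section, reason, line) for each line that deserves a second look.
    Rules as applied in the thread: R0/R1 values that are res:// URLs or marked
    (obfuscated) point the search/start page into a local DLL; an O2 BHO living
    in the system directory is out of place; ProxyServer and O6 restrictions are
    normal on a managed corporate PC but also how hijackers pin settings, so
    confirm them with the administrator before fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section in ("R0", "R1"):
            if "(obfuscated)" in body or "res://" in body:
                reason = "search/start page redirected into a local DLL"
            elif "ProxyServer" in body:
                reason = "proxy set; confirm with administrator"
        elif section == "O2" and SYSDIR_RE.search(body):
            reason = "BHO loaded from the system directory"
        elif section == "O6":
            reason = "IE policy restrictions present; confirm with administrator"
        if reason:
            findings.append((section, reason, line))
    return findings

def linked_dlls(findings):
    """Group flagged lines by the DLL they name, so the R1 search hijack and the
    O2 BHO that keeps putting it back show up as one component to remove."""
    by_dll = defaultdict(set)
    for section, _, line in findings:
        for dll in DLL_RE.findall(line):
            by_dll[dll.lower()].add(section)
    return {dll: sorted(s) for dll, s in by_dll.items() if len(s) > 1}
```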
Hmm.. sorry, missed one.. also for
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:80
applies "ask your Administrator if he set these!!!!"
If you go to www.pestpatrol.com and scan, it will give you the name and registry entries of whatever spyware you have.
Also scan from the internet to see if you also have any Trojans/worms:
www.symantec.com/securitycheck
or
http://housecall.trendmicro.com
Once you are clean, then re-enable your System Restore
(Control Panel, System, System Restore)
ASKER
Lucf,
I will delete those entries and let you know how I made out. I left work for the day and will test it out tomorrow morning, 8 am EST.
Ryan
ASKER
I deleted those entries using HijackThis, and even though it looks like the hijacker is gone, I still cannot run certain .exe files. An example of an .exe that I cannot run is the setup to install a proxy client on the end user's PC. Any other suggestions?
ASKER CERTIFIED SOLUTION
ASKER
I will try using the Trend Micro virus scan and try removing the autostart, and let you know how I make out. Thanks!
ASKER
Thanks for all of your help lgtox!
Assuming you already used some kind of anti-spyware program, use this tool and post the logfile:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Greetings,
LucF