
HijackThis Log: Please help Diagnose


7 replies to this topic

#1 chrisratcliffe


Posted 04 February 2005 - 09:36 PM

Logfile of HijackThis v1.99.0
Scan saved at 6:27:20 PM, on 2/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\XPsys.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\Guard.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
E:\WINDOWS\ntpl32.exe
E:\WINDOWS\System32\tibs5.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINDOWS\d3or.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\56801.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Documents and Settings\christian\Desktop\New Folder\HijackThis.exe
E:\WINDOWS\System32\Notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - E:\WINDOWS\system\ppc2.dll
O3 - Toolbar: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll
O4 - HKLM\..\Run: [backup] windrv.exe
O4 - HKLM\..\Run: [w32sup] E:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus2] "E:\Program Files\Messenger\MsgPlus.exe"
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [ntpl32.exe] E:\WINDOWS\ntpl32.exe
O4 - HKLM\..\Run: [tibs5] E:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [sais] e:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [backup] windrv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O21 - SSODL: eplrr - {1799BA3F-F515-4A77-A210-494BBC72FF45} - E:\WINDOWS\System32\eplrr3.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\d3or.exe
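
An added example, not code from the thread and not HijackThis's own code: a small Python triage script that parses an HJT log into its "Running processes" and R/O sections and flags entries with the same heuristics the helper applies by hand in the posts that follow (search pages pointing at a res:// DLL, autoruns given as a bare file name, Trusted-zone additions, services with an unknown publisher, files dropped directly in the Windows directory). The embedded LOG is a constructed excerpt of the first log posted in this thread; the function and rule names are the example's own.

```python
"""HijackThis log triage (added example for this thread, not HijackThis code).
Parses the sections the helper walks through above (running processes, R0/R1, O2/O3, O4,
O15, O21, O23) and flags them with his hand heuristics. LOG is a constructed excerpt of post #1."""
import re
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(r'^(R[0-3]|O\d{1,2}) - (.*)$')
WINDIR_RE = re.compile(r'^[A-Z]:\\WINDOWS\\([^\\]+\.(?:exe|dll|dat))$', re.I)  # file directly in %WINDIR%
ALLOWED_IN_WINDIR = {'explorer.exe', 'notepad.exe', 'regedit.exe'}

LOG = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\winhost.exe
E:\WINDOWS\d3or.exe
E:\WINDOWS\56801.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\mopia.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - E:\WINDOWS\system\ppc2.dll
O4 - HKLM\..\Run: [backup] windrv.exe
O4 - HKLM\..\Run: [ntpl32.exe] E:\WINDOWS\ntpl32.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\d3or.exe
"""

def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(section, body), ...]) from an HJT log."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
        elif in_procs:
            in_procs = bool(line)  # a blank line ends the process list
            if line:
                procs.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return procs, entries

def flag_path(path: str) -> Optional[str]:
    """Legitimate binaries rarely live directly in %WINDIR%; numeric names even less so."""
    m = WINDIR_RE.match(path)
    if not m or m.group(1).lower() in ALLOWED_IN_WINDIR:
        return None
    if re.fullmatch(r'\d+\.exe', m.group(1), re.I):
        return 'numeric-named executable directly in the Windows directory'
    return 'non-standard file directly in the Windows directory'

def autorun_target(body: str) -> str:
    """Launched file from an O4 body like 'HKLM\\..\\Run: [x] "C:\\a.exe" /flag'."""
    target = body.split('] ', 1)[1] if '] ' in body else ''
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return re.split(r'\s+[/-]', target, maxsplit=1)[0]

def triage_entry(section: str, body: str) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing noted."""
    reasons: List[str] = []
    if section in ('R0', 'R1'):
        value = body.split(' = ', 1)[1].strip() if ' = ' in body else ''
        if value == 'about:blank' or re.search(r'res://.*\.dll/sp\.html', value, re.I):
            reasons.append('IE page points at about:blank or a res:// DLL page (CWS About:Blank hallmark)')
    elif section == 'O4':
        target = autorun_target(body)
        if target and '\\' not in target:
            reasons.append('autorun target given as a bare file name, no path')
        elif flag_path(target):
            reasons.append(flag_path(target))
    elif section == 'O15':
        reasons.append('site or IP range added to the IE Trusted zone')
    elif section in ('O2', 'O3', 'O21', 'O23'):
        parts = [p.strip() for p in body.split(' - ')]
        if section == 'O23' and len(parts) >= 3 and parts[-2] == 'Unknown':
            reasons.append('service with unknown publisher')
        if section == 'O2' and parts[0].endswith('(no name)'):
            reasons.append('BHO without a name')
        if flag_path(parts[-1]):
            reasons.append(flag_path(parts[-1]))
    return reasons

def triage(text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons, processes first."""
    procs, entries = parse_log(text)
    findings: Dict[str, List[str]] = {p: [flag_path(p)] for p in procs if flag_path(p)}
    for section, body in entries:
        if reasons := triage_entry(section, body):
            findings[f'{section} - {body}'] = reasons
    return findings

if __name__ == '__main__':
    for line, why in triage(LOG).items():
        print(line, '->', '; '.join(why))
```

The rules are deliberately loose heuristics: a hit is a prompt to check the file, not a verdict, and legitimate software in the sample (AVG, Explorer) passes untouched.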



#2 daveai


Posted 05 February 2005 - 01:28 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai


Posted 05 February 2005 - 02:01 PM

I'm back.

Thanks for sending your HJT logfile.

You have several nasty infections, including CWS About:Blank. It's best to go after that one first.

It will take several messages to get you cleaned up.

Here is the first:

This is a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service.
  • Obtain list of irregular services:
  • Please download ServiceFilter.
  • Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
  • Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
  • If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
  • It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
  • Press Ctrl + A simultaneously to select all of the text.
  • Copy and paste the whole thing into your next post.
  • A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.
Send the Post_This.txt log as well as a fresh Hijack This log in your reply to me.

Then, please do not reboot until you hear back from me. I'll be available most of the weekend, so turnaround time should be in hours rather than days :thumbsup:

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 chrisratcliffe


Posted 06 February 2005 - 11:22 PM

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600
Feb 6, 2005 8:18:17 PM


===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: e:\windows\system32\dllhost.exe /processid:{898e3412-a63e-4d2a-b943-6da0eb66afb0}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: %AF
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: e:\windows\d3or.exe /s
State: Running
Process ID: 1748
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 81 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 3.179688 seconds.




Logfile of HijackThis v1.99.0
Scan saved at 8:21:24 PM, on 2/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\XPsys.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\Guard.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\ntpl32.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINDOWS\d3or.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\1575.exe
E:\Documents and Settings\christian\Desktop\New Folder\HijackThis.exe
E:\WINDOWS\14929.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C5085456-DE84-CE66-1C13-187FD6EE63AF} - E:\WINDOWS\ntmy.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ntpl32.exe] E:\WINDOWS\ntpl32.exe
O4 - HKLM\..\RunServices: [backup] windrv.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O21 - SSODL: eplrr - {EFB9E3E4-FB1A-4642-AD38-8F87E2BA86B1} - E:\WINDOWS\System32\eplrr3.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\d3or.exe

#5 daveai


Posted 07 February 2005 - 01:23 PM

Thanks.

Okay...you are fighting a CWS About:Blank infection along with some other things.

We'll go after About:Blank in this post, and take care of the others once we get A:B knocked down.

Here is the first set of instructions:
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip AboutBuster to a convenient folder such as C:\AboutBuster.
    • Run AboutBuster.exe. Click OK, Update, Check For Update. Download the updates if they exist.
    • Click Exit as I do not want you to run the program yet.
  • Prepare cwsserviceremove.reg for use:
  • Print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Reconfigure Windows XP to show hidden files:
    • Click Start. Open My Computer.
    • Select the Tools menu and click Folder Options. Select the View Tab.
    • Under the Hidden files and folders heading select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option.
    • Click Yes to confirm. Click OK.
  • Boot into Safe Mode:
    • Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    • To get back to normal mode just restart the computer as you normally would.
  • Stop and disable the offending service:
    • Start | Run | type services.msc | OK
    • Scroll down the list until you find the service called Remote Procedure Call (RPC) Helper
    • Double-click on it and under the General tab click Stop to stop the service.
    • Change the Startup Type to Disabled.
    • Click Apply and then OK and close any open windows.
  • End the service process:
    • Press the Ctrl + Alt + Delete keys simultaneously to open the Task Manager.
    • Under the Processes tab find E:\WINDOWS\d3or.exe
    • Click End Process.
    • Under the Processes tab find E:\WINDOWS\ntpl32.exe
    • Click End Process.
    • File | Exit Task Manager
  • Fix malicious entries with HijackThis v1.98.2:
    • Please close all browsers and windows that you might have open.
    • Open HijackThis and click Scan.
    • Place checkmarks in the boxes next to these entries (if present):
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\ozlsn.dll/sp.html#12345
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      • R3 - Default URLSearchHook is missing
      • O2 - BHO: (no name) - {C5085456-DE84-CE66-1C13-187FD6EE63AF} - E:\WINDOWS\ntmy.dll
      • O4 - HKLM\..\Run: [ntpl32.exe] E:\WINDOWS\ntpl32.exe
      • O4 - HKLM\..\RunServices: [backup] windrv.exe
      • O15 - Trusted Zone: *.frame.crazywinnings.com
      • O15 - Trusted Zone: *.static.topconverting.com
      • O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
      • O15 - Trusted Zone: *.static.topconverting.com (HKLM)
      • O21 - SSODL: eplrr - {EFB9E3E4-FB1A-4642-AD38-8F87E2BA86B1} - E:\WINDOWS\System32\eplrr3.dll
      • O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\d3or.exe
    • Once you have placed a checkmark next to each one of them, click Fix Checked.
  • Remove malicious programs:
    • Please remove these entries from Add/Remove Programs in the Control Panel (if present): none
  • Remove malicious folders:
    • Please delete these folders using Windows Explorer (if present): none
  • Remove malicious files:
    • Please delete these files using Windows Explorer (if present):
      • E:\WINDOWS\system32\ozlsn.dll <-- this file
      • E:\WINDOWS\System32\eplrr3.dll <-- this file
      • E:\WINDOWS\d3or.exe <-- this file
      • E:\WINDOWS\ntmy.dll <-- this file
      • E:\WINDOWS\ntpl32.exe <-- this file
      • E:\WINDOWS\1575.exe <-- this file
      • E:\WINDOWS\14929.exe <-- this file
  • Remove the offending service:
    • Double-click the cwsserviceremove.reg file you downloaded at the beginning.
    • Answer Yes when prompted to add the contents to the registry.
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
  • Restart your computer normally to return to normal mode.
  • Restore (possibly) deleted files:
    • control.exe - Visit this page.
      • Download the version of control.exe that corresponds to your operating system.
      • If you are running Windows 95, 98, or ME copy it to C:\WINDOWS.
      • If you are running Windows 2000 copy it to C:\WINNT\system32.
      • If you are running Windows XP copy it to C:\WINDOWS\system32.
    • HOSTS - Download the Hoster.
      • Unzip Hoster to a convenient folder such as C:\Hoster.
      • Run Hoster.exe, click Restore Original Hosts and then click OK.
      • Click the X to exit the program.
      • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
    • SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from here and copy it to the default Spybot folder.
      • The normal path is C:\Program Files\Spybot - Search & Destroy.
    • shell.dll - Visit this page.
      • Download the version that corresponds to your operating system.
      • If you are running Windows 98 copy it to C:\WINDOWS\System.
      • If you are running Windows 2000 copy it to C:\WINNT\System32.
      • If you are running Windows XP copy it to C:\WINDOWS\System32.
  • Check ActiveX security settings:
    • In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled)
    • Script ActiveX controls marked safe for scripting (Prompt)
  • Run an online virus scan:
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.
I'll follow up with the next set of instructions.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#6 chrisratcliffe


Posted 09 February 2005 - 01:50 AM

Logfile of HijackThis v1.99.0
Scan saved at 10:46:49 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\Guard.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Documents and Settings\christian\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - E:\WINDOWS\system\ppc2.dll
O3 - Toolbar: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



Scanned at: 10:45:46 PM on: 2/8/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23


ADS not scanned System(FAT)
Removed! : E:\WINDOWS\olquq.dll
Removed! : E:\WINDOWS\gckzn.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!


COMPLICATIONS:

#7 chrisratcliffe


Posted 09 February 2005 - 01:54 AM

Logfile of HijackThis v1.99.0
Scan saved at 10:46:49 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\winhost.exe
E:\WINDOWS\Guard.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Documents and Settings\christian\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - E:\WINDOWS\system\ppc2.dll
O3 - Toolbar: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



Scanned at: 10:45:46 PM on: 2/8/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23


ADS not scanned System(FAT)
Removed! : E:\WINDOWS\olquq.dll
Removed! : E:\WINDOWS\gckzn.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!


COMPLICATIONS:
1. My computer is now really slow when it boots up, and also when opening programs.
2. Was I supposed to turn the (RPC) Helper back on?

Thanks for helping me out!

#8 daveai


Posted 09 February 2005 - 02:06 PM

Thanks.


Good work so far. The About:Blank infection is knocked down.

Now we'll take care of the remaining problems showing up on your system.


First...

Of immediate concern is the outdated version of Internet Explorer you are running. Please start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there to ensure you are up to date on critical security patches.


Next...

Download the file called DelDomains.inf to your desktop.

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

Do this after you have completed the following instructions and replied to me at the end of the fix.



And now, the HijackThis fix and general cleanup.

Since you will not be able to access this page in safe mode during this fix, please print these instructions now, or save them to your desktop, to help keep track of the steps.


To start, follow this link for instructions to enable 'show all files' for your system.


1 -- After checking yourself against the following instructions, run AdAware and Spybot Search and Destroy:

Please see How to use Ad-Aware to remove Spyware for instructions on how to download, install and then use this software.

Please see How to use Spybot to remove Spyware for instructions on how to download, install and then use this software, which may catch things that Ad-Aware misses.

Please let me know if anything can not be cleaned by these utilities.


2 -- Next, use Control Panel > Add/Remove Programs to remove any of the following malware that you find:

mscman



3 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - E:\WINDOWS\system\ppc2.dll

O3 - Toolbar: 24T - {4E7BD74F-2B8D-469E-C68A-8D2CF4D5FA7D} - E:\WINDOWS\system\ppc.dll

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.static.topconverting.com

Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


4 -- Reboot into Safe Mode (How do I boot into "Safe" mode?), then use Windows Explorer to delete the following lists of program files and folders, if they still exist.

E:\WINDOWS\system\ppc.dll <-- this file

E:\WINDOWS\system\ppc2.dll <-- this file

Please let me know about any problems with the file/folder deletes.


5 -- Next, use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete Files" button. When prompted place a check in "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold Ctrl and highlight a batch of them at a time. Once highlighted, right-click over the highlight and select Delete. Rinse, lather, repeat until the folder is empty.


6 -- Now, reboot normally and run at least two of these online virus scans (Or more if you wish.), reboot after each scan:

RAV<<<Add a check by 'Autoclean', leave everything else as is.

eTrust<<<'Cure' whatever is found, then delete if unsuccessful

Housecall<<<Put on 'Autoclean' and delete what it can't clean.

Panda ActiveScan<<<Accept default settings

If the above find things to clean, please re-run them to be sure the bad files are gone. If not, please tell me what could not be cleaned up.


Now, reboot once again, and run HijackThis to create a new logfile. Repost it here, and if you had any problems with the steps outlined above, please let us know what they were. Your response and the new logfile will determine the next steps for this fix.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous



