Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help. Thanks! johnboyinfl


  • Please log in to reply
2 replies to this topic

#1 johnboyinfl

johnboyinfl

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 20 February 2005 - 12:03 PM

i tried following the instructions from http://www.bleepingcomputer.com/forums/t/3341/how-to-remove-home-search-assistant-cws-ns3-backdoor-bdd/
i thought i had it figured out but i guess not because when i did a reboot i got the only the best pop up and more. :-)
i also had an error message
"Windows cannot find c:/windows\system32\mskw32.exe make sure you typed the path name correctly, and then try again. To search for a file, click the start button and then click search."

-----------------------------------------------------------------------------------

let me tell you what i did already (that didn't work)

i ran spybot s&d and adaware
i then tried following the instructions at.
http://www.bleepingcomputer.com/forums/t/3341/how-to-remove-home-search-assistant-cws-ns3-backdoor-bdd/

i did the reboot into safe mode.
i found the network security service running... c:\windows\javagr32.exe
i disabled it.

i didn't find anything in my running processes that i thougth i should delete.. i did find lsass.exe and smss.exe and csrss.exe that i did research on and found out that they are okay???

i ran hijackthis and got............(original log so you can see if i deleted something i shouldn't have......)
Logfile of HijackThis v1.99.1
Scan saved at 1:10:58 AM, on 2/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\tibs5.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\apirz32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\mskw32.exe
C:\Documents and Settings\John\Desktop\delete spyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phpyn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phpyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\phpyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phpyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phpyn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phpyn.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5B61BDC-0B56-F5CE-80B3-EA952A978484} - C:\WINDOWS\system32\ntgq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [24.tmp] C:\DOCUME~1\John\LOCALS~1\Temp\24.tmp.exe 2 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [apirz32.exe] C:\WINDOWS\system32\apirz32.exe
O4 - HKLM\..\RunOnce: [ntgq32.exe] C:\WINDOWS\system32\ntgq32.exe
O4 - HKLM\..\RunOnce: [mskw32.exe] C:\WINDOWS\system32\mskw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098044191216
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINDOWS\javagr32.exe (file missing)

-----------------------------------------------------------------------------------------

from that, i checked...........
O2 - BHO: (no name) - {C5B61BDC-0B56-F5CE-80B3-EA952A978484} - C:\WINDOWS\system32\ntgq32.dll
O4 - HKLM\..\Run: [24.tmp] C:\DOCUME~1\John\LOCALS~1\Temp\24.tmp.exe 2 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\RunOnce: [ntgq32.exe] C:\WINDOWS\system32\ntgq32.exe
O4 - HKLM\..\RunOnce: [mskw32.exe] C:\WINDOWS\system32\mskw32.exe

i then found and deleted mshw32.exe
that must be why i am getting the.......
"Windows cannot find c:/windows\system32\mskw32.exe make sure you typed the path name correctly, and then try again. To search for a file, click the start button and then click search." error message. :-(

i did not find...
tibs5.exe
or
ntgq32.exe
so i couldn't delete them.

ran adspy
did not see javagr32.exe in the list so i did not delete anything.

i did not run the cws-hsa.reg file because i forgot to download it before i started all of this.. :-(


i ran about:buster and got......
Scanned at: 11:12:08 AM on: 2/20/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 2 Random Key Entries
Removed! : C:\WINDOWS\System32\ymamg.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


then i did a reboot and only the best pop up and more. :-)

so here i am with my new log............please help.. i hope i didn't ramble on and provide too much information. thanks so much for this service.

johnboyinfl

-------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:36:50 AM, on 2/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\apirz32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\system32\ntxc32.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17AF3D30-061C-15C3-F3DD-FF77212FA819} - C:\WINDOWS\system32\iesi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [apirz32.exe] C:\WINDOWS\system32\apirz32.exe
O4 - HKLM\..\RunOnce: [ntxc32.exe] C:\WINDOWS\system32\ntxc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098044191216
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINDOWS\javagr32.exe (file missing)

BC AdBot (Login to Remove)

 


#2 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:07 AM

Posted 20 February 2005 - 09:41 PM

Hello johnboyinfl and Welcome! :thumbsup:
Sorry you're having malware trouble.

Please follow ALL these instructions slowly and carefully.

Please enable all hidden files and folders in Windows. For instructions click here

Download and install CCleaner here.
Please do not run the CCleaner utility yet.

Please configure the Ad-Aware program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Please do not run a scan with Ad-Aware yet.

Download the eScan Antivirus Toolkit here. Save it to the desktop. This program is 9.55MB in size. Before running the program, we need to update the signature files first.

Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the desktop; it will extract the program files to new folder called Kaspersky at the root of the C:\drive in Windows, C:\Kaspersky.
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file.
3.) Double-clicking on the kavupd.exe file open the command prompt (DOS screen) and update the program with all the latest signature files. By default, the update process creates a folder on the root of the C:\drive called Downloads. This is where the updated files are placed.
4.) After the update is complete, copy and paste these new updated signature files (from the C:\Downloads folder) to the C:\Kaspersky folder where eScan originally extracted the antivirus program files.
Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Go to Start, Run, type in services.msc, click OK, scroll down and look for Network Security Service, double-click on it, click STOP, change Startup Type to Disabled, click OK.

Please reboot into Safe Mode. For instructions click here

From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kgipd.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {17AF3D30-061C-15C3-F3DD-FF77212FA819} - C:\WINDOWS\system32\iesi32.dll
O4 - HKLM\..\Run: [apirz32.exe] C:\WINDOWS\system32\apirz32.exe
O4 - HKLM\..\RunOnce: [ntxc32.exe] C:\WINDOWS\system32\ntxc32.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O23 - Service: Network Security Service (�%AF) - Unknown owner - C:\WINDOWS\javagr32.exe (file missing)


These are not malware, but unneeded resource hogs; they are safe to delete in HijackThis also.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

From Safe Mode, please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.

C:\WINDOWS\javagr32.exe <----Delete this file.
C:\WINDOWS\system32\apirz32.exe <----Delete this file.
C:\WINDOWS\system32\ntxc32.exe <----Delete this file.
C:\WINDOWS\system32\kgipd.dll <----Delete this file.

From Safe Mode, browse to aboutbuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are checked.
4.) Check the Drive box, this will create a another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean (or Scan) button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.

From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

Copy the contents of the Quote Box below to Notepad. Name the file as trustedsitesfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]



Now double-click on the trustedsitesfix.reg file and when it prompts to merge, say Yes. This will clear some registry entries left behind by the malware infections.

From Safe Mode, open CCleaner, click on Options, Settings, uncheck the box "Only delete files in Windows Temp folders older than 48 hours", click OK. Using the default settings, click Run Cleaner and let it scan for all files and folders. (You'll see the results in the large Progress window.) Click Exit.

Reboot PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

#3 johnboyinfl

johnboyinfl
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 05 March 2005 - 06:33 PM

thanks so much for all the help. it seems that all is well and the log looks good. what do you think?



Logfile of HijackThis v1.99.1
Scan saved at 6:30:45 PM, on 3/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098044191216
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users