Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack this logs- please help


  • Please log in to reply
5 replies to this topic

#1 theotrain

theotrain

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 02 March 2005 - 04:31 PM

ive been getting popups for days. maybe due to se.dll but not sure. that particular file though pops back in when i try to uncheck it from the startup list. nasty! help greatly appreciated....
Logfile of HijackThis v1.99.1
Scan saved at 1:15:33 PM, on 3/2/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\addvh.exe
C:\WINDOWS\crib32.exe
C:\WINDOWS\System32\?hkntfs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Windows User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "google.com"); (C:\Documents and Settings\Windows User\Application Data\Mozilla\Profiles\default\fuv3afwd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Windows User\Application Data\Mozilla\Profiles\default\fuv3afwd.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C437648F-5744-78C9-4BC7-77C4AA1C8991} - C:\WINDOWS\d3ov.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [crib32.exe] C:\WINDOWS\crib32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Jpfio] C:\WINDOWS\System32\?hkntfs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/130.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Workstation NetLogon Service (  6Q'8) - Unknown owner - C:\WINDOWS\system32\addvh.exe


BC AdBot (Login to Remove)

 


#2 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 03 March 2005 - 03:13 AM

Hi,

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Now Download the followingAbout:Buster, CWshredder, Ad-aware, & Spy-Bot.
  • Updating Ad-aware:
    Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C437648F-5744-78C9-4BC7-77C4AA1C8991} - C:\WINDOWS\d3ov.dll
O4 - HKLM\..\Run: [crib32.exe] C:\WINDOWS\crib32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Jpfio] C:\WINDOWS\System32\?hkntfs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/130.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\addvh.exe

and click fix.

Remain in safe mode for the next part of the removal.

- Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'
  • Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Press 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Press 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
  • 'Scan Within Archives'
  • 'Scan Active Processes'
  • 'Scan Registry'
  • 'Deep Scan Registry'
  • 'Scan My IE Favorites For Banned URL'S
  • 'Scan My Hosts File'
Click 'Proceed'
  • Now press "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'
Close Out Ad-aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all finding are checked and click 'Fix Selected Problems'
Close SpyBot!

Now Delete the following Files and Folders,

Files:
C:\WINDOWS\system32\addvh.exe
C:\WINDOWS\crib32.exe
C:\WINDOWS\System32\?hkntfs.exe


Folders:
C:\Program Files\Ebates_MoeMoneyMaker

Now Click Start > goto Run > type cleanmgr hit enter > Click 'OK' > Click 'OK' > Exit out the program.

Reboot back into normal mode and please post a fresh Hijackthis log.

#3 theotrain

theotrain
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 03 March 2005 - 02:20 PM

thanks so much for responding. after doing all that i seem to be having the same problem as before though, a popup every 20 minutes or so. (even w/ no browser open) i noticed se.dll is still living comfortably in my Startup list in msconfig too. heres the new HJT log:

_____________________________
Logfile of HijackThis v1.99.1
Scan saved at 11:05:14 AM, on 3/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Windows User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuibc.dll/sp.html#75034
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zuibc.dll/sp.html#75034
N3 - Netscape 7: user_pref("browser.startup.homepage", "google.com"); (C:\Documents and Settings\Windows User\Application Data\Mozilla\Profiles\default\fuv3afwd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Windows User\Application Data\Mozilla\Profiles\default\fuv3afwd.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\addvh.exe (file missing)
_________________


#4 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 03 March 2005 - 04:54 PM

Download: supershell.zip
http://p-nand-q.com/download/tools/supershell.zip

Unzip supershell.zip

Make sure you are logged in under an Administrator account.
(or are a user with Administrator privledges)
Open the unzipped SuperShell folder.
Double-click (launch) SuperShell.exe.

This will launch a Command Prompt window.
at the prompt type regedit and press enter.

Regedit will open. At the top of the window click edit then copy and paste the following into the window.

6Q'8

Then click find now.
When you find the entry right click on it and select delete, anwer ok at the prompt.
Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

If you get a (Permissions) error?
Right-click the key (left pane)

Click Advanced [button]
If the "Inherit Permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control".

Once the program is complete run Hijackthis and place a check next to the following.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zuibc.dll/sp.html#75034
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zuibc.dll/sp.html#75034
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll,DllInstall
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\addvh.exe (file missing)

and click fix.

Now locate the following files and folder and delete them.

File:
C:\WINDOWS\system32\zuibc.dll
C:\WINDOWS\system32\addvh.exe

Folders:
C:\PROGRAM FILES\Utility

Going to give this a try and see if it removes the se.dll file. Please download the following program to your desktop.
http://securityresponse.symantec.com/avcenter/FxAgentB.exe

After you have downloaded the program, boot your computer into safe mode (press f8 during a reboot) and run the program from safe mode.


Once the program is complete post a fresh Hijackthis log.

#5 theotrain

theotrain
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 07 March 2005 - 03:19 PM

hi, thanks again for responding.

after following the steps in the first part, i had a problem opening an application that i needed to use for work. i couldnt really ask for advice at that point bacause i needed to open it quickly, so i did a system restore, and was able to go back a couple days and get the application running.

my suspicion is that that probably totally bleeped up the procedure you were getting me to follow, and we would have to start from scratch.

in any case i did download fixAgentB.exe and it found nothing, but while i was there i downloaded the trial version of Norton Anti-virus and it seemed to do a pretty good job of getting the cooties off my machine, and at least managing the problem temporarily.

im posting a HJT log file anyway, it seems obvious there is still shady stuff in there but the constant popups have stoped. my IE starts on "about:Blank", some crappy wannabe portal, but i dont really use IE. it seems like a neverending battle i cant win, only manage.

Logfile of HijackThis v1.99.1
Scan saved at 11:39:08 AM, on 3/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\?hkntfs.exe
C:\Program Files\Outlook Express\Msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ALG32.EXE
C:\WINDOWS\System32\SPOOLSVU.EXE
C:\WINDOWS\System32\ALG32.EXE
C:\WINDOWS\System32\SPOOLSVU.EXE
C:\Documents and Settings\Windows User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\edzww.dll/sp.html#75034
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "google.com"); (C:\Documents and Settings\Windows User\Application Data\Mozilla\Profiles\default\fuv3afwd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Windows User\Application Data\Mozilla\Profiles\default\fuv3afwd.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {979A9E47-F82E-43C0-840B-492952E55A19} - C:\WINDOWS\System32\dnjn.dll
O2 - BHO: HTDP Class - {9E6EC32A-7C19-4409-99E8-FC980BCDAF26} - C:\WINDOWS\htass.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Jpfio] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/130.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O18 - Filter: text/html - {52443632-0EDB-4247-9777-88B955B5DCEE} - C:\WINDOWS\System32\dnjn.dll
O18 - Filter: text/plain - {52443632-0EDB-4247-9777-88B955B5DCEE} - C:\WINDOWS\System32\dnjn.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\addvh.exe (file missing)



#6 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 09 March 2005 - 04:52 AM

Okay lets take this in steps, first we'll remove the HomeSearch infection, then we'll deal with the se.dll infection.

Close all your internet browser, IE and Firefox also close down any running programs. Click Start > go to Run > type regedit and hit enter > Click Edit > Go To 'Find' > In the 'Find What:' box copy and paste the following 6Q'8 and click 'Find Next' > the search will appear in the Right Column > Right-Click and Select Delete > keep deleting these entries until regedit can't find any more.

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Now Download the following About:Buster, CWshredder, Ad-aware, & Spy-Bot.
  • Updating Ad-aware:
    Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\edzww.dll/sp.html#75034
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {979A9E47-F82E-43C0-840B-492952E55A19} - C:\WINDOWS\System32\dnjn.dll
O2 - BHO: HTDP Class - {9E6EC32A-7C19-4409-99E8-FC980BCDAF26} - C:\WINDOWS\htass.dll
O4 - HKCU\..\Run: [Jpfio] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {644EE240-C406-402C-874E-7556330EE029} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/130.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {52443632-0EDB-4247-9777-88B955B5DCEE} - C:\WINDOWS\System32\dnjn.dll
O18 - Filter: text/plain - {52443632-0EDB-4247-9777-88B955B5DCEE} - C:\WINDOWS\System32\dnjn.dll
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\addvh.exe (file missing)

and click fix.

Remain in safe mode for the next part of the removal.

- Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'
  • Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Press 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Press 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
  • 'Scan Within Archives'
  • 'Scan Active Processes'
  • 'Scan Registry'
  • 'Deep Scan Registry'
  • 'Scan My IE Favorites For Banned URL'S
  • 'Scan My Hosts File'
Click 'Proceed'
  • Now press "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'
Close Out Ad-aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all finding are checked and click 'Fix Selected Problems'
Close SpyBot!

Now Delete the following Files and Folders,

Files:
C:\WINDOWS\System32\addvh.exe
C:\WINDOWS\System32\dnjn.dll
C:\WINDOWS\System32\iegfxfrw.dll
C:\WINDOWS\System32\?hkntfs.exe
C:\WINDOWS\System32\ALG32.EXE
C:\WINDOWS\System32\SPOOLSVU.EXE
C:\WINDOWS\edzww.dll

Folders:
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\Utility

Now Click Start > goto Run > type cleanmgr hit enter > Click 'OK' > Click 'OK' > Exit out the program.

Once complete post a fresh Hijackthis log and we'll tackle the se.dll infection.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users