
HJT Log - Sonya


7 replies to this topic

#1 sonya

Posted 16 July 2004 - 06:22 PM

Next to 'charity' in the dictionary, this forum should be listed! Thanks to anyone who looks this over in his or her free time. This is my first computer since Pentium I came out, and I should have protected myself before I went off browsing.

The problem isn't that dire - just very annoying. Every time I open Internet Explorer the homepage is set to 'res://sum.hc.dll/index.html#12802' and a search window pop-up also appears. I tried following the advice in http://www.geekgirls.com/net_hijacked.htm - including changing the search page values in my registry, but they keep being reset by the malware, wherever it is. I downloaded SpyBot and Ad-Aware and quarantined/fixed everything they identified. Pruning the bad files that HijackThis identified might be my last recourse, but I'm following the advice of checking with a professional first. Well ... coming completely clean, I did try fixing the files that had the offending webpage mentioned (entries 2-7 in my HJT log), but that didn't fix the hijack and they came back as entries when I ran HJT again.

I also downloaded Firefox and plan to use this as my default browser to reduce the chance of future hijacks.

Thanks for any advice (the log is attached),
Sonya

#2 sonya

Posted 16 July 2004 - 07:08 PM

I re-read the instructions and realized I was supposed to paste the log. Here it is:

Logfile of HijackThis v1.98.0
Scan saved at 3:16:56 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\crkp32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\atlfw.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Mulberry\bin32\Kstatus.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sumhc.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sumhc.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sumhc.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E09F949B-33ED-E152-6852-2FECABDB4D1C} - C:\WINDOWS\atlbl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [atlfw.exe] C:\WINDOWS\system32\atlfw.exe
O4 - HKLM\..\RunOnce: [crkp32.exe] C:\WINDOWS\system32\crkp32.exe
O4 - Startup: Kstatus.lnk = C:\Program Files\Mulberry\bin32\Kstatus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\esbwvpip.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146

#3 Grinler

Lawrence Abrams (Admin)

Posted 16 July 2004 - 08:01 PM

When you reply to this post with a new log, please paste it into the reply instead of attaching it. Makes it easier for us. Thanks

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:

Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the following processes if they exist:

C:\WINDOWS\system32\crkp32.exe
C:\WINDOWS\system32\atlfw.exe

Step 3:
I now need you to delete the following files:

C:\WINDOWS\system32\crkp32.exe
C:\WINDOWS\system32\atlfw.exe
The file from the services above.
C:\WINDOWS\system32\sumhc.dll
C:\WINDOWS\atlbl32.dll

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sumhc.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sumhc.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sumhc.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E09F949B-33ED-E152-6852-2FECABDB4D1C} - C:\WINDOWS\atlbl32.dll
O4 - HKLM\..\Run: [atlfw.exe] C:\WINDOWS\system32\atlfw.exe
O4 - HKLM\..\RunOnce: [crkp32.exe] C:\WINDOWS\system32\crkp32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\esbwvpip.exe

Step 5:

In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3, but it may be called something different on your computer.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists, right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

Once it is downloaded, please run the tool. When the tool is open press ok and then start. In the field labeled "Input in here..." enter the following:

res://sumhc.dll/index.html

Then press the OK button. The program will start to delete the various elements of this malware.

When it has completed, move on to step 7.

Step 7:

Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.


#4 sonya

Posted 16 July 2004 - 10:06 PM

Thank you for those detailed instructions, Grinler! I was able to follow most of the steps, but:

1) Under Step 3, I wasn't able to delete the C:\WINDOWS\atlbl32.dll file. It was not read-only (I checked), so I'm not sure why I wasn't able to do so.

2) Under Step 4, entry O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\esbwvpip.exe no longer existed after I ran the HijackThis program again.

3) Under Step 5, no _NS_Service or NS_Service files existed.

The good news is that we got rid of the original page that Internet Explorer was opening up to. The bad news is that Internet Explorer now opens up to res://crzkw.dll/index.html#37049 plus a pop-up window (which ironically, is usually promoting anti-adware/spyware products).

Should I follow the steps you outlined to get rid of any mention of crzkw.dll? Also, do you think my inability to delete C:\WINDOWS\atlbl32.dll is what prevented me from getting rid of the malware?

I ran SpyBot, Ad-Aware, and HijackThis again and have included the new log file. Sorry to present a resistant case!

Sonya


Logfile of HijackThis v1.98.0
Scan saved at 9:45:28 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Mulberry\bin32\Kstatus.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\crzkw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\crzkw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\crzkw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E09F949B-33ED-E152-6852-2FECABDB4D1C} - C:\WINDOWS\atlbl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Kstatus.lnk = C:\Program Files\Mulberry\bin32\Kstatus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146

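The entry types Grinler lists for fixing in post #3, and the before/after comparison that Sonya's second log in post #4 invites, as an added example that is not part of this thread and not HijackThis code: a small Python triage of HijackThis-style R/O entry lines, plus a diff of two scans showing which flagged entries were removed, which survived, and which appeared afterwards (the crzkw.dll lines). The sample text is an abridged copy of the two logs posted above; the flagging rules in `triage`, `_o4_reason` and `compare` are the editor's own heuristics and cover only the entry kinds discussed in this thread.

```python
"""Triage HijackThis-style log entries for the indicators this thread deals with
and diff two scans to see which were resolved, which survived and which are new.
Added example for this thread; the rules are the editor's heuristics, not
HijackThis logic, and the sample text is an abridged copy of Sonya's logs."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# "R0 - ..." / "O4 - ..." entry lines; process-list and header lines are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# "HKLM\..\Run: [label] target" as HijackThis prints registry autostarts.
O4_RE = re.compile(r"HK\w+\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.+)$")

# Constructed sample: abridged from the first log posted (scan of 7/16/2004, 3:16 PM).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sumhc.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sumhc.dll/sp.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E09F949B-33ED-E152-6852-2FECABDB4D1C} - C:\WINDOWS\atlbl32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [atlfw.exe] C:\WINDOWS\system32\atlfw.exe
O4 - HKLM\..\RunOnce: [crkp32.exe] C:\WINDOWS\system32\crkp32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\esbwvpip.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146
"""

# Constructed sample: abridged from the second log posted (scan of 7/16/2004, 9:45 PM).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\crzkw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E09F949B-33ED-E152-6852-2FECABDB4D1C} - C:\WINDOWS\atlbl32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146
"""


def _o4_reason(body):
    """Weak hints only (editor's heuristic): RunOnce autostarts, and autostarts whose
    label is just the file name of a bare executable sitting directly in WINDOWS or
    system32, the pattern of the atlfw.exe / crkp32.exe entries in this thread."""
    m = O4_RE.match(body)
    if not m:
        return None  # Startup-folder .lnk entries and the like
    kind, label, target = m.groups()
    if kind == "RunOnce":
        return "RunOnce autostart; compare with the running-process list"
    target = target.strip().strip('"').lower()
    parent, _, name = target.rpartition("\\")
    if label.lower() == name and parent in (r"c:\windows", r"c:\windows\system32"):
        return "autostart named after a bare executable in the Windows directory"
    return None


def triage(log_text):
    """Return a Finding for every entry line that matches one of the indicators."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and "res://" in body.lower():
            reason = "IE start/search page points at a res:// resource inside a DLL"
        elif section == "R3" and "is missing" in body:
            reason = "default URLSearchHook removed"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reason = "unnamed Browser Helper Object"
        elif section == "O4":
            reason = _o4_reason(body)
        elif section == "O16" and "file://" in body.lower():
            reason = "Download Program Files entry loading from a local file:// path"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def compare(before_text, after_text):
    """Diff the flagged entry lines of two scans: resolved, still present, newly seen."""
    before = {f.line for f in triage(before_text)}
    after = {f.line for f in triage(after_text)}
    return {
        "resolved": sorted(before - after),
        "remaining": sorted(before & after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    for key, lines in compare(LOG_BEFORE, LOG_AFTER).items():
        print(f"\n{key}:")
        for line in lines:
            print("   ", line)
```

Run against the two abridged logs, the diff shows the sumhc.dll page entries, both O4 autostarts and the O16 entry gone after Grinler's steps, while the unnamed BHO at C:\WINDOWS\atlbl32.dll (the file Sonya could not delete) and the missing URLSearchHook survive, and the crzkw.dll search-page entries are new. The O17 NameServer lines are deliberately not flagged: the example has no basis for judging a DNS address, and the thread does not treat them as part of the infection.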
#5 Grinler

Posted 16 July 2004 - 11:17 PM

Did you see the network security service in step 1?

#6 sonya

Posted 17 July 2004 - 09:12 AM

Yes, I did see the Network Security Service step and followed those instructions. The name of the file listed in the Path to executable field was:

C:\WINDOWS\system32\crkp32.exe /s

I'm not sure what the /s meant, but I figured that I had taken care of the deletion when I deleted C:\WINDOWS\system32\crkp32.exe under step 3.

Interestingly, if I didn't delete the .exe files fast enough after ending the processes in task manager, they would pop back up in the task manager. (I had to have the task manager and windows explorer open at the same time so I could delete immediately after ending the process.)

The only other things I can think of to add are:

1) Under step 7, I downloaded the Hoster and restored original hosts as instructed. However, I didn't know where to put the Hoster I downloaded and left it on the desktop.

2) In the process of doing everything, something called desktop.ini also appeared on my desktop.

Hopefully I'm missing something obvious here. I appreciate your help.

Sonya

#7 sonya

Posted 17 July 2004 - 03:43 PM

Great news - I was finally able to get rid of the atlbl32.dll file! I downloaded Sysinternals Process Explorer to see what exe's were using atlbl32.dll, and explorer.exe was. Maybe this was why I couldn't manually delete it and HijackThis couldn't delete it. I then ran BHO Demon, which disabled it, and I was able to manually delete it. After that, I followed your instructions again and Internet Explorer opened to the msn webpage. I successfully changed my home page to the NYTimes. Could you look at the following HijackThis log (hopefully my last) and tell me if it looks clean?

Thank you!

Logfile of HijackThis v1.98.0
Scan saved at 3:40:46 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Mulberry\bin32\Kstatus.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Kstatus.lnk = C:\Program Files\Mulberry\bin32\Kstatus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{348717D7-D120-448A-BBBF-E49120B784EE}: NameServer = 205.188.146.146

#8 Grinler

Posted 17 July 2004 - 04:24 PM

Nope, you are not missing anything. This is just a pain to remove.

Post a fresh log so I know what to tell you to do.



