
Recurring problem with CWS Hijacker


20 replies to this topic

#1 ebidder


Posted 09 March 2005 - 07:54 AM

Hi there, having a problem trying to get rid of CWS. Have tried DOS Scan, CWShredder. My HJT scan is below. I've deleted all entries from R1 down to entries O18 but they are back again. Any help would be much appreciated. Thanks!



Logfile of HijackThis v1.99.1
Scan saved at 12:46:15, on 09/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\ECLEA1_7.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F5F474C9-8FED-11D9-BDDB-000B546910A7} - C:\WINDOWS\SYSTEM\IGPPNA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {6DBFFB60-9097-11D9-BDDB-000B8A5B471D} - C:\WINDOWS\SYSTEM\IGPPNA.DLL
O18 - Filter: text/plain - {6DBFFB60-9097-11D9-BDDB-000B8A5B471D} - C:\WINDOWS\SYSTEM\IGPPNA.DLL



#2 ddeerrff

Malware Response Team (Retired)

Posted 09 March 2005 - 12:47 PM

Hello ebidder and welcome to BleepingComputer.

Hopefully you have not deleted the backups created by HijackThis, as you have managed to remove much that should not have been removed.

- Open HJT and click on "None of the above, just start the program".
- Click on "config..." then the 'Backups' button.
- Select all listed items and click on "Restore".
- Close HJT.

Reboot normally and post a new HJT log.
Derfram
~~~~~~

#3 ebidder


Posted 09 March 2005 - 04:49 PM

Hi, I've tried to restore and it won't restore any of the entries.
Some of the entries at 04 are graphics but I can do without them for now.
Have reset my MSGTAG and that is all. Nearly all entries were se.dll and registry changes set to HomePageStart.
Another one or two were "Extra Button" & "Extra Tools".
At the moment I haven't had any sightings of the trojan.
I've deleted entries in safe mode.
Also found se.dll wouldn't delete in C:\WINDOWS\TEMP so I deleted the whole TEMP folder.

If it comes back again I'll format the hard drive as I've tried all options I can find to do.
Many thanks for your help!


Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:43:58, on 09/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSGTAG] "C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup


#4 ddeerrff


Posted 09 March 2005 - 04:57 PM

OK, let's work with what we have...


1. Download Startdreck from the following location:
http://www.niksoft.at/_data/startdreck.zip

2. Unzip the file onto your desktop.

3. Double-click the startdreck.exe program and when it loads, click on the Config button.

4. Press the Unmark All button.

5. Then select the following checkboxes:

- Run Keys under the Registry Section
- Running Processes under the System/Drivers section.


6. Press the OK button.

7. When it is done scanning your computer, press the Save button and then open that log and post its contents as a reply to this message.
Derfram
~~~~~~

#5 ebidder


Posted 09 March 2005 - 05:13 PM

Hi, Here is the log for StartDreck:

StartDreck (build 2.1.7 public stable) - 2005-03-09 @ 22:08:18 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at 1

»Registry
 »Run Keys
  »Current User
   »Run
    *MSGTAG="C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup
   »RunOnce
  »Default User
   »Run
    *MSGTAG="C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup
   »RunOnce
  »Local Machine
   »Run
   »RunOnce
   »RunServices
   »RunServicesOnce
    **f=rundll32 C:\WINDOWS\HLPLOWO.GIF,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
»Files
»System/Drivers
 »Running Processes
  +FFCFCA13=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFF1C1F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFF00F3=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFF28B3=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFE8367=C:\WINDOWS\RUNDLL32.EXE
  +FFFF4733=C:\WINDOWS\EXPLORER.EXE
  +FFFE4D0B=C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
  +FFFCC1EB=C:\WINDOWS\SYSTEM\PSTORES.EXE
  +FFFBA903=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFFB0393=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific


#6 ddeerrff


Posted 09 March 2005 - 05:32 PM

1. Download CWShredder from the following location and save it to your desktop, but do not run it yet. http://cwshredder.net/bin/CWShredder.exe

2. Reboot your computer, and press F8 when Windows is starting. When you come to the menu, select to boot into the safe command prompt mode.

3. At the DOS prompt type the following (There is a space between del and C:\):

del C:\WINDOWS\HLPLOWO.GIF

4. Copy the text in the quote box below to notepad. Name the file showhidden.reg and change the save as type to All files. Then save the file to the desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]



5. Now double-click on the showfile.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes or OK button.

6. Reboot your computer into Safe Mode.

7. Run CWShredder and click on the Fix button. A tutorial on how to use this program can be found here:
How to remove CoolWebSearch with CWShredder


Reboot your system back to normal mode and post a fresh HJT log. Please be sure to copy the entire log, the last one appeared truncated.
Derfram
~~~~~~

#7 ebidder


Posted 09 March 2005 - 06:02 PM

Hi, It didn't find the C:\WINDOWS\HLPLOWO.GIF file to delete it. Did the merge registry data.
Did CWShredder and all was clear.
Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:51:30, on 09/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSGTAG] "C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup


#8 ebidder


Posted 09 March 2005 - 06:04 PM

Hi again, I've just now had my IE hijacked again. I've straightaway scanned with HJT and it is still the same as above with only 2 entries: MSGTAG & Google.

#9 ebidder


Posted 09 March 2005 - 06:10 PM

I've found in HKEY/L/M/Soft/Microsoft/IE/Main/StartPage..."about:blank".

#10 ddeerrff


Posted 09 March 2005 - 08:48 PM

There is so little running on your machine that it is hard to determine what might be happening.

Can you be more specific as to what you mean by "had my IE hijacked"?

Are you being hijacked to an undesired web page or are you just getting a 'blank page'?

About:blank is the default webpage when there is nothing else set. What happens when you try to set a homepage?
Derfram
~~~~~~

#11 ebidder


Posted 10 March 2005 - 05:41 AM

Hi again, what is happening now is that occasionally when I'm on a web page such as this site it suddenly changes to that search page with lists of links to everything under the sun and has tons of pop-ups all about spyware and viruses.

When I open IE I usually get my homepage which is Google but sometimes it changes itself to that search page.

Still nothing showing in HJT - just the 2 entries below.

Logfile of HijackThis v1.99.1
Scan saved at 10:30:38, on 10/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSGTAG] "C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup



I don't have much running on my PC - I don't have many programs loaded. Just bare 'Windows' mainly.

Still can't figure out why the trojan keeps reappearing when I've done all and everything there is to be done.
AdAware & SpyBot come up clear too.
When the trojan does come back and takes over completely, the only way I can get back to normal is to reboot in Safe Mode, delete the registry entries, and find the se.dll file and delete that too.

Has anyone ever gotten rid of this latest CWS completely?
CWShredder hasn't been updated for months and doesn't seem to work with the latest version of CWS.

Am wondering if I should give up and format the drive.
Any help much appreciated!
Many thanks for all the time spent trying to sort this out.

#12 ddeerrff


Posted 10 March 2005 - 10:36 AM

Let's try a different angle...

Do a normal reboot.

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the hook, which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.


Also post another Startdreck log, same as before.
Derfram
~~~~~~

#13 ebidder


Posted 10 March 2005 - 05:17 PM

Hi, I'll try that and will post the results and many thanks.

Meanwhile, below is the latest HJT log, as the trojan is active again. The log is showing the changed registry entries.

Logfile of HijackThis v1.99.1
Scan saved at 22:09:50, on 10/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {7C19A4E2-91AF-11D9-BDDB-000BCFEC5F95} - C:\WINDOWS\SYSTEM\NHKN.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [MSGTAG] "C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup
O18 - Filter: text/html - {7C19A4E1-91AF-11D9-BDDB-000B3F3EC1E2} - C:\WINDOWS\SYSTEM\NHKN.DLL
O18 - Filter: text/plain - {7C19A4E1-91AF-11D9-BDDB-000B3F3EC1E2} - C:\WINDOWS\SYSTEM\NHKN.DLL


#14 ebidder


Posted 10 March 2005 - 05:26 PM

Hi, That file you asked for in msinfo32 is:

C:\WINDOWS\Hlplowo.gif

The StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-03-10 @ 22:21:19 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at 1

»Registry
 »Run Keys
  »Current User
   »Run
    *MSGTAG="C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup
   »RunOnce
  »Default User
   »Run
    *MSGTAG="C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup
   »RunOnce
  »Local Machine
   »Run
    *sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
   »RunOnce
   »RunServices
   »RunServicesOnce
    **gxmx=rundll32 C:\WINDOWS\HLPLOWO.GIF,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
  +.htm
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  +.js
   *JSFile=C:\WINDOWS\WScript.exe "%1" %*
  +.jse
   *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=C:\WINDOWS\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
  +.vbe
   *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.wsh
   *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
  +.wsf
   *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *{7C19A4E2-91AF-11D9-BDDB-000BCFEC5F95}
   `InprocServer32=C:\WINDOWS\SYSTEM\NHKN.DLL
»Files
 »Autostart Folders
  »Current User
  »Default User
  »Local Machine
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\msdos.sys
  *C:\config.sys
  *C:\autoexec.bat
  *C:\WINDOWS\wininit.bak
»System/Drivers
 »Running Processes
  +FFCFF0E3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFF247B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFF398F=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFF6EA7=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFEB99B=C:\WINDOWS\RUNDLL32.EXE
  +FFFF7F8B=C:\WINDOWS\EXPLORER.EXE
  +FFFE77EF=C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
  +FFF74B3F=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF9B6A3=C:\WINDOWS\SYSTEM\SPOOL32.EXE
  +FFF9AC93=C:\WINDOWS\SYSTEM\PSTORES.EXE
  +FFFA67E7=C:\WINDOWS\RUNDLL32.EXE
  +FFF9518B=C:\WINDOWS\SYSTEM\RNAAPP.EXE
  +FFF9FE37=C:\WINDOWS\SYSTEM\TAPISRV.EXE
  +FFFA489B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFF9A48B=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
 »NT Services
»Application specific


#15 ddeerrff


Posted 10 March 2005 - 05:33 PM

The msinfo32 info confirms the Startdreck info. C:\WINDOWS\Hlplowo.gif is the reinfector.

Navigate to the C:\Windows folder and see if you can see the file. Running the .reg script *should* have made it visible. If you find it, delete it.

If not, boot into safe mode and see if you can find/delete it.

Let me know the results.
Derfram
~~~~~~
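As an added example (not code from this thread, from HijackThis or from StartDreck), the small Python audit below encodes what the helper was looking for in the logs above: a RunServicesOnce or Run entry that hands rundll32 a file without a DLL extension or a file in TEMP, an O18 MIME filter for a text/* type, and a file whose name says image but whose first bytes are a PE "MZ" header. The log lines are copied from this thread; the file contents are constructed, and nothing touches the disk.

```python
import ntpath
import re

# Sample input: autostart and filter lines in the shapes HijackThis (O4, O18)
# and StartDreck (RunServicesOnce) print them, copied from the logs in this thread.
SAMPLE_LINES = [
    'O4 - HKLM\\..\\Run: [sp] rundll32 C:\\WINDOWS\\TEMP\\SE.DLL,DllInstall',
    'O4 - HKCU\\..\\Run: [MSGTAG] "C:\\PROGRAM FILES\\MSGTAG\\MSGTAG.EXE" /startup',
    '**gxmx=rundll32 C:\\WINDOWS\\HLPLOWO.GIF,DllGetClassObject',
    'O18 - Filter: text/html - {7C19A4E1-91AF-11D9-BDDB-000B3F3EC1E2} - C:\\WINDOWS\\SYSTEM\\NHKN.DLL',
]

# Constructed file contents keyed by path: a PE image (MZ header) under a .gif name,
# and a genuine GIF header for comparison. No real files are read.
SAMPLE_FILES = {
    'C:\\WINDOWS\\HLPLOWO.GIF': b'MZ\x90\x00\x03\x00\x00\x00',
    'C:\\WINDOWS\\PICTURE.GIF': b'GIF89a\x10\x00\x10\x00',
}

# rundll32 [path],[export]: the path may be quoted; stop at the first comma.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*\w+', re.IGNORECASE)
LOADABLE_EXT = {'.dll', '.ocx', '.cpl'}                    # what rundll32 normally loads
PE_EXT = {'.dll', '.exe', '.ocx', '.cpl', '.scr', '.sys'}  # names expected to carry MZ


def flag_line(line: str) -> list:
    """Reasons an autostart/filter line deserves a look; an empty list means none."""
    reasons = []
    m = RUNDLL_RE.search(line)
    if m:
        path = m.group(1)
        if ntpath.splitext(path)[1].lower() not in LOADABLE_EXT:
            reasons.append(f'rundll32 loads a file without a DLL extension: {path}')
        if '\\temp\\' in path.lower():
            reasons.append(f'rundll32 loads from a TEMP folder: {path}')
    if line.startswith('O18 - Filter: text/'):
        # A text/html or text/plain filter sits in IE's page-rendering path; the CWS
        # variant in this thread installs one to redirect pages.
        reasons.append('MIME filter installed for a text/* content type')
    return reasons


def header_mismatch(path: str, first_bytes: bytes) -> bool:
    """True when the name is not an executable type but the bytes start with a PE MZ header."""
    return first_bytes[:2] == b'MZ' and ntpath.splitext(path)[1].lower() not in PE_EXT


def audit(lines, files):
    """Combine both checks into one {subject: [reasons]} report."""
    report = {}
    for line in lines:
        reasons = flag_line(line)
        if reasons:
            report[line] = reasons
    for path, data in files.items():
        if header_mismatch(path, data):
            report[path] = ['file named as an image but begins with an MZ (PE) header']
    return report


if __name__ == '__main__':
    for subject, reasons in audit(SAMPLE_LINES, SAMPLE_FILES).items():
        print(subject, reasons)
```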



