HJL Log - brandster


12 replies to this topic

#1 brandster

brandster

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 11 March 2005 - 03:25 AM

I have quite a mess on my computer - my homepage (usually Google) has been changed to about.com, I have constant pop-ups telling me I have spyware & viruses (no kidding), even my printer isn't working. Someone else using the computer clicked on a popup, thinking it would help, but I think it may have caused more problems. I've run Spybot, AdAware, anti-virus from my Internet provider (telus). Have tried to run Panda & Housecall, but am unable to download them. Had a lot of trouble getting Hijack This to download...

Any help you could offer would be greatly appreciated! I'm getting very frustrated & about ready to fire my computer out the nearest window!!!! :thumbsup:

Thanks so much for your time! Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:56 PM, on 3/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZERO KNOWLEDGE\TELUS SECURITY SERVICE\FREEDOM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B972E51-D8CE-4DF3-B30F-19D3FE915DDC} - C:\WINDOWS\SYSTEM\JOJN.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [mwavscan] "C:\WINDOWS\TEMP\MWAVSCAN.COM" /s
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [F225.TMP] C:\WINDOWS\TEMP\F225.TMP.exe 0 10001
O4 - HKLM\..\Run: [A1F2.TMP] C:\WINDOWS\TEMP\A1F2.TMP.exe 0 10001
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [JAVAAG.EXE] C:\WINDOWS\JAVAAG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [APIPK.EXE] C:\WINDOWS\APIPK.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware Programs\SpywareGuard\sgmain.exe
O4 - Startup: Event Reminder.lnk = D:\PMW\PMREMIND.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/8ef4de9a/enter.cab
O18 - Filter: text/html - {4184ABA8-EAD8-40C5-B7A6-1FE497B13EC0} - C:\WINDOWS\SYSTEM\JOJN.DLL
O18 - Filter: text/plain - {4184ABA8-EAD8-40C5-B7A6-1FE497B13EC0} - C:\WINDOWS\SYSTEM\JOJN.DLL


#2 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:07 AM

Posted 11 March 2005 - 12:35 PM

Hello, brandster and Welcome! :thumbsup:
Sorry you're having malware trouble.

Download: "StartDreck", from here

Unzip it to its own folder, name the folder Startdreck and double-click on StartDreck.exe to start the program.

Press Config
Press Unmark All

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press Ok

Press Save and select the location to save the log file
(default is the same folder as the application)

Post the StartDreck log in this thread for review.

#3 brandster

brandster
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 11 March 2005 - 02:17 PM

Hello, SirJon. I've run StartDreck & following is my log. Hopefully you can make some sense out of it.... Thanks!!!

StartDreck (build 2.1.7 public stable) - 2005-03-11 @ 10:42:17 (GMT -08:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as keith at KEITH

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*SpybotSD TeaTimer=C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*SpybotSD TeaTimer=C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
*LoadQM=loadqm.exe
*mwavscan="C:\WINDOWS\TEMP\MWAVSCAN.COM" /s
*TELUS Security service=C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*F225.TMP=C:\WINDOWS\TEMP\F225.TMP.exe 0 10001
*A1F2.TMP=C:\WINDOWS\TEMP\A1F2.TMP.exe 0 10001
*OmgStartup=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
*JAVAAG.EXE=C:\WINDOWS\JAVAAG.EXE
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*APIPK.EXE=C:\WINDOWS\APIPK.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F9201=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFDAA1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFC2CD=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE6D41=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE8F05=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEADC5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE84C5=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFD2A7D=C:\WINDOWS\EXPLORER.EXE
+FFFC74E1=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCAF75=C:\WINDOWS\LOADQM.EXE
+FFFC0355=C:\PROGRAM FILES\ZERO KNOWLEDGE\TELUS SECURITY SERVICE\FREEDOM.EXE
+FFFCC601=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFB159D=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFB07BD=C:\WINDOWS\RUNDLL32.EXE
+FFFB6129=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFFB85C1=C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFA1DED=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFFAA3D1=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
+FFFA8741=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
+FFFAFE39=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
+FFFAD545=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF9180D=C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGMAIN.EXE
+FFF94AE5=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF87F71=C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGBHP.EXE
+FFF7AE2D=C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
+FFF7EB1D=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+F9F24699=C:\WINDOWS\SYSTEM\PSTORES.EXE
+F90075CD=C:\WINDOWS\WINHLP32.EXE
+F914445D=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+F9135DD9=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
+F9129E11=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific

#4 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:07 AM

Posted 11 March 2005 - 03:56 PM

Thank you for posting the StartDreck log; however, I didn't find the rogue hidden file I was looking for.

NOTE: Please print out these instructions beforehand.

PLEASE FOLLOW ALL THESE STEPS SLOWLY AND CAREFULLY.
PLEASE DO NOT FIX ANY ENTRIES ON YOUR OWN WITH THE HIJACKTHIS TOOL.

Please enable all hidden files and folders in Windows. For instructions click here

Download the eScan Antivirus Toolkit here. It is 9.55 MB in size; if it's anything less after the download, please download it again. Save it to the desktop. Before running the program, we need to update the signature files first.

Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\ drive in Windows, C:\Kaspersky.
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\ drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file.
3.) Double-clicking on the kavupd.exe file opens the command prompt (DOS screen) and updates the program with all the latest signature files. By default, the update process creates a folder on the root of the C:\ drive called Downloads. This is where the updated files are placed.
4.) After the update is complete, copy and paste these new updated signature files (from the C:\Downloads folder) to the C:\Kaspersky folder where eScan originally extracted the antivirus program files.
Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Download and install the latest version of Ad-Aware SE here. Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.

NOTE:If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.

Please do not run a scan with Ad-Aware yet.

Download and install CCleaner here.

Please do not run the CCleaner utility yet.

Download the SpSehjfix tool here
Save it to the desktop. Extract the SpSehjfix_Beta6.exe file into its own folder named SpSehjfix.

Please do not run a scan with the SpSehjfix tool yet.

Please reboot into Safe Mode. For instructions click here

From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are checked.
4.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean (or Scan) button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

From Safe Mode, open CCleaner, click on Options, Settings, uncheck the box "Only delete files in Windows Temp folders older than 48 hours", click OK. Using the default settings, click Run Cleaner and let it scan for all files and folders. (You'll see the results in the large Progress window.) Click Exit. This program will delete the rogue files in the C:\WINDOWS\TEMP folder.

From Safe Mode, run the SpSehjfix tool you downloaded and saved earlier.
Double-click SpSehjfix_Beta6.exe click Start Disinfection. By default, this will generate a log, please save this log.

Now reboot back into Normal Mode (Windows) and open HijackThis, click on "Do a system scan and save a logfile", and copy and paste the entire contents of the logfile here for review.

Edited by SirJon, 11 March 2005 - 03:58 PM.


#5 brandster

brandster
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 12 March 2005 - 02:36 AM

Hi, I did all of what you gave me to do, this is the updated hijackthis log. The homepage has returned to google (not about:blank), but we still have some messages coming up... browser help objects are apparently being changed. These messages pop up one after another.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:16 PM, on 3/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZERO KNOWLEDGE\TELUS SECURITY SERVICE\FREEDOM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [A1F2.TMP] C:\WINDOWS\TEMP\A1F2.TMP.exe 0 10001
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware Programs\SpywareGuard\sgmain.exe
O4 - Startup: Event Reminder.lnk = D:\PMW\PMREMIND.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/8ef4de9a/enter.cab

#6 brandster

brandster
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 12 March 2005 - 02:40 AM

Oh, by the way, the logfile from SpSehjfix is as follows:

3/11/2005 10:57:41 PM SPSeHjFix started v1.06
3/11/2005 10:57:41 PM OS: 4
3/11/2005 10:57:41 PM Bad-Dll(IEP): se.dll
3/11/2005 10:57:41 PM UBF: 4
3/11/2005 10:57:41 PM UBB: 0
3/11/2005 10:57:41 PM UBR: 13
3/11/2005 10:57:41 PM Bad IE-pages found:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEM
3/11/2005 10:59:52 PM SPSeHjFix started v1.06
3/11/2005 10:59:53 PM OS: 4
3/11/2005 10:59:53 PM Bad-Dll(IEP): (not found)
3/11/2005 10:59:53 PM BHO-DLL: (not found)
3/11/2005 10:59:53 PM UBF: 4
3/11/2005 10:59:53 PM UBB: 0
3/11/2005 10:59:53 PM UBR: 13
3/11/2005 10:59:53 PM Bad IE-pages found:
3/11/2005 10:59:53 PM Stealth-String not found:
3/11/2005 10:59:53 PM Not infected->END

#7 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:07 AM

Posted 12 March 2005 - 10:42 AM

Good job! :thumbsup:
We’re making progress.

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.

Step 1
Please download CWShredder™ Version 2.1 here. Save it to its own folder named CWShredder and place it at the root of your C:\drive.

Please do not run a scan with the CWShredder utility yet.

Step 2
Please copy the contents of the Quote Box below to Notepad. Name the file as trustedsitesfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]


Step 3
Please reboot into Safe Mode. For instructions click here

Step 4
From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [A1F2.TMP] C:\WINDOWS\TEMP\A1F2.TMP.exe 0 10001
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/8ef4de9a/enter.cab


Step 5
From Safe Mode, go to the CWShredder folder you created earlier, open it and double-click on CWShredder.exe. Click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

Step 6
From Safe Mode, open CCleaner again, click on Options, Settings, uncheck the box "Only delete files in Windows Temp folders older than 48 hours", click OK. Using the default settings, click Run Cleaner and let it scan for all files and folders. (You'll see the results in the large Progress window.) Click Exit.

Step 7
From Safe Mode, double-click on the trustedsitesfix.reg file you saved to the desktop earlier and when it prompts to merge, say Yes. This will clear some registry entries left behind by the malware infections.

Step 8
Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.
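As an added triage helper (not code from this thread or from HijackThis), the Python script below walks a HijackThis v1.99 log and flags the entry classes SirJon singles out above: R-entries pointing at res:// DLL resources or blanked to about:blank, unnamed O2 BHOs, O4 autostarts launched from C:\WINDOWS\TEMP, O15 trusted-zone / trusted-IP / ProtocolDefaults entries, O16 ActiveX downloads from unexpected hosts, and O18 MIME filters. The sample lines are copied from brandster's first log; the list of expected O16 download hosts is an assumption made for this machine.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not part of the thread).

It flags the entry classes the thread's helper singles out for fixing:
R-entries pointing at res:// DLL resources or blanked to about:blank,
O2 BHOs with no name, O4 autostarts launched from C:\\WINDOWS\\TEMP,
O15 trusted-zone / trusted-IP / ProtocolDefaults entries, O16 ActiveX
downloads from hosts not on an expected list, and O18 MIME filters.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B972E51-D8CE-4DF3-B30F-19D3FE915DDC} - C:\WINDOWS\SYSTEM\JOJN.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O15 - Trusted Zone: *.awmdabest.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/8ef4de9a/enter.cab
O18 - Filter: text/html - {4184ABA8-EAD8-40C5-B7A6-1FE497B13EC0} - C:\WINDOWS\SYSTEM\JOJN.DLL
"""

# Hosts whose ActiveX (O16) downloads are expected on this particular machine.
# This list is an assumption made for the example; tune it per system.
EXPECTED_DPF_HOSTS = ("msn.com", "akamai.net", "pandasoftware.com")

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+)\s*-\s*(.*)$")
TEMP_DIR_RE = re.compile(r"\\WINDOWS\\TEMP\\", re.IGNORECASE)
RES_URL_RE = re.compile(r"=\s*res://", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O15"
    reason: str    # why the line deserves attention
    line: str      # the offending log line, verbatim


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None            # headers, running-process list, blank lines
    section, body = m.group(1), m.group(2)

    if section.startswith("R"):
        if RES_URL_RE.search(body):
            return Finding(section, "IE search/start page points at a res:// DLL resource", line)
        if body.endswith("= about:blank") or body.endswith("="):
            return Finding(section, "IE page setting blanked (about:blank or empty)", line)
        if "URLSearchHook is missing" in body:
            return Finding(section, "default URLSearchHook has been removed", line)
    elif section == "O2" and body.startswith("BHO: (no name)"):
        return Finding(section, "Browser Helper Object with no name", line)
    elif section == "O4" and TEMP_DIR_RE.search(body):
        return Finding(section, "autostart entry launches from C:\\WINDOWS\\TEMP", line)
    elif section == "O15":
        if "ProtocolDefaults" in body:
            return Finding(section, "http protocol mapped to the My Computer zone", line)
        return Finding(section, "trusted zone / trusted IP range entry", line)
    elif section == "O16":
        h = HOST_RE.search(body)
        if h and not h.group(1).lower().endswith(EXPECTED_DPF_HOSTS):
            return Finding(section, "ActiveX download from an unexpected host", line)
    elif section == "O18":
        return Finding(section, "MIME filter hooks text/html or text/plain", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = classify(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Entries the script does not flag (toolbars, vendor autostarts, known ActiveX hosts) still deserve a look; the output is a reading order, not a verdict.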

#8 brandster

brandster
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 12 March 2005 - 02:10 PM

Hi! :thumbsup: The computer is going much faster but there are still attempts to change the search and home pages:

SPYWAREGUARD BROWSER PROTECTION ALERT!

An attempt to change IE settings has been detected.

WARNING! Your IE default search url has been changed!
Your IE local machine default search url has been changed
res://msaps.dll/search.html
to
<none>
And then there are two options at the bottom, "Restore old value" and "Keep new value". We always click on restore old value, but the messages just keep rapidly popping up.

And there are others - sometimes it says the homepage is being changed
www.google.ca
to
about:blank
Although, the homepage doesn't actually change, it's still google.

Anyway, here's the latest hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:39:31 AM, on 3/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZERO KNOWLEDGE\TELUS SECURITY SERVICE\FREEDOM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware Programs\SpywareGuard\sgmain.exe
O4 - Startup: Event Reminder.lnk = D:\PMW\PMREMIND.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

Thanks!!

#9 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:07 AM

Posted 12 March 2005 - 03:11 PM

Sorry you're still having trouble.

Please reboot into Safe Mode. For instructions click here

From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


From Safe Mode, please delete the following files and/or folders:
Go to Start, Find, For Files or Folders, and type in each file or folder name.

tss.exe <----Delete this file.
wins32t.dll <----Delete this file.
msaps.dll <----Delete this file.

Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

#10 brandster

brandster
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 March 2005 - 01:13 AM

Sorry we're still giving you trouble!! Thanks for helping us. We tried to find tss.exe, wins32t.dll, and msaps.dll to delete them but they weren't on our computer (we searched under start, search, files and folders). So, here's the latest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:19 PM, on 3/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZERO KNOWLEDGE\TELUS SECURITY SERVICE\FREEDOM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYWARE PROGRAMS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware Programs\SpywareGuard\sgmain.exe
O4 - Startup: Event Reminder.lnk = D:\PMW\PMREMIND.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

#11 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:07 AM

Posted 13 March 2005 - 09:36 AM

Nice Work! :thumbsup:
Your log is clean.

#12 brandster

brandster
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 March 2005 - 08:37 PM

That's great to hear. But we're still getting the following popups:

An attempt to change IE settings has been detected.
WARNING! Your IE search page has been changed!
Your IE local machine search page has been changed from
res://msaps.dll/search.html
to
<none>
What would you like to do?
Restore old value
Keep new value


When I choose "restore old value", I then get:

An attempt to change IE settings has been detected.
WARNING! Your IE default search url has been changed!
Your IE local machine default search url has been changed
res://msaps.dll/search.html
to
<none>
Restore old value
Keep new value


When I choose "restore old value", I get:

Spybot - Search & Destroy has detected an important registry entry that has been changed.
Category - Browser page
Change - Value added
Entry - First home page
New data - http://www.microsoft.com/isapi/redir.dll?Prd=
Allow Change
Deny Change


When I select "deny change", the next popup is:

Spybot - Search & Destroy has detected an important registry entry that has been changed.
Category - Browser page
Change - Value added
Entry - Default_Search_URL
New data - res://msaps.dll/search.html
Allow change
Deny Change


When I select "deny change", I get the same popup as the first one I described here, and they just keep up the same cycle.

Is there any way to get rid of these?
Are they a sign something is still wrong?

Thank you so much for all your help...

#13 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:07 AM

Posted 14 March 2005 - 11:45 AM

An attempt to change IE settings has been detected.
WARNING! Your IE search page has been changed!
Your IE local machine search page has been changed from
res://msaps.dll/search.html
to
<none>
What would you like to do?
Restore old value
Keep new value


When I choose "restore old value", I then get:

An attempt to change IE settings has been detected.
WARNING! Your IE default search url has been changed!
Your IE local machine default search url has been changed
res://msaps.dll/search.html
to
<none>
Restore old value
Keep new value


Choose Keep New Value.
Look at the message closely: if you choose Restore old value you're putting the old malware setting back in. We don't want res://msaps.dll/search.html

Edited by SirJon, 14 March 2005 - 11:46 AM.
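The advice above (keep the new, empty value rather than restoring the res://msaps.dll search page) and the earlier instruction to fix the R1 line and hunt for msaps.dll both come down to one rule: an IE start or search page that is not a plain web URL is the hijack, and "restoring" it re-installs it. The helper below is an added example written for this page; it is not code from the thread, from HijackThis or from SpywareGuard. It parses the R0/R1 lines of a HijackThis v1.99 log, flags values that are not ordinary http/https/about:blank pages, pulls out the DLL a res:// value is served from so it can be searched for on disk, and decides which button to press on a "changed from OLD to NEW" prompt. The sample log lines are constructed from the ones posted in the thread; the clean/suspicious rule is a heuristic of this example, not a HijackThis rule.

```python
"""Triage helper for HijackThis R0/R1 lines and "restore old value" prompts.

Added example: not code from the thread, from HijackThis or from SpywareGuard.
The sample log lines below are constructed from the lines posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# What a clean IE start/search page normally looks like (heuristic, an assumption
# of this example rather than anything HijackThis itself enforces).
CLEAN_PREFIXES = ("http://", "https://", "about:blank")
# How the tools show "nothing set".
EMPTY_VALUES = ("", "<none>")

# R0..R3 line: "R1 - HKLM\Software\...\Main,Search Page = res://msaps.dll/search.html"
R_LINE = re.compile(
    r"^(?P<kind>R[0-3]) - (?P<key>HK(?:LM|CU)\\[^,]+),"
    r"(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$"
)
# res:// URLs are served out of a DLL: res://<dll>/<resource>
RES_URL = re.compile(r"^res://(?P<dll>[^/]+)/", re.IGNORECASE)
# Scheme-less host the way SpywareGuard prints it, e.g. www.google.ca
BARE_HOST = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+(/.*)?")
BINARY_EXT = re.compile(r"\.(dll|exe|ocx)(/|$)")


@dataclass
class RItem:
    kind: str            # R0..R3
    key: str             # registry key the value lives under
    name: str            # value name, e.g. "Search Page"
    value: str           # data
    suspicious: bool     # not a plain web page
    dll: Optional[str]   # DLL named by a res:// value, if any


def is_suspicious_url(value: str) -> bool:
    """Empty values, http(s) URLs, about:blank and bare hostnames are clean;
    anything else (res://, file:, a DLL path) is treated as a hijack."""
    v = value.strip().lower()
    if v in EMPTY_VALUES or v.startswith(CLEAN_PREFIXES):
        return False
    if BARE_HOST.fullmatch(v) and not BINARY_EXT.search(v):
        return False
    return True


def res_dll(value: str) -> Optional[str]:
    """Return the DLL a res:// URL loads, e.g. 'msaps.dll', else None."""
    m = RES_URL.match(value.strip())
    return m.group("dll") if m else None


def parse_r_lines(log: str) -> List[RItem]:
    """Parse every R0..R3 line of a HijackThis log; other sections are ignored."""
    items = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        items.append(RItem(m.group("kind"), m.group("key"), m.group("name").strip(),
                           value, is_suspicious_url(value), res_dll(value)))
    return items


def hijack_dlls(log: str) -> List[str]:
    """DLLs worth searching the disk for: those behind a suspicious res:// page."""
    return [i.dll for i in parse_r_lines(log) if i.suspicious and i.dll]


def prompt_decision(old: str, new: str) -> str:
    """Button to press on "changed from OLD to NEW: Restore old value / Keep new value".

    Restoring writes the old value back, so restore only when the old value is
    clean; when the old value is the hijack and the new one is empty or clean
    (the loop described in the thread), keep the new value."""
    old_bad, new_bad = is_suspicious_url(old), is_suspicious_url(new)
    if old_bad and not new_bad:
        return "Keep new value"
    if new_bad and not old_bad:
        return "Restore old value"
    if old_bad and new_bad:
        # Neither is worth having: keep the new one, then clear the key by hand.
        return "Keep new value"
    return "Restore old value"  # both clean: keep your own setting


# Constructed sample, taken from the lines posted in the thread.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll",
])

if __name__ == "__main__":
    for item in parse_r_lines(SAMPLE_LOG):
        flag = "SUSPICIOUS" if item.suspicious else "ok"
        print(f"{item.kind} {item.name} = {item.value}  [{flag}]")
    print("search disk for:", hijack_dlls(SAMPLE_LOG))
    print(prompt_decision("res://msaps.dll/search.html", "<none>"))
```

Run against a saved HijackThis log, the R1 line is the only one flagged and msaps.dll is the file to search for; fed the prompt from the thread (old res://msaps.dll/search.html, new <none>) it answers "Keep new value", which is the button SirJon recommends. Bare hostnames are accepted because SpywareGuard prints the home page as www.google.ca without a scheme, so a google-to-about:blank prompt is treated as two clean values and the user's own setting is restored.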




