help please


This topic is locked. 11 replies to this topic.

#1 andykuld

Posted 24 July 2004 - 11:47 AM

My uncle's computer is having homepage hijacking and other spyware or adware type problems. I've tried running both ad-aware, and spybot search and destroy to no avail. Here is the HijackThis log. Any help would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 1:10:45 AM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BRODERBUND\MAVIS BEACON TEACHES TYPING DELUXE 11\MINIMAVIS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\ATLLD32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\ATLLD32.EXE
C:\WINDOWS\D3NB32.EXE
C:\WINDOWS\D3NB32.EXE
C:\WINDOWS\D3NB32.EXE
C:\WINDOWS\ADDRQ.EXE
C:\WINDOWS\ADDRQ.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\SYSTEM\MFCOK.EXE
C:\WINDOWS\ATLLD32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\SYSTEM\ADDTM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\IPDV32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\SYSTEM\MFCNJ.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\APIWC32.EXE
C:\WINDOWS\D3NB32.EXE
C:\WINDOWS\MFCDM32.EXE
C:\WINDOWS\ADDRQ.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ayiwh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayiwh.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayiwh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ayiwh.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayiwh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ayiwh.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B41F60FA-6DED-6A3D-8737-C716CB55B622} - C:\WINDOWS\MSZY32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {2DC71E50-378D-4BE1-BFED-02721ACCFD00} - C:\WINDOWS\SYSTEM\PJFAJA.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [IEBN.EXE] C:\WINDOWS\SYSTEM\IEBN.EXE
O4 - HKLM\..\Run: [IPDV32.EXE] C:\WINDOWS\SYSTEM\IPDV32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ATLLD32.EXE] C:\WINDOWS\ATLLD32.EXE
O4 - HKLM\..\RunServices: [D3NB32.EXE] C:\WINDOWS\D3NB32.EXE
O4 - HKLM\..\RunServices: [ADDRQ.EXE] C:\WINDOWS\ADDRQ.EXE
O4 - HKLM\..\RunServices: [MFCDM32.EXE] C:\WINDOWS\MFCDM32.EXE
O4 - HKLM\..\RunServices: [MFCOK.EXE] C:\WINDOWS\SYSTEM\MFCOK.EXE
O4 - HKLM\..\RunServices: [ADDTM.EXE] C:\WINDOWS\SYSTEM\ADDTM.EXE
O4 - HKLM\..\RunServices: [MFCNJ.EXE] C:\WINDOWS\SYSTEM\MFCNJ.EXE
O4 - HKLM\..\RunServices: [APIWC32.EXE] C:\WINDOWS\APIWC32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8097.2323842593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

#2 groovicus (Security Colleague)

Posted 24 July 2004 - 07:09 PM

Hello andykuld,
Since it seems everybody is busy at the moment, I'll lend a hand. This is my favorite infection to fight. :thumbsup:

Actually, this one is kind of tough, so it will probably take multiple steps. Please follow all directions carefully.


**********************************************************************


We need to download a few tools first: Unzip about:buster to your desktop, and install Adaware. Please make sure Adaware is up to date by clicking on the globe icon in the upper right hand corner. If you need help, here is a nice Adaware Tutorial from Bleeping Computer.
***********************************************************************
Please print out this thread, as you will not be able to open IE until you are instructed to do so. :D

***********************************************************************
Boot into SAFE MODE by tapping the f8 key during boot up.

***********************************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

O2 - BHO: (no name) - {B41F60FA-6DED-6A3D-8737-C716CB55B622} - C:\WINDOWS\MSZY32.DLL
O4 - HKLM\..\RunServices: [ATLLD32.EXE] C:\WINDOWS\ATLLD32.EXE
O4 - HKLM\..\RunServices: [D3NB32.EXE] C:\WINDOWS\D3NB32.EXE
O4 - HKLM\..\RunServices: [ADDRQ.EXE] C:\WINDOWS\ADDRQ.EXE
O4 - HKLM\..\RunServices: [MFCDM32.EXE] C:\WINDOWS\MFCDM32.EXE
O4 - HKLM\..\RunServices: [MFCOK.EXE] C:\WINDOWS\SYSTEM\MFCOK.EXE
O4 - HKLM\..\RunServices: [ADDTM.EXE] C:\WINDOWS\SYSTEM\ADDTM.EXE
O4 - HKLM\..\RunServices: [MFCNJ.EXE] C:\WINDOWS\SYSTEM\MFCNJ.EXE
O4 - HKLM\..\RunServices: [APIWC32.EXE] C:\WINDOWS\APIWC32.EXE

***********************************************************************

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

***********************************************************************

Run Adaware with the following options:

  • Configure Ad-aware
    • Click on the Gear-shaped icon at the top to open the Settings window.
    • All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
    • General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
    • Scanning Settings
      • Scan Within Archives
      • Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
    • Advanced Settings - Enable all four options under 'Log-file Detail level'
    • Tweak Settings
      • Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
      • Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
    • Click Proceed
  • Click on the 'Start' button in the lower right.
  • Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.
  • Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.
  • Close Ad-aware

***********************************************************************

Reboot. Now open IE and run the following scan:
TrendMicro

***********************************************************************

Reboot, and post copies of your about:buster logs, along with a new log from HJT. :D

#3 andykuld (Topic Starter)

Posted 26 July 2004 - 11:58 AM

Thanks Groovicus,

I did all of that except the last step because IE kept getting an error every time I tried to load the virus scanning program. Unfortunately, I am still getting popups and my homepage is still getting hijacked. Here are all my new logs.

First Aboutbuster log:

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\nthe32.exe
Removed! : C:\WINDOWS\ersdin.dat
Removed! : C:\WINDOWS\lawetr.dat
Removed! : C:\WINDOWS\addrq.exe
Removed! : C:\WINDOWS\ziyas.dat
Removed! : C:\WINDOWS\eszjx.dat
Removed! : C:\WINDOWS\dqclyo.dat
Removed! : C:\WINDOWS\mfcdm32.exe
Removed! : C:\WINDOWS\mcsztv.dat
Removed! : C:\WINDOWS\ntlzww.dat
Removed! : C:\WINDOWS\ckitnm.dat
Removed! : C:\WINDOWS\fglhxg.dat
Removed! : C:\WINDOWS\kqrkmi.dat
Removed! : C:\WINDOWS\sdkgf.exe
Removed! : C:\WINDOWS\apiwc32.exe
Removed! : C:\WINDOWS\iepl.exe
Removed! : C:\WINDOWS\bkavpo.dat
Removed! : C:\WINDOWS\ienb32.exe
Removed! : C:\WINDOWS\krlgwu.dat
Removed! : C:\WINDOWS\bfrkzq.dat
Removed! : C:\WINDOWS\cruz32.exe
Removed! : C:\WINDOWS\dwvahh.dat
Removed! : C:\WINDOWS\apisd32.exe
Removed! : C:\WINDOWS\xkaqwt.dat
Removed! : C:\WINDOWS\mfcso.exe
Removed! : C:\WINDOWS\wqodpu.dat
Removed! : C:\WINDOWS\sdkia32.exe
Removed! : C:\WINDOWS\SYSTEM\iebn.exe
Removed! : C:\WINDOWS\SYSTEM\cgxjv.dat
Removed! : C:\WINDOWS\SYSTEM\iepy.exe
Removed! : C:\WINDOWS\SYSTEM\ayiwh.dll
Removed! : C:\WINDOWS\SYSTEM\ipdv32.exe
Removed! : C:\WINDOWS\SYSTEM\ntzq.exe
Removed! : C:\WINDOWS\SYSTEM\addtm.exe
Removed! : C:\WINDOWS\SYSTEM\appez.exe
Removed! : C:\WINDOWS\SYSTEM\mfcnj.exe
Removed! : C:\WINDOWS\SYSTEM\mfcub32.exe
Removed! : C:\WINDOWS\SYSTEM\crea32.exe
Removed! : C:\WINDOWS\SYSTEM\ieka.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Second About Buster log:

-- Scan 1 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

New Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:22:26 AM, on 7/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\IEGE32.EXE
C:\WINDOWS\SYSTEM\WINLH32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BRODERBUND\MAVIS BEACON TEACHES TYPING DELUXE 11\MINIMAVIS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\IEGE32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\IEGE32.EXE
C:\WINDOWS\APIGF32.EXE
C:\WINDOWS\SYSTEM\APIWW32.EXE
C:\WINDOWS\IEGE32.EXE
C:\WINDOWS\IEGE32.EXE
C:\WINDOWS\APIPT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\APIPT.EXE
C:\WINDOWS\APIPT.EXE
C:\WINDOWS\NTER32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edvvu.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edvvu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edvvu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {AFBA4799-6C82-44A5-831A-015F6BB6F80F} - C:\WINDOWS\SYSTEM\HAOFL.DLL (file missing)
O2 - BHO: (no name) - {2D3E89CD-A4AC-454C-130C-C5ACF05F7AEC} - C:\WINDOWS\WINJM.DLL (file missing)
O2 - BHO: (no name) - {63205DF7-E69F-C6A7-B29B-5EAE5A02155F} - C:\WINDOWS\SYSTEM\NETSY32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [APIWW32.EXE] C:\WINDOWS\SYSTEM\APIWW32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [IEPL.EXE] C:\WINDOWS\IEPL.EXE
O4 - HKLM\..\RunServices: [WINLH32.EXE] C:\WINDOWS\SYSTEM\WINLH32.EXE
O4 - HKLM\..\RunServices: [CREA32.EXE] C:\WINDOWS\SYSTEM\CREA32.EXE
O4 - HKLM\..\RunServices: [IEGE32.EXE] C:\WINDOWS\IEGE32.EXE
O4 - HKLM\..\RunServices: [APISD32.EXE] C:\WINDOWS\APISD32.EXE
O4 - HKLM\..\RunServices: [MFCSO.EXE] C:\WINDOWS\MFCSO.EXE
O4 - HKLM\..\RunServices: [APIGF32.EXE] C:\WINDOWS\APIGF32.EXE
O4 - HKLM\..\RunServices: [APIPT.EXE] C:\WINDOWS\APIPT.EXE
O4 - HKLM\..\RunServices: [NTER32.EXE] C:\WINDOWS\NTER32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8097.2323842593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Any more help would be greatly appreciated.
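The two logs in #1 and #3 show the pattern groovicus is working against: every IE start and search page points at a res:// URL inside a randomly named DLL under C:\WINDOWS\SYSTEM, an unnamed BHO is loaded straight out of the Windows directory, and each dropper is registered in RunServices under a value named after its own EXE (for example `[ATLLD32.EXE] C:\WINDOWS\ATLLD32.EXE`, where legitimate entries such as `[SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe` use a descriptive name). After the first cleanup the same three indicators came back under fresh names (ayiwh.dll became edvvu.dll, ATLLD32.EXE became IEGE32.EXE, and so on). The following script is an added example, not code from the thread or from HijackThis; it parses HJT 1.9x log lines, flags those three indicators, and diffs two logs to separate what a cleanup removed from what the infection regenerated. The heuristics (value name equal to the EXE name, res:// page targets, unnamed BHO in C:\WINDOWS or C:\WINDOWS\SYSTEM) are assumptions derived only from the logs on this page, and the sample input is a constructed excerpt of those two logs.

```python
"""Triage helper for HijackThis (HJT) 1.9x logs (added example, not from the thread).

Flags the three indicators of the res:// hijacker seen in the posted logs and
diffs two logs to show what a cleanup removed and what came back under new
random names.  The heuristics are assumptions drawn from those logs; treat
every flag as a lead, not a verdict.
"""
import re
from collections import namedtuple

Flag = namedtuple("Flag", "kind reason detail")

# HJT entry lines: "R1 - <rest>", "O2 - BHO: ...", "O4 - HKLM\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.+)$")
RES_RE = re.compile(r"res://(?P<target>[^/#]+)", re.I)
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
# A BHO DLL dropped directly into one of these, rather than under Program Files, is a red flag.
WIN_DIRS = (r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def image_path(cmd):
    """First token of an O4 command line: a quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of Flag(kind, reason, detail) for suspicious entries in one HJT log."""
    flags = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("R0", "R1"):
            # Start/search page served out of a local DLL's resources (res://...dll/sp.html).
            r = RES_RE.search(rest)
            if r:
                flags.append(Flag(kind, "IE page served from a local DLL via res://",
                                  basename(r.group("target")).upper()))
        elif kind == "O2":
            b = BHO_RE.match(rest)
            if b and b.group("name") == "(no name)":
                path = b.group("path").replace(" (file missing)", "")
                if dirname(path).upper() in WIN_DIRS:
                    flags.append(Flag(kind, "unnamed BHO loaded from the Windows directory", path))
        elif kind == "O4":
            o = O4_RE.match(rest)
            if o and o.group("key") in ("Run", "RunServices"):
                img = image_path(o.group("cmd"))
                # Heuristic: this family registers each dropper under its own file name,
                # e.g. [ATLLD32.EXE] C:\WINDOWS\ATLLD32.EXE; legitimate entries use a descriptive name.
                if o.group("name").upper() == basename(img).upper():
                    flags.append(Flag(kind, "autorun value named after its own EXE", img))
    return flags


def diff_triage(before, after):
    """(gone, new): flagged indicators that disappeared between two logs, and ones that appeared."""
    key = lambda f: (f.kind, f.detail.upper())
    b = {key(f): f for f in triage(before)}
    a = {key(f): f for f in triage(after)}
    gone = sorted({b[k].detail for k in b.keys() - a.keys()})
    new = sorted({a[k].detail for k in a.keys() - b.keys()})
    return gone, new


# Constructed sample input: excerpts of the HJT logs posted in #1 (24 July) and #3 (26 July).
LOG_24_JULY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ayiwh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayiwh.dll/index.html#96676
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B41F60FA-6DED-6A3D-8737-C716CB55B622} - C:\WINDOWS\MSZY32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IEBN.EXE] C:\WINDOWS\SYSTEM\IEBN.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATLLD32.EXE] C:\WINDOWS\ATLLD32.EXE
"""
LOG_26_JULY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edvvu.dll/index.html#96676
O2 - BHO: (no name) - {63205DF7-E69F-C6A7-B29B-5EAE5A02155F} - C:\WINDOWS\SYSTEM\NETSY32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [APIWW32.EXE] C:\WINDOWS\SYSTEM\APIWW32.EXE
O4 - HKLM\..\RunServices: [IEGE32.EXE] C:\WINDOWS\IEGE32.EXE
"""

if __name__ == "__main__":
    for f in triage(LOG_24_JULY):
        print(f"{f.kind}: {f.reason}: {f.detail}")
    gone, new = diff_triage(LOG_24_JULY, LOG_26_JULY)
    print("removed by cleanup:", gone)
    print("regenerated under new names:", new)
```

Run against the two excerpts, the diff reports every indicator from 24 July as gone and an equally long list of new names on 26 July, which is the signal that the fix list is chasing a respawning component rather than finishing the job; groovicus reaches the same conclusion in #4 by asking for a StartDreck log of RunServicesOnce and running processes. The flag on the value name is deliberately narrow: it will not catch a dropper registered under a descriptive name, and a legitimate product that happens to register itself as `[FOO.EXE] ...\FOO.EXE` will be flagged, so use the output to decide what to look at, not what to delete.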

#4 groovicus (Security Colleague)

Posted 26 July 2004 - 12:25 PM

This one usually takes a couple attempts, so don't worry about that. We will get it cleaned up though.

I need to re-emphasize, while you are doing the fixes, all windows and browsers need to be closed. The best idea is to print out the thread for reference.

***********************************************************************

Please download this file to your desktop and extract the file from the zip onto your desktop. Then run the vbs file and post the contents of the notepad that will appear as a response to this message. (in your next reply)

It can be downloaded from here:

http://www.computercops.biz/modules.php?na...ownload&id=2239

***********************************************************************

Also, please download the updated version of HJT:
http://www.amchrisarmstrong.com/HijackThis.exe

***********************************************************************

Boot into SAFE MODE by tapping the f8 key during boot up.

***********************************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edvvu.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edvvu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edvvu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\edvvu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {AFBA4799-6C82-44A5-831A-015F6BB6F80F} - C:\WINDOWS\SYSTEM\HAOFL.DLL (file missing)
O2 - BHO: (no name) - {2D3E89CD-A4AC-454C-130C-C5ACF05F7AEC} - C:\WINDOWS\WINJM.DLL (file missing)
O2 - BHO: (no name) - {63205DF7-E69F-C6A7-B29B-5EAE5A02155F} - C:\WINDOWS\SYSTEM\NETSY32.DLL
O4 - HKLM\..\RunServices: [IEPL.EXE] C:\WINDOWS\IEPL.EXE
O4 - HKLM\..\RunServices: [WINLH32.EXE] C:\WINDOWS\SYSTEM\WINLH32.EXE
O4 - HKLM\..\RunServices: [CREA32.EXE] C:\WINDOWS\SYSTEM\CREA32.EXE
O4 - HKLM\..\RunServices: [IEGE32.EXE] C:\WINDOWS\IEGE32.EXE
O4 - HKLM\..\RunServices: [APISD32.EXE] C:\WINDOWS\APISD32.EXE
O4 - HKLM\..\RunServices: [MFCSO.EXE] C:\WINDOWS\MFCSO.EXE
O4 - HKLM\..\RunServices: [APIGF32.EXE] C:\WINDOWS\APIGF32.EXE
O4 - HKLM\..\RunServices: [APIPT.EXE] C:\WINDOWS\APIPT.EXE
O4 - HKLM\..\RunServices: [NTER32.EXE] C:\WINDOWS\NTER32.EXE

***********************************************************************

Rerun about:buster twice again and save the logs. Please post those in your next response also.

***********************************************************************

Reboot, and let's try a different scan this time:
Symantec

Reboot, and post a new HJT log. :thumbsup:

Just a note, you also have a secondary infection that is a major pain also, so I need you to do one more step for me:

***********************************************************************

Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

***********************************************************************

Whew!! Once you get through all of that, post all 5 resulting logs please.

#5 andykuld (Topic Starter)

Posted 26 July 2004 - 12:58 PM

Could you tell me the name of the first file I need to download as the link does not work.

#6 groovicus (Security Colleague)

Posted 26 July 2004 - 01:00 PM

Crud...they must have just done that. I'll see what I can find.

Go ahead and do the rest though. There is plenty to work on besides that. :thumbsup:

Edited by groovicus, 26 July 2004 - 01:01 PM.


#7 andykuld (Topic Starter)

Posted 26 July 2004 - 02:28 PM

Thanks again groovicus. Here's the new log files.

aboutbuster first scan:

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\apigf32.exe
Removed! : C:\WINDOWS\krlgwu.dat
Removed! : C:\WINDOWS\apipt.exe
Removed! : C:\WINDOWS\nter32.exe
Removed! : C:\WINDOWS\appyw32.exe
Removed! : C:\WINDOWS\winjm.exe
Removed! : C:\WINDOWS\SYSTEM\edvvu.dat
Removed! : C:\WINDOWS\SYSTEM\edvvu.dll
Removed! : C:\WINDOWS\SYSTEM\apiww32.exe
Removed! : C:\WINDOWS\SYSTEM\javaai.exe
Removed! : C:\WINDOWS\SYSTEM\ntci32.exe
Removed! : C:\WINDOWS\SYSTEM\appom32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Aboutbuster second scan:

-- Scan 1 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

HijackThis scan after:

Logfile of HijackThis v1.98.0
Scan saved at 3:48:02 AM, on 7/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BRODERBUND\MAVIS BEACON TEACHES TYPING DELUXE 11\MINIMAVIS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [APPYW32.EXE] C:\WINDOWS\APPYW32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

StartDreck log:

StartDreck (build 2.1.5 public BETA) - 2004-07-26 @ 03:53:13
Platform: Windows ME (Win 4.90.3000 )

»Registry
»Run Keys
»Current User
»Run
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
»RunOnce
»Default User
»Run
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
»RunOnce
»Local Machine
»Run
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Adaptec DirectCD=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*LexStart=Lexstart.exe
*LXSUPMON=C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
*CreateCD=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*APPYW32.EXE=C:\WINDOWS\APPYW32.EXE
»RunServicesOnce
**izhc=rundll32 C:\WINDOWS\SYSTEM\D3DBEAD.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FF0F10A5=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF5B19=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFFB0D=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFE149=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE3709=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE0BDD=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFFD2291=C:\WINDOWS\RUNDLL32.EXE
*FFFE9D89=C:\WINDOWS\EXPLORER.EXE
*FFFC30A5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFC0C7D=C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*FFFC49E5=C:\WINDOWS\SYSTEM\LXSUPMON.EXE
*FFFCA3FD=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFFB32A5=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
*FFFB1A15=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
*FFFB4FED=C:\PROGRAM FILES\BRODERBUND\MAVIS BEACON TEACHES TYPING DELUXE 11\MINIMAVIS.EXE
*FFFD41E1=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
*FFFCF5B9=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
*FFFCFB95=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFA80B5=C:\WINDOWS\SYSTEM\LEXBCES.EXE
*FFFA6145=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF9AD89=C:\WINDOWS\SYSTEM\RPCSS.EXE
*FFF82FC1=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
*FFF99F65=C:\WINDOWS\SYSTEM\LEXPPS.EXE
*FFFABFB1=C:\WINDOWS\SYSTEM\HPZIPM12.EXE
*FFF75A45=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFF7C1AD=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFF6A899=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
*FFF469D1=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
*FFF344C1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF772A5=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF437C1=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific

I couldn't get the first program so I do not have the log file for it.

#8 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:31 PM

Posted 26 July 2004 - 03:06 PM

Don't worry about the first log. At this point, it appears that the initial infection is gone. So we will deal with the second one. :thumbsup:

Now for round 2.....

Download: "Win98Fix.zip" from here:
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to C:\WINDOWS\SYSTEM\D3DBEAD.DLL.
Right click, select 'Properties' and remove any 'Read only' protection.
Right click again and select 'Delete'.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)

**********

Then run Adaware in safe mode with the instructions outlined above.

#9 andykuld

andykuld
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 26 July 2004 - 06:21 PM

I've done everything you said to, and it seems to be working now. Thanks again for all your help, I really appreciate it.

#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:31 PM

Posted 26 July 2004 - 06:27 PM

Could you post one last log so we can be sure we didn't miss anything? :D

#11 andykuld

andykuld
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 26 July 2004 - 10:55 PM

Sure, thanks again.

Logfile of HijackThis v1.98.0
Scan saved at 12:21:47 PM, on 7/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BRODERBUND\MAVIS BEACON TEACHES TYPING DELUXE 11\MINIMAVIS.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [APPYW32.EXE] C:\WINDOWS\APPYW32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#12 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:31 PM

Posted 27 July 2004 - 10:37 AM

Launch Notepad, and copy and paste the contents of the quote box below into a new text file.

Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]

[-HKEY_CLASSES_ROOT\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}]

[-HKEY_CLASSES_ROOT\Image.Image]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Image.Image.1]


Then, locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot.

Then find and delete, if still there, this file: C:\WINDOWS\msopt.dll

Reboot.
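What the helper is doing across these posts is comparing logs by eye: the entries that appeared between the 24 July and the 26 July HijackThis logs (the "ICOO Loader BHO" O2 line and the "icoo" O18 protocol handler, both backed by C:\WINDOWS\MSOPT.DLL) are what the fixme.reg above and the file deletion target. The Python below is an added example, not code from this thread, from HijackThis or from BleepingComputer. It parses the section-coded lines of two logs, lists the entries that appeared or disappeared in between, and checks which CLSIDs from the new entries a REGEDIT4 fix actually deletes. The log excerpts are constructed from lines quoted in this thread (not the full logs), the .reg text is the one posted above, and the assumed HijackThis line shape is `<section> - <description>` with an optional {CLSID} and a local file path.

```python
"""Added example (not from the thread): diff two HijackThis logs and
check a REGEDIT4 fix against the entries that appeared in between."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed line shape: "<section> - <description>", where <section> is a code
# such as R3, O2 or O18 and the description may carry a {CLSID} and a local path.
SECTION_RE = re.compile(r"^([RFNO]\d{1,2}) - ")
CLSID_RE = re.compile(
    r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
PATH_RE = re.compile(r"[A-Z]:\\.+?\.(?:dll|exe|ocx|tsk)\b", re.I)
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")  # "[-KEY]" deletes, "[KEY]" opens


class Entry(NamedTuple):
    section: str
    text: str
    clsid: Optional[str]  # upper-cased, or None when the line has no CLSID
    path: Optional[str]   # upper-cased, or None when the line has no local path


def parse_log(text: str) -> List[Entry]:
    """Keep only section-coded lines; headers and the process list have none."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        c = CLSID_RE.search(line)
        p = PATH_RE.search(line)
        entries.append(Entry(m.group(1), line,
                             c.group(0).upper() if c else None,
                             p.group(0).upper() if p else None))
    return entries


def _key(e: Entry) -> str:
    # Whitespace and case differences between two runs are not real changes.
    return re.sub(r"\s+", " ", e.text).casefold()


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed): entries only in the later log, only in the earlier."""
    old = {_key(e): e for e in parse_log(before)}
    new = {_key(e): e for e in parse_log(after)}
    added = [e for k, e in new.items() if k not in old]
    removed = [e for k, e in old.items() if k not in new]
    return added, removed


def clsids_of(entries: List[Entry]) -> List[str]:
    return sorted({e.clsid for e in entries if e.clsid})


def paths_of(entries: List[Entry]) -> List[str]:
    return sorted({e.path for e in entries if e.path})


def parse_reg_fix(text: str) -> Tuple[List[str], List[str]]:
    """Split a REGEDIT4 file into keys it deletes ("[-KEY]") and keys it only opens."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    deleted, opened = [], []
    for raw in lines[1:]:
        m = REG_KEY_RE.match(raw.strip())
        if m:
            (deleted if m.group(1) == "-" else opened).append(m.group(2))
    return deleted, opened


def unreferenced_clsids(added: List[Entry], reg_text: str) -> List[str]:
    """CLSIDs of the new log entries that no deletion line in the fix mentions."""
    deleted, _ = parse_reg_fix(reg_text)
    covered = {c.upper() for key in deleted for c in CLSID_RE.findall(key)}
    return [c for c in clsids_of(added) if c not in covered]


# Constructed excerpts built from lines quoted in this thread, not the full logs.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
"""
AFTER_LOG = r"""Logfile of HijackThis v1.98.0
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
"""
FIXME_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]
[-HKEY_CLASSES_ROOT\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}]
[-HKEY_CLASSES_ROOT\Image.Image]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Image.Image.1]
"""

if __name__ == "__main__":
    added, removed = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in added:
        print("NEW ", e.text)
    for e in removed:
        print("GONE", e.text)
    print("new local paths:", paths_of(added))
    print("CLSIDs the fix does not delete:", unreferenced_clsids(added, FIXME_REG))
```

Run as-is it reports three new entries (the R3 line and the two MSOPT.DLL lines), one new local path, and one CLSID that the posted fix does not delete: {B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D}, the BHO's own CLSID. That is a coverage check for the responder rather than a verdict; the DLL itself is deleted on disk in the same step, and whether its CLSID key also needs a deletion line is the responder's call, made on the next log.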



