HJT log- help


7 replies to this topic

#1 pieguy288


Posted 29 April 2005 - 03:24 PM

My homepage is hijacked by http://web.all-find.org/
I ran Spybot - Search & Destroy.

Logfile of HijackThis v1.98.2
Scan saved at 4:19:28 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Atguard\iamserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Atguard\iamapp.exe
C:\WINDOWS\System32\svcsysreg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\Jonny B\Desktop\Chazarai\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://web.all-find.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31CB178F-409E-4F58-A23E-D06007E7E57B} - C:\WINDOWS\SYSTEM32\bde.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O13 - DefaultPrefix: http://web.all-find.org/best.php?url=
O13 - WWW Prefix: http://web.all-find.org/best.php?url=
O13 - Home Prefix: http://web.all-find.org/best.php?url=
O13 - Mosaic Prefix: http://web.all-find.org/best.php?url=
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug%20Eliminator.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} (CWebsiteViewer Object) - http://apollo.hsclib.sunysb.edu/WebsiteVie...bsiteViewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://charon.hsclib.sunysb.edu/hsclibport...en/CSGProxy.cab
O18 - Filter: text/html - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll
O18 - Filter: text/plain - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll


#2 John_McKenna


Posted 29 April 2005 - 07:43 PM

Hi and welcome to Bleeping. :thumbsup:

Before we get started, you need to update your version of HijackThis. Please delete your copy and then download the HijackThis Self Extracting zip file from here to your desktop. Double click 'hijackthis_sfx.exe' and select "Unzip".


Ensure you have Windows configured to 'show all hidden files & folders'.
See here if you don't know how to do this.

Download rkfiles.zip from here.
UNZIP the contents to a permanent folder.

Reboot into Safe Mode - Very Important !!
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.


Doubleclick rkfiles.bat inside the folder.
It will scan for a while, so please be patient.
Wait until the DOS window closes and reboot back to normal mode.
It will generate a log file which can be located at C:\log.txt.
Post the contents of C:\log.txt in your next reply please.

Please also post a fresh HijackThis log with the new version, which you will find in C:\Program Files\HijackThis.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 pieguy288


Posted 01 May 2005 - 11:34 AM

Here is the log.txt:

------------------------
C:\WINDOWS\SYSTEM32\DVDAudio.ax: UPX!
C:\WINDOWS\SYSTEM32\DVDVideo.ax: UPX!
C:\WINDOWS\SYSTEM32\first.awp: UPX!
C:\WINDOWS\SYSTEM32\OLDC9.tmp: UPX!
C:\WINDOWS\SYSTEM32\second.awp: UPX!
C:\WINDOWS\SYSTEM32\svcsysreg.exe: UPX!
C:\WINDOWS\SYSTEM32\wget.exe: UPX!
C:\WINDOWS\SYSTEM32\syst2.exe: FSG!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\SYSTEM32\divx.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\spoolsv.exe: UPX!
C:\WINDOWS\vsapi32(2).dll: UPX!t4
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye




Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:00:54 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Atguard\iamserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Atguard\iamapp.exe
C:\WINDOWS\System32\svcsysreg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://web.all-find.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31CB178F-409E-4F58-A23E-D06007E7E57B} - C:\WINDOWS\SYSTEM32\bde.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O13 - DefaultPrefix: http://web.all-find.org/best.php?url=
O13 - WWW Prefix: http://web.all-find.org/best.php?url=
O13 - Home Prefix: http://web.all-find.org/best.php?url=
O13 - Mosaic Prefix: http://web.all-find.org/best.php?url=
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug%20Eliminator.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} (CWebsiteViewer Object) - http://apollo.hsclib.sunysb.edu/WebsiteVie...bsiteViewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://charon.hsclib.sunysb.edu/hsclibport...en/CSGProxy.cab
O18 - Filter: text/html - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll
O18 - Filter: text/plain - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 John_McKenna


Posted 01 May 2005 - 03:20 PM

A slight change of direction. This is a brand new CWS infection but it would appear the files associated with it remain the same on all infected machines.


1) Please download Killbox from here.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up.
Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\syst2.exe
C:\WINDOWS\System32\syst3.exe
C:\WINDOWS\System32\cidft.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\gupd.dll
C:\WINDOWS\System32\hst32.dll
C:\WINDOWS\System32\icnfe.dll
C:\WINDOWS\System32\icqrt.dll
C:\WINDOWS\System32\icvbr.dll
C:\WINDOWS\System32\sdfup.dll
C:\WINDOWS\System32\thun.dll
C:\WINDOWS\System32\wcnl32.dll
C:\WINDOWS\System32\wecxg32.dll
C:\WINDOWS\System32\wirl.dll
C:\WINDOWS\System32\xcwer32.dll
C:\WINDOWS\System32\zxmsn.dll
C:\WINDOWS\System32\svcsysreg.exe
C:\WINDOWS\SYSTEM32\bde.dll


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Pending Operations prompt.

This will restart your computer.




Please then run HijackThis again and place a check before the following entries:


R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://web.all-find.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://web.all-find.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {31CB178F-409E-4F58-A23E-D06007E7E57B} - C:\WINDOWS\SYSTEM32\bde.dll (file missing)
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O13 - DefaultPrefix: http://web.all-find.org/best.php?url=
O13 - WWW Prefix: http://web.all-find.org/best.php?url=
O13 - Home Prefix: http://web.all-find.org/best.php?url=
O13 - Mosaic Prefix: http://web.all-find.org/best.php?url=
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} (CWebsiteViewer Object) - http://apollo.hsclib.sunysb.edu/WebsiteVie...bsiteViewer.cab
O18 - Filter: text/html - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll
O18 - Filter: text/plain - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)


Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked



Reboot and run an online virus scan at Panda:

http://www.pandasoftware.com/activescan/

Note the location of anything it found but couldn't remove.


Reboot once more and post a fresh HijackThis log.
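The helper's fix list above is built by reading each HijackThis line type (R0/R1 IE registry keys, O1 hosts entries, O13 URL prefixes, O18 MIME filters, O4 autoruns) and picking out the ones that point at the hijacker domain or at the files to be deleted. The script below is an added example, not part of this thread or of the HijackThis tool, that automates that triage over lines in the same format. It assumes a small constructed sample log, the hijacker domain and a subset of the removal list taken from the posts above, and simple regex heuristics for pulling file paths out of an entry.

```python
"""Triage HijackThis log lines for entries tied to a known browser hijacker.

Added example for the thread above; not the HijackThis tool's own code.
"""
import re
from dataclasses import dataclass, field

# Hijacker domain and removal-list file names taken from the posts above.
HIJACKER_DOMAIN = "web.all-find.org"
REMOVAL_LIST = {"syst2.exe", "syst3.exe", "svcsysreg.exe", "bde.dll", "cidft.dll"}

# Constructed sample: a few lines in the shape of the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://web.all-find.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.all-find.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {31CB178F-409E-4F58-A23E-D06007E7E57B} - C:\WINDOWS\SYSTEM32\bde.dll (file missing)
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O13 - DefaultPrefix: http://web.all-find.org/best.php?url=
O18 - Filter: text/html - {BEA92D6E-7060-4AB4-B3B4-D57B6DC41F16} - C:\WINDOWS\SYSTEM32\bde.dll
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
"""

# "R1 - <body>" / "O18 - <body>": section code, then the entry itself.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in a binary extension; the lookbehind keeps "http:/" out.
PATH_RE = re.compile(r"((?<![A-Za-z])[A-Za-z]:[\\/].*?\.(?:exe|dll|ocx|ax))(?=\s|$)",
                     re.IGNORECASE)
# "Hosts: <hostname> <ip>" as HijackThis prints an O1 entry.
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<host>\S+)\s+(?P<ip>\S+)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list = field(default_factory=list)


def extract_path(text):
    """Return the first file path in an entry, or None."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def triage_line(line, domain=HIJACKER_DOMAIN, removal_list=REMOVAL_LIST):
    """Return a Finding for a suspicious HJT line, None for a clean one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if domain in body.lower():
        reasons.append(f"points at hijacker domain {domain}")
    if code == "O1":
        h = HOSTS_RE.match(body)
        if h and h.group("ip").startswith("127."):
            reasons.append(f"hosts file redirects {h.group('host')} to loopback")
    path = extract_path(body)
    if path:
        name = re.split(r"[\\/]", path)[-1].lower()
        if name in removal_list:
            reasons.append(f"file {name} is on the removal list")
    if "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    if code == "O18":
        reasons.append("MIME filter intercepts all text/html or text/plain content")
    return Finding(code, line.strip(), reasons) if reasons else None


def triage(log_text, domain=HIJACKER_DOMAIN, removal_list=REMOVAL_LIST):
    """Run triage_line over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line, domain, removal_list)
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per HJT section code (R0, O1, O18, ...)."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
    print(summarize(triage(SAMPLE_LOG)))
```

Entries such as the vptray.exe autorun pass through untouched, so the output is a shortlist to review rather than a list to fix blindly.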

#5 pieguy288


Posted 02 May 2005 - 06:41 PM

I ran the panda scan and this is the report:

Incident Status Location

Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\Boi5X.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\BpaEG.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\Emw274e8.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\KfmJ8U3.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\KppJ3f.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\NvxhL7fw.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\Pret0XNQ.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\Puf9Xk.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\RnuQDB55.exe
Adware:Adware/MemoryWatcher No disinfected C:\!PeperFix\Zgl8.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\bleep Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Jonny B\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-6e76f307.zip[InstallerApplet.class]
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-50947875.class
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Jonny B\Application Data\tvmuknwrd.dll
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\bleep Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Jonny B\Favorites\XXX personal photos.url
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\!update.exe
Possible Virus. No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\60.tmp
Possible Virus. No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\60.tmp.exe
Adware:Adware/Winshow No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\8F.tmp.exe
Possible Virus. No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\A.tmp
Possible Virus. No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\A.tmp.exe
Possible Virus. No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\A7.tmp
Possible Virus. No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\A7.tmp.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\all_files8.exe
Adware:Adware/Midaddle No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\B.exe
Adware:Adware/Midaddle No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\clicks.dll
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\ICD1.tmp\ysbactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\ICD1.tmp\ysbactivex.inf
Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\PO.exe
Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Jonny B\Local Settings\Temp\XrKMV0M.exe
Adware:Adware/IEDriver No disinfected C:\Overpro-347.exe
Adware:Adware/SideSearch No disinfected C:\SEPinst.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\70odhr0b.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\on-line.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgUS10.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgUS990.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ysbactivex.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\istactivex.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\on-line.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgUS10.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\istactivex.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\on-line.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rdgUS10.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rdgUS990.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\istactivex.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\on-line.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\rdgUS10.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\istactivex.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\on-line.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\rdgUS10.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\istactivex.inf
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\rdgUS10.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\istactivex.inf
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\rdgUS10.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\istactivex.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\istactivex.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\on-line.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\rdgUS10.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\rdgUS19.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\rdgUS990.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_bexwfp.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mbhyda.dat
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\remtm3.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\securea.html
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\secureb.html
Adware:Adware/Startpage.ML No disinfected C:\WINDOWS\spoolsv.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\bahbplaa.tmp
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\CERTMGR8.exe
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\CNETCFG0.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\eaabjaba.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\efppmaaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\eiibeoaa.tmp
Adware:Adware/MProcessor No disinfected C:\WINDOWS\SYSTEM32\first.awp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\hidcfcca.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ilkbijaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\jdaajdaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\kblnijaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\mkicofaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\moooddaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ncjcmbba.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ojflamaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\omfbpgaa.tmp
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\pipdmaaa.tmp
Adware:Adware/MProcessor No disinfected C:\WINDOWS\SYSTEM32\second.awp
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\terabyte.exe
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\unwise56.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM32\~GLH002c.TMP
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~25116.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~36874.tmp
Adware:Adware/Startpage.CCM No disinfected C:\WINDOWS\win32.bmp
Adware:Adware/Startpage.CCM No disinfected C:\WINDOWS\win32.dat



This is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:39:22 PM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Atguard\iamserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Atguard\iamapp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE SP2 AddOn - {351F123D-BEA3-48EF-8282-D4161960C3D9} - C:\WINDOWS\System32\spdhp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug%20Eliminator.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://charon.hsclib.sunysb.edu/hsclibport...en/CSGProxy.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 John_McKenna


Posted 03 May 2005 - 05:59 AM

The browser Hijacker has gone, now for the rest. Strangely, your HJT log didn't show any signs of a Peper Trojan as found in the Panda scan. We'll run the Peper Fix just in case during this next assault.

Enter your control panel. If you are using Windows XP's Category View, select the 'Network and Internet Connections' category otherwise double click on 'Network Connections'. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Please ensure that Windows is set to 'Show all hidden files and folders' and that you are familiar with 'Rebooting into Safe Mode'.


Download and install Ad-aware SE from here.
Once installed, run the program and in the bottom right hand corner click 'Check For Updates'.
Update Ad-aware following the prompts and then close the program, we'll use it later.

You have a peper infection amongst others which requires a special removal tool.
Download PeperFix and run it twice, rebooting after the first run.



Then run HJT again and checkmark the boxes next to the following:-

O2 - BHO: IE SP2 AddOn - {351F123D-BEA3-48EF-8282-D4161960C3D9} - C:\WINDOWS\System32\spdhp.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110

Now close ALL windows & browsers and click FIX CHECKED




Reboot your computer into Safe Mode and delete the following files in bold:

C:\WINDOWS\system32\spdhp.dll
C:\WINDOWS\system32\ie2cltr.dll



Then click on Start > Settings > Control Panel
In the Control Panel, open the "Java Plug-in Control Panel"
Select the Cache Tab
Click the Clear button inside the Cache Tab, which will clear your JRE cache directory.


Then click on Start > Run and type cleanmgr into the run box.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin ONLY are checkmarked and click 'OK'.


Now open Ad-Aware SE and configure with the following settings:

1. Close ALL windows except Ad-Aware SE.

2. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window.

3. In the ‘GENERAL’ window make sure the following are selected in green:

*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)


-Under Definitions:
*Prompt to update outdated definitions - set the number of days


4. Click on the ‘SCANNING’ button on the left and select in green:

-Under Driver, Folders & Files:
*Scan Within Archives

-Under Select drives & folders to scan:
*choose all hard drives

-Under Memory & Registry: (all green)
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URLs
*Scan my Hosts file


5. Click on the ‘ADVANCED’ button on the left and select in green:

-Under Shell Integration:
*Move deleted files to recycle bin

-Under Logfile Detail Level: (all green)
*include additional object information
*DESELECT - include negligible objects information
*include environment information


-Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


6. Click the ‘TWEAK’ button and select in green:

-Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


-Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot

-Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check and make Green: Include Module list in logfile


7. Click on ‘PROCEED’ to save the settings.

8. Click ‘Start’

*Choose: 'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.

9. Click ‘Next’ and Ad-Aware SE will scan your hard drive with the options you have selected and clean automatically.

10. If Ad-Aware SE finds bad entries in the registry or bad files, you will receive a list of what it found in the window. Right click on any of the bad entries and click on 'select all'.

11. Click ‘NEXT’

12. Close Ad-Aware SE.


Reboot and run an online virus scan from any of the following locations:

http://www.ravantivirus.com/scan/ - RAV
http://uk.trendmicro-europe.com/consumer/p...call_launch.php - Trend Micro


Reboot once more and post a fresh log.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)
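The O17 lines John asks to fix are the DNS hijack behind the "browser hijacker": static public resolvers written into the interface's TCP/IP parameters on a machine that should get DNS from DHCP. As an added example that is not part of this thread or of HijackThis itself, the script below parses HJT entry lines, flags O17 NameServer addresses that are neither private-range nor on a trusted list, and diffs the log before the fix against the one posted afterwards; the sample entries are copied from the two logs above, shortened to the lines of interest, and the trusted-resolver list is a hypothetical parameter.

```python
"""Parse HijackThis (HJT) log entries, flag O17 DNS hijacks and diff two logs."""
import ipaddress
import re
from typing import List, Tuple

# Entry lines copied from the two HJT logs quoted in this thread (before and
# after the fix in post #6); shortened to the lines of interest.
BEFORE_FIX = r"""
O2 - BHO: IE SP2 AddOn - {351F123D-BEA3-48EF-8282-D4161960C3D9} - C:\WINDOWS\System32\spdhp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F265881-9203-49F8-892A-38FA0528A0A5}: NameServer = 69.50.184.86,195.225.176.110
"""
AFTER_FIX = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# Every HJT entry starts with a section code (R0..R3, O1..O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")
NAMESERVER_RE = re.compile(r"NameServer = ([0-9.,]+)")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def rogue_dns_servers(text: str, trusted: Tuple[str, ...] = ()) -> List[str]:
    """DNS servers hard-coded in O17 entries that are neither private-range nor
    on the (hypothetical) trusted list. A static public resolver on a DHCP
    client is the hallmark of the hijack seen in this thread."""
    found: List[str] = []
    for section, body in parse_hjt(text):
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        for raw in m.group(1).split(","):
            raw = raw.strip()
            ip = ipaddress.ip_address(raw)
            if ip.is_private or ip.is_loopback or raw in trusted:
                continue
            if raw not in found:
                found.append(raw)
    return found


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but gone from the later one,
    i.e. what the fix actually removed."""
    after_set = {f"{s} - {b}" for s, b in parse_hjt(after)}
    return [f"{s} - {b}" for s, b in parse_hjt(before)
            if f"{s} - {b}" not in after_set]


if __name__ == "__main__":
    print("rogue DNS before fix:", rogue_dns_servers(BEFORE_FIX))
    print("rogue DNS after fix: ", rogue_dns_servers(AFTER_FIX))
    for entry in removed_entries(BEFORE_FIX, AFTER_FIX):
        print("removed:", entry)
```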

#7 pieguy288


Posted 04 May 2005 - 07:18 AM

I did everything except when I ran the trend micro scan I was unable to fix the infected files that it found after the scan.

Here is the new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 8:14:56 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Atguard\iamserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Atguard\iamapp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug%20Eliminator.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://charon.hsclib.sunysb.edu/hsclibport...en/CSGProxy.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 John_McKenna


Posted 04 May 2005 - 08:18 AM

Please disable System Restore, reboot and then re-enable it following the instructions here:

Windows XP System Restore Guide

Run Trendmicro again and it should be clear. If not, please make a note of the scan results and post them in your next reply.
