High Jack this log


This topic is locked
32 replies to this topic

#1 Elm
  • Members
  • 17 posts

Posted 12 June 2005 - 02:42 PM

Hi, was hijacked and ran Panda, Spybot, Ad-Aware, Microsoft AntiSpyware; deleted what I could find but not sure what else I should clean. Please check my log and advise. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:37:17 AM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Highjackthiis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shopnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lavasoftnews.com/ms/display_mai...=IBIS%20Toolbar
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {77BE0ED7-9115-95EF-4992-97BC600AE69F} - C:\WINDOWS\System32\oslgp.dll
O2 - BHO: Internet Explorer Hot Fix - {E4519D23-9DC6-4424-889A-D1A2AF3D40D6} - C:\WINDOWS\System32\bdoex.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [Ptiikxkq] C:\Program Files\Cfuxabt\Qavq.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4B2BBEE7-BD76-46D6-A6A4-6482D73F75F1}\SVCHOST.EXE
O4 - HKLM\..\Run: [Uint32] lpt.exe
O4 - HKLM\..\Run: [SysEntry] InpriseMon.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{4B2BBEE7-BD76-46D6-A6A4-6482D73F75F1}\SECURITY.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [alcnacz] c:\windows\system32\oqhkyds.exe r
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Zip Up The Web Tray Icon.lnk = C:\Program Files\Insight Development\Zip Up The Web Pro\ZUTWTray.exe
O4 - Startup: Lotus SmartSuite 9.6 - English Registration.lnk = C:\Lotus\register\REMIND32.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shopnbc.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{42C4794D-FF7E-40B3-9949-9D5288F22087}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{88621F66-CC2B-43BF-AD6C-4D1ACA2FF6A1}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA4A2324-85E1-46EA-B939-187EFCF6D18D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{42C4794D-FF7E-40B3-9949-9D5288F22087}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: style2 - C:\WINDOWS\q1478355_disk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 ddeerrff
  • Malware Response Team (Retired)
  • 2,717 posts
  • Gender: Male
  • Location: Upper Midwest, US

Posted 13 June 2005 - 12:15 PM

Hello Elm and welcome to BleepingComputer. We have quite a lot to do here.

I need to get samples of some of your files. Please create a folder on your desktop and name it Elm. Now copy the following files into that directory:

lpt.exe
InpriseMon.exe

^ You will need to use Windows Search to locate these files

To copy the files simply navigate to the directory they are in and right click on the file name, and then click on copy option. Now go back to the newly created desktop folder <Elm> and right click in the folder and select the paste option. Do not 'Drag & Drop' as that will move the files instead of copying them.

Once the files are all copied zip the folder. If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a Compressed folder. You will now see a folder called Elm.zip on your desktop. If you are using another version of Windows, you will need to use a zip utility of your choice to compress the folder.

When the files are zipped, go to: http://www.bleepingcomputer.com/submit-malware.php and fill in the required fields and browsing to the file you are submitting. Please note in your comments in which folders these files were found. Finally click on the Send File button.



You have Microsoft AntiSpyware running. The MSAS real-time protection can interfere with the fixes we are about to do, so we need to disable it for the duration of this cleanup.

Open Microsoft AntiSpyware.
  • Click on Tools, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
To re-enable it, you follow the same steps but check Enable Real-time Protection.

You also have AOL Spyware Protection running. I have no specific instruction for that one, but please disable it if you can.


Download the following file and save it to your desktop: DelDomains.inf
- Right-click on the deldomains.inf file and select Install.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O1 - Hosts: auto.search.msn.com 127.0.0.1

O2 - BHO: (no name) - {77BE0ED7-9115-95EF-4992-97BC600AE69F} - C:\WINDOWS\System32\oslgp.dll
O2 - BHO: Internet Explorer Hot Fix - {E4519D23-9DC6-4424-889A-D1A2AF3D40D6} - C:\WINDOWS\System32\bdoex.dll

O4 - HKLM\..\Run: [Ptiikxkq] C:\Program Files\Cfuxabt\Qavq.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4B2BBEE7-BD76-46D6-A6A4-6482D73F75F1}\SVCHOST.EXE
O4 - HKLM\..\Run: [Uint32] lpt.exe
O4 - HKLM\..\Run: [SysEntry] InpriseMon.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{4B2BBEE7-BD76-46D6-A6A4-6482D73F75F1}\SECURITY.EXE
O4 - HKLM\..\Run: [alcnacz] c:\windows\system32\oqhkyds.exe r

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{42C4794D-FF7E-40B3-9949-9D5288F22087}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{88621F66-CC2B-43BF-AD6C-4D1ACA2FF6A1}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA4A2324-85E1-46EA-B939-187EFCF6D18D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{42C4794D-FF7E-40B3-9949-9D5288F22087}: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: style2 - C:\WINDOWS\q1478355_disk.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINDOWS\q1478355_disk.dll <--Files
C:\WINDOWS\System32\oslgp.dll
C:\WINDOWS\System32\bdoex.dll
c:\windows\system32\oqhkyds.exe

C:\WINDOWS\System\svchost.exe <--File.
Be careful to NOT delete the copy of svchost.exe in the C:\WINDOWS\System32 folder

C:\Program Files\Cfuxabt\ <--Folders
C:\WINDOWS\System32\Services\

If any of these resist being deleted, boot into Safe Mode and try from there.


Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy & paste the following block of text into Notepad.

cd \
cd c:\windows\system32
dir /a wi*.* >find_wirl.txt
notepad find_wirl.txt
del find_wirl.txt


Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as find_wirl.bat. Close Notepad.

Double click on find_wirl.bat and a notepad file should open. Copy the contents of that file to your next post along with a fresh HJT log.
Derfram
~~~~~~
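The reply above picks the suspicious lines out of the HijackThis log by hand: a hosts-file redirect (O1), a BHO with no name (O2), autoruns that use a bare filename or run a file called svchost.exe from outside System32 (O4), a Trusted Zone addition (O15), hard-coded DNS servers (O17) and a Winlogon Notify DLL sitting directly in C:\WINDOWS (O20). The Python below is an added example, not part of the thread or of HijackThis, that turns those judgements into checkable rules and runs them over a constructed sample made of lines copied from the log in this thread. The rule names, the SYSTEM_BINARIES set and the decision to flag every O17 NameServer for review are this example's own assumptions.

```python
"""Triage of HijackThis-style log lines.

Added example, not part of the thread: it encodes, as rules, the kinds of
entries the helper picked out by hand (hosts redirects, nameless BHOs,
autoruns in odd locations, Trusted Zone additions, hard-coded DNS servers,
Winlogon Notify DLLs outside System32).
"""
import ntpath
import re
from typing import List, Optional, Tuple

# Assumption: these core Windows binaries legitimately live only in System32;
# a same-named file elsewhere is the masquerade seen in this thread's log.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

_O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$", re.I)
_EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)\b', re.I)
_O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>\S+)", re.I)
_O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<dll>.+)$", re.I)


def classify_autorun(cmd: str) -> Optional[str]:
    """Return a reason string if an O4 Run command looks out of place."""
    m = _EXE_RE.match(cmd)
    if not m:
        return None
    path = m.group("path")
    if "\\" not in path:
        return "bare filename autorun, resolved through PATH at logon"
    folder = ntpath.dirname(path).lower()
    name = ntpath.basename(path).lower()
    if name in SYSTEM_BINARIES and folder != SYSTEM32:
        return "system binary name running from outside System32"
    if "\\system32\\services\\" in path.lower():
        return "autorun from a System32\\Services subfolder"
    if folder == r"c:\windows\system":
        return "executable in the legacy C:\\WINDOWS\\System folder"
    return None


def classify(line: str) -> Optional[str]:
    """Return the first rule an HJT line trips, or None if it looks benign."""
    if line.startswith("O1 - Hosts:"):
        return "hosts-file redirect"
    if line.startswith("O2 - BHO: (no name)"):
        return "browser helper object with no name"
    if line.startswith("O15 - Trusted Zone:"):
        return "domain added to the IE Trusted Zone"
    m = _O17_RE.match(line)
    if m:
        return "hard-coded DNS servers: " + m.group("servers")
    m = _O20_RE.match(line)
    if m and ntpath.dirname(m.group("dll")).lower() != SYSTEM32:
        return "Winlogon Notify DLL outside System32"
    m = _O4_RE.match(line)
    if m:
        return classify_autorun(m.group("cmd"))
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every line that trips a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append((reason, line))
    return findings


# Constructed sample: lines copied from the log in this thread, mixing
# flagged entries with legitimate ones (Pop-Up Blocker, NeroCheck, gcasServ).
SAMPLE_LINES = [
    r"O1 - Hosts: auto.search.msn.com 127.0.0.1",
    r"O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll",
    r"O2 - BHO: (no name) - {77BE0ED7-9115-95EF-4992-97BC600AE69F} - C:\WINDOWS\System32\oslgp.dll",
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s",
    r"O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4B2BBEE7-BD76-46D6-A6A4-6482D73F75F1}\SVCHOST.EXE",
    r"O4 - HKLM\..\Run: [Uint32] lpt.exe",
    r'O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"',
    r"O15 - Trusted Zone: *.slotchbar.com (HKLM)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{42C4794D-FF7E-40B3-9949-9D5288F22087}: NameServer = 69.50.184.84,195.225.176.37",
    r"O20 - Winlogon Notify: style2 - C:\WINDOWS\q1478355_disk.dll",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LINES):
        print(f"[{reason}]\n    {line}")
```

The rules are deliberately allowlist-free, so they only catch the structural oddities a reviewer can defend from the line itself (a bare filename, a system binary name in the wrong folder, a DLL in the Windows root); entries like the randomly named Qavq.exe under Program Files still need the human judgement the reply applies, and every O17 hit is a review prompt rather than a verdict, since a static, ISP-assigned resolver would look the same.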

#3 Elm
  • Topic Starter
  • Members
  • 17 posts

Posted 13 June 2005 - 05:18 PM

Hi ddeerrff, and thanks for the reply. I looked for the files you wanted but they were not there, as well as several others. I think they change when I reboot. Here are the log files you asked for. I found Aurora file, SurfSideKick3, SpySheriff and WareOut in the reg under current user; can I delete them? Forget Aurora file, it's gone.

Volume in drive C has no label.
Volume Serial Number is 182D-18D4

Directory of C:\WINDOWS\system32

10/31/2002 05:10 PM <DIR> wins
08/18/2001 05:00 AM 166,912 wintrust.dll
08/18/2001 05:00 AM 93,184 winscard.dll
08/18/2001 05:00 AM 14,848 winrnr.dll
08/18/2001 05:00 AM 25,600 winipsec.dll
06/04/1996 11:09 PM 12,800 wing32.dll
06/23/1995 10:55 AM 92,208 WING.DLL
06/23/1995 10:55 AM 188,960 WINGDE.DLL
06/23/1995 10:55 AM 6,736 WINGDIB.DRV
08/18/2001 05:00 AM 4,096 winver.exe
08/18/2001 05:00 AM 414,720 wiaacmgr.exe
08/18/2001 05:00 AM 449,536 wiadefui.dll
08/18/2001 05:00 AM 70,656 wiascr.dll
08/29/2002 03:41 AM 119,808 wiadss.dll
08/18/2001 05:00 AM 40,448 wiasf.ax
08/18/2001 05:00 AM 568,832 wiashext.dll
08/18/2001 05:00 AM 104,448 wiavideo.dll
08/18/2001 05:00 AM 145,408 wiavusd.dll
08/18/2001 05:00 AM 9,216 wifeman.dll
08/18/2001 05:00 AM 18,432 win.com
08/18/2001 05:00 AM 13,312 win87em.dll
08/18/2001 05:00 AM 9,216 winfax.dll
08/18/2001 05:00 AM 32,674 winhelp.hlp
08/18/2001 05:00 AM 8,192 winhlp32.exe
08/18/2001 05:00 AM 11,776 winmsd.exe
08/18/2001 05:00 AM 5,120 winnls.dll
08/18/2001 05:00 AM 762,368 winntbbu.dll
08/18/2001 05:00 AM 2,080 winoldap.mod
08/18/2001 05:00 AM 2,864 winsock.dll
08/18/2001 05:00 AM 2,112 winspool.exe
08/18/2001 05:00 AM 18,944 winstrm.dll
08/29/2002 03:41 AM 48,128 winsta.dll
08/29/2002 03:41 AM 171,520 winmm.dll
08/29/2002 03:41 AM 599,040 wininet.dll
08/29/2002 03:41 AM 316,416 wiaservc.dll
08/29/2002 01:09 AM 403,456 winbrand.dll
08/18/2001 05:00 AM 119,808 winmine.exe
08/18/2001 05:00 AM 35,328 winchat.exe
10/31/2002 05:20 PM 488 WindowsLogon.manifest
08/29/2002 03:41 AM 276,480 winsrv.dll
08/29/2002 03:41 AM 132,096 winspool.drv
08/29/2002 03:41 AM 516,608 winlogon.exe
08/29/2002 03:41 AM 99,328 win32spl.dll
08/29/2002 02:14 AM 1,813,632 win32k.sys
07/24/1994 05:23 PM 14,928 wingen.drv
08/17/2001 10:36 PM 87,040 wiafbdrv.dll
07/01/2004 06:08 PM 331,776 winhttp.dll
06/10/2005 07:49 PM 14,336 wirl.dll
47 File(s) 8,395,914 bytes
1 Dir(s) 68,904,615,936 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 5:44:54 PM, on 6/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sder\dees.exe
C:\WINDOWS\System32\??rvices.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetMedia\Versato.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Highjackthiis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shopnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [Skqhtp] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [ParisM] DTOURS.exe
O4 - HKCU\..\Run: [forces_elite] PrcIdle.exe
O4 - HKCU\..\Run: [driver64] runload32.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shopnbc.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
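The find_wirl.bat from the earlier reply dumps `dir /a wi*.*` so that the listing can be read by eye, and in the listing posted above the one file that does not belong, wirl.dll, is also the only one with a 2005 timestamp among files from 2001 and 2002. The Python below is an added example, not part of the thread, that parses such a `dir` listing and ranks files by modification time relative to the scan date; the sample listing is a constructed subset of the one posted above, and the 30-day window and the SCAN_DATE of 6/13/2005 (the day the listing was posted) are this example's own assumptions.

```python
"""Timestamp triage of a `dir` listing.

Added example, not from the thread: parses cmd.exe `dir` output and sorts
files by modification time relative to the date of the scan, so that a
freshly dropped file stands out among years-old system files.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# One `dir` line: date, time, <DIR> or byte count, name. \s+ tolerates the
# column padding real cmd.exe output has and that forum posts collapse.
_DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


@dataclass
class Entry:
    name: str
    size: int
    mtime: datetime


def parse_dir_listing(text: str) -> List[Entry]:
    """Return file entries; directories and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _DIR_LINE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        mtime = datetime.strptime(m.group("date") + " " + m.group("time"),
                                  "%m/%d/%Y %I:%M %p")
        size = int(m.group("size").replace(",", ""))
        entries.append(Entry(m.group("name"), size, mtime))
    return entries


def recent_files(entries: List[Entry], as_of: datetime, days: int) -> List[Entry]:
    """Files modified within `days` of `as_of`, newest first."""
    cutoff = as_of - timedelta(days=days)
    hits = [e for e in entries if e.mtime >= cutoff]
    return sorted(hits, key=lambda e: e.mtime, reverse=True)


# Constructed sample: a subset of the listing posted in this thread.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 182D-18D4

 Directory of C:\\WINDOWS\\system32

10/31/2002 05:10 PM <DIR> wins
08/18/2001 05:00 AM 166,912 wintrust.dll
08/29/2002 03:41 AM 599,040 wininet.dll
08/29/2002 03:41 AM 516,608 winlogon.exe
07/01/2004 06:08 PM 331,776 winhttp.dll
06/10/2005 07:49 PM 14,336 wirl.dll
47 File(s) 8,395,914 bytes
1 Dir(s) 68,904,615,936 bytes free
"""

# Assumption: the listing was taken on the day it was posted, 6/13/2005.
SCAN_DATE = datetime(2005, 6, 13)

if __name__ == "__main__":
    files = parse_dir_listing(SAMPLE_LISTING)
    for e in recent_files(files, SCAN_DATE, days=30):
        print(f"{e.mtime:%Y-%m-%d %H:%M}  {e.size:>10,}  {e.name}")
```

A recent timestamp is only a prompt for a closer look: a hotfix installed the week before would land in the same window, which is why the reply asks for the listing rather than acting on the date alone.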

#4 ddeerrff
  • Malware Response Team (Retired)
  • 2,717 posts
  • Gender: Male
  • Location: Upper Midwest, US

Posted 13 June 2005 - 06:28 PM

Open the Control Panel then double click on Add/Remove Programs. Look for the following and uninstall them if found:

- SpySheriff
- WareOut


Be sure Microsoft AntiSpyware is still configured with the resident protection disabled. The instructions for that again are:

Open Microsoft AntiSpyware.
  • Click on Tools, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Click here and download Killbox by Option^Explicit.
- Extract the program to your desktop and double-click on its folder.
- Then double-click on Killbox.exe to start the program.
- In the killbox program, select the Delete on Reboot option.
- Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\winstall.exe
C:\WINDOWS\System32\syst1.exe
C:\WINDOWS\System32\syst2.exe
C:\WINDOWS\System32\syst3.exe
C:\WINDOWS\System32\cidft.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\gupd.dll
C:\WINDOWS\System32\hst32.dll
C:\WINDOWS\System32\icnfe.dll
C:\WINDOWS\System32\icqrt.dll
C:\WINDOWS\System32\icvbr.dll
C:\WINDOWS\System32\sdfup.dll
C:\WINDOWS\System32\thun.dll
C:\WINDOWS\System32\wcnl32.dll
C:\WINDOWS\System32\wecxg32.dll
C:\WINDOWS\System32\wirl.dll
C:\WINDOWS\System32\xcwer32.dll
C:\WINDOWS\System32\zxmsn.dll


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Pending Operations prompt.


Reboot again, this time into Safe Mode.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [Skqhtp] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [ParisM] DTOURS.exe
O4 - HKCU\..\Run: [forces_elite] PrcIdle.exe
O4 - HKCU\..\Run: [driver64] runload32.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following folders (Don't be concerned if they can not be found):

C:\Program Files\sder\ <--Folders
C:\Program Files\WareOut\
C:\Program Files\SpySheriff\

Reboot normally.


Be sure your copy of Ad-Aware is Ad-aware SE v1.06r1. If not, download Ad-aware SE v1.06 from LavaSoft. Update it and run a "Full scan", but uncheck "Search for negligible risk entries" and "Search for low-risk threats". Allow Ad-aware to remove anything it finds.

Post a fresh HJT log.
Derfram
~~~~~~

#5 Elm
  • Topic Starter
  • Members
  • 17 posts

Posted 13 June 2005 - 10:53 PM

Hi, the exe files in the list will not copy in Killbox when I copy from the clipboard. I can only do the exe files one at a time but not when the other dll files are in Killbox. Will that work if I kill 1 and reboot, etc., and should I kill the files in order, exe first? Also the SpySheriff and WareOut are not in Add/Remove because I already removed them, but there are still references to them in the registry. Should I delete the registry references? Thank you so much for your help.

Edited by Elm, 13 June 2005 - 10:57 PM.


#6 ddeerrff
  • Malware Response Team (Retired)
  • 2,717 posts
  • Gender: Male
  • Location: Upper Midwest, US

Posted 13 June 2005 - 11:03 PM

Don't do any manual registry editing unless I ask you to.

Try using Killbox on the .dll files first (delete on reboot), then come back and do the .exe's. Entering them one by one instead of copy/paste is OK if that works for you. If you can manually delete them, that would be OK too, the idea is just to be sure all the listed files have been removed. 'Wirl' is a fairly new infection and the fix is still being tweaked.
Derfram
~~~~~~

#7 Elm
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2005 - 12:26 AM

OK, here's how it went. I could not find any of the exe files. After returning to normal mode I ran Ad-Aware 1.06 and it locked up at HKEY_local_Machine\software\.. with 30164 objects scanned. I tried in safe mode also, same result. This is 1 of the problems I have been having. I redownloaded it, got the updates and same results. I can not change my desktop background; the box is whited out and locked up.
Here is my new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:05:24 AM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetMedia\Versato.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NetMedia\OSD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Highjackthiis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shopnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shopnbc.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 ddeerrff
  • Malware Response Team (Retired)
  • 2,717 posts
  • Gender: Male
  • Location: Upper Midwest, US

Posted 14 June 2005 - 09:10 AM

Your HJT is actually clear at this time. Let's move our attention to the desktop problem.

Download smitfraud.reg to your desktop.
- Double click the smitfraud.reg icon on your desktop.
- When it asks if you want to add the data to the registry, say Yes.


Go to the Control Panel and do the following:

- Click on the Display item.
- Click on the Desktop tab.
- Click on the Customize Desktop button.
- Click on the Web tab.
- In the Web Pages area:
--- Remove the checkmark from each item in the box.
--- Click on each item in turn and click the Delete button.
- Click the Ok button.
- Make any changes to your Desktop, Background and Themes that you want and then close the Display dialog.

Can you configure your desktop now?
Derfram
~~~~~~

#9 Elm
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2005 - 09:22 PM

Hi, that worked great, desktop back. She seems to be working fine now. The Ad-Aware still hangs, but if I disable deep reg scan it will complete. There are several shortcuts that don't work, so I think I just have to reinstall; some of them get a 16-bit error. I scanned with Microsoft's AntiSpyware and it found 3: SurfSideKick, Media Tickets CDT, and a possible IE hijack: about:blank. There are some programs that are just gone. I just cannot thank you enough for your help. I have run into this on 2 other PCs and just reloaded, but I didn't have the disk for this one. My friend is so happy :thumbsup:
Question: I have the firewall with real-time protection, SpywareBlaster, and Microsoft AntiSpyware all running with full protection enabled; is that alright?
Again, thank you. Elm

#10 ddeerrff (Retired, Malware Response Team)

Posted 14 June 2005 - 09:43 PM

the Ad-Aware still hangs but if I disable deep reg scan it will complete.

That's been known to happen on other systems, and I don't think a root cause was ever found. Just leave the deep Registry scan turned off.

For the "16 bit error", download and run XP_Fix.exe from here. Another not uncommon problem.

Your protection sounds reasonable. You may want to run one or two online virus scans from the following list:

TrendMicro Housecall
Panda ActiveScan
BitDefender On-Line Virus Scan
CA eTrust AV WebScanner
Symantec Security Check

Allow the online scan to remove anything they find.


Now that you are clean, please follow these steps in order to keep your computer safe and secure:

How did I get infected?, With steps so it does not happen again!
Simple and easy ways to keep your computer safe and secure on the Internet

Glad we were able to be of help.
Derfram
~~~~~~

#11 Elm (Topic Starter)

Posted 15 June 2005 - 06:38 AM

Hi. Went to Panda to do a scan, and when I clicked on your link for Panda a popup came up for Viagra. Then I went back and clicked on it again and it took me to Panda. Did a scan and it found 48 files. Went to copy the log, and before I got a chance to highlight the log the page changed to adware and I couldn't copy the log. I'm all infected again. Here's my latest HJT log and Freedom antivirus. Also my favorites in IE are full of gambling and sex links.

Logfile of HijackThis v1.99.1
Scan saved at 7:14:04 AM, on 6/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetMedia\Versato.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Highjackthiis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shopnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shopnbc.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DB66C9-6E5C-452E-9E6A-620FDFE2201F}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Freedom® Anti-Virus
Scanning Report (6/15/2005 4:47:18 AM)
Master Boot Records and Fixed Disk Boot Sectors
Scanned 1 Master Boot Record(s) for viruses.

Scanned 1 Boot Sector(s) for viruses.

Your Master Boot Record(s)/Boot Sector(s) are not infected.

Files
Drive C:\
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternet.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin10.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin11.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin12.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin13.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin14.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin15.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin16.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin17.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin18.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin19.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin20.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin21.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin22.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin23.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin24.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin25.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin4.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin5.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin6.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin7.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin8.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin9.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RingRing.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RingRing1.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindUpdates.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\nCase.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080034.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080047.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080064.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080086.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080102.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080113.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080140.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080163.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080203.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080222.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080240.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080273.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080274.exe

File infected with "W32/Downloader.CRN" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080327.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP162\A0081701.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP162\A0081702.exe

File infected with "W32/Downloader.CRL" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP162\A0081703.exe

File infected with "W32/Downloader.CRN" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP162\A0081704.exe

File infected with "W32/Downloader.CRM" virus and was successfully deleted.
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP162\A0081705.exe

File infected with "W32/Downloader.CRK" virus and was successfully deleted.
Files scanned: 57319
Infected files: 19
Disinfected files: 0
Deleted files: 19
Files unable to scan: 33
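The HJT log in the post above reached the forum with most entries wrapped over two or three lines, which is what makes it hard to read at a glance. The following Python script is an added example, not code from the thread or from HijackThis: it re-joins wrapped entries, parses the type codes, and applies a short review checklist of its own (an entry marked "(file missing)", an O17 NameServer override, an O23 service with no recognised owner, an O16 ActiveX control with no download URL recorded). The sample lines are constructed from entry types that appear in this thread; the checklist marks entries for a person to look at and is not a verdict on any of them.

```python
"""Re-join and triage HijackThis 1.99 log entries.

Added example, not code from the thread or from HijackThis. The review rules
are this example's own checklist: they mark entries for a person to look at,
they do not decide that something is malware.
"""
import re

# HJT writes one entry per line, each starting with a type code ("O4 - ").
ENTRY_START = re.compile(r"^(?P<type>[RFNO]\d{1,2}) -\s?(?P<body>.*)$")

# Constructed sample using entry types seen in this thread; three entries are
# wrapped across blank lines the way the forum rendering above wrapped them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://home.netscape.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime

Environment 1.4.0_01) -
O17 -

HKLM\System\CCS\Services\Tcpip\..\{72DB66C9-6E5C-452E-9E6A-620FDFE2201F}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def join_wrapped(log_text):
    """Glue continuation lines back onto the entry they belong to.

    Any non-blank line that does not start with a type code is treated as the
    tail of the previous line, which undoes forum/e-mail wrapping.
    """
    joined = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined


def parse_entries(log_text):
    """Return [{'type': 'O23', 'body': '...', 'raw': '...'}, ...], skipping
    the header and the process list."""
    entries = []
    for line in join_wrapped(log_text):
        m = ENTRY_START.match(line)
        if m:
            entries.append({"type": m["type"], "body": m["body"], "raw": line})
    return entries


def review(entries):
    """Apply the checklist; return (type, reason, raw) for every hit."""
    hits = []
    for e in entries:
        t, body, raw = e["type"], e["body"], e["raw"]
        if "(file missing)" in body:
            hits.append((t, "points at a file that no longer exists (orphaned entry)", raw))
        if t == "O17":
            hits.append((t, "DNS server override; confirm the address is your ISP's resolver", raw))
        if t == "O23" and "Unknown owner" in body:
            hits.append((t, "service binary carries no recognised publisher", raw))
        if t == "O16" and not re.search(r"- https?://\S+$", body):
            hits.append((t, "ActiveX control with no download URL recorded", raw))
    return hits


if __name__ == "__main__":
    for t, reason, raw in review(parse_entries(SAMPLE_LOG)):
        print("%-4s %s\n     %s" % (t, reason, raw))
```

Run against a real log, the O17 rule will fire on every machine whose DNS is set statically (the AOL resolver in the log above is one such case), so the point of the output is a short list to check against what you know about the machine, not a list of things to delete.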

#12 ddeerrff (Retired, Malware Response Team)

Posted 15 June 2005 - 12:01 PM

Freedom® Anti-Virus

Files
Drive C:\
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternet.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.
[.....]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\nCase.zip
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.

These would be the quarantined backup files Spybot created. You can clear these: Open Spybot. On the 'Spybot-S&D' tab, select "Recovery". Check all 'Backup' items then click on "Purge Selected Items".

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask
This file couldn't be scanned because it contains encrypted files. Please decrypt the file(s) and scan them manually.

I've never seen Ad-aware's 'skins' being flagged as malware. This is probably being flagged only because it is a compressed file Freedom isn't able to look at. Remove Ad-aware and download/install a fresh copy to be sure if you are concerned about this one.


C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP160\A0080034.exe
File infected with "W32/Downloader.CRL" virus and was successfully deleted.
[.....]
C:\System Volume Information\_restore{A816CE00-8BCE-436D-8D77-5743AF79146C}\RP162\A0081705.exe
File infected with "W32/Downloader.CRK" virus and was successfully deleted.

WindowsXP periodically creates partial backups (snapshots) of the system to provide data for 'System Restore'. These files are all in that _restore folder.

I normally do not ask to have the system restore files purged in my cleanups. My philosophy is that having an infected backup is better than no backup at all. But if you wish to clear these then:

Purge Restore points:

XP System Restore periodically creates a partial system backup. It is quite likely that some of the now removed malware has been 'backed up' in those files.

Disable System Restore by following the instructions here,
Reboot,
Re-enable System Restore by following the instructions here.


If you delete the unwanted IE Favorites, do they return?

Your HJT log remains clean. It is troubling that you would get a pop-up visiting PandaSoft. HJT is very useful, but it does not find everything. Let's use another tool to look:

Download Silent Runners and unzip it into its own folder. Do not run it yet.

Run SilentRunners.vbs.
Some AV programs attempt to protect you from unsolicited and possibly malicious scripts. If your antivirus complains about this one, tell it to allow.

Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply.
Derfram
~~~~~~

#13 Elm (Topic Starter)

Posted 15 June 2005 - 04:07 PM

Hi, when I clicked on the link for Panda from this site it took me to that other page, so I typed it in and got there OK, then retried your link and it worked OK. Yes, the links come back, the same ones, but only when I use IE, not when I use AOL.
If you don't think it necessary to purge the restore points, I won't?
I uninstalled Ad-Aware and Spybot and downloaded fresh copies of both, and FYI Ad-Aware still freezes up, so I just untick the deep reg scan and it works.
I'm running another virus scan and will download and install Silent Runners as soon as it's done. Thank you for your help. Elm

#14 Elm (Topic Starter)

Posted 15 June 2005 - 04:35 PM

Here is the log
"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"3DMouse" = "C:\PROGRA~1\3DMouse\3DMouse.EXE" ["Dritek System Inc."]
"Lexmark X74-X75" = ""C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"" ["Lexmark International, Inc."]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"Freedom" = "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" ["Zero-Knowledge Systems Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\pkR.dll" ["Zero-Knowledge Systems Inc."]
{56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll" ["Zero-Knowledge Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q1478355_disk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csriy.exe" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\mike\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "mike" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"NetMedia" -> shortcut to: "C:\Program Files\NetMedia\Versato.exe" ["WayTech Development, Inc."]
"InterVideo WinScheduler" -> shortcut to: "C:\Program Files\InterVideo\WinDVR\WinScheduler.exe" ["InterVideo Inc."]
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.shopnbc.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE" ["America Online, Inc."]
DvpApi, dvpapi, "C:\Program Files\Common Files\Command Software\dvpapi.exe" ["Command Software Systems, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#15 ddeerrff (Retired, Malware Response Team)

Posted 16 June 2005 - 09:46 AM

Sorry for the delay, I needed to get a consult on this one.

Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy & paste the following block of text into Notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}]

[-HKEY_CLASSES_ROOT\CLSID\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad.

Now double-click on the fix.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fix.reg.

Reboot your PC.


Download http://www.bleepingcomputer.com/files/pfind.php
- Create a folder C:\pfind and extract pfind-new.zip into it.
- Then open c:\pfind and double-click on pfind.bat.

When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

Edited by ddeerrff, 16 June 2005 - 09:58 AM.

Derfram
~~~~~~
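The two posts above are the core of the cleanup: Silent Runners (post #14) flags three "INFECTION WARNING!" entries, and the fix (post #15) removes only two of them, leaving the Microsoft AntiSpyware ShellExecuteHook alone. That distinction is the part worth automating carefully. The script below is an added example, written for this page and not code from the thread, from Silent Runners or from BleepingComputer: it parses a Silent Runners excerpt (constructed here from the three warnings in post #14), applies a triage rule of its own that proposes removal only where the log's evidence is unambiguous (an InProcServer32 DLL tagged [file not found], or a non-empty Winlogon "System" value), and emits a REGEDIT4 file in the same shape as the one ddeerrff posted. The "remove"/"review" labels are this example's own heuristic, not a Silent Runners verdict.

```python
"""Turn Silent Runners "INFECTION WARNING!" lines into a REGEDIT4 fix file.

Added example, not code from the thread, from Silent Runners or from
BleepingComputer. The triage rule is this example's own: removal is proposed
only where the log is unambiguous (a server DLL that no longer exists, or a
non-empty Winlogon "System" value); everything else is left for a person.
"""
import re

# Constructed excerpt in Silent Runners' output format, using the three
# warnings reported in this thread.
SR_EXCERPT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q1478355_disk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csriy.exe" [null data]
"""

WARNING = re.compile(
    r'^INFECTION WARNING! "(?P<name>[^"]+)" = "(?P<value>[^"]*)"(?: \[(?P<note>[^\]]*)\])?'
)
SERVER = re.compile(
    r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "(?P<dll>[^"]*)" \[(?P<tag>[^\]]*)\]$'
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_warnings(text):
    """One dict per INFECTION WARNING!: the key it sits under and, for CLSID
    entries, the InProcServer32 DLL plus Silent Runners' tag for that DLL
    ("file not found", "MS", a quoted company name, ...)."""
    lines = [ln.strip() for ln in text.splitlines()]
    warnings, current_key = [], None
    for i, line in enumerate(lines):
        if line.startswith("HK") and line.endswith("\\"):
            current_key = line.rstrip("\\")   # key headers end in a backslash
            continue
        m = WARNING.match(line)
        if not m:
            continue
        w = {"key": current_key, "name": m["name"], "value": m["value"],
             "note": m["note"], "dll": None, "tag": None}
        if i + 1 < len(lines):
            s = SERVER.match(lines[i + 1])   # "->" line follows CLSID warnings
            if s:
                w["dll"], w["tag"] = s["dll"], s["tag"]
        warnings.append(w)
    return warnings


def triage(w):
    """'remove' only on unambiguous evidence; otherwise 'review'."""
    if w["key"].endswith("\\Winlogon") and w["name"] == "System":
        # Winlogon\System is an empty string on a stock XP install; anything
        # named here is started by winlogon.exe in the system context.
        return "remove" if w["value"] else "review"
    if w["tag"] == "file not found":
        # An in-process server whose DLL is gone is at best a dead entry and
        # at worst a slot that whatever dropped it will refill.
        return "remove"
    # A DLL that exists and carries a publisher tag ([MS], ["Company"]) needs
    # a person to look at it, as ddeerrff did with the AntiSpyware hook.
    return "review"


def build_reg_fix(warnings):
    """Emit a REGEDIT4 script (CRLF line endings) for the 'remove' set."""
    out = ["REGEDIT4", ""]
    for w in warnings:
        if triage(w) != "remove":
            continue
        hive, _, rest = w["key"].partition("\\")
        full_key = HIVES.get(hive, hive) + "\\" + rest
        if w["name"].startswith("{"):
            # Drop the autostart reference and the orphaned COM class itself.
            out.append("[-%s\\%s]" % (full_key, w["name"]))
            out.append("[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % w["name"])
        else:
            # Reset to the stock (empty) value rather than deleting the value.
            out.append("[%s]" % full_key)
            out.append('"%s"=""' % w["name"])
        out.append("")
    return "\r\n".join(out)


if __name__ == "__main__":
    found = parse_warnings(SR_EXCERPT)
    for w in found:
        print(triage(w).upper(), w["key"], w["name"],
              w["dll"] or w["value"], w["tag"] or w["note"])
    print(build_reg_fix(found))
```

The generated file should be read before it is merged: a `[-KEY]` line deletes the whole key, so a parser that mis-attributed a warning to the wrong header would produce a destructive script. Saving it as ANSI text with a `.reg` extension and double-clicking it does the same thing as the manual Notepad steps in post #15.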
