about:blank


5 replies to this topic

#1 limosforu (Members, 16 posts)

Posted 20 June 2005 - 12:44 PM

OS: XP Pro
Celeron 2.4ghz
256 mb sdram

I have run updated versions of NAV, Ad-Aware, PestPatrol, Spybot, Adware Away, HijackThis, and Spy Sweeper in both safe and normal mode, but nothing seems to fix the about:blank problem. I also deleted some entries in HijackThis, but apparently not enough entries. After I deleted the apibo32.exe, it came back when I performed a second HijackThis scan. Could that mean that HijackThis may be ineffective?

I heard from a very reliable source that I should uninstall all spyware programs except Pest Patrol and Ad-Aware Personal SE, so I did. I also uninstalled Firefox, and after doing all of that, my computer seems to be running better. However, every minute for the past hour or so, a Symantec AntiVirus Notification pops up and says the same thing: Threat found: Trojan Horse. File: C:\WINDOWS\SYSTEM32\craq32.exe

I tried to restore to an earlier date, but the only date I could click on is today's date.

Below is my log file. Could someone please help me with this?

Thanks,
Barth


Logfile of HijackThis v1.99.1
Scan saved at 2:30:16 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\craq32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\ierj32.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mmckenzie\Desktop\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\djoks.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\djoks.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F4E130BF-0A02-9105-6005-91173CBE07AA} - C:\WINDOWS\system32\ntgt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ierj32.exe] C:\WINDOWS\system32\ierj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117319174859
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D68511D2-6041-4598-8C15-34977506190E}: NameServer = 129.83.20.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\craq32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
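
The log above carries the tells of this infection in four places: the R0/R1 search entries pointing at a res:// page inside a DLL in C:\WINDOWS (djoks.dll), a BHO with no class name loading ntgt.dll from system32, a Run value named after its own executable (ierj32.exe), and a service with "Unknown owner" whose key name is garbage (the " 11F#`I" in parentheses) running craq32.exe, which also appears in the running-process list. The following is an added example, not part of the original post and not HijackThis code: a small triage script that applies exactly those checks to HijackThis-style log text. The two sample logs are constructed, trimmed copies of the first log above and of the follow-up log posted later in this thread; the rogue display-name list is the one the helper gives in the next post, and every other name in the script is the author's own.

```python
# Added example (not code from the original post or from HijackThis): flag the
# CoolWebSearch tells visible in the log above and report which flagged
# binaries were running when the log was taken.
import re

# Constructed samples: trimmed copies of the two HijackThis logs posted in this
# thread (the one above and the follow-up), each with a benign line kept for
# contrast.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\craq32.exe
C:\WINDOWS\system32\ierj32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\djoks.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F4E130BF-0A02-9105-6005-91173CBE07AA} - C:\WINDOWS\system32\ntgt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ierj32.exe] C:\WINDOWS\system32\ierj32.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\craq32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djoks.dll/sp.html#37049
O2 - BHO: Class - {F4E130BF-0A02-9105-6005-91173CBE07AA} - C:\WINDOWS\system32\ntgt.dll
O4 - HKLM\..\Run: [ierj32.exe] C:\WINDOWS\system32\ierj32.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\craq32.exe (file missing)
"""

RE_RES = re.compile(r"^R[013] - .*= res://[^/]+/", re.IGNORECASE)  # search/start page served from a local DLL
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_RUN = re.compile(r"^O4 - .*\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
RE_PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
RE_SVC = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]*)\))?$")

# Display names the helper post in this thread lists for the rogue service.
ROGUE_DISPLAY_NAMES = {"Workstation NetLogon Service", "Remote Procedure Call (RPC) Helper",
                       "Remote Access Service", "Network Security Service (NSS)"}


def basename(path):
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def parse_service(line):
    """Split 'O23 - Service: <display> (<short>) - <owner> - <path>'."""
    body = line.split("O23 - Service: ", 1)[1]
    head, _, path = body.rpartition(" - ")
    head, _, owner = head.rpartition(" - ")
    m = RE_SVC.match(head)
    return {"display": m["display"], "short": m["short"], "owner": owner,
            "path": path.replace("(file missing)", "").strip(),
            "missing": path.endswith("(file missing)")}


def looks_like_service_name(short):
    # Real key names are plain identifiers; this variant uses punctuation and control bytes.
    return short is None or re.fullmatch(r"[A-Za-z0-9_. -]+", short) is not None


def triage(log_text):
    """Log lines matching each indicator, plus the flagged binaries that were live."""
    hits = {k: [] for k in ("res_hijack", "suspect_bho", "suspect_run", "rogue_service")}
    running, in_procs = set(), False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:                      # the process list ends at the first blank line
            if line:
                running.add(basename(line))
            else:
                in_procs = False
        elif RE_RES.match(line):
            hits["res_hijack"].append(line)
        elif (m := RE_BHO.match(line)) and m["name"].strip() in {"Class", "(no name)", ""}:
            hits["suspect_bho"].append(line)   # BHO registered without a class name
        elif (m := RE_RUN.match(line)) and (p := RE_PATH.search(m["cmd"])) \
                and basename(p[0]) == m["value"].strip().lower():
            hits["suspect_run"].append(line)   # Run value named after its own executable
        elif line.startswith("O23 - Service: "):
            svc = parse_service(line)
            if svc["owner"] == "Unknown owner" and (
                    svc["display"] in ROGUE_DISPLAY_NAMES or not looks_like_service_name(svc["short"])):
                hits["rogue_service"].append(line)
    flagged = {basename(p) for lines in hits.values() for l in lines for p in RE_PATH.findall(l)}
    hits["live_binaries"] = sorted(flagged & running)   # flagged files that were executing
    return hits


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, triage(log))
```

Run with no arguments to print the hits for both logs. The point of the "after" run is that a scanner deleting craq32.exe leaves the Run value, the BHO, the res:// hijack and the service registration (now reported as "file missing") in place, which is why the follow-up log in this thread still shows all four.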


#2 groovicus (Security Colleague, 9,963 posts, Centerville, SD)

Posted 21 June 2005 - 06:20 PM

Oh.. you have one of my favorite infections:

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Printer Icon in the upper LH corner next to the Post Reply button)


Please continue with the next step if you run into a problem with the current one. Just be sure to let me know if any problems occurred for each step when you reply.

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/


STEP 2:
Please download CWShredder Version 2.1 here. http://cwshredder.net/bin/CWShredder.exe

Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster from RubbeR DuckY here
http://www.malwarebytes.biz/AboutBuster5.zip



Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.

Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.

NOTE: You might want to view this AboutBuster tutorial here http://www.besttechie.net/forums/index.php?showtopic=1488
first before running the tool.

Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here.
Please configure the program by following these instructions here. http://www.bleepingcomputer.com/tutorials/use-ad-aware-2007-to-remove-spyware/

Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
http://www.spywareinfo.dk/download/mwav.exe

Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite 3.0

NOTE: The Ewido Security Suite 3.0 utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite 3.0 are Windows 2000 or Windows XP.

1.) Download and install the Ewido Security Suite 3.0 here
http://download.ewido.net/ewido-setup.exe

2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.

STEP 7:

You must first STOP and DISABLE the rogue Service:

There are different Display Names to look for:

Workstation NetLogon Service
Remote Procedure Call (RPC) Helper
Remote Access Service
Network Security Service (NSS)


Go to Start => Run and type "Services.msc" (without quotes) then click Ok.

1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

STEP 8:
Copy the contents of the Quote Box below to Notepad. Name the file cwsresfix.reg.
Change the Save as Type to All Files, Save this file on the desktop.
Please DO NOT include the word QUOTE when saving the file.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F?? #????`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]





STEP 9:
Please reboot into Safe Mode. For instructions click here
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).

STEP 10:
From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds.
After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe.
1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK.
It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.

STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop.
A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK.
After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears.
In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive.
eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed.
To close the interface, click OK, click Exit, then click Exit again.

STEP 13:
From Safe Mode, run the Ewido Security Suite 3.0.

1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.

STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.

Run the program again a second time.

STEP 15:
From Safe Mode, double-click on the cwsresfix.reg
you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
Now reboot the PC back into Normal Mode (Windows).

STEP 16:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file.
Make sure you always perform a Windows search for these files after the cleanup.

Go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows XP, it will be found here:

C:\Windows\System32
C:\Windows\System


Now look for the control.exe file.
For Windows XP it will be found here:

C:\Windows\System32

If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.

For Windows XP, a replacement can be found here:

C:\Windows\System32\dllcache

Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded from here. http://www.spywareinfo.com/~merijn/winfiles.html

Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.

Please post your HijackThis log, the About:Buster log, and the Ewido log for review.

Be sure to tell me how each step ran or what problems you had with a step.
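
As an added example (not part of the post above and not from any of the tools it names), the following turns the names HijackThis printed for the rogue service into the step 7 actions and the step 8 .reg file, so the control-set loop is generated rather than typed by hand. The constants are taken from the O23 line in the first log of this thread; the display-name list is the one in step 7; sc.exe and regedit syntax are the standard Windows ones; every function name is the author's own. It writes one spelling of the key name, the one in the log, so if the name contains bytes the log did not preserve (the post above lists three spellings for that reason), confirm the exact key in regedit under HKLM\SYSTEM\CurrentControlSet\Services before merging.

```python
# Added example (not from the original post or from any of the tools it names):
# turn the rogue service's names, as HijackThis printed them, into the step 7
# commands and the step 8 .reg file.  sc.exe and regedit syntax are standard
# Windows; the name constants below are taken from the O23 line in this thread.
import re

SHORT_NAME = " 11F#`I"                    # registry key name under Services (printed in parentheses)
DISPLAY_NAME = "Workstation NetLogon Service"
IMAGE_PATH = r"C:\WINDOWS\system32\craq32.exe"

# Display names the post above says this infection uses.
ROGUE_DISPLAY_NAMES = {"Workstation NetLogon Service", "Remote Procedure Call (RPC) Helper",
                       "Remote Access Service", "Network Security Service (NSS)"}


def is_rogue(display, short, owner="Unknown owner"):
    """A service with no owner whose display name is on the list or whose key
    name is not a plain identifier (this variant uses punctuation and control bytes)."""
    garbage = re.fullmatch(r"[A-Za-z0-9_. -]+", short) is None
    return owner == "Unknown owner" and (display in ROGUE_DISPLAY_NAMES or garbage)


def control_sets(count=4):
    """CurrentControlSet plus ControlSet001..00N, the sets step 8 covers."""
    return ["CurrentControlSet"] + [f"ControlSet{i:03d}" for i in range(1, count + 1)]


def stop_commands(short, image_path):
    """Step 7 from a console instead of Services.msc (run as Administrator, from Safe Mode)."""
    return [
        f'sc stop "{short}"',
        f'sc config "{short}" start= disabled',   # sc needs the space after 'start='
        f'sc delete "{short}"',                    # removes the Services key, not the LEGACY_ enum key
        f'del /f "{image_path}"',
    ]


def removal_reg(short, count=4):
    """regedit 5.00 text deleting the service and its LEGACY_ device node in
    every control set; a leading '-' inside the brackets deletes the key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cs in control_sets(count):
        # Enum\Root names are the service key name upper-cased with a LEGACY_ prefix
        lines.append(rf"[-HKEY_LOCAL_MACHINE\SYSTEM\{cs}\Enum\Root\LEGACY_{short.upper()}]")
        lines.append(rf"[-HKEY_LOCAL_MACHINE\SYSTEM\{cs}\Services\{short}]")
        lines.append("")
    return "\r\n".join(lines)


def reg_file_bytes(text):
    """Version 5.00 .reg files are UTF-16LE with a BOM. Saving a name like this
    one as ANSI from Notepad can change the bytes of the key name, so encode it explicitly."""
    return b"\xff\xfe" + text.encode("utf-16-le")


if __name__ == "__main__":
    assert is_rogue(DISPLAY_NAME, SHORT_NAME)
    print("\n".join(stop_commands(SHORT_NAME, IMAGE_PATH)))
    print(removal_reg(SHORT_NAME))
    print(len(reg_file_bytes(removal_reg(SHORT_NAME))), "bytes to write as cwsresfix.reg")
```

sc delete removes the Services key but not the Enum\Root\LEGACY_ node, which is why the .reg file covers both, and why it also covers the numbered control sets (one of them is the Last Known Good configuration, so the service would come back on a fallback boot). If the Stop button is greyed out in Services.msc, as it was for the poster, sc stop will fail the same way; the .reg deletion from Safe Mode is what actually removes it.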

#3 limosforu (Topic Starter)

Posted 22 June 2005 - 11:43 AM

In reference to stopping the Remote Procedure Call service, both sets of buttons are greyed out/not shaded/not giving me the option to stop them.

I don't suppose you could just email me AboutBuster, because I tried to download it again, and it's still not working. You can email it to limosforu-at-yahoo.com if you'd like.

Thanks again,
barth

*** edited email addy to hide it from spambots~g ***

Edited by groovicus, 22 June 2005 - 11:48 AM.


#4 groovicus (Security Colleague)

Posted 22 June 2005 - 11:50 AM

Try looking for Workstation NetLogon Service instead. I forgot to change the canned response to reflect the correct service. Sorry about that.



EDIT2: Another stupid question.. you are unzipping About:Buster to your desktop?

Edited by groovicus, 22 June 2005 - 11:54 AM.


#5 limosforu (Topic Starter)

Posted 23 June 2005 - 10:45 AM

IT WORKED!!!!!!!!!!!!!!!!!!! THANK YOU SOOOOOOO MUCH!!!! Below are the log files. :thumbsup:

However, after reviewing the logs, I noticed some things that might need to be further addressed. In the ewido log, could you please look at the C:\RECYCLER section where it is saying, "Error during cleaning." When I open Internet Explorer, I no longer have the about:blank, and Norton no longer pops up every minute with a notification about a trojan horse exe file.

Thanks again,
barth


Logfile of HijackThis v1.99.1
Scan saved at 10:41:42 AM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\mmckenzie\Desktop\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djoks.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\djoks.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\djoks.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F4E130BF-0A02-9105-6005-91173CBE07AA} - C:\WINDOWS\system32\ntgt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ierj32.exe] C:\WINDOWS\system32\ierj32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117319174859
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D68511D2-6041-4598-8C15-34977506190E}: NameServer = 129.83.20.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\craq32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe





AboutBuster 5.0 reference file 28
Scan started on [6/22/2005] at [4:23:52 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\ACTGPR2.ICO:gecfsf
Removed Stream! C:\WINDOWS\ACTGPR2.ICO:itevdc
Removed Stream! C:\WINDOWS\aslrr.dat:gbiepd
Removed Stream! C:\WINDOWS\BOOTSTAT.DAT:juiqhs
Removed Stream! C:\WINDOWS\Bti.ini:plbtug
Removed Stream! C:\WINDOWS\button0.gif:fetbts
Removed Stream! C:\WINDOWS\button2.gif:imuywq
Removed Stream! C:\WINDOWS\button2.gif:jfnqoa
Removed Stream! C:\WINDOWS\cdPlayer.ini:byxdqc
Removed Stream! C:\WINDOWS\cdPlayer.ini:gacvep
Removed Stream! C:\WINDOWS\cdPlayer.ini:jpckpk
Removed Stream! C:\WINDOWS\cduro.txt:kveuoa
Removed Stream! C:\WINDOWS\cduro.txt:utfhyb
Removed Stream! C:\WINDOWS\CLOCK.AVI:untaen
Removed Stream! C:\WINDOWS\CLOCK.AVI:ztgjxg
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:tnxrsd
Removed Stream! C:\WINDOWS\COM+.log:cwwhil
Removed Stream! C:\WINDOWS\COMSETUP.LOG:ruzwrj
Removed Stream! C:\WINDOWS\COMSETUP.LOG:urfvlx
Removed Stream! C:\WINDOWS\CONTROL.INI:jbnoac
Removed Stream! C:\WINDOWS\corelpf.lrs:fmisuo
Removed Stream! C:\WINDOWS\corelpf.lrs:fvruyd
Removed Stream! C:\WINDOWS\corelpf.lrs:vspkgp
Removed Stream! C:\WINDOWS\dahotfix.log:ccytun
Removed Stream! C:\WINDOWS\dahotfix.log:msyinh
Removed Stream! C:\WINDOWS\DELL.BMP:cvchoe
Removed Stream! C:\WINDOWS\DELL.BMP:gttdcc
Removed Stream! C:\WINDOWS\DELL.BMP:vounub
Removed Stream! C:\WINDOWS\DirectX.log:ymlien
Removed Stream! C:\WINDOWS\DJBDRV.LOG:ndbatp
Removed Stream! C:\WINDOWS\DJBDRV.LOG:okbrld
Removed Stream! C:\WINDOWS\DtcInstall.log:uwfaei
Removed Stream! C:\WINDOWS\edvwe.dat:itxlua
Removed Stream! C:\WINDOWS\EXPLORER.SCF:gpxxro
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:ampqol
Removed Stream! C:\WINDOWS\fpwlj.dat:oivlrs
Removed Stream! C:\WINDOWS\fsbwinst.log:mzzbfk
Removed Stream! C:\WINDOWS\fssgpex.LOG:hiqyrc
Removed Stream! C:\WINDOWS\fssgpex.LOG:kfhes
Removed Stream! C:\WINDOWS\gectk.dat:hbnqlv
Removed Stream! C:\WINDOWS\gectk.dat:yfmtpc
Removed Stream! C:\WINDOWS\hckej.log:skbrop
Removed Stream! C:\WINDOWS\hldvh.log:llmwiz
Removed Stream! C:\WINDOWS\hqhco.log:rdjoke
Removed Stream! C:\WINDOWS\IIS6.LOG:uhbsfh
Removed Stream! C:\WINDOWS\imsins.BAK:qfmkto
Removed Stream! C:\WINDOWS\jvssu.txt:dyefgg
Removed Stream! C:\WINDOWS\KB817611.LOG:aslrrs
Removed Stream! C:\WINDOWS\KB823182.log:nzwkii
Removed Stream! C:\WINDOWS\KB824105.log:teectg
Removed Stream! C:\WINDOWS\KB825119.log:gappcs
Removed Stream! C:\WINDOWS\KB826959.log:japtvd
Removed Stream! C:\WINDOWS\KB826959.log:yazdfd
Removed Stream! C:\WINDOWS\KB828028.log:xepwda
Removed Stream! C:\WINDOWS\KB839643-DirectX9.log:utsdrq
Removed Stream! C:\WINDOWS\KB840374.log:vkbuyq
Removed Stream! C:\WINDOWS\KB873339.log:muljta
Removed Stream! C:\WINDOWS\MSMQINST.LOG:xfuibu
Removed Stream! C:\WINDOWS\NETFXOCM.LOG:ddzjov
Removed Stream! C:\WINDOWS\nsreg.dat:auifn
Removed Stream! C:\WINDOWS\ntdtcsetup.log:bgadla
Removed Stream! C:\WINDOWS\n_alruaz.log:wvplwq
Removed Stream! C:\WINDOWS\n_bsmzub.dat:tyjiin
Removed Stream! C:\WINDOWS\n_dcrkiv.log:oqjrcj
Removed Stream! C:\WINDOWS\n_dcrkiv.log:zwsetk
Removed Stream! C:\WINDOWS\n_dweamc.log:hqueel
Removed Stream! C:\WINDOWS\n_eynbct.log:rpkjnn
Removed Stream! C:\WINDOWS\n_eynbct.log:zrmjzw
Removed Stream! C:\WINDOWS\n_fwurtk.txt:zgxphh
Removed Stream! C:\WINDOWS\n_gcoklb.txt:ojqtub
Removed Stream! C:\WINDOWS\n_gmiuwl.txt:keagxj
Removed Stream! C:\WINDOWS\n_gmiuwl.txt:tniklw
Removed Stream! C:\WINDOWS\n_jemeqh.txt:cvankf
Removed Stream! C:\WINDOWS\n_jemeqh.txt:zlceqn
Removed Stream! C:\WINDOWS\n_jexdmq.txt:catnye
Removed Stream! C:\WINDOWS\n_kaunrr.log:ggveng
Removed Stream! C:\WINDOWS\n_lbnojb.log:dshcde
Removed Stream! C:\WINDOWS\n_lbnojb.log:nqusv
Removed Stream! C:\WINDOWS\n_lksjmr.log:kefwna
Removed Stream! C:\WINDOWS\n_lksjmr.log:ygojir
Removed Stream! C:\WINDOWS\n_mcitlz.log:wtsqxg
Removed Stream! C:\WINDOWS\n_nvtqpq.log:byiylr
Removed Stream! C:\WINDOWS\n_qotlrj.txt:ampjci
Removed Stream! C:\WINDOWS\n_quxhnp.dat:aelwos
Removed Stream! C:\WINDOWS\n_snqzah.dat:dosbzv
Removed Stream! C:\WINDOWS\n_tajcox.txt:vpkhbg
Removed Stream! C:\WINDOWS\n_wevhov.txt:xcpaic
Removed Stream! C:\WINDOWS\n_wyinqg.dat:vzazzr
Removed Stream! C:\WINDOWS\n_ytzfox.txt:gbdrvm
Removed Stream! C:\WINDOWS\n_yxmsgo.txt:tzhypx
Removed Stream! C:\WINDOWS\n_zbpcdm.txt:oxnkzj
Removed Stream! C:\WINDOWS\n_zbpcdm.txt:zbvxyo
Removed Stream! C:\WINDOWS\OCGEN.LOG:lzrdkz
Removed Stream! C:\WINDOWS\OCMSN.LOG:crislx
Removed Stream! C:\WINDOWS\ODBC.INI:gyypbu
Removed Stream! C:\WINDOWS\ODBC.INI:mhaxgs
Removed Stream! C:\WINDOWS\ODBCINST.INI:eakimj
Removed Stream! C:\WINDOWS\OEWABLog.txt:nssxfa
Removed Stream! C:\WINDOWS\ORUN32.INI:fsldhk
Removed Stream! C:\WINDOWS\Paw70.ini:pjeqcf
Removed Stream! C:\WINDOWS\peypa.dat:ytdqbv
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:fkvze
Removed Stream! C:\WINDOWS\pxlov.log:wjscky
Removed Stream! C:\WINDOWS\Q-Klez.log:unblrm
Removed Stream! C:\WINDOWS\Q329909.LOG:bqwzkt
Removed Stream! C:\WINDOWS\Q329909.LOG:enmqmp
Removed Stream! C:\WINDOWS\q812415.log:xoevoz
Removed Stream! C:\WINDOWS\Q816486.LOG:oggweg
Removed Stream! C:\WINDOWS\Q816981.LOG:ppxbik
Removed Stream! C:\WINDOWS\Q816981.LOG:svmvxk
Removed Stream! C:\WINDOWS\Q828026.log:ghqbyr
Removed Stream! C:\WINDOWS\qjciz.txt:zhjhab
Removed Stream! C:\WINDOWS\REGLOCS.OLD:fssxbq
Removed Stream! C:\WINDOWS\River Sumida.bmp:dxpouf
Removed Stream! C:\WINDOWS\River Sumida.bmp:ribmue
Removed Stream! C:\WINDOWS\River Sumida.bmp:xtklds
Removed Stream! C:\WINDOWS\rnevent.rel:tcjqnp
Removed Stream! C:\WINDOWS\rqvab.dat:pliqok
Removed Stream! C:\WINDOWS\ryfmh.dat:nxitoh
Removed Stream! C:\WINDOWS\SchedLgU.Txt:cbstxi
Removed Stream! C:\WINDOWS\SchedLgU.Txt:wpnqge
Removed Stream! C:\WINDOWS\setupapi.log.0.old:zmtjkf
Removed Stream! C:\WINDOWS\SETUPERR.LOG:edmjjc
Removed Stream! C:\WINDOWS\SETUPERR.LOG:ggrzri
Removed Stream! C:\WINDOWS\SETUPERR.LOG:ymtqwb
Removed Stream! C:\WINDOWS\SetupPestPatrolCorporate.mif:sneoeh
Removed Stream! C:\WINDOWS\Sti_Trace.log:jiusov
Removed Stream! C:\WINDOWS\Sti_Trace.log:pextgw
Removed Stream! C:\WINDOWS\TSOC.LOG:bimxqf
Removed Stream! C:\WINDOWS\TSOC.LOG:ifizaz
Removed Stream! C:\WINDOWS\TUTOR.ICO:ujzsnp
Removed Stream! C:\WINDOWS\VB.INI:gurby
Removed Stream! C:\WINDOWS\VBADDIN.INI:gjlvbu
Removed Stream! C:\WINDOWS\VMUNINST.LOG:nkrxhz
Removed Stream! C:\WINDOWS\VPC32.INI:ztllzq
Removed Stream! C:\WINDOWS\WIASERVC.LOG:zmagqv
Removed Stream! C:\WINDOWS\WINHLP32.INI:kuownl
Removed Stream! C:\WINDOWS\wininit.ini:kdhtzs
Removed Stream! C:\WINDOWS\wininit.ini:prktmb
Removed Stream! C:\WINDOWS\WINNT256.BMP:dvhjpn
Removed Stream! C:\WINDOWS\wmsetup.log:hmkzfj
Removed Stream! C:\WINDOWS\WRQ.INI:ajvsog
Removed Stream! C:\WINDOWS\ymtqw.dat:snvrbw
Removed Stream! C:\WINDOWS\zwdvp.dat:kofwdg
Removed Stream! C:\WINDOWS\zwdvp.dat:lkyllt
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:agtgfh
------------------------------------------------
Removed File! : C:\Windows\aslrr.dat
Removed File! : C:\Windows\bzlmc.dat
Removed File! : C:\Windows\djoks.dll
Removed File! : C:\Windows\edvwe.dat
Removed File! : C:\Windows\fjcuj.dat
Removed File! : C:\Windows\fpwlj.dat
Removed File! : C:\Windows\hkcov.dat
Removed File! : C:\Windows\idbkw.dat
Removed File! : C:\Windows\ilnyp.dat
Removed File! : C:\Windows\lowke.dat
Removed File! : C:\Windows\maweq.dat
Removed File! : C:\Windows\peypa.dat
Removed File! : C:\Windows\rqvab.dat
Removed File! : C:\Windows\ryfmh.dat
Removed File! : C:\Windows\thhis.dat
Removed File! : C:\Windows\vaukr.dat
Removed File! : C:\Windows\wicfp.dat
Removed File! : C:\Windows\wktqu.dat
Removed File! : C:\Windows\wpxxm.dat
Removed File! : C:\Windows\zrjof.dat
Removed File! : C:\Windows\zwdvp.dat
Removed File! : C:\Windows\System32\blbog.dll
Removed File! : C:\Windows\System32\febgk.dat
Removed File! : C:\Windows\System32\hcvwf.dat
Removed File! : C:\Windows\System32\ifmzt.dat
Removed File! : C:\Windows\System32\iowis.dat
Removed File! : C:\Windows\System32\lbwiv.dll
Removed File! : C:\Windows\System32\leqxu.dll
Removed File! : C:\Windows\System32\plevo.dat
Removed File! : C:\Windows\System32\pliqo.dat
Removed File! : C:\Windows\System32\qxzjs.dat
Removed File! : C:\Windows\System32\usgpg.dat
Removed File! : C:\Windows\System32\uycjp.dat
Removed File! : C:\Windows\System32\wbgmn.dat
Removed File! : C:\Windows\System32\xrcnt.dat
Removed File! : C:\Windows\System32\zqymv.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:26:48 PM

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:59:21 AM, 6/23/2005
+ Report-Checksum: DC4890A8

+ Date of database: 6/22/2005
+ Version of scan engine: v3.0

+ Duration: 918 min
+ Scanned Files: 298839
+ Speed: 5.42 Files/Second
+ Infected files: 123
+ Removed files: 43
+ Files put in quarantine: 43
+ Files that could not be opened: 0
+ Files that could not be cleaned: 80

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\
C:\

+ Scan result:
C:\Documents and Settings\lfuller\Cookies\lfuller@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@ads.vnuemedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@S137315[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@S147980[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\melissam\Cookies\melissam@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@adv.webmd[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@counter.mycomputer[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@ehg-dig.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@S146738[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050615160832.zip/Documents and Settings/mmckenzie/Cookies/mmckenzie@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189177.CPY -> Spyware.180solutions -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189372.CPY -> Spyware.WebSearch.aj -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189375.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189405.CPY -> Spyware.WebSearch.aj -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189408.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189411.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189420.CPY -> Spyware.Websearch -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189425.CPY -> Spyware.WebSearch -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189426.CPY -> Spyware.WebSearch.aj -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189430.CPY -> Spyware.WebSearch -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0192405.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0192408.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0193405.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197405.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197408.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197515.CPY -> Spyware.Wintol.y -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\COMMON.0 -> Spyware.WebSearch.aj -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\TBPS.1 -> Spyware.WebSearch.aj -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\TOOLBAR.0 -> Spyware.WebSearch -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\U6F6UF~1.0 -> Spyware.Sahat.o -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001141.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001142.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001143.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001144.dll -> Spyware.SearchPage -> Cleaned with backup
C:\Documents and Settings\lfuller\Cookies\lfuller@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@ads.vnuemedia[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@geocities[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@myway[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@S137315[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@S147980[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\melissam\Cookies\melissam@myway[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@adv.webmd[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@counter.mycomputer[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@ehg-dig.hitbox[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@link[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@myway[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@S146738[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Program Files\PestPatrol\Quarantine\20050615160832.zip/Documents and Settings/mmckenzie/Cookies/mmckenzie@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189177.CPY -> Spyware.180solutions -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189372.CPY -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189375.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189405.CPY -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189408.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189411.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189420.CPY -> Spyware.Websearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189425.CPY -> Spyware.WebSearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189426.CPY -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189430.CPY -> Spyware.WebSearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0192405.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0192408.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0193405.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197405.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197408.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197515.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\COMMON.0 -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\TBPS.1 -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\TOOLBAR.0 -> Spyware.WebSearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\U6F6UF~1.0 -> Spyware.Sahat.o -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001141.dll -> Spyware.SearchPage -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001142.dll -> Spyware.SearchPage -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001143.dll -> Spyware.SearchPage -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001144.dll -> Spyware.SearchPage -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@ads.vnuemedia[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@geocities[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@myway[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@S137315[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@S147980[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\lfuller\Cookies\lfuller@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\melissam\Cookies\melissam@myway[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@adv.webmd[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@counter.mycomputer[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@ehg-dig.hitbox[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@link[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@myway[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@S146738[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\mmckenzie\Local Settings\Temp\Cookies\mmckenzie@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Program Files\PestPatrol\Quarantine\20050615160832.zip/Documents and Settings/mmckenzie/Cookies/mmckenzie@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189177.CPY -> Spyware.180solutions -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189372.CPY -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189375.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189405.CPY -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189408.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189411.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189420.CPY -> Spyware.Websearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189425.CPY -> Spyware.WebSearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189426.CPY -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0189430.CPY -> Spyware.WebSearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0192405.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0192408.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0193405.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197405.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197408.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\A0197515.CPY -> Spyware.Wintol.y -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\COMMON.0 -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\TBPS.1 -> Spyware.WebSearch.aj -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\TOOLBAR.0 -> Spyware.WebSearch -> Error during cleaning
C:\RECYCLER\S-1-5-21-2068140930-1445342054-1606240830-1221\Dc4\TEMP\U6F6UF~1.0 -> Spyware.Sahat.o -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001141.dll -> Spyware.SearchPage -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001142.dll -> Spyware.SearchPage -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001143.dll -> Spyware.SearchPage -> Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001144.dll -> Spyware.SearchPage -> Error during cleaning


::Report End

#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:17 AM

Posted 23 June 2005 - 11:33 AM

It didn't work. The cause of the infection is still there, and the service is still the same. You will have to go through all of the steps again...

Isn't this fun :thumbsup:



