Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

about:blank


  • Please log in to reply
16 replies to this topic

#1 bever426

bever426

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 09 July 2005 - 06:01 PM

Hi everyone Im new to this site and hope to find some help.
Im running windows98 and have been hijacked by about:blank. I cant figure out how to get rid of it.
Thanks in advance
bever426

(moderator edit: moved to log forum for team review. jgweed)

results of hijack this scan:
Logfile of HijackThis v1.99.1
Scan saved at 4:52:29 PM, on 7/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSXO32.EXE
C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\IETQ32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yzfrt.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yzfrt.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {734254F4-7995-F3E9-22DA-2120369F27AA} - C:\WINDOWS\APPEM.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [IETQ32.EXE] C:\WINDOWS\IETQ32.EXE
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSXO32.EXE] C:\WINDOWS\SYSXO32.EXE /s
O4 - HKLM\..\RunServices: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/058df87366c9ef...ip/RdxIE601.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Edited by jgweed, 10 July 2005 - 05:17 AM.


BC AdBot (Login to Remove)

 


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 11 July 2005 - 08:30 AM

If you still need help, could you post a fresh log please?

#3 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 11 July 2005 - 10:22 AM

Here is a log I just ran. I appreciate your help in this matter. I had the antivirus gold hijacker earlier in the week and was able to get rid of that but this one is tough.

Bever426


Logfile of HijackThis v1.99.1
Scan saved at 9:10:25 AM, on 7/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\SYSXO32.EXE
C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\IETQ32.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\DRIVERS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lygso.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lygso.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lygso.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lygso.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {4822E4EB-9815-46D6-4820-A8C7F30AEABB} - C:\WINDOWS\SYSTEM\IPHE32.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [IETQ32.EXE] C:\WINDOWS\IETQ32.EXE
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSXO32.EXE] C:\WINDOWS\SYSXO32.EXE /s
O4 - HKLM\..\RunServices: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O4 - HKLM\..\RunOnce: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunOnce: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [SYSXO32.EXE] C:\WINDOWS\SYSXO32.EXE /s
O4 - HKLM\..\RunOnce: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/058df87366c9ef...ip/RdxIE601.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 11 July 2005 - 10:50 AM

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Print this topic in the upper RH corner.)

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here.

STEP 2:
Please download Trend Micro CWShredder here.
Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster from RubbeR DuckY here
Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.
Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.
NOTE: You might want to view this AboutBuster tutorial here first before running the tool.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here.
Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite
NOTE: The Ewido Security Suite utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite is: Windows 2000 or Windows XP. 1.) Download and install the Ewido Security Suite here
2.) Double-click on the new e Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.
STEP 7:
If you are using Windows 2000 or XP, you must first STOP and DISABLE the rogue service:
There are different Display Names to look for:
  • Workstation NetLogon Service
  • Remote Procedure Call (RPC) Helper
  • Remote Access Service
  • Network Security Service (NSS)
Go to Start => Run and type "Services.msc" (without quotes) then click Ok. 1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.
STEP 8:
If you are using Windows 2000 or XP, copy the contents of the Quote Box below to Notepad. Name the file as cwsresfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O.#?´]

If you are using Windows 98, ME, copy the contents of the Quote Box below to Notepad. Name the file as cwsresfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

STEP 9:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).
STEP 10:
From Safe Mode, double-click on cwshredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. 1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK. It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.
STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "1xx file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create a another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 13:
From Safe Mode, run the Ewido Security Suite.
NOTE: Windows 2000 and XP only. 1.) Double-click on the e Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click the Settings button, under What to scan? click Scan every file, click OK.
4.) Click the Complete System Scan button.
5.) Have the program delete everything it finds.
STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

STEP 15:
From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process. Now reboot the PC back into Normal Mode (Windows).

STEP 16:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file. Make sure you always perform a Windows search for these files after the cleanup. If you are using Windows 2000, or XP, go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows 2000, it will be found here:
  • C:\WINNT\System32
  • C:\WINNT\System
For Windows XP, it will be found here:
  • C:\Windows\System32
  • C:\Windows\System
Now look for the control.exe file.
For Windows 2000 it will be found here:
  • C:\WINNT\System32
For Windows XP it will be found here:
  • C:\Windows\System32
If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.
For Windows 2000, a replacement can be found here:
  • C:\WINNT\System32\dllcache
For Windows XP, a replacement can be found here:
  • C:\Windows\System32\dllcache
Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded. They can be downloaded from here.
Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.
If you are using Windows 98, ME please download shell.dll or control.exe from here.
Once the file(s) are downloaded extract the file and copy it to the following locations:
Place control.exe here:
  • C:\Windows
Place shell.dll here:
  • C:\Windows\System
If you are still experiencing problems after completing the removal steps above, please post your HijackThis log in the Spyware/Malware Help forum for review.

#5 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 11 July 2005 - 07:15 PM

Groovicus, first and foremost let me thank you for your help, its really appreciated. I just have a few questions before I get started on the process that you gave me. Im running windows 98 and most of your steps in the latter half of the process refer to win2000 or xp, are the steps diffrent for win98? Also since Ewido wont run on my system what do I do in place of that step?

Bever426
In my beginning is my end

#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 11 July 2005 - 07:22 PM

Skip the steps that refer to XP or 2000. Instead of Ewido, you should run Adaware SE, and Panda's online scanner:
PandaSoft

The important parts of this fix are the reg file that you need to create, and running about:buster. Once you are done, there will probably still be some things to clean up, and sometimes the fix doesn't work the first time, so we will probably have a couple of sessions left.

I'm impressed. Nobody has ever taken the time to clarify steps before they started the fix. Usually they wait until halfway through, and then complain that they don't think it is working. :thumbsup:

#7 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 12 July 2005 - 11:02 PM

Groovicus, I ran through the steps you gave me and encountered a few problems. I understand that you said it may not work the first time and that there would probably be follow up sessions. So here are the problems I encountered. First being that I couldnt get online while in safe mode so I couldnt run the Panda scan. Second when I tried to merge the cwsresfix.reg file that I created it gave me an error stating: "The specified file is not a registry script. You can only import registry files." Thirdly when I tried to extract the shell.dll files to C:\windows\system it wouldnt let me stating that the shell.dll was currently in use.
After rebooting back into normal mode my homepage is still being hijacked. I ran a fresh hijack this log and here it is for you to examine.

Thanks for your continuing help
Bever426
In my beginning is my end...


Logfile of HijackThis v1.99.1
Scan saved at 9:53:01 PM, on 7/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSXO32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\IETQ32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\APPOL.EXE
C:\WINDOWS\APPOL.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pyswk.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {C4231720-D5E3-2E2C-DD24-B4A3712541F6} - C:\WINDOWS\SYSTEM\D3MD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [IETQ32.EXE] C:\WINDOWS\IETQ32.EXE
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSXO32.EXE] C:\WINDOWS\SYSXO32.EXE /s
O4 - HKLM\..\RunServices: [APPOL.EXE] C:\WINDOWS\APPOL.EXE /s
O4 - HKLM\..\RunServices: [WINTW32.EXE] C:\WINDOWS\SYSTEM\WINTW32.EXE /s
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/058df87366c9ef...ip/RdxIE601.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

#8 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 13 July 2005 - 06:43 AM

Run the fix again....

When you save the reg file this time, right under the box where you type in the file name is another box that asks file type. You want to save it as type All Files. Otherwise you get the error message that you got.

You will have to reboot to run Panda's scan. I should have mentioned that in the first place. Sorry.

Were you in safe mode when you tried to extract the files?

Yep, you're still infected. When you run About:Buster, please make sure to save the log. About:Buster will say something about your system not being NTFS... that is not an error message. Just let it run. It still knows what to do. :thumbsup:

#9 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 13 July 2005 - 09:05 AM

I was in safe mode when I tried to extract the shell.dll files. I will run the fix again.

Thanks
bever426
In my beginning is my end

#10 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 15 July 2005 - 07:44 PM

Groovicus, I ran the fix two more times. I am still unable to extract the shell.dll files however I was able to merge the reg fix. Im still getting the same problems. Any ideas for the next steps???

Thanks in advance
bever426
In my beginning is my end


Fresh hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:35:29 PM, on 7/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSXO32.EXE
C:\WINDOWS\APPOL.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\CRNQ32.EXE
C:\WINDOWS\SYSTEM\NTJE32.EXE
C:\WINDOWS\SYSTEM\ADDGT32.EXE
C:\WINDOWS\IPVZ.EXE
C:\WINDOWS\SYSTEM\JAVAZA.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\IETQ32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\APPOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\NTVK.EXE
C:\WINDOWS\SYSTEM\NTVK.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\APIVT32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\NTVK.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ngetk.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D1A14912-94F2-8EFF-E312-9A038C5F0FC6} - C:\WINDOWS\WINXJ32.DLL
O2 - BHO: Class - {E0C18BC0-1202-8747-343F-BA677E05684E} - C:\WINDOWS\APIAY32.DLL
O2 - BHO: Class - {6CA12FC9-1F76-F5E6-8D4E-9B4CDBD3F3D0} - C:\WINDOWS\SYSTEM\SYSRE.DLL
O2 - BHO: Class - {F45672AA-5BCB-168F-8F4C-4B17FD2623E8} - C:\WINDOWS\MSMF.DLL
O2 - BHO: Class - {2D6D4A6A-8763-FF8E-035E-E400588B823F} - C:\WINDOWS\SYSTEM\ATLOG32.DLL
O2 - BHO: Class - {EB604330-061B-8BFC-8801-1E88E0A67778} - C:\WINDOWS\SYSTEM\IPAF.DLL
O2 - BHO: Class - {3EB79716-BC8C-A65F-5E2B-31BD61248EA1} - C:\WINDOWS\NTID32.DLL
O2 - BHO: Class - {C8C69528-DCF0-EAE8-04F8-ADE94307B6EE} - C:\WINDOWS\IPIG.DLL
O2 - BHO: Class - {9350B908-510A-7040-0081-64766EE64B4F} - C:\WINDOWS\SYSTEM\ADDIB.DLL
O2 - BHO: Class - {2005B9B5-C183-DBA7-D764-F4CD01F0DAA3} - C:\WINDOWS\SDKLY32.DLL
O2 - BHO: Class - {EB85181B-E50E-372A-BFD3-C99F9DB12559} - C:\WINDOWS\SYSTEM\ATLNI32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [IETQ32.EXE] C:\WINDOWS\IETQ32.EXE
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSXO32.EXE] C:\WINDOWS\SYSXO32.EXE /s
O4 - HKLM\..\RunServices: [APPOL.EXE] C:\WINDOWS\APPOL.EXE /s
O4 - HKLM\..\RunServices: [WINTW32.EXE] C:\WINDOWS\SYSTEM\WINTW32.EXE /s
O4 - HKLM\..\RunServices: [CRNQ32.EXE] C:\WINDOWS\SYSTEM\CRNQ32.EXE /s
O4 - HKLM\..\RunServices: [NTJE32.EXE] C:\WINDOWS\SYSTEM\NTJE32.EXE /s
O4 - HKLM\..\RunServices: [ADDGT32.EXE] C:\WINDOWS\SYSTEM\ADDGT32.EXE /s
O4 - HKLM\..\RunServices: [IPVZ.EXE] C:\WINDOWS\IPVZ.EXE /s
O4 - HKLM\..\RunServices: [JAVAZA.EXE] C:\WINDOWS\SYSTEM\JAVAZA.EXE /s
O4 - HKLM\..\RunServices: [APPBP.EXE] C:\WINDOWS\SYSTEM\APPBP.EXE /s
O4 - HKLM\..\RunServices: [JAVARX.EXE] C:\WINDOWS\SYSTEM\JAVARX.EXE /s
O4 - HKLM\..\RunServices: [NTVK.EXE] C:\WINDOWS\SYSTEM\NTVK.EXE /s
O4 - HKLM\..\RunServices: [NETKT.EXE] C:\WINDOWS\SYSTEM\NETKT.EXE /s
O4 - HKLM\..\RunServices: [APIVT32.EXE] C:\WINDOWS\SYSTEM\APIVT32.EXE /s
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/058df87366c9ef...ip/RdxIE601.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#11 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 15 July 2005 - 10:05 PM

What the....?? I know why you can't extract the files..you still have the infection. :thumbsup:

I still have a few things to try, but I am a little puzzled. Did you skip any of the steps that pertained to your system at all? Or on the last round, did you just run the .reg fix, or did you go through the entire fix again?

#12 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 16 July 2005 - 03:13 PM

I ran the complete fix 2 more times. I didnt skip any steps. I rebooted to safe mode> ran cwsshredder>ran about buster> ran escan antivirus (took forever)> ran adaware se twice>merged the reg fix> rebooted to windows>cleared the temp files> extracted the control files try to extract the shell.dll files couldnt do that and that was it. I did save the about:buster log if you need it.

Thanks in advance
bever426
In my beginning is my end...

#13 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 16 July 2005 - 05:31 PM

I do need to see a HJT log again....

#14 bever426

bever426
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 16 July 2005 - 08:31 PM

Heres a new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 7:23:18 PM, on 7/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSXO32.EXE
C:\WINDOWS\APPOL.EXE
C:\WINDOWS\SYSTEM\WINTW32.EXE
C:\WINDOWS\SYSTEM\CRNQ32.EXE
C:\WINDOWS\SYSTEM\NTJE32.EXE
C:\WINDOWS\SYSTEM\ADDGT32.EXE
C:\WINDOWS\IPVZ.EXE
C:\WINDOWS\SYSTEM\JAVAZA.EXE
C:\WINDOWS\SYSTEM\APPBP.EXE
C:\WINDOWS\SYSTEM\NTVK.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\APIVT32.EXE
C:\WINDOWS\SYSTEM\IPPH.EXE
C:\WINDOWS\WINDD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\IETQ32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\APPOL.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\NETKT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\JAVARX.EXE
C:\WINDOWS\SYSTEM\SDKHG32.EXE
C:\WINDOWS\SYSTEM\SDKHG32.EXE
C:\WINDOWS\SYSTEM\CRVJ.EXE
C:\WINDOWS\SYSTEM\SDKHG32.EXE
C:\WINDOWS\SYSTEM\IPHX32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uycvc.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {F18F0B4F-306C-429D-2EE2-68F7A0FF446C} - C:\WINDOWS\SYSTEM\NETLK32.DLL
O2 - BHO: Class - {2D99E3D3-BC93-F791-AD58-605B6FA5AAF3} - C:\WINDOWS\IEWF32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [IETQ32.EXE] C:\WINDOWS\IETQ32.EXE
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSXO32.EXE] C:\WINDOWS\SYSXO32.EXE /s
O4 - HKLM\..\RunServices: [APPOL.EXE] C:\WINDOWS\APPOL.EXE /s
O4 - HKLM\..\RunServices: [WINTW32.EXE] C:\WINDOWS\SYSTEM\WINTW32.EXE /s
O4 - HKLM\..\RunServices: [CRNQ32.EXE] C:\WINDOWS\SYSTEM\CRNQ32.EXE /s
O4 - HKLM\..\RunServices: [NTJE32.EXE] C:\WINDOWS\SYSTEM\NTJE32.EXE /s
O4 - HKLM\..\RunServices: [ADDGT32.EXE] C:\WINDOWS\SYSTEM\ADDGT32.EXE /s
O4 - HKLM\..\RunServices: [IPVZ.EXE] C:\WINDOWS\IPVZ.EXE /s
O4 - HKLM\..\RunServices: [JAVAZA.EXE] C:\WINDOWS\SYSTEM\JAVAZA.EXE /s
O4 - HKLM\..\RunServices: [APPBP.EXE] C:\WINDOWS\SYSTEM\APPBP.EXE /s
O4 - HKLM\..\RunServices: [JAVARX.EXE] C:\WINDOWS\SYSTEM\JAVARX.EXE /s
O4 - HKLM\..\RunServices: [NTVK.EXE] C:\WINDOWS\SYSTEM\NTVK.EXE /s
O4 - HKLM\..\RunServices: [NETKT.EXE] C:\WINDOWS\SYSTEM\NETKT.EXE /s
O4 - HKLM\..\RunServices: [APIVT32.EXE] C:\WINDOWS\SYSTEM\APIVT32.EXE /s
O4 - HKLM\..\RunServices: [IPPH.EXE] C:\WINDOWS\SYSTEM\IPPH.EXE /s
O4 - HKLM\..\RunServices: [WINDD.EXE] C:\WINDOWS\WINDD.EXE /s
O4 - HKLM\..\RunServices: [SDKHG32.EXE] C:\WINDOWS\SYSTEM\SDKHG32.EXE /s
O4 - HKLM\..\RunServices: [CRVJ.EXE] C:\WINDOWS\SYSTEM\CRVJ.EXE /s
O4 - HKLM\..\RunServices: [IPHX32.EXE] C:\WINDOWS\SYSTEM\IPHX32.EXE /s
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/058df87366c9ef...ip/RdxIE601.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#15 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:58 PM

Posted 16 July 2005 - 08:39 PM

Could I see the about:buster log please? Something here is fishy.....

EDIT: Can I see your eScan log too please?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users