
Hijack This Log


  • This topic is locked
3 replies to this topic

#1 acerimmer10

acerimmer10

  • Members
  • 2 posts

Posted 27 September 2005 - 04:20 AM

Have run Microsoft Antispyware, Spybot, Adaware now computer will not browse and has a red background which says "Danger Spyware".

Any help diagnosing appreciated, I don't want to format if possible.

Logfile of HijackThis v1.99.1
Scan saved at 7:19:29 PM, on 27/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Bni.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlus.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\\RegistryController.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Qqp] C:\WINDOWS\Bni.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Mrj] C:\WINDOWS\System32\Pai.exe
O4 - HKLM\..\Run: [Lij] C:\WINDOWS\Sgu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pqp] C:\WINDOWS\System32\Jen.exe
O4 - HKCU\..\Run: [Qqp] C:\WINDOWS\Bni.exe
O4 - HKCU\..\Run: [Mrj] C:\WINDOWS\System32\Pai.exe
O4 - HKCU\..\Run: [Lij] C:\WINDOWS\Sgu.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: winupdate95730010[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Mod Edit: Bump has been removed. Please refer to the Forum Guidelines, at the top of this page, for a detailed explanation.

Edited by Scarlett, 28 September 2005 - 08:01 AM.



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 30 September 2005 - 01:23 PM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 30 September 2005 - 09:07 PM

Before we begin the fix, we need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, Right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

We have some work to do.

Please start this fix when you have time to complete it. This infection has a tendency to change the file names when you reboot.

You may want to print out this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

Click on the Start button, then click on Control Panel. When the control panel opens, double-click on the Administrative Tools icon. When the Administrative Tools window opens, double-click on the Services button.

The Services window will contain a listing of all the services that are installed on your machine. We need to find one of the following:

* Network Security Service
* Workstation NetLogon Service
* Remote Procedure Call (RPC) Helper

When you see a service of this name, and there should be only one, double-click on that service name. You should now be in that service's properties page. Now please follow these steps:
  • Change the Startup Type drop down box to Disabled.
  • Then press the Stop button.
  • Then write down on a piece of paper the text found in the Path to executable field. This text is the filename for the service and we will need it later. You can ignore the /s at the end of the file name.
  • When you are done, press the OK button to exit the service's properties. Then exit the services window.
Now that we know the file being used as the service, we proceed to the next step.

Step 2

Please download CW-Shredder. Save CWShredder.exe in C:\CWS. The first thing you should do is check for updates to CWShredder. You can do this by clicking on the button labeled "Check for update". If updates are found, click on the "Download and open the update" bar. We will use it later in safe mode.
NOTE: If CWShredder does not run, a variant of CWS could be preventing you from running the shredder. Download the CoolWebSearch.Smartkiller Mini Removal Tool and save that to a directory called C:\CWS. Run the downloaded program, called miniremoval_coolwebsearch_smartkiller.exe, to remove the variant of CoolWebSearch that is stopping you from running your removal tool.

Step 3

Please download About:Buster, and unzip it to your desktop.
  • Double-click on aboutbuster.exe
  • Click "Update".
  • Click "Check For Update"
  • Click "Download Update", and wait for it to be installed.
  • Unzip the file to its own folder (C:\AB).
  • We will use it later in safe mode.
Step 4

Please download HSFix. Unzip it to a folder on your desktop. Name the folder HSfix.reg. We will use it later in safe mode.

Step 5

Please download the Pocket Killbox. Unzip the contents of Pocket Killbox to your desktop. We will use it later.

If needed, see the Tutorial on Using Pocket Killbox. It will guide you through the installation process and the removal process.

Step 6

To avoid the risk of any of the files or folders not being found due to their having the 'Hidden' attribute, first make sure that, in Folder Options > View, hidden and operating system files are set to show:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Or items 8 & 9 from this link :
http://www.russelltexas.com/malware/faqhijackthis.htm

Step 7

Disconnect from the internet!!!

Reboot to safe mode. If you don't know how to boot in safe mode, there is a tutorial HERE.

Step 8

Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes and 'end task' them.
OR
Use the process viewer in HijackThis: open the Misc Tools section, then open Process Manager, find these programs and "kill process" the following running processes (do not worry if they are not there):

Bni.exe

open32.exe

Pai.exe

Sgu.exe

Jen.exe

winupdate95730010[1].exe


Let’s address the HijackThis fixes.

Please run HijackThis and click "Scan." Place checks next to the following entries (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768

Note: if ljlay.dll has changed names, fix the lines that have sp.html#44768 following the dll

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

O2 - BHO: (no name) - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlus.dll (file missing)

O4 - HKLM\..\Run: [Shell] open32.exe

O4 - HKLM\..\Run: [Qqp] C:\WINDOWS\Bni.exe

O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer

O4 - HKLM\..\Run: [Mrj] C:\WINDOWS\System32\Pai.exe

O4 - HKLM\..\Run: [Lij] C:\WINDOWS\Sgu.exe

O4 - HKCU\..\Run: [Pqp] C:\WINDOWS\System32\Jen.exe

O4 - HKCU\..\Run: [Qqp] C:\WINDOWS\Bni.exe

O4 - HKCU\..\Run: [Mrj] C:\WINDOWS\System32\Pai.exe

O4 - HKCU\..\Run: [Lij] C:\WINDOWS\Sgu.exe

O4 - Startup: winupdate95730010[1].exe

O9 - Extra button: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll

O9 - Extra button: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC4F3988-BC32-41AF-B9B0-70BEDFC69320} - C:\WINDOWS\System32\wldr.dll (HKCU)

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.horse-active.net

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.ysbweb.com

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.horse-active.net (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

O15 - Trusted Zone: *.ysbweb.com (HKLM)

O15 - Trusted IP range: 64.62.171.156

O15 - Trusted IP range: 64.62.171.156 (HKLM)

O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll


Close all browsers and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Step 9

Run CWShredder.
  • Close all programs and windows.
  • Navigate using windows explorer or My Computer to the C:\CWS folder and double click on the file CWShredder.exe.
  • Click on the “Fix” icon and let it scan your computer.
  • CWShredder will then start scanning your hard drive for the various CoolWebSearch variants and remove them if they are found. If one is found it will tell you, otherwise it will state that it is "not present". When it is done you will be presented with a button labeled "Next".
  • When you are finished examining the results, press the “Next” button to see a summary of the fixing process.
Step 10

Run About:Buster.
  • Click "Start".
    (Wait for the initial ADS scan to complete.)
  • Click "Yes", to shutdown any IE session currently open.
    (Wait for the about:blank scan to complete.)
  • Click "Ok", to scan once more.
  • Click "Yes", to shutdown any IE sessions currently open.
  • Click "Yes", to begin the second pass.
  • Click "Save log", and post this log back along with your new log.
  • Click "Exit".
Step 11

Reboot to safe mode.

Step 12

Double-click HSfix.reg to merge the info into the registry.

Step 13

Run Pocket Killbox.
  • Disconnect from internet and shut down all running programs
  • Double-click on KillBox.exe.
  • Click on Tools > Delete Temp Files and click ok.
  • Use Pocket Killbox to end process on all instances of explorer.exe and rundll32.exe
    Your desktop will disappear but that's normal. It will come back after the Reboot part of this fix.
  • As you paste each entry into Killbox, place a check by any of these selections available:
    "Delete on Reboot"
    "Unregister .dll before Deleting"
    "End Explorer Shell while Killing File"
  • Paste this file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\system32\ljlay.dll/sp.html#44768

    Note: if ljlay.dll has changed names, delete the file that has sp.html#44768 following it.

  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:

    C:\WINDOWS\System32\wldr.dll

    C:\WINDOWS\System32\snim.dll

    C:\WINDOWS\atlus.dll

    C:\WINDOWS\Bni.exe

    C:\WINDOWS\blank.htm

    C:\WINDOWS\System32\open32.exe

    C:\WINDOWS\System32\Pai.exe

    C:\WINDOWS\Sgu.exe

    C:\WINDOWS\System32\Jen.exe

    C:\WINDOWS\System32\winupdate95730010[1].exe


  • Click the "Delete File" button which looks like a stop sign.
  • Killbox will tell you that all listed files will be deleted on the next reboot; click YES.
  • When it asks if you would like to Reboot now, click YES.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • After rebooting back to safe mode, double-click on find.bat and post the new output.txt in your next reply.
Please note that we may need to repeat this process a few times before we kill all the files.

The KillBox creates a folder called "!submit" in C:\ , after you are done, you can delete the folder.

Step 14

Clean out temporary files:
  • Start | Run | type cleanmgr | OK
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked
  • Click OK to remove them.
  • Click Yes to confirm the deletion.
Step 15

Reboot into normal mode.

Step 16

Please download and install Ewido Security Suite v3.5
If Ewido finds something that you KNOW is legitimate (watch for alerts that have the word "Heuristic" in them - these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch Ewido by double-clicking the "e" icon on your desktop.
  • The program will now go to the main screen.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on "Start Update".
    • The update will begin and a progress bar will show the updates being installed. If you are having problems with the updater, use Update Ewido
    • After the update finishes, the status bar at the bottom will display "Update successful"
  • After the updates are installed do the following:
    • Click on Scanner and select "Settings"
    • Under the bottom section "What to Scan?" select "Scan every file"
    • Select "OK" and you will return to scanning options
    • Click on "Complete System Scan" [This can take a while to complete so please be patient]
    • While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then CHECK or UNCHECK "Perform action on all infections" and click "OK". Note: You will have to watch the scan all the way through and delete items manually
  • After the scan has completed, Ewido will create a report.
  • There will be a button located on the bottom of the screen named "Save report". Click "Save report" [to your desktop] and post it in your next response.
  • Exit Ewido Security Suite when done.
If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and uncheck "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
Ewido offers a FREE 14 day full working trial. After the 14 day trial the only option that will be disabled is the "real-time" scanning which we did not install anyway and the automatic updating. You will have to do the updating manually by clicking on the “Update button” and then “Start Update”.

Step 17

Run this free online virus scan.

TrendMicro
Make sure you check "AutoClean"

When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 18

Please post a new HiJackThis log and the log from Ewido.
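As an added illustration of how the entries above were picked out of the posted log (this script is not from the thread or from HijackThis; it only encodes the patterns the helper acted on, and assumes C:\WINDOWS as the system root, as in the log), here is a Python triage script that runs those heuristics over an excerpt of the log:

```python
import ntpath
import re

# Added example: the patterns fixed in the thread above, written as triage heuristics.
# A flagged line still needs a human decision; these rules only prioritise what to read.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_ENTRY = re.compile(r"^(?:Global )?Startup: (?P<target>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{2}$")   # Qqp, Mrj, Lij, Pqp in the log above
LOCAL_FILE = re.compile(r"= [A-Za-z]:\\")       # IE page setting pointing at a local file
FIRST_TOKEN = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')
SYSROOT = "c:\\windows"  # assumed from the log above (Windows XP default)


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: ...' into ('O4', 'HKLM\\..\\Run: ...'); None if not HJT."""
    m = HJT_LINE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def last_path(body):
    """HijackThis puts the file path after the last ' - ' separator."""
    return body.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip()


def triage(log_text):
    """Return a list of {section, reason, line} for entries matching hijack patterns."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []

    def flag(sec, body, reason):
        findings.append({"section": sec, "reason": reason, "line": f"{sec} - {body}"})

    # An O18 MIME filter DLL rewrites every text/html or text/plain page IE renders;
    # anything else that references the same CLSID or DLL is treated as part of it.
    filters = [b for s, b in entries if s == "O18"]
    filter_clsids = {CLSID.search(b).group(0).upper() for b in filters if CLSID.search(b)}
    filter_dlls = {ntpath.basename(last_path(b)).lower() for b in filters}

    for sec, body in entries:
        if sec in ("R0", "R1") and ("res://" in body or LOCAL_FILE.search(body)):
            flag(sec, body, "IE start/search page points at a local file or DLL resource")
        elif sec == "O2":
            m = CLSID.search(body)
            if m and m.group(0).upper() in filter_clsids:
                flag(sec, body, "BHO shares its CLSID with an O18 MIME filter")
            elif "(no name)" in body and last_path(body).lower().startswith(SYSROOT):
                flag(sec, body, "unnamed BHO loaded from the Windows directory")
        elif sec == "O4":
            run, startup = RUN_ENTRY.match(body), STARTUP_ENTRY.match(body)
            if run:
                name, cmd = run.group("name"), run.group("cmd")
                tok = FIRST_TOKEN.match(cmd)
                exe = (tok.group("q") or tok.group("u")) if tok else cmd
                is_rundll = exe.lower().startswith("rundll32")
                if RANDOM_NAME.match(name):
                    flag(sec, body, "Run value with a random three-letter name")
                elif is_rundll and any(d in cmd.lower() for d in filter_dlls):
                    flag(sec, body, "Rundll32 re-registers a DLL that is also an O18 filter")
                elif not is_rundll and "\\" not in exe:
                    flag(sec, body, "Run value launches a bare filename found via the search path")
            elif startup:
                target = startup.group("target").lower()
                if target.endswith(".exe") and ".lnk" not in target:
                    flag(sec, body, "executable dropped directly into a Startup folder (no .lnk)")
        elif sec == "O15":
            flag(sec, body, "host or IP added to the IE Trusted zone (relaxed security)")
        elif sec == "O18" and ("text/html" in body or "text/plain" in body):
            flag(sec, body, "MIME filter hooks all text/html or text/plain content")
    return findings


# Excerpt of the HijackThis log posted above, with a few clean entries kept as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljlay.dll/sp.html#44768
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O2 - BHO: (no name) - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlus.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Qqp] C:\WINDOWS\Bni.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: winupdate95730010[1].exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
"""
```

Calling triage(SAMPLE_LOG) returns the flagged entries with a reason for each; the Spybot, Symantec and HotSync lines are kept as controls that should not be flagged.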

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 17 October 2005 - 11:45 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



