
Browser Redirections, Random Reboots And A Phantom Dll.


23 replies to this topic

#1 needles

  • Members

Posted 16 October 2005 - 07:21 PM

Browser redirections, random reboots and a phantom DLL.
-------------------------------------------------------------------

The system:

- XP Home with SP2
- IE-6
- All recent updates installed

The problem:

1 - When browsing on-line with DSL and Internet Explorer, a second browser window will open with a redirected URL taken from the HOST list. The start page never gets hijacked.

2 - After a few minutes of browsing, the PC will shut down and reboot.
NOTE: It only reboots when browsing. There are no reboots when not browsing or when not online via DSL, so it's NOT a power supply problem.

3 - There's a DLL located in the System32 folder which I suspect is causing this but it's locked so that it can't be read or erased.
When booting into SAFE mode or via a boot disk, the DLL disappears. This DLL only loads when XP is running and then it does its dirty work. The DLL name is 'mrndex.dll' but I can't find anything about it when searching the Internet.
----------
Troubleshooting results (so far):

- I ran SpyBot and Adaware in SAFE mode and cleaned up what was found.

- By running 'Hijack This' (not in SAFE mode), a line for code 20 reads:

"O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\mrndex.dll"

- By running 'Process Explorer' in 'Tree' view, I note that when the second (redirected) browser opens, 'mrndex.dll' appears in the 'winlogon.exe' branch with no description or company name associated with it.

- BHO Demon shows 2 good apps which I run.
-----------
I suspect that all of my problems are tied to this phantom DLL but I can't go any further until I can delete it. I've spent many hours on this and I've run out of ideas, so I'm turning to the experts. I've tried to include all the info I've discovered so far.
I appreciate any tips. Thanks!

Here's my 'Hijack This' log.....

=================

Logfile of HijackThis v1.99.1
Scan saved at 3:11:38 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: Shortcut to cseraserPRO.exe.lnk = C:\Documents and Settings\Family\Start Menu\UTILITIES\cseraserPRO.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4D991907-376B-4930-9090-8876B7E54087} (Application Class) - http://a1776.ff.fullaudio.com.edgesuite.ne...17/MusicNow.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124829985250
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\mrndex.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 miekiemoes

  • Malware Response Team

Posted 21 October 2005 - 04:58 AM

Hi,

Sorry for the late reply.
If you still need help, and since this was already a couple of days ago, please start by posting a new HijackThis log in this thread (don't start another thread) so I can take a look at it.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 needles

  • Topic Starter

  • Members

Posted 21 October 2005 - 06:52 PM

Hi,

Sorry for the late reply.
If you still need help, and since this was already a couple of days ago, please start by posting a new HijackThis log in this thread (don't start another thread) so I can take a look at it.


Hello....Thanks for helping.

Everything is still the same as in the original post.
The HijackThis log is the same.

Thanks........

#4 miekiemoes

  • Malware Response Team

Posted 21 October 2005 - 07:01 PM

Ok, you are dealing with a nasty one, but the latest version of Spysweeper can take care of it.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply together with a new hijackthislog.
Please don't perform this in safe mode!

#5 needles

  • Topic Starter

  • Members

Posted 30 October 2005 - 11:13 PM

Hi...here are the reports you requested.
Sorry about the delay....storms on the East coast caused some flooding and power outages here.
Yesterday, we had snow!

============================

********
12:36 PM: | Start of Session, Thursday, October 27, 2005 |
12:36 PM: Spy Sweeper started
12:36 PM: Sweep initiated using definitions version 563
12:36 PM: Starting Memory Sweep
12:38 PM: Found Adware: icannnews
12:38 PM: Detected running threat: C:\WINDOWS\system32\mrndex.dll (ID = 125214)
12:39 PM: Detected running threat: C:\WINDOWS\system32\xilprovi.dll (ID = 125214)
12:40 PM: Memory Sweep Complete, Elapsed Time: 00:03:09
12:40 PM: Starting Registry Sweep
12:40 PM: Found Adware: bookedspace
12:40 PM: HKLM\software\configuration manager\cfgmgr52\ (5 subtraces) (ID = 104873)
12:40 PM: Found Adware: media-motor
12:40 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
12:40 PM: Found Adware: seekseek.com hijacker
12:40 PM: HKLM\software\microsoft\internet explorer\search\ || search assistant (ID = 141574)
12:40 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
12:40 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
12:40 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
12:40 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
12:40 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
12:40 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
12:40 PM: Found Trojan Horse: trojan-backdoor-securemulti
12:40 PM: HKCR\clsid\{2c676b7b-796e-4c59-8209-4d0473e32a17}\ (4 subtraces) (ID = 654021)
12:40 PM: HKLM\software\classes\clsid\{2c676b7b-796e-4c59-8209-4d0473e32a17}\ (4 subtraces) (ID = 654029)
12:40 PM: Found Adware: clkoptimizer
12:40 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
12:40 PM: HKLM\software\qstat\ || brr (ID = 877670)
12:40 PM: Found Adware: enbrowser
12:40 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
12:40 PM: Found Adware: sidesearch
12:40 PM: HKU\S-1-5-21-3034088194-1650020993-583410148-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
12:40 PM: Found Adware: winantispyware 2005
12:40 PM: HKU\S-1-5-21-3034088194-1650020993-583410148-1005\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\winfixer 2005\ (1 subtraces) (ID = 543254)
12:40 PM: HKU\S-1-5-21-3034088194-1650020993-583410148-1005\software\system\sysuid\ (1 subtraces) (ID = 731748)
12:40 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
12:40 PM: Registry Sweep Complete, Elapsed Time:00:00:36
12:40 PM: Starting Cookie Sweep
12:40 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:40 PM: Starting File Sweep
12:41 PM: Found Adware: surf accuracy
12:41 PM: 006c8c82-6ceb-4812-b91b-e486cf (ID = 115677)
12:41 PM: xilprovi.dll (ID = 125214)
12:41 PM: Found Adware: delfin
12:41 PM: d0ea612f-45a2-4c74-8d7a-77e879 (ID = 57718)
12:45 PM: Found Adware: addestroyer
12:45 PM: inneradinstall.log (ID = 49035)
12:45 PM: uninstall_wh.exe (ID = 60133)
12:47 PM: 962344ee-3314-4019-a288-26d51f (ID = 114990)
12:49 PM: Found Adware: golden palace casino
12:49 PM: setup_mdart.exe (ID = 61899)
12:52 PM: mrndex.dll (ID = 125214)
12:52 PM: linun.exe (ID = 60121)
12:53 PM: rqutetab.dll (ID = 125214)
12:53 PM: Found Adware: cws-aboutblank
12:53 PM: a.bat (ID = 54834)
12:53 PM: Found Adware: bho_sep
12:53 PM: sepsd.bin (ID = 75367)
12:53 PM: best casino.  $200 signup bonus!.url (ID = 61881)
12:53 PM: d.bat (ID = 54834)
12:54 PM: File Sweep Complete, Elapsed Time: 00:13:37
12:54 PM: Full Sweep has completed. Elapsed time 00:16:13
12:54 PM: Traces Found: 107
12:56 PM: Removal process initiated
12:56 PM: Quarantining All Traces: clkoptimizer
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST21.tmp". Access is denied.
12:56 PM: Quarantining All Traces: cws-aboutblank
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST23.tmp". Access is denied.
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST24.tmp". Access is denied.
12:56 PM: Quarantining All Traces: trojan-backdoor-securemulti
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST25.tmp". Access is denied.
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST27.tmp". Access is denied.
12:56 PM: Quarantining All Traces: addestroyer
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST29.tmp". Access is denied.
12:56 PM: Quarantining All Traces: bho_sep
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST2A.tmp". Access is denied.
12:56 PM: Quarantining All Traces: bookedspace
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST2B.tmp". Access is denied.
12:56 PM: Quarantining All Traces: delfin
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST2D.tmp". Access is denied.
12:56 PM: Quarantining All Traces: enbrowser
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST2E.tmp". Access is denied.
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST2F.tmp". Access is denied.
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST30.tmp". Access is denied.
12:56 PM: Quarantining All Traces: golden palace casino
12:56 PM: Error: Cannot open file "C:\WINDOWS\temp\SST32.tmp". Access is denied.
12:57 PM: Error: Cannot open file "C:\WINDOWS\temp\SST33.tmp". Access is denied.
12:57 PM: Quarantining All Traces: icannnews
12:57 PM: Error: Cannot open file "C:\WINDOWS\temp\SST34.tmp". Access is denied.
12:57 PM: Quarantining All Traces: media-motor
12:57 PM: Error: Cannot open file "C:\WINDOWS\temp\SST36.tmp". Access is denied.
12:57 PM: Quarantining All Traces: seekseek.com hijacker
12:57 PM: Quarantining All Traces: sidesearch
12:57 PM: Quarantining All Traces: surf accuracy
12:57 PM: Error: Cannot open file "C:\WINDOWS\temp\SST38.tmp". Access is denied.
12:57 PM: Quarantining All Traces: winantispyware 2005
12:57 PM: Error: Cannot open file "C:\WINDOWS\temp\SST39.tmp". Access is denied.
12:57 PM: Error: Cannot open file "C:\WINDOWS\temp\SST3A.tmp". Access is denied.
12:57 PM: Removal process completed. Elapsed time 00:01:18
1:20 PM: Hosts file is too large.
1:21 PM: Processing Internet Explorer Favorites Alerts
1:21 PM: Allowed IE Favorite: Belarc Advisor
1:21 PM: Deleted error log without sending: C:\Documents and Settings\Family\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
********
12:32 PM: | Start of Session, Thursday, October 27, 2005 |
12:32 PM: Spy Sweeper started
12:32 PM: Hosts file is too large.
12:33 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:33 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:33 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:33 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:33 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:33 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:33 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:33 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:34 PM: Your spyware definitions have been updated.
12:35 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:35 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:35 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:35 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:35 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:35 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:35 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:35 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:36 PM: Updating spyware definitions
12:36 PM: Your definitions are up to date.
12:36 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:36 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:36 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:36 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:36 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:36 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:36 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:36 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:36 PM: | End of Session, Thursday, October 27, 2005 |

================================

Logfile of HijackThis v1.99.1
Scan saved at 12:41:36 PM, on 10/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\aim\aim.exe
C:\Documents and Settings\Family\Start Menu\UTILITIES\cseraserPRO.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Family\Desktop\Spyware Removal\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - Startup: Shortcut to cseraserPRO.exe.lnk = C:\Documents and Settings\Family\Start Menu\UTILITIES\cseraserPRO.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4D991907-376B-4930-9090-8876B7E54087} (Application Class) - http://a1776.ff.fullaudio.com.edgesuite.ne...17/MusicNow.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124829985250
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\mrndex.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=======================
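The two HijackThis logs in this thread differ in exactly the places a helper looks at first: the Winlogon Notify subkey carrying mrndex.dll was renamed, and a new HKCU Run value appeared. As an added example (not code from the thread, from HijackThis or from Spy Sweeper), the Python below parses HijackThis entry lines, diffs two logs of the same machine and flags the O20 and O4 patterns discussed here; the embedded log text is a constructed subset of the logs posted above, and the allowlist of notify DLLs is an assumption for the example.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example for this thread).

Parses the Rx/Ox entry lines, diffs two logs from the same machine, and flags
the persistence points the thread revolves around: Winlogon Notify (O20) DLLs
not on a known-good list, Run (O4) values naming a bare file with no path, and
entries that point at missing files.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# One entry per line, e.g.  O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\mrndex.dll
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Allowlist of Winlogon Notify DLLs.  Constructed for this example from the
# handlers a default Windows XP install registers plus the Intel graphics
# handler seen in the thread; a real list comes from a clean reference build.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll", "igfxsrvc.dll",
}


class Entry(NamedTuple):
    code: str  # section code such as "O20"
    body: str  # everything after "O20 - "


def parse_hjt_log(text: str) -> List[Entry]:
    """Return the Rx/Ox entries; header lines and the 'Running processes'
    paths never match ENTRY_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def diff_logs(old: str, new: str) -> Dict[str, List[Entry]]:
    """Entries added to or removed from a later log of the same machine.
    A renamed Notify subkey shows up as one removed and one added O20 line
    carrying the same DLL path."""
    before, after = set(parse_hjt_log(old)), set(parse_hjt_log(new))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def winlogon_notify_dll(entry: Entry) -> Optional[Tuple[str, str]]:
    """For an O20 Winlogon Notify line return (subkey, dll path)."""
    if entry.code != "O20":
        return None
    m = re.match(r"Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$", entry.body)
    return (m.group("key"), m.group("path")) if m else None


def flag_suspicious(entries: List[Entry]) -> List[str]:
    """Reasons, in log order, why an entry deserves a closer look."""
    findings = []
    for e in entries:
        notify = winlogon_notify_dll(e)
        run_cmd = re.match(r".*\]\s*(?P<cmd>.+)$", e.body) if e.code == "O4" else None
        if notify:
            key, path = notify
            if path.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(f"O20 Winlogon Notify '{key}' loads unknown DLL {path}")
        elif run_cmd and "\\" not in run_cmd.group("cmd"):
            # A Run value with a bare file name is resolved through the search
            # path at logon; this is the shape of the windir32.exe line above.
            findings.append(f"O4 Run entry without a full path: {e.body}")
        elif "(file missing)" in e.body or e.body.endswith("(no file)"):
            findings.append(f"{e.code} points at a missing file: {e.body}")
    return findings


# Constructed subsets of the two logs posted in the thread (13 and 27 Oct 2005).
LOG_OCT13 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:11:38 PM, on 10/13/2005

Running processes:
C:\WINDOWS\system32\winlogon.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\mrndex.dll
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
"""

LOG_OCT27 = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\mrndex.dll
"""

if __name__ == "__main__":
    for kind, items in diff_logs(LOG_OCT13, LOG_OCT27).items():
        for e in items:
            print(f"{kind:>7}: {e.code} - {e.body}")
    for reason in flag_suspicious(parse_hjt_log(LOG_OCT27)):
        print("FLAG:", reason)
```

The diff reports the old ShellServiceObjectDelayLoad notify line as removed and the new Nls line as added, which is the same DLL re-registered under another subkey rather than a second infection.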

#6 miekiemoes

  • Malware Response Team

Posted 31 October 2005 - 03:23 AM

Hello,

The infection is still present, which is why I want you to run Spysweeper once again.
But first, let's clean up a bit in HijackThis:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {4D991907-376B-4930-9090-8876B7E54087} (Application Class) - http://a1776.ff.fullaudio.com.edgesuite.ne...17/MusicNow.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\mrndex.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then start the Spysweeper scan again and save the log. A really important thing is that you REBOOT before posting the logs, because Spysweeper really needs that reboot to get rid of those files.

Then, after reboot, post the spysweeperlog together with a new hijackthislog.

#7 needles

  • Topic Starter

  • Members

Posted 04 November 2005 - 09:20 PM

GREAT NEWS....I'VE SOLVED THE PROBLEM!!

As I mentioned in my initial post, I noticed that when the second hijacked browser window opened, a filename would pop up next to 'WinLogon' in Process Explorer.

The filename is "mrndex.dll". None of the usual ways of deleting this file would work and it would disappear in SAFE mode and then reload itself when starting XP.

I had to find a way to get rid of this file and I finally did this week.
Here's how.....

I downloaded a program named 'KillBox' and it allows you to kill a selected program when XP starts.
I ran KillBox, typed in the name of the file (mrndex.dll) along with the location of it (System32) and ran it. On the next XP restart, it deleted it and I haven't had the problem since.

Thanks for taking the time to help solve this puzzle and if you ever find someone with a similar situation, you can suggest using KillBox.

It's available everywhere. Just do an Internet search and you'll find it.

Thanks again..........

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:17 PM

Posted 05 November 2005 - 01:16 AM

Hello,

Yes, I know that was the stubborn file and normally spysweeper deals with it if you reboot when asked.
Can you post a new HijackThis log please? We still need to restore some things; the problem may look solved, but it isn't. :thumbsup:

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:17 PM

Posted 10 November 2005 - 10:57 AM

Since there is no feedback anymore, this topic is closed, although it was important that some things got restored to prevent problems in the future.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:17 PM

Posted 11 November 2005 - 01:40 AM

Reopened at the user's request. :thumbsup:

#11 needles

needles
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 11 November 2005 - 08:45 PM

Hello,

Yes, I know that was the stubborn file and normally spysweeper deals with it if you reboot when asked.
Can you post a new HijackThis log please? We still need to restore some things; the problem may look solved, but it isn't. :thumbsup:


You may be right. Although the redirection and rebooting problems have disappeared, I now notice that I can't get any Windows Updates. It will open the 'searching' page, but then give an error message with an error number of 0x8ddd0004.
Searching the web for this number produces several 'fixes' but none that have worked so far.

Perhaps the answer lies within this 'hijackthis' log......


Logfile of HijackThis v1.99.1
Scan saved at 12:38:18 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Documents and Settings\Family\Start Menu\UTILITIES\cseraserPRO.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Family\Desktop\Spyware Removal\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: Shortcut to cseraserPRO.exe.lnk = C:\Documents and Settings\Family\Start Menu\UTILITIES\cseraserPRO.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4D991907-376B-4930-9090-8876B7E54087} (Application Class) - http://a1776.ff.fullaudio.com.edgesuite.ne...17/MusicNow.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124829985250
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59288124-B176-4F42-8056-E00E06535EFE}: NameServer = 71.243.0.12 151.202.0.85
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\mrndex.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
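The O20 lines in the log above are HijackThis listing the Winlogon Notify packages, the registry entries that made mrndex.dll load at every logon and reappear after a normal delete. Below is an added PowerShell example (not from this thread and not HijackThis code) that does the same enumeration and adds the two checks a responder wants next to each entry: whether the DLL is actually on disk, and whether it carries a valid Authenticode signature. It assumes a PowerShell-capable Windows host with read access to HKLM; the function name Get-WinlogonNotifyReport is this example's own.

```powershell
# Added example: audit Winlogon Notify packages (what HijackThis reports as O20 lines).
# Assumes PowerShell on Windows with read access to HKLM. Function name is ours.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyReport {
    param([string]$Path = $notifyKey)

    if (-not (Test-Path -Path $Path)) {
        # Windows Vista and later dropped Winlogon Notify packages, so the key is absent there.
        return @()
    }

    Get-ChildItem -Path $Path | ForEach-Object {
        $entry    = $_.PSChildName
        $dllName  = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        $resolved = $null
        $exists   = $false
        $sigState = 'n/a'
        $signer   = ''

        if ($dllName) {
            # Winlogon loads DllName with LoadLibrary, so a bare file name resolves to System32.
            $resolved = if ([System.IO.Path]::IsPathRooted($dllName)) { $dllName }
                        else { Join-Path $env:SystemRoot "System32\$dllName" }
            $exists = Test-Path -LiteralPath $resolved
            if ($exists) {
                $sig      = Get-AuthenticodeSignature -FilePath $resolved
                $sigState = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
        }

        # Two conditions worth a closer look: a dangling entry whose file is gone
        # (the "(file missing)" case in the log above) and a present but unsigned DLL.
        $suspicious = (-not $exists) -or ($sigState -ne 'Valid')

        [pscustomobject]@{
            Entry      = $entry
            DllName    = $dllName
            Path       = $resolved
            FileExists = $exists
            Signature  = $sigState
            Signer     = $signer
            Suspicious = $suspicious
        }
    }
}

# Print the report; dangling and unsigned entries show Suspicious = True.
Get-WinlogonNotifyReport | Format-Table -AutoSize
```

Run against the state in this thread, the vendor entries (igfxcui, WRNotifier) would come back with a valid signature and Suspicious = False, while the ShellScrap entry would be flagged because its DLL no longer exists, which is exactly the leftover the next post has HijackThis remove. Fixing a dangling entry is harmless; a present, unsigned DLL under this key is the one to copy off for analysis before deleting.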

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:17 PM

Posted 12 November 2005 - 02:03 AM

Hello,

First we need to deal with the leftovers from this infection and restore some settings.

We also need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\mrndex.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts.
Then open the newly added l2mfix folder on your desktop.
Double-click second.bat in that folder.
This will deal with the leftovers and restore default settings.

When done, open Notepad and copy and paste the next bold part into it:

net.exe stop wuauserv
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 msxml3.dll
regsvr32 jscript.dll
regsvr32 atl.dll
regsvr32 Mshtml.dll
regsvr32 Shdocvw.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 initpki.dll
net.exe start wuauserv


Save this as wu.bat, choose to save as "All files", and place it on your desktop.
This is how the batch must look afterwards: [screenshot not preserved in this copy]
Double-click wu.bat and you must get a message saying "DllRegisterServer ... succeeded" every time (about 13 times).
Then try Windows Update again.
If you get a message where it gives an error while running wu.bat, please let me know for which file it gives you that error.
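The wu.bat above re-registers the Windows Update COM components one regsvr32 call at a time and relies on the user reading a dozen dialogs to spot a failure. As an added example, not part of this post or of any Microsoft tool, here is the same repair in PowerShell with each call run silently and its exit code checked, so the script itself names any DLL that failed, which is the information asked for in the last line. It assumes an elevated PowerShell prompt on the affected machine; the function name Repair-WindowsUpdateRegistration is this example's own.

```powershell
# Added example: the wu.bat repair with per-DLL result checking.
# Assumes an elevated PowerShell prompt on Windows. Function name is ours.

# Same DLL list, in the same order, as the batch file in the post above.
$wuDlls = @('wuapi.dll', 'wuaueng.dll', 'wucltui.dll', 'wups.dll', 'msxml3.dll',
            'jscript.dll', 'atl.dll', 'Mshtml.dll', 'Shdocvw.dll', 'Oleaut32.dll',
            'Actxprxy.dll', 'initpki.dll')

function Repair-WindowsUpdateRegistration {
    param([string[]]$Dll = $wuDlls)

    # Stop the Windows Update service first so none of the DLLs is in use while re-registering.
    Stop-Service -Name wuauserv -Force -ErrorAction Stop

    $failed = @()
    foreach ($name in $Dll) {
        $full = Join-Path $env:SystemRoot "System32\$name"

        if (-not (Test-Path -LiteralPath $full)) {
            # A missing file is a different problem from a failed registration; report it as such.
            $failed += [pscustomobject]@{ Dll = $name; Reason = 'file not found in System32' }
            continue
        }

        # /s suppresses the "DllRegisterServer ... succeeded" dialog; the exit code still
        # carries the result (0 = success, nonzero = load or registration failure).
        $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$full`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            $failed += [pscustomobject]@{ Dll = $name; Reason = "regsvr32 exit code $($proc.ExitCode)" }
        }
    }

    # Restart the service whether or not everything registered, then report.
    Start-Service -Name wuauserv

    if ($failed.Count -eq 0) {
        Write-Host 'All DLLs re-registered; try Windows Update again.'
    } else {
        Write-Host 'These DLLs did not register (report these to the helper):'
        $failed | Format-Table -AutoSize
    }
    return $failed
}

Repair-WindowsUpdateRegistration | Out-Null
```

The return value is the list of failures, so the same function can be called from a larger cleanup script and acted on, instead of scraping dialog text. On a system where the infection also damaged files rather than just unregistering them, the "file not found" rows point at what needs replacing from installation media rather than re-registering.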

Edited by miekiemoes, 12 November 2005 - 02:03 AM.


#13 needles

needles
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 16 November 2005 - 06:28 PM

A quick note to let you know that all of the procedures which you suggested ran perfectly.
All appears to be in good order and there is happiness in the world again!


Thanks for your patience and excellent help.

Cheers........"needles"

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:17 PM

Posted 16 November 2005 - 06:33 PM

Glad to hear that. :thumbsup:

Can you post a last HijackThis log as a final checkup?

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:17 PM

Posted 27 November 2005 - 07:09 AM

Everything OK here?



