
IE Startup TROJAN


  • This topic is locked
3 replies to this topic

#1 JAMOs

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:15 PM

Posted 25 October 2004 - 03:11 PM

This is the result from the HJT scan.
I would really appreciate some advice on this.
@MSITStore:C:\spe\start.chm::/start.html# is the web address that shows when I open Internet Explorer. I can't seem to get rid of it. I've tried everything I know and nothing is working, shy of digging into the registry that is.

Thanks.
JAMOs

Logfile of HijackThis v1.98.2
Scan saved at 1:38:51 PM, on 10/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
F:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
F:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4355
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = about:blank
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Aaron Moore\Application Data\Mozilla\Profiles\default\7epjcaq5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Aaron Moore\Application Data\Mozilla\Profiles\default\7epjcaq5.slt\prefs.js)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {CE500569-7E3B-4351-89F6-CB92E5D01C9D} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINNT\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OEu.exe] F:\temp\OEu.exe
O4 - HKLM\..\Run: [LATPxe.exe] F:\temp\LATPxe.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cyberfree.exe] F:\temp\emjp.dat
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AVGCtrl] F:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVSCHED32] F:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhlp.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = F:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0S...%49%5A/find.htm (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0S...42%49%5A/av.htm (file missing)
O9 - Extra button: PILLS - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0S...2%49%5A/med.htm (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0S...49%5A/check.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0S...4LD%2E%42%49%5A (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {ABF63B2C-F7CD-4D30-8CE8-77DDF72B0002} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {ABF63B2C-F7CD-4D30-8CE8-77DDF72B0002} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {ABF63B2C-F7CD-4D30-8CE8-77DDF72B0002} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {ABF63B2C-F7CD-4D30-8CE8-77DDF72B0002} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...44b809d52872622
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://gsnmalbm01.cr.usgs.gov/iNotes.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://lopes.armstrong.com/ib/databases/actimage40803.cab
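A triage pass over a HijackThis log of the kind posted above, added here as an example and not part of this thread: it flags the entry types a helper reads first (a start or search page served from a .chm via mk:@MSITStore or from a local file, autoruns started from temp folders or pointing at non-.exe targets, unnamed BHOs whose DLL is missing, URL-prefix rewrites, and Trusted Zone additions). The sample lines are copied from the log above; the heuristics are the editor's own and only prioritise review, they do not decide what to remove.

```python
import re

# Sample HijackThis lines copied from the log posted above; ZoneAlarm and Acrobat are legitimate.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\search.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OEu.exe] F:\temp\OEu.exe
O4 - HKLM\..\Run: [cyberfree.exe] F:\temp\emjp.dat
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O15 - Trusted Zone: *.searchmiracle.com
"""
ENTRY = re.compile(r"^(R0|R1|O2|O4|O13|O15) - (.*)$")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")        # value is a file on disk, not a URL
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)  # autorun that lives in a temp folder

def triage(log_text):
    """Return (section, reason, line) per suspicious entry. Heuristics: prioritise review, not removal."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            if value.lower().startswith("mk:@msitstore:"):
                findings.append((section, "start/search page served from a .chm help file", line))
            elif LOCAL_PATH.match(value):
                findings.append((section, "start/search page points at a local file", line))
        elif section == "O2" and "(no name)" in body and re.search(r"\((file missing|no file)\)", body):
            findings.append((section, "unnamed BHO whose DLL is missing (dangling registration)", line))
        elif section == "O4":
            # Command after the [name] tag; quotes and trailing switches dropped (coarse).
            target = re.split(r'"?\s+[-/]', body.split("] ", 1)[-1])[0].strip('"')
            if TEMP_DIR.search(target):
                findings.append((section, "autorun started from a temp directory", line))
            elif not target.lower().endswith(".exe"):
                findings.append((section, "autorun target is not an .exe", line))
        elif section == "O13" and not re.fullmatch(r"[a-z]+://", body.split(": ", 1)[-1]):
            findings.append((section, "URL prefix routes every typed address through a third-party host", line))
        elif section == "O15":
            findings.append((section, "site added to IE's Trusted zone, relaxing its security settings", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full log above it leaves the ZoneAlarm, Acrobat and Spybot entries alone and surfaces exactly the entries Nirvana's fix targets (the start.chm page and the C:\SPE folder behind it) plus the temp-folder autoruns and zone changes that a follow-up log should confirm are gone.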






#2 Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 25 October 2004 - 09:35 PM

Hi JAMOs,

Download CWShredder. Don't run it yet.

Follow the tutorial here to download and configure Ad-Aware: http://www.bleepingcomputer.com/forums/ind...showtutorial=48. Do not run it yet, we'll do that a bit later. Also download the free VX2 Cleaner at http://updates.ls-servers.com/plvx2cleaner.exe and install it.

Please download this tool to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe.

Make sure you have set Windows to show hidden files and folders, then reboot into safe mode.

Extract the startchmfix file to your desktop

Open the folder and click on the fix bat.

Make sure all Internet Explorer windows are closed.

Run it. Notepad will open at the end with a message and the bad file listing. Please post that bad file listing line here.

If no files show in the bad file listing then reboot and perform a search for any of these files and delete them:

C:\Windows\System\C_10230.DLL <-------- Delete this file.
C:\WINDOWS\System\CRTV2_32.DLL <-------- Delete this file.
C:\WINDOWS\CRTV2_32.DLL <-------- Delete this file.
C:\WINDOWS\System\CRT32_V2.DLL <-------- Delete this file.
C:\WINDOWS\CRT32_V2.DLL <-------- Delete this file.

Delete the following folder: C:\SPE <-------- delete this folder.

Now run CWShredder, click Fix, don't just scan. Let it fix everything it asks about.

Now run Ad-Aware.

Run the VX2 Cleaner plug in:

How to use Lavasoft's VX2 Cleaner plug-in

- Start Ad-Aware
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".


If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer.

Reboot, then post a new log and let us know how things are running.
"Computers are useless. They can only give you answers." - Pablo Picasso

#3 JAMOs
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:15 PM

Posted 26 October 2004 - 04:57 PM

Thanks Nirvana. It worked!!
Didn't have any bad files to post, but no more hijacked startup.
Thanks again!

#4 Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:15 PM

Posted 26 October 2004 - 07:09 PM

You may want to post a new log so that Nirvana can make sure it's completely clean.
