HijackThis Log Please Help Diagnose


This topic is locked
24 replies to this topic

#1 ronnie

  • Members
  • 13 posts

Posted 23 May 2004 - 01:34 PM

The problem I am having is that my browser has been hijacked by greatsearch.biz which has replaced my homepage, and which automatically loads dialers to unwanted web sites. When I try to close them, my screen goes blank white. Below is my HijackThis log. I would appreciate help in deciding which entries to delete.

Logfile of HijackThis v1.97.7
Scan saved at 4:29:12 PM, on 22/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\dl.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: (no name) - {047855DE-001D-45BD-8B29-422DC901B749} - C:\WINDOWS\System32\dnk.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
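A log like the one above is normally read by hand, entry by entry. The Python script below is an added example, not part of this thread and not a HijackThis feature: it runs a few triage rules over sample lines (all but the O1 line are copied from the log above; the O1 hostname is constructed) and flags the entries a helper would look at first: IE pages served out of a local DLL via res:// or pointing at a host not on an allowlist, hosts-file redirections away from loopback, unnamed browser helper objects or BHOs outside Program Files, Run entries whose executable sits in the registry hive directory, reuses a system binary's name outside system32, or lies loose in the Windows root, and an ActiveX (O16) entry with no source URL. The allowlists TRUSTED_PAGE_HOSTS, WINDIR_ROOT_OK and SYSTEM_NAMES are assumptions to be tuned per machine, and a hit means "look closer", not "delete".

```python
import re
from urllib.parse import urlparse

# Sample HijackThis lines. All but the O1 line are copied from the first log
# in this thread; the O1 hostname is constructed (the real log mapped the
# same IP to a dozen hostnames).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dnk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 65.77.83.222 redirected.example
O2 - BHO: (no name) - {047855DE-001D-45BD-8B29-422DC901B749} - C:\WINDOWS\System32\dnk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
"""

# Assumed allowlists; tune them for the machine being examined.
TRUSTED_PAGE_HOSTS = {"www.microsoft.com", "www.msn.com", "go.microsoft.com"}
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
# Names that belong in system32; the same name anywhere else is a masquerade.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}


def _page_suspicious(target):
    """R0/R1 rule: where does IE's start/search page actually come from?"""
    target = target.strip()
    if not target or target.lower() == "about:blank":
        return None
    if target.lower().startswith("res://"):
        return "page served from a local DLL resource: " + target
    host = (urlparse(target).hostname or "").lower()
    if host not in TRUSTED_PAGE_HOSTS:
        return "page points to a host not on the allowlist: " + target
    return None


def _command_path(command):
    """Extract the executable from an O4 command line (quoted or first token)."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else command


def _run_entry_suspicious(command):
    """O4 rules on where the autostarted executable lives."""
    path = _command_path(command).lower()
    directory, _, name = path.rpartition("\\")
    if "\\system32\\config\\" in path:
        return "autorun from the registry hive directory: " + path
    if name in SYSTEM_NAMES and directory != r"c:\windows\system32":
        return "system binary name outside system32: " + path
    if directory == r"c:\windows" and name not in WINDIR_ROOT_OK:
        return "loose executable in the Windows root: " + path
    return None


def triage_line(line):
    """Return (section, reason) for a line worth a closer look, else None."""
    m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    code, rest = m.groups()
    reason = None
    if code.startswith("R"):
        _, _, target = rest.partition(" = ")
        reason = _page_suspicious(target)
    elif code == "O1":
        m2 = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest)
        if m2 and m2.group(1) not in ("127.0.0.1", "::1"):
            reason = f"hosts file sends {m2.group(2)} to {m2.group(1)}"
    elif code == "O2":
        parts = rest.split(" - ")                 # "BHO: name", "{CLSID}", path
        name = parts[0].split(":", 1)[1].strip()
        path = parts[-1].strip()
        if name == "(no name)" or not path.lower().startswith("c:\\program files\\"):
            reason = "unnamed or oddly located BHO: " + path
    elif code == "O4":
        m2 = re.match(r".*\[(.*?)\]\s*(.*)$", rest)   # "[Name] command"
        if m2:
            reason = _run_entry_suspicious(m2.group(2))
    elif code == "O16":
        if re.search(r"\s-\s*$", rest):           # "{CLSID} -" with no URL
            reason = "ActiveX download entry with no source URL"
    return (code, reason) if reason else None


def triage_log(text):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [hit for hit in (triage_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for code, reason in triage_log(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

On the sample it flags seven of the ten lines, which are the same kinds of entries the helpers in this thread single out: the greatsearch.biz pages, the res:// search pages backed by dnk.dll, the unnamed BHO loading that DLL, the dialer and the fake "services.exe" under Run, and the empty O16 entry. The Norton BHO, the about:blank entry and the quoted ccApp Run entry pass.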


#2 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts

Posted 23 May 2004 - 02:57 PM

Hi ronnie, welcome to BC

Looks like you've got one of the new super nasties--a CoolWebSearch variant that's tough to get rid of. We need to find a super-hidden dll file first and then deal with it next. So please do the following:

Step 1. Download DLLFix from one of the following links. Save it to a folder on your root drive, which is C:\ for most people:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix, open the folder and double-click on start.bat

Step 5. Run Option 1 by pressing 1 on the keyboard. The program will now start searching.

Step 6. Once the search is complete a text file should open with the name Output.txt. Copy and Paste the contents of this text file to your next reply to this post.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#3 ronnie (Topic Starter)

  • Members
  • 13 posts

Posted 25 May 2004 - 08:32 AM

This Topic has been merged with the original. Ronnie, please stick to one thread to avoid confusion. It will help us to keep things straight and will help you also. When you want to answer your thread, click the "Add Reply" button. Thanks.
Papakid


As requested by Papakid, I have run the dllfix program and herewith have posted the log. What is the next step?

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

25/05/2004
09:23 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (A829:E19C) - FS:NTFS clusters:4k
Total: 40 015 953 920 [37G] - Free: 34 799 689 728 [32G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
9:23am up 0 days, 0:06
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
30030 2040 norm _Shell_TrayWnd
10106 2040 norm SysFader
100d6 288 norm Norton AntiVirus
10026 616 high NetDDE Agent
4012e 2392 norm C:\WINDOWS\System32\cmd.exe
100fc 2040 norm dllfix
30142 2192 norm Auto Update Client Window
2014e 2040 norm MCI command handling window
300b2 2040 norm Connections Tray
5005a 1480 norm ActiveMovie Window
200a0 1480 norm ActiveMovie Window
200a6 1480 norm MSP PNP Notification Window
300c8 1480 norm CRTCClient
300d0 1480 norm CRTCIMService
300b4 1480 norm DDE Server Window
200cc 2040 norm Power Meter
100c2 2040 norm MS_WebcheckMonitor
20056 248 norm Hidden Main Window
20054 256 norm Agere Systems Soft Modem Monitor
2005c 288 norm ccApp
1007a 1580 norm SYMNAM
10076 1400 norm NISUM Window
200ac 308 norm STM3 TrayIcon
1008a 2040 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047855DE-001D-45BD-8B29-422DC901B749}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{92C7AE52-6EE9-4C70-8E1F-E08EBA2FF284}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{92C7AE52-6EE9-4C70-8E1F-E08EBA2FF284}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#4 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts

Posted 25 May 2004 - 07:44 PM

OK, ronnie, here's what I want you to do:

1. Open DllFix's Start.bat again.
2. Choose Option 2 (Run Fix)
3. Choose Option 2 in the submenu (Run Fix without Dll Name...). You will get a message that your computer will reboot in 15 seconds.
4. On reboot/login, DllFix will run, scanning for the bad dll & repairing if found. When it's finished a log.txt file will pop up. Copy that and paste it into your next reply. The log will be saved in the DllFix folder if you need it again.
5. Now run CWShredder.
Direct Download of CWShredder

After you download the program, unzip it into a directory (folder). Double click on CWShredder.exe then click on the "Check for Update" button, and if it finds a new version it will download it. Now close it & boot into Safe Mode to run it.

Please view this tutorial for details: How to remove CoolWebSearch with CoolWeb Shredder

6. Run AdAware. Download it from here: Ad-aware. Make sure it's updated and allow it to fix all that it finds. Ad-Aware Tutorial

7. Scan again with HijackThis and post a new log along with the log.txt from DllFix.

After we clean up with HijackThis we should know if this has worked or not.



#5 ronnie (Topic Starter)

  • Members
  • 13 posts

Posted 26 May 2004 - 10:40 AM

Okay, here is the DllFix finished log after running the program. See below... Also, I have been unable to download the CWShredder. I have tried the direct link to the zip file, and also the merijn/downloads.html link, and each time I get the "This page cannot be displayed" message. Is that because the site is too busy, or is there some other problem? I will continue to try to download the program, but as you know every time I try to access the internet, greatsearch.biz takes over, and it is a little frustrating. I currently use the "ctrl-alt-delete" sequence to stop the program from running while I try to continue. Here is the log....

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
26/05/2004
11:22 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text/plain
Deleting Filter text/html
Running from C:\dllfix\dllfix
Scanning For main hijacker.
Found Main Hijacker Dll:C:\WINDOWS\System32\DNK.DLL
Md5 tested As F952343119E80138A186564389C1F83A
Scanning for Hidden Dll in system32 1st pass
File found was: C:\WINDOWS\System32\DNK.DLL
Md5 Check of C:\WINDOWS\System32\DNK.DLL

Md5 tested As F952343119E80138A186564389C1F83A
File was found but md5 didnt match
MD5 was: F952343119E80138A186564389C1F83A
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\System32\DNK.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\dllfix\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

#6 Grinler

    Lawrence Abrams

  • Admin
  • 43,717 posts
  • Location:USA

Posted 26 May 2004 - 10:46 AM

Looks like it may have done its job. Post a new HijackThis log.

#7 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts

Posted 26 May 2004 - 10:55 AM

ronnie, did you try running AdAware? If not try that before you post another log. And I'll see if I can find a better link for CWShredder.



#8 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts

Posted 26 May 2004 - 11:11 AM

OK, try downloading CWShredder from here:
http://www.zerosrealm.com/downloads.php

If you still can't download it or have problems with it let us know, & just run AdAware and post a HijackThis log.



#9 ronnie (Topic Starter)

  • Members
  • 13 posts

Posted 26 May 2004 - 11:33 PM

Okay, I have successfully downloaded and run CWShredder. Interestingly, during the running of the program, a Norton Antivirus Alert window indicated it had found a Trojan Virus, and I was unable to close the window, so I rebooted and ran a full computer scan. Norton found two virus files in Windows, and was unable to quarantine or delete them. The message said that there are still viruses on my computer. (My Norton is up to date)... anyway, that is another matter.

I ran Adware again, and this time it found just one CoolSearch file, which it quarantined.

I then ran HijackThis again, as instructed, and below is a copy of the new log. Should I now attempt to remove some of the files identified in the log, and if so, which ones?

Here is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 12:22:11 AM, on 27/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {047855DE-001D-45BD-8B29-422DC901B749} - C:\WINDOWS\System32\dnk.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

#10 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts

Posted 27 May 2004 - 02:22 AM

Ok, ronnie, we're making good progress. You've removed the about:blank dll that unlocks these other files. Now we have to remove greatsearch and there is a bit of a trick to that as well. It also has a hidden file which is probably what Norton is seeing. So let's try this:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Scan again with HijackThis. Close all other windows, put a checkmark by these entries, double-checking to be sure that only these entries are checked & then click the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {047855DE-001D-45BD-8B29-422DC901B749} - C:\WINDOWS\System32\dnk.dll
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -


Reboot your computer into Safe Mode and delete the following file if found:

C:\WINDOWS\System32\dnk.dll

Open Registry Editor--START>Run>type in regedit.
navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Write down the values listed in the pane to the right and post them in your next reply.

Now do a file search for system32.dll and let me know if you find it.

Post another HijackThis log along with the other information requested.

There is something else you need to do as well. Take a look at this part of your log.txt:

Md5 tested As F952343119E80138A186564389C1F83A
File was found but md5 didnt match
MD5 was: F952343119E80138A186564389C1F83A

This just means that there was something different about your file that hasn't been seen before. It would be a great help if you would follow these instructions, also from the log:

File was zipped for submission to Shadowwar
File is located at C:\dllfix\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.



You're almost done. Fixing the above entries with HijackThis should make the hijacker go away. Then we'll get rid of the other hidden file after you post back.



#11 ronnie (Topic Starter)

  • Members
  • 13 posts

Posted 27 May 2004 - 02:25 PM

Okay, interesting things have been going on. I ran HijackThis and deleted the files. The new log is posted here, followed by additional comments.

Logfile of HijackThis v1.97.7
Scan saved at 2:59:56 PM, on 27/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF897A54-A4F6-49FD-B256-3D5DD9962C49}: NameServer = 209.115.142.9 209.115.142.132

You asked to safe boot and search for the "dnk.dll" file, which I did, and IT WAS NOT FOUND.

You also asked to search for "system32.dll" which I DID find.

I located the Registry files you asked for and as you did not specify which particular file you were interested in, I am including them all here.

DEFAULT: (value not set)

CD BURN: fbeb8a05-beee-4442-804e-409d6c4515e9

POST BOOT REMINDER: 7849596a-48ea-486e-8937-a2a3009f31a9

SYSTEM: ADA5D103-157E-4B7E-BCD3-7B8F0F5451E3

SYS TRAY: 35CEC8A3-2BE6-11D2-8773-92E220524153

WEBCHECK: E6FB5E20-DE35-11CF-9C87-00AA005127ED


Now, here is the interesting part: when I rebooted the computer Norton detected a Trojan.KillAV virus in "C:\WINDOWS\System32\system32.dll" and posted an "Access to the file was denied" message. A new window popped up suggesting I should reboot using "the modified boot ini". Another window popped up indicating that because I had used the System Config Utility to make changes, I needed to "choose the Normal Startup mode on the General tab...etc.", which I did, and the reboot seems normal.

So, how are we doing? I sure am learning a lot of interesting things about the behind the scenes of a computer. Thanks for all your help so far. I am trying my best to follow your instructions.

#12 Guest_Plimsol_*

  • Guests

Posted 27 May 2004 - 02:47 PM

Ok please copy the contents of the quote box to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]


Click File and then save as, and give it the name clear.reg.

Then under the filename set file types to all files.

Then save it to the desktop.

Go to your desktop and double-click on clear.reg. When it asks if you would like to install it press the Yes button.

Reboot the computer.

Then using My Computer we need to find and delete system32.dll

It will be in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll

When you find it, delete it.

Then post a new hijackthis log and we will clean you further.
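The file Plimsol asks for is in the REGEDIT4 script format, where a value line written as `"Name"=-` removes that value and a key written as `[-KEY]` removes the whole key. The Python parser below is an added example, not from this thread and not a Microsoft tool: it reads such a script and lists the actions an import would perform, so a reader can confirm what a .reg file will change before double-clicking it. It is fed the script from the post above verbatim, accepts either the REGEDIT4 header or the newer "Windows Registry Editor Version 5.00" header, and never touches the registry.

```python
import re

# The script from the post above, copied verbatim; it is the thread's own
# content, only the parser around it is added.
CLEAR_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"\[(-?)(.+)\]")            # [KEY] or [-KEY]
VALUE_LINE = re.compile(r'(?:"([^"]*)"|(@))=(.*)')  # "name"=data or @=data


def parse_reg_script(text):
    """List the actions a .reg import would perform, without touching the registry.

    Each action is a tuple: ("delete_key", key), ("delete_value", key, name)
    or ("set_value", key, name, raw_data). Raises ValueError on a malformed file.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):       # blank lines and comments
            continue
        m = KEY_LINE.fullmatch(line)
        if m:
            if m.group(1) == "-":
                actions.append(("delete_key", m.group(2)))
                current = None                    # no values may follow a deleted key
            else:
                current = m.group(2)
            continue
        m = VALUE_LINE.fullmatch(line)
        if not m or current is None:              # value line outside any key
            raise ValueError("malformed line: " + line)
        name = "(Default)" if m.group(2) else m.group(1)
        data = m.group(3)
        actions.append(("delete_value", current, name) if data == "-"
                       else ("set_value", current, name, data))
    return actions


def is_valid_reg_script(text):
    """True if the text parses as a .reg script, False otherwise."""
    try:
        parse_reg_script(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for action in parse_reg_script(CLEAR_REG):
        print(*action)
```

Run on the script above it reports one value deletion (the "System" value under ShellServiceObjectDelayLoad, the same value Papakid later has ronnie remove by hand in regedit) followed by three CLSID key deletions. A file that fails the header or structure checks is reported as invalid rather than guessed at.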

#13 ronnie (Topic Starter)

  • Members
  • 13 posts

Posted 27 May 2004 - 10:42 PM

I followed the instructions above, but when I double clicked on the clear.reg icon on my desktop I got the following message.

"Cannot import C:\Documents_1\RONHUD~1\Desktop\clear.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

I then repeated the entire process to see if I had made an error, and I got the same message.

I then deleted the "clear.reg" icon from my desktop, and await your further instructions. As I was not able to successfully install the clear.reg, I did not proceed with the steps that followed that item.

Your comments please.

#14 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts

Posted 27 May 2004 - 11:10 PM

That's OK, ronnie, we'll do it this way:

1. Open regedit and navigate to the key as I instructed before.
2. Highlight ShellServiceObjectDelayLoad in the left pane, then right click SYSTEM: ADA5D103-157E-4B7E-BCD3-7B8F0F5451E3
3. Choose delete, close Regedit and reboot. Be careful in here and only delete that one thing.
4. Find that system32.dll--which is now unlocked--and delete it. If Norton pops up wanting to handle it, that's OK, have it delete it.
5. Post another HijackThis log.

So, how are we doing?

You're doing fine ronnie. I was going to ask you the same--are things running smoother yet? After cleaning up with HT you should be in good shape. You will need to check on your antivirus, but don't worry about that just yet.



#15 ronnie (Topic Starter)

  • Members
  • 13 posts

Posted 28 May 2004 - 02:05 PM

Okay, hopefully this is the last time I need to post a HijackThis log. Everything seems to be running properly, and I successfully deleted the files you recommended in your last post (SYSTEM: AD....) AND (system32.dll). My browser is now opening to my blank home page - goodbye greatsearch...you rotten S.O.B.! and I have not noticed any unwanted redirects. I think I am ready to breathe a sigh of relief. Just a little more than a week ago I was "fit to be tied". I really do appreciate all the help you have been giving.

I currently have the SP1 package installed with my XP operating system, and understand that I should download SP1a to help prevent future hijackings. As this could take up to 3 hours to download with my modem receiving at only 44.0 I will put that into action at a later date.

I now have two questions. The first is: are there still some left-over tasks I need to do to finalize this challenge....quest... problem?

AND, how do you guys benefit from all your time? Is there somewhere, or some way, that I can show my appreciation in a monetary way?



