
HJT log - chimera: Ran S&D and Ad-Aware


29 replies to this topic

#1 chimera

  • Members
  • 24 posts

Posted 07 November 2004 - 10:18 PM

My IE browser has been hijacked by a search.biz/?wmid=1010. I looked around for some info and found many self-help articles. After following them I am still plagued with the problem. The only thing that changed was the site changed to "xysearch.biz/?wmid=1010".

I have run Ad-Aware, Search and Destroy, AntiVir XP, CWShredder and Spy Sweeper, all of which are current versions. I also have installed all current updates from Microsoft including SP2.

Last night I made a post about this under "operating systems/ winds". It was very late and I did not realize my mistake. I apologise for my late-night frustrated ignorance. :thumbsup: I do not see an option for me to delete or remove my post. I'm sorry.

I have done a lot of updating and have installed and run Search and Destroy since that HJT log in my first post; here is the recent log.

Logfile of HijackThis v1.98.2
Scan saved at 10:09:09 PM, on 11/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\csrss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\LEXPPS.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS.000\System32\alg.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.000\system32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099883572799

I hope someone can help me. Thank you for your time.

After posting this I re-ran Ad-Aware and Spybot Search and Destroy and found there are some registry problems that will not go away. They keep coming back.

Ad-Aware tells me I have 2 "possible browser hijack attempts": one is a regkey and the other a regvalue. They are...

Regkey: HKEY_CURRENT_USER:Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aifind.info\

and Regvalue:
HKEY_CURRENT_USER:Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aifind.info"*"

With Spybot search and destroy the following re-appear

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1715567821-507921405-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

I Hope this info helps.

Edited by chimera, 07 November 2004 - 11:15 PM.



#2 endurer

  • Members
  • 7 posts

Posted 08 November 2004 - 10:24 AM

I had the same question about http://xysearch.biz/?wmid=1010 at
http://www.bleepingcomputer.com/forums/t/4469/new-hijackthis-log-for-httpxysearchbizwmid1010/

About: aifind.info

Please download CoolWebShredder and run it in safe mode.

Fixes:
O15 - Trusted Zone: *.windupdates.com

#3 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 08 November 2004 - 12:37 PM

Hi chimera,
Please ignore endurer's advice. I know it is well intentioned but it won't solve this infection. I see you and endurer are both posting to HJT logs and while we appreciate your willingness to help others this causes problems--please reread the text box at the top of this post:

If you are not a HJT Team member, please refrain from offering advice on what HJT entries to fix, as it can cause confusion.


I think you should both also have a look at this thread:
http://www.bleepingcomputer.com/forums/t/2322/help-wanted/

Now to the problem at hand. The a-search biz infection has changed and is still changing so the Self Help guide is out of date. There is a new method to fix it, but since it may still be evolving, I would like to try something in the first round. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

Scan again with HijackThis. Put a checkmark by these entries, double-checking to be sure that only these entries are checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=Userinit.exe,
O15 - Trusted Zone: *.windupdates.com

Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Reboot your computer.

Scan again with HijackThis and post the resulting log back here in this thread. Please indicate that this is the log done in Normal mode.

Reboot your computer into Safe Mode. Scan again with HijackThis, save that log and post it in this thread also, indicating that it is the Safe mode log.

I also have a question for you. Your Windows folder has a ".000" added to its name. Has it always been like that or has this changed?

Thanks. And welcome to BC! :thumbsup:

The thing about people

is they change

when they walk away.--Mipso
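The entries Papakid has chimera fix (the R0 start-page lines, the F2 UserInit line and the O15 Trusted Zone domain) are the same ones a reviewer checks first in a HijackThis log of this vintage. The triage script below is an added example, not something posted in this thread; it runs over constructed lines modelled on the logs above, and the O16 host allowlist, the empty Trusted Zone allowlist and the expected UserInit form are all assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the logs posted in this thread (not a real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS.000\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Travis\LOCALS~1\Temp\sp.html
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/
"""

# Assumed allowlists for this example; a real reviewer keeps these per machine.
TRUSTED_DPF_HOSTS = {"v5.windowsupdate.microsoft.com", "www.pandasoftware.com"}
ALLOWED_TRUSTED_ZONE: set = set()  # nothing should be in the IE Trusted Zone here

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Assumed XP default: one full path to userinit.exe followed by a trailing comma.
USERINIT_OK_RE = re.compile(r"[a-z]:\\[^,]*\\userinit\.exe,", re.IGNORECASE)


def _flag(section: str, reason: str, line: str) -> Dict[str, str]:
    return {"section": section, "reason": reason, "line": line}


def triage_hjt_log(text: str) -> List[Dict[str, str]]:
    """Return the HijackThis entries a reviewer would want fixed, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and "Running processes" paths carry no section code
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1"):
            # IE start/search pages should be http(s) URLs or about:blank, never a local
            # file such as the per-user Temp\sp.html page seen in the logs above.
            value = body.split(" = ", 1)[1] if " = " in body else ""
            if value.lower().startswith("file://") or re.match(r"[a-z]:\\", value, re.I):
                findings.append(_flag(section, "IE page setting points to a local file", line))

        elif section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            if not USERINIT_OK_RE.fullmatch(value):
                findings.append(_flag(section, "UserInit differs from the default full-path value", line))

        elif section == "O15":
            # "*.example.com" -> "example.com"; any domain not deliberately added is suspect.
            domain = body.split(":", 1)[1].strip().lstrip("*.").lower()
            if domain not in ALLOWED_TRUSTED_ZONE:
                findings.append(_flag(section, "unexpected domain in IE Trusted Zone", line))

        elif section == "O16":
            hm = URL_HOST_RE.search(body)
            host = hm.group(1).lower() if hm else ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(_flag(section, "ActiveX download from unrecognised host", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f['section']:>3}  {f['reason']}: {f['line']}")
```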


#4 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 08 November 2004 - 03:03 PM

Forgot to mention that you shouldn't worry about the DSO Exploits. It's a small bug in Spybot S&D. As long as you have all your Windows updates DSO Exploits won't be a problem. This should be fixed in SSD soon, just keep it updated.



#5 chimera
  • Topic Starter

  • Members
  • 24 posts

Posted 08 November 2004 - 06:13 PM

Papakid, thank you for your help. I think that might have done it. I can now change my home page without it changing back. I hope it doesn't come back.

As for the posting to other HJT logs, perhaps the wording in the disclaimer should be tweaked a little to avoid confusion, but it won't happen again. I'm sorry! :thumbsup:


Normal log:

Logfile of HijackThis v1.98.2
Scan saved at 5:51:53 PM, on 11/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099883572799


Safe mode log:

Logfile of HijackThis v1.98.2
Scan saved at 6:19:22 PM, on 11/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\Explorer.EXE
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099883572799

As for the WINDOWS.000 folder name, I haven't a clue what happened there. This computer crashed after I installed SP2. I hooked up a slave 6 GB HDD from an old computer to retrieve important documents. Then I reformatted, installed 98SE, then upgraded to XP (I don't have a full version of XP), but it installed on both HDDs, filling the 6 GB one. I had to yet again reformat and install XP onto this 120 GB HDD. Maybe that has something to do with it? I just barely got the computer back online a week or so ago.

Also, now that I think of it, the OS has given me an error message every now and then ever since I installed it.

It says "The system has recovered from a serious error."
I click on more info and it tells me this:
C:\DOCUME~1\nick\LOCALS~1\Temp\WERa027.dir00\Mini110804-02.dmp
C:\DOCUME~1\nick\LOCALS~1\Temp\WERa027.dir00\sysdata.xml
Any ideas?

Thank you very much for your time. Sorry again about the HJT log I replied to; it won't happen again.

Edited by chimera, 08 November 2004 - 07:15 PM.


#6 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 08 November 2004 - 07:24 PM

No problem about the other post--as you said you were frustrated and that's understandable.

So are you still getting redirected?



#7 chimera
  • Topic Starter

  • Members
  • 24 posts

Posted 08 November 2004 - 08:06 PM

No, I'm no longer being redirected. Thank you very much!

Any ideas on what I should do with that error message? Should I make another post about it in another topic?

Edited by chimera, 08 November 2004 - 08:08 PM.


#8 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 08 November 2004 - 09:00 PM

Well, I'm not too good at reading memory dumps :thumbsup: it could be related to this malware or any number of other issues. For some reason memory is not getting released. Feel free to post about it in one of our other forums.

I still don't like the looks of that (those) logs so if the redirections come back be sure to post a log back here.

In fact I still would like for you to run two online virus scans. And post back here what was found. These two have logs that you can post:

Panda ActiveScan

BitDefender

Run those scans and post the results and go ahead and post one last (hopefully) HJT log.



#9 chimera
  • Topic Starter

  • Members
  • 24 posts

Posted 08 November 2004 - 11:09 PM

I noticed that IE redirects on every username except this one. Will I have to post a hjt log for every user or can I delete the other users and remake them?

Running online virus scans now...

Panda ActiveScan log:

Incident Status Location

Virus:Trj/Downloader.LP Disinfected C:\Documents and Settings\nick\Desktop\2.dat
Virus:Trj/StartPage.FH Disinfected C:\Documents and Settings\Travis\Local Settings\Temp\sp.html
Virus:Trj/StartPage.FH Disinfected C:\Documents and Settings\FAMILY\Local Settings\Temp\sp.html



BitDefender tells me "BitFailed to load interface -- You must have administrative rights on this computer; you also must have the Internet Explorer security settings to the Medium level." I am an administrator on this computer and IE settings are set to the Medium level?

Current HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:38:34 PM, on 11/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.000\system32\lexpps.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\WINDOWS.000\system32\wpabaln.exe
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099883572799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Edited by chimera, 08 November 2004 - 11:39 PM.


#10 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 08 November 2004 - 11:52 PM

Post another HijackThis log from normal mode please.

You can delete those files that Panda found if they still exist.

Do me a favor and make a new reply whenever you add information. Using edit to modify your posts gets confusing to anyone reviewing the thread and could lead to mistakes.

I may need to see logs from your other accounts, but let's see what this next log looks like. How many accounts are you running? Are they all Administrator?



#11 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 09 November 2004 - 12:03 AM

OK, I see you've added the log before I posted.

Do this--Run Disk Cleanup. Type cleanmgr in the run box by going to Start>Run. Have it clean out the following three:

Temporary Files
Temporary Internet Files
Recycle Bin

Log into all your other accounts and repeat the process.

Scan again with HijackThis. If there are no changes in the log, go to one of your other accounts that gets redirected and make a log from there and post it.



#12 chimera
  • Topic Starter

  • Members
  • 24 posts

Posted 10 November 2004 - 01:35 AM

Including my account there are 3 accounts, and they are all admins.

I ran Disk Cleanup on all accounts and they are all different, but no longer redirect!

Here is the log from the account named "travis".

Logfile of HijackThis v1.98.2
Scan saved at 1:30:22 AM, on 11/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.000\system32\lexpps.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Travis\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Travis\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Travis\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099883572799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Here is another log from the account named "family".

Logfile of HijackThis v1.98.2
Scan saved at 1:40:36 AM, on 11/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.000\system32\lexpps.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FAMILY\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FAMILY\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FAMILY\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vv3.s13.topx.cc/open_console_out.php?n=21&pin=319
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099883572799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


Do you need the log from my account?
Again, thank you very much for your time and help!!!

Edited by chimera, 10 November 2004 - 01:52 AM.


#13 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 10 November 2004 - 10:44 AM

OK, chimera, it shouldn't make any difference which account you are logged into, but let's try moving HijackThis out of your Documents and Settings directory. You have a nasty CWS infection, but I want to make sure that the a search.biz/?wmid=1010 is gone before we fix it. Please do the following:

First, create a folder for HijackThis in the root folder of your hard drive.
1. Click START>My Computer>right click Local Disk (usually (C:) for most people)>Explore.
2. Right click an open area in the main pane.
3. Select New>Folder.
4. Type in HJT & press Enter.

Now navigate to C:\Documents and Settings\nick\My Documents\New Folder\HijackThis.exe, right click on HijackThis.exe and choose Cut. Open the HJT folder you just created on the C: drive, right click and choose Paste. Please run HijackThis from this location from now on.

Please download Reglook from here:

http://computercops.biz/modules.php?name=F...ownload&id=3618

Save it to C:\HJT. Right click on reglook.zip and choose Extract All..., then Next, and paste in the following bold text in the "Files to be extracted to..." field:
C:\HJT\Reglook

Log into your nick account.
Run Reglook. It will make a log.
Scan again with HijackThis and save the log.

Log into your FAMILY account.
Run Reglook.
Scan again with HijackThis and save the log.

Reply to this thread and include in this order:

1. First Reglook log.
2. HJT log from nick account.
3. Second Reglook log.
4. HJT log from FAMILY account.

Please DO NOT click on "Add Reply" until all of those logs are pasted in and whatever important information and questions have been added. If you think of something later, open this thread, click Add Reply and make a new post.



#14 chimera
  • Topic Starter

  • Members
  • 24 posts

Posted 10 November 2004 - 07:56 PM

Papakid, I apologize about the post. I thought you didn't want me to add more info to a post that you had previously replied to, but I understand now. Sorry for the inconvenience.


I moved hjt.exe to C:\HJT, but I was unable to find Reglook at http://computercops.biz/modules.php?name=F...ownload&id=3618
I clicked on downloads and searched for "reglook" but found nothing?

#15 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,609 posts

Posted 10 November 2004 - 09:29 PM

Hi chimera,
There seems to be a problem with that RegLook download page with Internet Explorer. I can get the download to work fine in Mozilla but not IE. I'll let you know when that's straightened out. We'll just have to do without it right now.

Please post the two logs from HijackThis that I asked for and I'll run you through the fix that should work for the a-search.biz infection if it's still there. Then we'll deal with the temp/sp.html infection.
