Hijack This Log: Please help diagnose


5 replies to this topic

#1 Barberian
Posted 17 November 2004 - 11:49 PM

Logfile of HijackThis v1.98.2
Scan saved at 11:35:58 PM, on 11/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\WINDOWS\System32\prqwsp.exe
C:\temp\salm.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\WINDOWS\system32\appon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mark\Application Data\eetu.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\apizi.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mark\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cijwp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3AF7AF61-E9EC-FF85-4730-D2B5711A9B30} - C:\WINDOWS\iprn32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [coalapopyzfb] C:\WINDOWS\System32\prqwsp.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [winpf32.exe] C:\WINDOWS\system32\winpf32.exe
O4 - HKLM\..\Run: [appon.exe] C:\WINDOWS\system32\appon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mark\Application Data\eetu.exe
O4 - HKCU\..\Run: [Bdxs] C:\WINDOWS\System32\?hkdsk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...937c6314a45eb37
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01092e57d8ddbc...ip/RdxIE601.cab

#2 Nirvana
Posted 18 November 2004 - 03:10 AM

Hi Barberian,

Don't run HijackThis directly from a temporary file. Unzip it/move it to a folder all of its own. HijackThis makes back-ups of everything you fix in case something should go wrong. This way you can restore the back-ups if need be. Running from a temporary file doesn't save back-ups.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Move HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Please delete the old copy so it can't be used.

You have a nasty CoolWebSearch infection which requires precise steps to fix:

Please download ServiceFilter.zip. This will reveal potential unauthorized running services in your system. Extract it to a new folder on your desktop. Double-click ServiceFilter.vbs. This script will create a text file named Post_This.txt in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here along with a new Hijackthis log.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.

"Computers are useless. They can only give you answers." - Pablo Picasso

#3 Barberian (Topic Starter)
Posted 20 November 2004 - 02:21 PM

Thanks for your help.

Pursuant to your instructions, I have moved my HijackThis to a permanent file. I have run the service filter and run another scan of HijackThis. I have copied the service filter and HijackThis scans back to back.

Here is the file I got from running service filter:



The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Nov 20, 2004 2:16:16 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: O?rtȲ$
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\apizi.exe /s
State: Running
Process ID: 1620
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: GoToMyPC
Display Name: GoToMyPC
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\program files\expertcity\gotomypc\g2svc.exe" -service
State: Running
Process ID: 1580
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{1bfc9618-281a-4ae5-83ea-254663503fbf}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 85 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 1.8125 seconds.


HERE IS THE SCAN FROM HIJACKTHIS

Logfile of HijackThis v1.98.2
Scan saved at 2:20:25 PM, on 11/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\apizi.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\WINDOWS\System32\prqwsp.exe
C:\temp\salm.exe
C:\WINDOWS\croh32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mark\Application Data\eetu.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C366C9F-DCEA-5233-2D82-F45056550ACB} - C:\WINDOWS\apptu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [winpf32.exe] C:\WINDOWS\system32\winpf32.exe
O4 - HKLM\..\Run: [appon.exe] C:\WINDOWS\system32\appon.exe
O4 - HKLM\..\Run: [croh32.exe] C:\WINDOWS\croh32.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\Mark\LOCALS~1\Temp\djebmm350.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mark\Application Data\eetu.exe
O4 - HKCU\..\Run: [Bdxs] C:\WINDOWS\System32\?hkdsk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01092e57d8ddbc...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100972326078

#4 Nirvana
Posted 20 November 2004 - 02:55 PM

Go to Add/Remove in your control panel and remove Ebates Moe Money Maker.

Copy and paste the contents of the quotebox to Notepad. Name the file as fix.reg. Change the Save as Type to All Files. Save this file on the desktop, we'll use it a bit later:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Follow the tutorial here to download and configure Ad-Aware: http://www.bleepingcomputer.com/forums/ind...showtutorial=48. Do not run it yet, we'll do that a bit later.

Download AboutBuster. Unzip it to C:\aboutbuster but don't run it yet we'll do that later on down in this list in SAFE MODE.

Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode.

You may want to print out the rest of these steps to refer to as you go. IMPORTANT: Please stay offline until instructed otherwise, connecting to the internet could cause this fix to fail.

Next, go to Start => Run and type "Services.msc" (without quotes) then hit Ok.

Scroll down and find the services called:

Remote Procedure Call (RPC) Helper Only this service, nothing similar!

Double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:

apizi.exe

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1C366C9F-DCEA-5233-2D82-F45056550ACB} - C:\WINDOWS\apptu32.dll


O4 - HKLM\..\Run: [winpf32.exe] C:\WINDOWS\system32\winpf32.exe
O4 - HKLM\..\Run: [appon.exe] C:\WINDOWS\system32\appon.exe
O4 - HKLM\..\Run: [croh32.exe] C:\WINDOWS\croh32.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\Mark\LOCALS~1\Temp\djebmm350.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mark\Application Data\eetu.exe
O4 - HKCU\..\Run: [Bdxs] C:\WINDOWS\System32\?hkdsk.exe

O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01092e57d8ddbc...ip/RdxIE601.cab

Navigate to and delete the following files if present. (If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is set; if it is, uncheck it and try again.)

C:\WINDOWS\apizi.exe <-------- Delete this file.
C:\WINDOWS\apptu32.dll <-------- Delete this file.
C:\WINDOWS\bfjad.dll <-------- Delete this file.
C:\WINDOWS\croh32.exe <-------- Delete this file.
C:\WINDOWS\system32\winpf32.exe <-------- Delete this file.
C:\WINDOWS\system32\appon.exe <-------- Delete this file.
C:\WINDOWS\System32\?hkdsk.exe <-------- Delete this file.
C:\Documents and Settings\Mark\Application Data\eetu.exe <-------- Delete this file.
C:\Program Files\Ebates_MoeMoneyMaker <-------- Delete this folder.
C:\Program Files\SideFind <-------- Delete this folder.

Still in Safe Mode go to C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder (do this for all usernames).

Finally, go to Control Panel>Internet Options.
On the General tab under: Temporary Internet Files, click: Delete Files
Place a check by: Delete Offline Content when the prompt appears, and click OK.
Next, click on the Programs tab, then click: Reset Web Settings button.
Click Apply, then OK.

Also, empty the Recycle Bin.

Next, we will remove the offending service. Go to Start | Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:

O?‑rtȲ$ or Remote Procedure Call (RPC) Helper

If any are listed, right-click that entry in and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:

LEGACY O?‑rtȲ$ or LEGACY Remote Procedure Call (RPC) Helper

If any are listed, right-click the entry and choose Delete.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Browse to C:\aboutbuster and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.

Then double-click on the fix.reg file we created earlier on your desktop and when it prompts to merge say yes, this will clear some registry entries left behind by the process.

Now run Ad-Aware.

Reboot into normal mode.

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX! If they have been changed, reset your ActiveX security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.


Do an online scan at TrendMicro's site. Let it remove any infected files found.

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review.
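A triage script for the HijackThis log format used in this thread, added here as an example; it is not a tool from the thread or from the HijackThis author. It turns the patterns the helper above acted on into checks: res:// search pages pointing at a dropped DLL, the known hijacker host, the missing URLSearchHook, the unnamed BHO, autostart entries in temp and per-user folders, and the file name HijackThis printed with a '?'. The sample lines are constructed from entries in the posted logs, the host list is a seed taken only from those logs, and the folder heuristic is an assumption about where legitimate autostart entries live:

```python
"""Heuristic triage of HijackThis (HJT) v1.98-style log lines.

Added example, not a tool from the thread. Indicators, all taken from the
entries the helper told the poster to fix:
  * R0/R1 values rewritten to a res:// resource inside a dropped DLL
  * R0/R1 values pointing at a host already known as a search hijacker
  * "R3 - Default URLSearchHook is missing"
  * O2 BHOs registered with no name
  * O4 autostarts launched from temp or per-user data folders (assumption)
  * O4 file names HJT printed with a '?': that character is not legal in a
    Windows file name, so the real name holds a character HJT could not
    render (here, a look-alike of chkdsk.exe)
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in HJT log format, modelled on entries from this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bfjad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1C366C9F-DCEA-5233-2D82-F45056550ACB} - C:\WINDOWS\apptu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\Mark\LOCALS~1\Temp\djebmm350.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mark\Application Data\eetu.exe
O4 - HKCU\..\Run: [Bdxs] C:\WINDOWS\System32\?hkdsk.exe
"""

# Seed list taken from the hijacked search settings in this thread's log;
# extend it from your own logs.
KNOWN_HIJACK_HOSTS = {"websearch.drsnsrch.com"}
# Folders a legitimate autostart entry rarely runs from (lower-cased match).
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\")

R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?)(?: = (?P<value>.*))?$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>.*?)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension. HJT prints many
# paths unquoted even when they contain spaces, so splitting on whitespace fails.
PATH_IN_CMD = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|com|scr|bat|pif)", re.IGNORECASE)
BAD_NAME_CHARS = re.compile(r'[<>:"/|?*]')  # reserved in Windows file names


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def extract_path(cmd: str) -> Optional[str]:
    m = PATH_IN_CMD.search(cmd)
    return m.group(0) if m else None


def host_of(value: str) -> Optional[str]:
    # HJT prints some SearchURL values without a scheme; urlsplit needs one.
    if "://" not in value:
        value = "http://" + value
    try:
        return urlsplit(value).hostname
    except ValueError:
        return None


def check_r(m: re.Match) -> Optional[str]:
    value = (m.group("value") or "").strip()
    low = value.lower()
    if "urlsearchhook is missing" in m.group("key").lower():
        return "default URLSearchHook removed; the search hook has been tampered with"
    if low.startswith("res://") and ".dll" in low:
        return "search/start setting redirected into a local DLL resource (CWS sp.html pattern)"
    if host_of(value) in KNOWN_HIJACK_HOSTS:
        return "search setting points at a known hijacker host"
    return None


def check_o2(m: re.Match) -> Optional[str]:
    if m.group("name").strip().lower() == "(no name)":
        return "BHO registered without a name: " + m.group("path")
    return None


def check_o4(m: re.Match) -> Optional[str]:
    path = extract_path(m.group("cmd"))
    if path is None:
        return None
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if any(d in low for d in SUSPICIOUS_DIRS):
        return "autostart launched from a temp/user-data folder: " + path
    if BAD_NAME_CHARS.search(name) or any(ord(c) > 127 for c in name):
        return "file name contains a character HJT could not render: " + path
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the lines a human should look at first, with the reason."""
    findings: List[Finding] = []
    checks = ((R_LINE, check_r), (O2_LINE, check_o2), (O4_LINE, check_o4))
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, check in checks:
            m = pattern.match(line)
            if m:
                reason = check(m)
                if reason:
                    findings.append(Finding(line, reason))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a script to print the findings for the built-in sample, or call triage() on a saved log. The output is a shortlist for a person to review, not a verdict: a legitimate program can run from Application Data, and the host list only catches hijackers you have already seen.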

#5 Barberian (Topic Starter)
Posted 21 November 2004 - 01:46 AM

Thanks for your help. Here are the aboutbuster log and the HJT log (in order)


ABOUTBUSTER LOG:

Scanned at: 12:33:12 AM on: 11/21/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\addrs32.exe:fnljj
C:\WINDOWS\addxr32.exe:xgvwl
C:\WINDOWS\apikj.exe:qhobf
C:\WINDOWS\apind.exe:ahhgi
C:\WINDOWS\FeatherTexture.bmp:zzbbe
C:\WINDOWS\Gone Fishing.bmp:kibec
C:\WINDOWS\hh.exe:rzmgy
C:\WINDOWS\imsins.BAK:xwunz
C:\WINDOWS\IsUninst.exe:qxmat
C:\WINDOWS\Live.ico:fkwca
C:\WINDOWS\mfcph32.exe:tzmlg
C:\WINDOWS\mfcuo.exe:mawya
C:\WINDOWS\mspp32.exe:oychj
C:\WINDOWS\mstu32.exe:hzvmd
C:\WINDOWS\netcg32.exe:hyrgi
C:\WINDOWS\netkd.exe:zzklk
C:\WINDOWS\ntew.exe:auonp
C:\WINDOWS\ntmu32.exe:smzsj
C:\WINDOWS\ntsh.exe:lnrxd
C:\WINDOWS\ntyi32.exe:dokdf
C:\WINDOWS\sdkhe32.exe:cthpf
C:\WINDOWS\sdkjl.exe:muruz
C:\WINDOWS\setupapi.log:zjcba
C:\WINDOWS\system.ini:klnmx
C:\WINDOWS\tsoc.log:bwztb
C:\WINDOWS\twain.dll:ddyrz
C:\WINDOWS\twunk_16.exe:upjhe
C:\WINDOWS\twunk_32.exe:uitje
C:\WINDOWS\unvise32qt.exe:veqet
C:\WINDOWS\wiaservc.log:gfupp


Removed 2 Random Key Entries
Deleted 1 Service Keys Successfully!
Removed! : C:\WINDOWS\kumul.dat
Removed! : C:\WINDOWS\msme.dll
Removed! : C:\WINDOWS\ntob.dll
Removed! : C:\WINDOWS\xulrn.dat
Removed! : C:\WINDOWS\System32\hyrgi.dat
Removed! : C:\WINDOWS\System32\javafj.dll
Removed! : C:\WINDOWS\System32\winzb32.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\addrs32.exe:fnljj
C:\WINDOWS\addxr32.exe:xgvwl
C:\WINDOWS\apikj.exe:qhobf
C:\WINDOWS\apind.exe:ahhgi
C:\WINDOWS\FeatherTexture.bmp:zzbbe
C:\WINDOWS\Gone Fishing.bmp:kibec
C:\WINDOWS\hh.exe:rzmgy
C:\WINDOWS\imsins.BAK:xwunz
C:\WINDOWS\IsUninst.exe:qxmat
C:\WINDOWS\Live.ico:fkwca
C:\WINDOWS\mfcph32.exe:tzmlg
C:\WINDOWS\mfcuo.exe:mawya
C:\WINDOWS\mspp32.exe:oychj
C:\WINDOWS\mstu32.exe:hzvmd
C:\WINDOWS\netcg32.exe:hyrgi
C:\WINDOWS\netkd.exe:zzklk
C:\WINDOWS\ntew.exe:auonp
C:\WINDOWS\ntmu32.exe:smzsj
C:\WINDOWS\ntsh.exe:lnrxd
C:\WINDOWS\ntyi32.exe:dokdf
C:\WINDOWS\sdkhe32.exe:cthpf
C:\WINDOWS\sdkjl.exe:muruz
C:\WINDOWS\setupapi.log:zjcba
C:\WINDOWS\system.ini:klnmx
C:\WINDOWS\tsoc.log:bwztb
C:\WINDOWS\twain.dll:ddyrz
C:\WINDOWS\twunk_16.exe:upjhe
C:\WINDOWS\twunk_32.exe:uitje
C:\WINDOWS\unvise32qt.exe:veqet
C:\WINDOWS\wiaservc.log:gfupp


Attempted Clean Of Temp folder.
Pages Reset... Done!


LAST HJT LOG:


Logfile of HijackThis v1.98.2
Scan saved at 1:44:33 AM, on 11/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100972326078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


THANKS AGAIN. LET ME KNOW IF I NEED TO DO ANYTHING ELSE TO PREVENT THIS FROM HAPPENING AGAIN.

#6 Nirvana
Posted 21 November 2004 - 04:43 AM

Good work, that's a clean log :thumbsup:

It's a good idea to Flush your System Restore after ridding yourself of malware:

1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Follow steps 1 to 3 again, then uncheck Turn off System Restore.

When you are sure you are clean create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html


IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm


Click here to make sure that you have the latest patches for Windows. Click here to get the latest version of Internet Explorer. It's very important to keep your system up to date to avoid unnecessary security risks.

You may also want to read Tony Klein's article on "How I got Infected in the First Place":
http://forums.net-integration.net/index.php?showtopic=3051



