
Swapx won't die after regedit, restarts IE


11 replies to this topic

#1 troutslayer59

Posted 19 November 2004 - 01:59 PM

After running regedit and deleting all occurrences of win-to, spider, and swapx, swapx reloads with startup of IE. Now looks like new version of spyware has infected my PC. I've downloaded ad-aware, but it will not install.
I think I've done all I know how to do. Can you help? Thanks for your great web site.

Logfile of HijackThis v1.98.2
Scan saved at 11:48:46 AM, on 11/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ktjjwj.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=132122
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=132122
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=132122
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=132122
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\721NVB~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
O4 - HKLM\..\Run: [ldhwkun] C:\WINDOWS\System32\ktjjwj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099340569049
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: k3yvg77z1u2z72.dll


#2 illukka (Security Colleague)

Posted 20 November 2004 - 11:26 AM

hi

It is a good idea to print or copy these instructions because you are not able to access the Internet in SafeMode.

1. Download CWShredder from here
After you download the program, unzip it into a directory. Don't use it yet.

2. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Download System Security Suite here:System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

4. Download the Hoster from here. Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


6. Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\k3yvg77z1u2z72.dll

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.
Check if the C:\WINDOWS\System32\k3yvg77z1u2z72.dll is still there. If it is repeat step no.6. If not go to the next step.

7. Reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:



R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=132122
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=132122
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=132122
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=132122
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\721NVB~1.DLL

O4 - HKLM\..\Run: [ldhwkun] C:\WINDOWS\System32\ktjjwj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - Global Startup: winlogin.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) -
O20 - AppInit_DLLs: k3yvg77z1u2z72.dll



Close all other windows and browsers, and press the Fix Checked button.

8. Search for these files and delete them if found:
C:\WINDOWS\System32\721NVB~1.DLL<-- this file
C:\WINDOWS\System32\ktjjwj.exe<-- this file
C:\WINDOWS\wupdt.exe<-- this file
winlogin.exe<-- this file

Delete these folders:

C:\Program Files\SideFind\<-- this folder
C:\Program Files\VVSN<-- this folder


9. Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

11. With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Locate Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.

15. REBOOT normally. Run HijackThis! again and post a new log.
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#3 troutslayer59 (Topic Starter)

Posted 22 November 2004 - 04:46 PM

You guys are great!
Thanks for all the time you spend helping people.
Here is my updated log.

Logfile of HijackThis v1.98.2
Scan saved at 2:42:29 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\kw6c2omtx8ythd.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\kw6c2omtx8ythd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099340569049
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: l26hhc9crv64midll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

#4 troutslayer59 (Topic Starter)

Posted 22 November 2004 - 05:12 PM

Premature celebration.
All was fine until I restarted IE.
Went directly to t.swapx

Here is my latest log.

Logfile of HijackThis v1.98.2
Scan saved at 3:10:40 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\kw6c2omtx8ythd.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\kw6c2omtx8ythd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099340569049
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: n63tmebr9275yidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

#5 illukka (Security Colleague)

Posted 23 November 2004 - 12:40 AM

hi

i thought it would do it as one part from it was not showing in the log

lets do the fix again:

start killbox> copy paste in the field full path of file to delete
C:\WINDOWS\System32\kw6c2omtx8ythd.exe


Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

again copy paste this line in the deletion field
C:\WINDOWS\System32\n63tmebr9275yidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

again press the red circle with a white X in it.

this time allow it to reboot

when the machine boots back from killbox, begin immediately tapping f8.
select safe mode from the menu using the arrow button and hit enter


once in safe mode start hijackthis. checkmark/fix these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\kw6c2omtx8ythd.exe
O20 - AppInit_DLLs: n63tmebr9275yidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

do you recognise the domain milgro.com
if not fix these lines too
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com


reboot back to normal mode and post a new log

Edited by illukka, 23 November 2004 - 12:41 AM.


#6 troutslayer59 (Topic Starter)

Posted 23 November 2004 - 11:45 AM

Hi illukka,

This is a really tough bug.
I ran 3 logs for HJT.
1. After cleaning but before rebooting.
2. After reboot, but before running Internet Explorer.
Although not on this log, my home page is often reset to win-eto without even running IE after a reboot.
The no-name BHO keeps coming back, and the O20 - AppInit_DLLs: d8wy2r79i3xmlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl keeps coming back even though I execute a search and delete using regedit.
Also Spider Solitaire keeps reappearing even though I delete it using regedit.
3. After running IE. Was immediately hijacked to t.swapx and saw win-eto loading.
after being hijacked to t.swapx, was able to use my Favorites to go to Bleeping Computer so I could post this log.

Here are the logs:

Log 1 - After cleaning but before reboot.

Logfile of HijackThis v1.98.2
Scan saved at 9:24:37 AM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: d8wy2r79i3xmlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Log 2 After reboot
Logfile of HijackThis v1.98.2
Scan saved at 9:27:29 AM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: d8wy2r79i3xmlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Log 3 - IE after hijacked to t.swapx
Logfile of HijackThis v1.98.2
Scan saved at 9:37:32 AM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: d8wy2r79i3xmlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

I reran the fix you gave me earlier, including clearing the temp and temp internet files. I think the problem is embedded in IE, but don't know if I can reload IE or I'd have to reload XP.

#7 troutslayer59 (Topic Starter)

Posted 30 November 2004 - 10:52 AM

I re-ran the fixes in Safe Mode and everything looked great.
When I re-booted into normal operating mode, I started Internet Explorer with the startpage=about.com and clicked on the red X immediately in order to prevent IE going to sites that I had not specifically chosen.
Immediately, the hourglass icon came on anyway and evidently re-loaded a bunch of adult sites to my Favorites that I had previously deleted.
I think my IE is corrupted because my HJT log looked clean.
Here it is after starting IE for the first time after cleaning up.

Logfile of HijackThis v1.98.2
Scan saved at 8:50:29 AM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=132122
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\7GT6DN~1.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com
O20 - AppInit_DLLs: dyrgwpytiluc.dll.dll

#8 illukka (Security Colleague)

Posted 01 December 2004 - 04:50 AM

hi

this is a really nasty bugger!!!

luckily one of our team members came up with a new fix for this b*******d

Open Notepad (Start>All Programs>Accessories>NotePad)
Copy/paste the following quote (bold) to Notepad:

@echo off
rem Remove any list left over from an earlier run
if exist %SYSTEMDRIVE%\baddlllist.txt del %SYSTEMDRIVE%\baddlllist.txt
rem List every file in System32 matching *.dll.dll (the hijacker's naming pattern)
dir %SYSTEMROOT%\System32\*.dll.dll > %SYSTEMDRIVE%\baddlllist.txt
rem Open the list in Notepad so it can be copied into a reply
notepad %SYSTEMDRIVE%\baddlllist.txt
cls
exit


-Go up to the Notepad File menu, and select: Save As
-In the Save As dialogue box:
--Save in: Desktop
--File Name: find_bad_dlls.bat
--Save as Type: use right side arrow to select: All Files
-Click: Save button

Now, go to the Desktop
-Double click on find_bad_dlls.bat
-A baddlllist - NotePad text will appear with the contents of: Directory of C:\WINDOWS\System32
-Copy and paste the contents of the resulting text file and post them back to this thread

From the moment you post the find_bad_dll log do not shut down your computer! Doing so will cause the file names to change and the fix to fail

#9 troutslayer59 (Topic Starter)

Posted 01 December 2004 - 10:31 AM

Hi,

I hope you had a nice holiday.
Let me know if the additional postings I made were helpful.
Here are the results from the bat file.
Thanks again for your help.

Volume in drive C has no label.
Volume Serial Number is 1C0F-0CDA

Directory of C:\WINDOWS\System32

11/30/2004 08:28 AM 6,656 dyrgwpytiluc.dll.dll
11/22/2004 08:21 AM 6,656 nhxtmpfbb26g9.dll.dll
11/30/2004 08:28 AM 6,656 rc3xxomwty4c.dll.dll.dll
11/30/2004 08:28 AM 6,656 4ue1z3cbz27l7dll.dll.dll.dll
11/22/2004 08:21 AM 6,656 29r524p12xhbridll.dll.dll.dll.dll
11/30/2004 08:28 AM 6,656 w19rtcz9e7vt7dll.dll.dll.dll.dll
11/30/2004 08:28 AM 6,656 djh4vp1w73vt7dll.dll.dll.dll.dll.dll
11/30/2004 08:28 AM 6,656 5fxfxtcs43u25dll.dll.dll.dll.dll.dll.dll
11/30/2004 08:28 AM 6,656 f86rze8s6rx87dll.dll.dll.dll.dll.dll.dll.dll
11/22/2004 08:21 AM 6,656 3lgk9hjpbppslidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/22/2004 08:21 AM 6,656 82dxr9wk8ccrlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/22/2004 08:21 AM 6,656 y3xsicrb4mnclidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/22/2004 08:21 AM 6,656 gid15x6eno2rlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/22/2004 08:21 AM 6,656 uciieskklg9zxjdll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
14 File(s) 93,184 bytes
0 Dir(s) 35,785,179,136 bytes free

#10 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 01 December 2004 - 02:04 PM

hi

this is a really nasty one, as you see it's 14 bad dlls!

this also has a trojan downloader, which "phones home".

as you noticed, it affects IE, if you have trouble surfing, download/install an alternative browser like mozilla, opera or firefox

Alright... this is a new hijacker and it is pretty difficult to remove. If you follow these directions though, we should be able to remove it. Please follow each direction EXACTLY. If, for some reason, you can't follow a particular step, keep going and post your problem in a new reply.
Also, you have some of the required files already; in those cases skip the download part but pay specific attention to how we use those files!

1) Show hidden files/folders:
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

2) Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it fix.reg.

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1]

[-HKEY_CLASSES_ROOT\redalert.here]

[-HKEY_CLASSES_ROOT\redalert.here.1]

[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]




3) Download CleanUp! from here. Install it but do not run it yet.

4) Install Ad-Aware SE 1.05 from here. Install it but do not run it yet. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run. You may want to print out this tutorial: http://www.bleepingcomputer.com/forums/ind...showtutorial=48 so you can refer to it later. At the very least skim over it.

5) Download CWShredder from here. Extract/save it to your desktop but do not run it yet.

6) Download the Grisoft AVG Anti-Virus from here (direct link). Install it but do not run it yet.
note: this will be very useful for you in the future, as I noticed that you don't have an antivirus there!

7) Next, download KillBox.zip (Removal Tool #15) from here:
http://www.subratam.org/?page=removal
Place it in a folder on your Desktop.
Extract it from the zip file and then double-click on Killbox.exe to run it.
Select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\System32\7GT6DN~1.DLL
Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.


Repeat the directions above for the following files:

C:\WINDOWS\System32\dyrgwpytiluc.dll.dll

C:\WINDOWS\System32\nhxtmpfbb26g9.dll.dll

C:\WINDOWS\System32\rc3xxomwty4c.dll.dll.dll

C:\WINDOWS\System32\4ue1z3cbz27l7dll.dll.dll.dll

C:\WINDOWS\System32\29r524p12xhbridll.dll.dll.dll.dll

C:\WINDOWS\System32\w19rtcz9e7vt7dll.dll.dll.dll.dll

C:\WINDOWS\System32\djh4vp1w73vt7dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\5fxfxtcs43u25dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\f86rze8s6rx87dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\3lgk9hjpbppslidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\82dxr9wk8ccrlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\y3xsicrb4mnclidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\gid15x6eno2rlidll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\uciieskklg9zxjdll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

after you've copy-pasted the last entry from above:
Press the button with a red circle and a white X.
When asked to Reboot, select Yes.

note: do not let KillBox reboot until you have copy-pasted all of those above!

***Do not open IE while doing the following fix. Doing so may cause the fix to fail. In the following steps your internet connection will be temporarily disabled, so you may want to print out the instructions. This fix may and probably will take a LONG time, so please be patient.***

8) Reboot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

9) Now we get to run the AVG that you downloaded before. Check for updates and run a Full System Scan.

10) After the full scan above is done and it removes everything it finds, update and run a full system scan with Ad-Aware. For an in-depth tutorial on how to do this see the tutorial I referred you to earlier (Do NOT open Internet Explorer).

11) Run CWShredder. Click "Fix" and let CWShredder remove all traces of CoolWebSearch.

12) Run CleanUp! in Standard Mode. When it asks to reboot/log off, decline.

13) Double-click on the fix.reg that you previously saved on the desktop. Accept any changes to the registry.

14) Reboot your computer so you're back in normal mode.

15) Run HJT and place a check next to the following items if they still exist:


R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=132122
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\7GT6DN~1.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab


Close any open browsers and windows and click "Fix Checked".

16) Reboot one last time into normal mode and post a new log.

Good luck :thumbsup:

Edited by illukka, 01 December 2004 - 03:34 PM.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
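
The helper's triage above is done by eye: read the `dir` listing for names with stacked `.dll.dll` extensions, note that they all share the same size, and match them against the O20 AppInit_DLLs and O2 BHO loader lines in the HijackThis log. The script below is an added example, not the thread's own batch file, that does the same three checks over sample input. The listing is constructed in the format find_bad_dlls.bat produced; the four hijacker names and the two HijackThis lines are taken from this thread, while the two ordinary system DLL entries, their dates and their sizes are made-up filler so the filter has something to let through.

```python
"""Triage helper for the stacked '.dll.dll' hijacker discussed in this thread.

Added example, not code from the thread. It parses a `dir` listing and a few
HijackThis lines, flags names whose extension is '.dll' repeated two or more
times, groups files by identical size, and cross-references flagged names with
the AppInit_DLLs / BHO lines that load them.
"""
import re
from collections import defaultdict

# Constructed sample in the format the thread's find_bad_dlls.bat produced.
# The four *.dll.dll names come from the thread; kernel32.dll and mfc42.dll
# entries (dates, sizes) are made-up filler representing legitimate files.
DIR_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1C0F-0CDA

 Directory of C:\WINDOWS\System32

11/30/2004  08:28 AM             6,656 dyrgwpytiluc.dll.dll
11/22/2004  08:21 AM             6,656 nhxtmpfbb26g9.dll.dll
11/30/2004  08:28 AM             6,656 rc3xxomwty4c.dll.dll.dll
11/22/2004  08:21 AM             6,656 y3xsicrb4mnclidll.dll.dll.dll.dll
08/29/2002  05:00 AM           979,456 kernel32.dll
08/29/2002  05:00 AM           995,383 mfc42.dll
               6 File(s)      2,001,463 bytes
               0 Dir(s)  35,785,179,136 bytes free
"""

# HijackThis lines quoted from the thread (O2 and O20) plus one O4 line that
# the loader filter should ignore.
HJT_LINES = [
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\7GT6DN~1.DLL",
    r"O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe",
    r"O20 - AppInit_DLLs: dyrgwpytiluc.dll.dll",
]

# One file line of a `dir` listing: date, time, comma-grouped size, name.
# Directory rows show <DIR> where the size goes, so they do not match.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)
# Two or more '.dll' suffixes in a row: the hijacker's naming hallmark.
STACKED_DLL = re.compile(r"(?:\.dll){2,}$", re.IGNORECASE)
APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.+?)\s*$")
BHO = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$")


def parse_dir_listing(text):
    """Return one dict per file row of a `dir` listing (headers/totals skipped)."""
    entries = []
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if m:
            entries.append({"date": m["date"], "time": m["time"],
                            "size": int(m["size"].replace(",", "")),
                            "name": m["name"]})
    return entries


def flag_stacked_dlls(entries):
    """Names whose extension is '.dll' repeated at least twice."""
    return [e["name"] for e in entries if STACKED_DLL.search(e["name"])]


def size_clusters(entries, min_count=3):
    """Groups of at least min_count files sharing an identical byte size.

    Droppers that write the same payload under random names leave such a
    cluster; in the thread all 14 files were exactly 6,656 bytes.
    """
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["name"])
    return {s: names for s, names in by_size.items() if len(names) >= min_count}


def hjt_loader_refs(lines):
    """(loader, path) pairs from O20 AppInit_DLLs and O2 BHO lines only."""
    refs = []
    for line in lines:
        m = APPINIT.match(line)
        if m:
            refs.extend(("AppInit_DLLs", d) for d in re.split(r"[,\s]+", m["dlls"]) if d)
            continue
        m = BHO.match(line)
        if m:
            refs.append((f"BHO {m['clsid']}", m["path"]))
    return refs


def correlate(flagged, refs):
    """Map each flagged name that a loader line references to that loader.

    Comparison is on the case-insensitive basename. An 8.3 short name such as
    7GT6DN~1.DLL cannot be matched to its long name without the file system,
    so it stays unmatched here and must be resolved on the machine itself.
    """
    flagged_lower = {n.lower(): n for n in flagged}
    hits = {}
    for loader, path in refs:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in flagged_lower:
            hits[flagged_lower[base]] = loader
    return hits


if __name__ == "__main__":
    entries = parse_dir_listing(DIR_LISTING)
    flagged = flag_stacked_dlls(entries)
    print("stacked-extension files:", flagged)
    print("identical-size clusters:", size_clusters(entries))
    print("flagged files loaded at startup:", correlate(flagged, hjt_loader_refs(HJT_LINES)))
```

The three checks are deliberately independent: the extension pattern catches this family's naming, the size cluster catches renamed copies of the same payload even if a future variant drops the `.dll.dll` habit, and the loader cross-reference tells you which of the files actually gets mapped into every process (AppInit_DLLs) or into IE (BHO), which is why the thread's fix deletes the files on reboot before removing the registry entries.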

#11 troutslayer59

troutslayer59
  • Topic Starter

  • Members
  • 8 posts

Posted 02 December 2004 - 12:26 PM

Hey, looks pretty good to me !!!
Awesome job guys.
What can I do to help or contribute ?
Thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 10:22:57 AM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: Domain = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{368BD4FA-CA4A-41AA-824A-F64999525078}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = milgro.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = milgro.com

#12 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 03 December 2004 - 05:09 PM

hi

man, great job there, you're awesome!


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor



