Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BACKDOOR-BDD ATTACK


  • Please log in to reply
16 replies to this topic

#1 pnugent

pnugent

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 02 December 2004 - 10:16 PM

I DONT KNOW HOW THIS GOT THRU MY MCAFEE THAT AUTO UPDATES EVERY THREE DAYS BUT IT DID AND I HAVE NO IDEA WHAT FILES TO REMOVE FROM THIS LOG. I REALLY COULD USE SOME HELP.



Logfile of HijackThis v1.98.2
Scan saved at 10:15:07 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\crxa.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Documents and Settings\Default\Application Data\bpci.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vebtf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2121F517-8EB0-C7D8-66ED-2DA4574066BE} - C:\WINDOWS\msac32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [crxa.exe] C:\WINDOWS\system32\crxa.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKLM\..\RunOnce: [javacj32.exe] C:\WINDOWS\system32\javacj32.exe
O4 - HKLM\..\RunOnce: [apiva.exe] C:\WINDOWS\apiva.exe
O4 - HKCU\..\Run: [Chnb] C:\Documents and Settings\Default\Application Data\bpci.exe
O4 - HKCU\..\Run: [Hrixd] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

BC AdBot (Login to Remove)

 


#2 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 06 December 2004 - 02:01 AM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 06 December 2004 - 02:13 AM

pnugent -- Thanks for sending your HijackThis logfile.

You have several infections, the most serious being CWS About:Blank. We're going to concentrate on that first. Please try to minimize the amount of internet you use during the fix process.

There will be some necessary downloads.

The entire fix process will take 3 or 4 response/reply cycles.


Step#1: Add/Remove Programs

Please open 'Control Panel > Add/Remove Programs'

Remove the following if found:

'Uninstall180searchAssistant'


Step#2: GetService

1. Download Service Filter from: http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip

2. Extract it to it's own folder.

3. Click on ServiceFilter.vbs

4. A text file called POST_THIS will be created in the same folder

5. Please use 'Edit>Select all' then 'Edit>Copy' to obtain the contents

6. Please Post them into this thread using 'Add Reply'

Step #3: Current version of HijackThis


Run HijackThis and create a fresh logfile, and paste it into the same reply with the ServiceFilter log.

I'll be notified automatically when that happens and follow up with the next set of fix instructions.


Thanks
daveai

Edited by daveai, 06 December 2004 - 02:16 AM.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 06 December 2004 - 12:23 PM

Thanks so much for the help. here are the logs you ask for


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Dec 6, 2004 12:12:43 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AvSynMgr
Display Name: AVSync Manager
Start Mode: Auto
Start Name: LocalSystem
Description: McAfee AVSync ...
Service Type: Own Process
Path: "c:\program files\mcafee\mcafee virusscan\avsynmgr.exe"
State: Running
Process ID: 1252
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: McAfeeFramework
Display Name: McAfee Framework Service
Start Mode: Auto
Start Name: LocalSystem
Description: Shared component framework for McAfee ...
Service Type: Own Process
Path: c:\program files\network associates\common framework\frameworkservice.exe /servicestart
State: Running
Process ID: 1284
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #3
Service Name: McShield
Display Name: McShield
Start Mode: Manual
Start Name: LocalSystem
Description: McAfee On Access ...
Service Type: Own Process
Path: "c:\program files\common files\network associates\mcshield\mcshield.exe"
State: Running
Process ID: 900
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{7e9f02a5-b61d-4845-a49f-9900a7afda9d}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: ZESOFT
Display Name: ZESOFT
Start Mode: Auto
Start Name: LocalSystem
Description: ZESoft ...
Service Type: Own Process
Path: c:\windows\zeta.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: %AF
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\netmd32.exe /s
State: Running
Process ID: 1444
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 76 Win32 services on this machine.
6 were unrecognized.

Script Execution Time: 4.46875 seconds.
much for the help. Here is the logs you ask for.
Logfile of HijackThis v1.98.2
Scan saved at 12:20:57 PM, on 12/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\netmd32.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {79FF8BA5-13A4-3B7B-94CB-934036477AA3} - C:\WINDOWS\system32\atlqs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [Hrixd] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

#5 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 06 December 2004 - 02:36 PM

Thanks for the information.

Okay...here's the second set of instructions for the About:Blank infection.

It's important that you work through them in one pass.

There are lot of them, but take your time and work through them carefully.

You will not be able to use the internet...and MUST NOT run Internet Explorer during the fix, or it will re-install and we'll need to start over at the beginning.



Step#1:

Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available. Starting with Step #5, you must disconnect from the internet totally, as staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer closed throughout as opening it will reinstall the infection. Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please continue with the next step and if you run into any problems with the current one, just keep going through the list step by step. Just be sure to let us know what the problem was when you finally reply.


Step#2:


Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigham.zen.co.uk/downloads/xphidden.zip



Step#3:



1. Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip.

2. Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet



Step#4:


Another program to download is Registrar Lite for use later: Please download Registrar Lite ( http://www.resplendence.com/reglite/ ) and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use.



Step#5:


Please disconnect from the Internet and unplug your modem for the duration of this fix

1. Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

2. Click on start > control panel > administrative programs > services. Look for a service called Network Security Service (NSS).

Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.



Step#6:


Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINDOWS\netmd32.exe

C:\WINDOWS\System32\tibs3.exe



Step#7:


I now need you to delete the following files:

Note: The following four files often have *.DAT or *.EXE or .DLL extensions, so the file name should be searched without an extension as all files with these given names need to be deleted.

For example, given a file named C:\WINDOWS\badfilename.exe, use 'Start > Search' to locate all other instances of 'badfilename' and delete them along with the main file.


C:\WINDOWS\netmd32.exe <-- this file

C:\WINDOWS\System32\tibs3.exe <-- this file

C:\WINDOWS\system32\atlqs.dll <-- this file

C:\WINDOWS\system32\xvskq.dll <-- this file


c:\windows\SYSTEM\blank.htm <-- this file

c:\windows\system32\ossproxy.exe <-- this file

C:\WINDOWS\System32\l?gonui.exe <-- this file (note the '?' in this filename...delete ONLY the file with the '?' in the name)


C:\Documents and Settings\Default\Local Settings\Temp\DELDIR0.EXE <-- this file


C:\Program Files\Windows TaskAd\ <-- this folder

c:\program files\180solutions\ <-- this folder


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.



Step#8:


Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xvskq.dll/sp.html#
28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm


R3 - Default URLSearchHook is missing


O2 - BHO: (no name) - {79FF8BA5-13A4-3B7B-94CB-934036477AA3} - C:\WINDOWS\system32\atlqs.dll


O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot

O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program
Files\McAfee\McAfee Shared Components\Guardian\"

O4 - HKCU\..\Run: [Hrixd] C:\WINDOWS\System32\l?gonui.exe


O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.frame.crazywinnings.com


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.



Step#9:


In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Click Go

Go to File> Export and and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)


3. Copy and paste the bold text below into the address bar of Reglite:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Click Go, and make sure the 'Services' tree in the left-hand pane is expanded by clicking the [+] if needed.

Now look for a service in the left-hand pane with a random=character name that looks like  %AF

4. When you find it in the left pane , highlight it and then right click on it to choose delete from the menu.


5. Copy and Paste the bold text below into the address bar of Registrar Lite:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

6. Click Go, and make sure the 'Root' tree in the left-hand pane is expanded by clicking the [+] if needed.

Now look for a service in the left-hand pane with a random=character name that looks like LEGACY_  %AF

7. When you find it in the left pane, highlight it and then right click on it to choose delete from the menu.


8. If you have trouble deleting a key. Then click once on the key name to highlight it and on the top menu choose Security, then Edit Permissions. Then make sure you are an Administrator and give yourself Full Control of that key. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

9. If you have had to change the permissions on the keys in Registrar Lite then they will have to be returned to the way they were . To do this please navigate to C:\ProgramFiles\Registrar Lite (Reglite) and double-click on Winkey.reg. It will ask if you want to merge this file with the registry, say Yes. Then double-click on Winkey.hiv and merge this file with the Registry. You have now returned the permissions to the way they were.


Step#10:


This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply


When it has completed move on to step 11.


Step#11:


Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
and Save it on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.


Step#11:


1.Reboot your computer back to normal mode and Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.

2. Post both your log from About Buster and your HijackThis log here in this thread with any questions or problems that you have run into. There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

Good Luck!

I'll look forward to your next log, and will follow up witht he next set of intstructions for the fix.
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#6 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 06 December 2004 - 11:22 PM

Hi D,
Wow what an ordeal! The only problem i had was not being able to delete the legacy service in step 9 item 6. It would not let me do it no matter what I did in the security settings. other than that and some of the file searches came up empty. Oh the whole time i was in safe mode this darn thing blinked on and off constantly. boy how annoying that was. Well here are the log files for you to look over. I wont go surffing until I get the all clear from you.
Thanks so much!!!!!!!!
Patrick
Logfile of HijackThis v1.98.2
Scan saved at 11:09:31 PM, on 12/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [Hrixd] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

Scanned at: 10:57:31 PM on: 12/6/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#7 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 07 December 2004 - 10:36 PM

:thumbsup: Hey!
I'm still getting virus watnings when I run my vs. I hope you still can help!!!

#8 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 08 December 2004 - 01:36 AM

Thanks for the update.

Good work so far. It is a long fix, isnt it? But, it looks like we are making progress. However, I still see some remnants of the About:Blank infection in your logfile.

I appreciate your keeping the surfing to a minimum while we work on this. The About:Blank infection is a very bad one, and staying off the internet helps make it easier to kill.

Please do the following:

1 -- Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINDOWS\System32\l?gonui.exe



2 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xvskq.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\xvskq.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [Hrixd] C:\WINDOWS\System32\l?gonui.exe

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.frame.crazywinnings.com


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.



3 -- Reboot into Safe Mode (How do I boot into "Safe" mode?), then use Windows Explorer to delete the following lists of program files and folders, if they still exist.


C:\WINDOWS\system32\xvskq.dll <-- this file (also search for and delete xvskq.exe and xvskq.dat if they exist)


C:\WINDOWS\System32\l?gonui.exe <-- this file (note the '?' in this filename...delete ONLY the file with the '?' in the name)


Please let me know about any problems with the file/folder deletes, including any files that are missing.


3 -- Then reboot normally and send me another HijackThis log.

If the About:Blank infection is gone from that log, we can go after the remaining infections and start repairing the damage A:B has done to your system.

If A:B comes back, we'll have to run through the fix again.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#9 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 08 December 2004 - 06:25 PM

Hey Again,
Everything whent fine. Did not find the two file in system 32 (xvskq.dll and l?gonui.3exe).
Here is the log file.
Thanks,
P

#10 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 08 December 2004 - 09:14 PM

Sorry I forgot to post the log!


Logfile of HijackThis v1.98.2
Scan saved at 6:20:17 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

#11 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 09 December 2004 - 02:20 AM

Thanks for the response and the new log.

The CWS infection appears to be gone. Nice work so far.


There is still another infection in there, associated with that O15 entry in your log.

We'll fix it in the next reply.

But first, we need to start repairing the damage to your system from the CWS infection.

So...

If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32

Step#1:

Now we need to see if we need to restore some deleted files:

Please check for the following files using the Windows Search Engine:

* control.exe
* rundll32.exe
* wmplayer.exe
* msconfig.exe
* notepad.exe
* shell.dll
* SDHelper.dll


If any of these files are missing or not working properly then you can download new copies from Merijn's Files and following the instructions at that site to have them where they belong for your OS.


* Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

* This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one is Windows (WINNT) and one in Windows\System32. It does not delete the ones in Windows\System so it does not affect Win9x/ME. If you find it missing please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .

* The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and if not please check for the existence of this file by going to to Merijn's Files (control) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information. The control.exe is more often deleted in Win9x/ME.

* If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

Step#2:

Run an online antivirus scan at:

Trend Micro Online AV

Reboot


Step#3:

1. Scan again with HijackThis

2. POST your new log file to see if there is anything left to fix, and I will follow up with the next set of instructions.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#12 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 10 December 2004 - 06:54 PM

Here is the latest log. Sorry for the delay but i could not post.




Logfile of HijackThis v1.98.2
Scan saved at 11:24:35 AM, on 12/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

#13 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 11 December 2004 - 01:34 PM

For persistant O15 entry infection:

Copy and paste the text from the code box below into a text editor such as Notepad.

Save this text as RemoveDomains.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on 'RemoveDomains.reg'. When it asks you to merge the information to the registry click Yes.

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7]
"http"=dword:00000004

Fix provided by Line of Fire


Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again. You will also have to re-install IE-SpyAd

Post a new log HijackThis log, please, and I'll follow up with the final clean up instructions.

You are almost done :thumbsup:

daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#14 pnugent

pnugent
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 12 December 2004 - 08:49 PM

New Log

Logfile of HijackThis v1.98.2
Scan saved at 8:29:57 PM, on 12/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

#15 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 12 December 2004 - 09:01 PM

Thanks.

Here are the final steps to finish up your fix:




1 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


2 -- Please follow this tutorial and use Ad-Aware SE to Perform a full system scan and fix anything that is found.


3 -- Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.


4 -- To prevent any remnants of the problems hiding out in your restore files, please disable Windows System Restore, then reboot, then re-enable Windows System Restore by following the instructions at: "How to turn off or turn on Windows XP System Restore"

Then, create a new Restore Point for your newly cleaned system.


5 -- Additionally, please check your ActiveX security settings in Internet Explorer. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended below.

In IE, click on "Tools" => "Internet Options" and under the "Security" tab, click on "Custom Level" and make sure that the following settings are correct:

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)


6 -- And, be sure to check your Favorites list, as this infection is known to add in a bunch of pornography links which you will want to delete.


7 -- Finally, please create one last HijackThis log, and post it in your reply to this message.





And, now that your system is cleaned, please allow me to suggest some prevention steps to keep your computer clean and secure going forward. You may have already taken a few of the steps (Anti-Virus and Firewall), but it never hurts to take a quick look :thumbsup:

1 -- Be sure to keep your anti-virus software uptodate.

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D to regularly to scan your system.

4 -- Continue to make sure that both Internet Explorer and XP are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- I strongly recommend that you consider using a Firewall. Just by using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls
http://boards.cexx.org/viewtopic.php?t=957


An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!


Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users