Hijack This Log


7 replies to this topic

#1 Djerry

Posted 07 December 2004 - 11:33 AM

New to use of your site -- help is welcome.
I followed your excellent instructions titled "Home Search Assistant / CWS_NS3 Removal Guide", but evidently missed a file. When I attempted to restore the missing system files, the Home Search website reappeared. I have re-run AboutBuster twice and attached the HijackThis file.

Help, please

Jerry


Logfile of HijackThis v1.98.2
Scan saved at 1:06:22 PM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HomeSearch Removal\HijackThis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appau.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [keynet] C:\WINNT\Web\printers\keynet.exe
O4 - HKLM\..\Run: [*vbw] C:\WINNT\Microsoft.NET\vbw.exe
O4 - HKLM\..\Run: [*winxml] C:\WINNT\msagent\intl\winxml.exe
O4 - HKLM\..\Run: [*binav] C:\WINNT\Speech\binav.exe
O4 - HKLM\..\Run: [*wkb] C:\WINNT\system\wkb.exe
O4 - HKLM\..\Run: [*aciis] C:\WINNT\addins\aciis.exe
O4 - HKLM\..\Run: [*mcdos] C:\WINNT\inf\mcdos.exe
O4 - HKLM\..\Run: [*rasutil] C:\WINNT\assembly\rasutil.exe
O4 - HKLM\..\Run: [*cmdreg] C:\WINNT\Registration\cmdreg.exe
O4 - HKLM\..\Run: [*winftp] C:\WINNT\repair\winftp.exe
O4 - HKLM\..\Run: [*vbexp] C:\WINNT\security\vbexp.exe
O4 - HKLM\..\Run: [prQbS0l] C:\documents and settings\renee.renee1\local settings\temp\prQbS0l.exe
O4 - HKLM\..\Run: [e] C:\documents and settings\renee.renee1\local settings\temp\e.exe
O4 - HKLM\..\Run: [*runun] C:\WINNT\AppPatch\runun.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v42/bl...x/blockwerx.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jerryhall.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jerryhall.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jerryhall.net
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\domqllah.dll

Edited by Djerry, 07 December 2004 - 02:07 PM.


#2 Daisuke

Cleaner on Duty

Posted 08 December 2004 - 05:55 AM

Hi

You have a Virtumonde infection.

Please download and run this tool from Symantec:

http://securityresponse.symantec.com/avcen...moval.tool.html
Follow Symantec's instructions for how to run it.

When the removal process is finished you will find a log on your Desktop . Don't delete it. Please copy & paste the contents of the log as a reply to this post.

Please also post a new HJT log.

When I attempted to restore the missing system files

What files are you trying to restore, and how?
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#3 Djerry

Posted 08 December 2004 - 10:09 PM

Thanks for the response --
Followed your instructions, but no log on the desktop. I did copy the pop-up report at the end:
Trojan Vundo was successfully removed from your computer
Scanned files 51833
Deleted files 14
Viral threads terminated 0
Registry entries fixed 1

Booting from this drive, I cannot access the internet to update the NAV defs, so I set it up as a slave to another drive with current defs and did a full scan with the following results:
Category: Virus alerts
Date,Feature,Virus Name,Action Taken,Item Type,Target,Suspicious Action,User Name,Computer Name,Details
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\system32\child.dll,Description: The file D:\WINNT\system32\child.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan dropper,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\cngkdddg.exe,Description: The file D:\WINNT\cngkdddg.exe is infected with the Trojan dropper virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\domqllah.dll,Description: The file D:\WINNT\domqllah.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\load.exe,Description: The file D:\WINNT\Downloaded Program Files\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.1\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.1\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.2\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.2\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.3\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.3\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.4\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.4\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.5\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.5\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.6\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.6\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\Downloaded Program Files\CONFLICT.7\load.exe,Description: The file D:\WINNT\Downloaded Program Files\CONFLICT.7\load.exe is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan Horse,Quarantined,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\npokrbum.exe.bak,Description: The file D:\WINNT\npokrbum.exe.bak is infected with the Trojan Horse virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\mstaskss.exe,Description: The file D:\WINNT\mstaskss.exe is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan dropper,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\hlfjnnoe.exe,Description: The file D:\WINNT\hlfjnnoe.exe is infected with the Trojan dropper virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\jljpmahd.dll,Description: The file D:\WINNT\jljpmahd.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Keylogger.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\cmid32.dll,Description: The file D:\WINNT\cmid32.dll is infected with the Keylogger.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan dropper,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\kenbocad.exe,Description: The file D:\WINNT\kenbocad.exe is infected with the Trojan dropper virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\mdpecmid.dll,Description: The file D:\WINNT\mdpecmid.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan dropper,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\lblqoidn.exe,Description: The file D:\WINNT\lblqoidn.exe is infected with the Trojan dropper virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\nljdbfhh.dll,Description: The file D:\WINNT\nljdbfhh.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan dropper,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\icjnahhf.exe,Description: The file D:\WINNT\icjnahhf.exe is infected with the Trojan dropper virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\khjhnfej.dll,Description: The file D:\WINNT\khjhnfej.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan dropper,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\clgbekni.exe,Description: The file D:\WINNT\clgbekni.exe is infected with the Trojan dropper virus."
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\eemoiciq.dll,Description: The file D:\WINNT\eemoiciq.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\n_jjsolb.dat,Description: The file D:\WINNT\n_jjsolb.dat is infected with the Download.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Download.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\n_tbbivm.dat,Description: The file D:\WINNT\n_tbbivm.dat is infected with the Download.Trojan virus."
Plus one file - ndokrbum.exe.bak was quarantined (don't know path)

Per your request - HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 9:06:54 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\HomeSearch Removal\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\lalpr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\lalpr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\lalpr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\lalpr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\lalpr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\lalpr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appau.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [keynet] C:\WINNT\Web\printers\keynet.exe
O4 - HKLM\..\Run: [*vbw] C:\WINNT\Microsoft.NET\vbw.exe
O4 - HKLM\..\Run: [*winxml] C:\WINNT\msagent\intl\winxml.exe
O4 - HKLM\..\Run: [*binav] C:\WINNT\Speech\binav.exe
O4 - HKLM\..\Run: [*wkb] C:\WINNT\system\wkb.exe
O4 - HKLM\..\Run: [*aciis] C:\WINNT\addins\aciis.exe
O4 - HKLM\..\Run: [*mcdos] C:\WINNT\inf\mcdos.exe
O4 - HKLM\..\Run: [*rasutil] C:\WINNT\assembly\rasutil.exe
O4 - HKLM\..\Run: [*cmdreg] C:\WINNT\Registration\cmdreg.exe
O4 - HKLM\..\Run: [*winftp] C:\WINNT\repair\winftp.exe
O4 - HKLM\..\Run: [*vbexp] C:\WINNT\security\vbexp.exe
O4 - HKLM\..\Run: [prQbS0l] C:\documents and settings\renee.renee1\local settings\temp\prQbS0l.exe
O4 - HKLM\..\Run: [e] C:\documents and settings\renee.renee1\local settings\temp\e.exe
O4 - HKLM\..\Run: [*runun] C:\WINNT\AppPatch\runun.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [crpg.exe] C:\WINNT\system32\crpg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [crph.exe] C:\WINNT\crph.exe
O4 - HKLM\..\RunOnce: [taflya.dat] C:\WINNT\taflya.dat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v42/bl...x/blockwerx.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jerryhall.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jerryhall.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jerryhall.net
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\domqllah.dll (file missing)

Per your question re: replacing missing files -- the two files are Hoster.exe and shell.dll and were downloaded and copied as shown in "Home Search Assistant / CWS_NS3 Removal Guide" from your site.

After going through the instructions in this document, if I open IE, it is still hijacked to the Home Search Assistant site and attempts to go there, but cannot since I have disconnected access to the internet. From the HJT log can you tell me which files are causing this hijack?

Some of the basic functions of the OS are not working - cut and paste, search, etc. My desire is to get this machine working well enough to upgrade it to XP without taking the chance of re-infection. It won't let me upgrade now - error message that it can't find the OS I'm trying to upgrade.

Thanks greatly for your help.

Jerry
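
The triage a helper does by hand on the two logs above can be scripted. The block below is an added example written for this page; it is not code from this thread and not a BleepingComputer or HijackThis tool. It parses the O2/O4/O21 lines of the HijackThis logs from posts #1 and #3, applies a few heuristics to each autostart entry, and cross-references the target file name against the files Norton deleted or quarantined in the NAV report from post #3, so an entry like the O21 SSODL "Trayz" line, whose DLL NAV removed while the registry entry stayed behind, is called out as an orphan. Matching is by file name rather than full path because the NAV scan ran against the infected disk mounted as D: while the HJT log was taken with it booted as C:. The sample lines are copied from the logs in this thread, trimmed to a handful; the heuristics, the allowlist of Windows subfolders and the names parse_hjt, parse_nav_log and triage are my own assumptions, not HijackThis's rules.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Sample input: lines copied from the two HijackThis logs and the NAV report
# posted in this thread, trimmed to a representative handful.
HJT_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appau.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [*vbw] C:\WINNT\Microsoft.NET\vbw.exe
O4 - HKLM\..\Run: [*winftp] C:\WINNT\repair\winftp.exe
O4 - HKLM\..\Run: [e] C:\documents and settings\renee.renee1\local settings\temp\e.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [crpg.exe] C:\WINNT\system32\crpg.exe
O4 - HKLM\..\RunOnce: [taflya.dat] C:\WINNT\taflya.dat
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\domqllah.dll (file missing)
"""

NAV_LOG = r"""Date,Feature,Virus Name,Action Taken,Item Type,Target,Suspicious Action,User Name,Computer Name,Details
12/8/2004 8:47:30 PM,Virus scanner,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\domqllah.dll,Description: The file D:\WINNT\domqllah.dll is infected with the Backdoor.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Keylogger.Trojan,Automatically deleted,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\cmid32.dll,Description: The file D:\WINNT\cmid32.dll is infected with the Keylogger.Trojan virus."
12/8/2004 8:47:30 PM,Virus scanner,Trojan Horse,Quarantined,File,N/A,N/A,Jerry Hall,USER-56I300999G,"Source: D:\WINNT\npokrbum.exe.bak,Description: The file D:\WINNT\npokrbum.exe.bak is infected with the Trojan Horse virus."
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
OBJ_RE = re.compile(r"^(?P<kind>O2|O21) - [^:]+: (?P<name>.*?) - \{[^}]+\} - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# First drive-letter path in a Run command, with or without quotes/arguments.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{2,4})"?(?:\s.*)?$')
DETAIL_RE = re.compile(r"^Source: (?P<path>.+?),Description:")

EXEC_EXTS = {".exe", ".dll", ".ocx", ".com", ".scr"}
WIN_SUBDIRS_OK = {"system32"}   # assumption: only system32 is expected to host autostarts


def parse_hjt(text):
    """Return [{kind, name, path, missing}] for the O2, O4 and O21 lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            p = PATH_RE.match(m["cmd"])
            entries.append({"kind": "O4", "name": m["name"],
                            "path": p["path"] if p else m["cmd"].split()[0],
                            "missing": False})
            continue
        m = OBJ_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "name": m["name"],
                            "path": m["path"], "missing": bool(m["missing"])})
    return entries


def parse_nav_log(text):
    """Return {file name (lower): (threat, action)} for every file NAV acted on."""
    removed = {}
    for row in csv.DictReader(io.StringIO(text)):
        m = DETAIL_RE.match(row["Details"])
        if m:
            removed[PureWindowsPath(m["path"]).name.lower()] = (row["Virus Name"], row["Action Taken"])
    return removed


def suspicion_reasons(entry, removed):
    """Heuristic checks (assumptions, not HijackThis rules); empty list = nothing odd."""
    path = PureWindowsPath(entry["path"])
    parts = [p.lower() for p in path.parts]
    reasons = []
    if entry["kind"] == "O4" and entry["name"].startswith("*"):
        reasons.append("Run value name starts with '*'")
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        reasons.append("BHO registered without a name")
    if "local settings" in parts and "temp" in parts:
        reasons.append("autostart target lives in a user temp directory")
    if len(parts) >= 3 and parts[1] == "winnt" and (len(parts) == 3 or parts[2] not in WIN_SUBDIRS_OK):
        reasons.append("file sits in the Windows directory outside system32")
    if path.suffix.lower() not in EXEC_EXTS:
        reasons.append(f"autostart target has non-executable extension {path.suffix!r}")
    if entry["missing"]:
        reasons.append("HijackThis reports the file missing: orphaned registry entry")
    hit = removed.get(path.name.lower())
    if hit:
        reasons.append(f"file removed by AV ({hit[0]}, {hit[1]}) but the registry entry remains")
    return reasons


def triage(hjt_text, nav_text):
    """Map each suspicious autostart path to the list of reasons it was flagged."""
    removed = parse_nav_log(nav_text)
    findings = {}
    for entry in parse_hjt(hjt_text):
        reasons = suspicion_reasons(entry, removed)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(HJT_LOG, NAV_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Note what the location rule does not catch: C:\WINNT\system32\crpg.exe from the second log passes every check because it sits in system32 with a normal extension, which is why the helpers in this thread keep asking for a fresh log after each step rather than trusting a single pass.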

#4 Daisuke

Cleaner on Duty

Posted 09 December 2004 - 05:54 AM

so I set it up as a slave to another drive with current defs and did a full scan with the following results

Please follow only my instructions! If not, CWS_NS3 will be very difficult or impossible to remove!

Follow this link to download ServiceFilter: ServiceFilter download

Unzip the content to a folder, such as c:\ServiceFilter.

Navigate to c:\ServiceFilter folder and (double)click the ServiceFilter.vbs file.

If you have a script blocking program you will get a warning asking if you want to allow ServiceFilter.vbs to run. Allow the script to run.

Note: The script DOES NOT find bad services, it simply filters out what is known to be ok.

Follow the instructions on the screen and WordPad will open.

In WordPad click
Edit menu --> Select All
then
Edit menu --> Copy


Right click in the message area and click on the paste option to paste the log into the post.

The trojan mutates on every reboot; please also post a fresh HJT log.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.

Edited by cryo, 09 December 2004 - 05:55 AM.


#5 Djerry


Posted 09 December 2004 - 07:53 AM

In my last post I said that the infected computer is not connected to the internet and has lost much functionality, i.e. copy & paste, etc.
I downloaded ServiceFilter, expanded it to a USB memory stick and attempted to run it on the problem machine. The OS is in such bad shape that servicefilter.vbs will not open, even by using Start, Run, servicefilter.vbs.
I've already spent too much time on this machine and will reformat the drive and reload from scratch. I have been able to take all the valuable files from the machine by using another HD as the master and the infected drive as the slave. My main concern is in protecting against transferring an infected file. How can I be sure this doesn't happen? I normally run Spybot, Ad-Aware, Spyware Blaster, and NAV on my machines and update and scan weekly. If these are pre-loaded, will they protect against an infected file being transferred?

Thanks,

Jerry

#6 Daisuke

Cleaner on Duty

Posted 09 December 2004 - 08:05 AM

How can I be sure this doesn't happen?

You cannot be sure :thumbsup:

Install XP SP2, keep your Windows and all other programs up-to-date, install a firewall and run an antivirus + other programs like Ad-Aware, Spybot Search & Destroy & Spyware Blaster. Use an alternative browser, like Firefox. Keep it up-to-date.

More recommendations here:
How did I get infected ? With steps so it does not happen again!

Edited by cryo, 09 December 2004 - 08:11 AM.


#7 Djerry


Posted 09 December 2004 - 09:35 AM

1. Is the XP SP2 firewall adequate, or should I run ZoneAlarm or another firewall?
2. Is there strong value in Firefox vs IE? Is there a link available for a comparison?
3. Same questions for alternative e-mail clients to Outlook 2003.

Thanks for the "How Did I Get Infected" link. May I pass it along to others? If so, will they need to register to view it?

Thanks,

Jerry

#8 Daisuke

Cleaner on Duty

Posted 09 December 2004 - 10:03 AM

1. Is the XP SP2 firewall adequate or should I run Zonealarm or another firewall.

ZoneAlarm offers inbound & outbound protection, recommended for beginners. The SP2 firewall is inbound only. If you are not a beginner, try Sygate or Kerio Personal Firewall.

2. Is there strong value in Firefox vs IE? Is there a link available for a comparison?

I would answer YES. Read this: Mozilla Firefox 1.0 - CNET Review.
Switching from Internet Explorer to Firefox - Bleeping Computer Tutorial
Enhancing Firefox with Browser Extensions - Bleeping Computer Tutorial

3. Same questions for alternative e-mail clients to Outlook 2003.

I'm using Mozilla Thunderbird and Outlook 2003.

Thanks for the "How Did I Get Infected" link. May I pass it along to others?

You're welcome ! Yes, you may pass it. :thumbsup:

If so, will they need to register to view it?

No.



