Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack browser and search page


  • This topic is locked This topic is locked
15 replies to this topic

#1 twin

twin

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 30 June 2004 - 01:28 PM

I have also been having problems with hijacked IE home page being reset and search page being set to search-all-fast.com with the same message in the address bar: res://ktmdq.dll/index.html#37794.

I have downloaded and run adaware 6.181 reference file: 01R32527.06.2004
I have run a program called Adware Spy
I have run Spybot S+D
I have run Panda online active scan

Also I have been having problems using my CD drives with corrupt system file messages and missing shell.dll file messages. Probably my own doing - I know - didn't have these problems before I started trying to clean up the Malware on my own.

Can someone please help me fix my computer?

Here is the post from Hijack This

Logfile of HijackThis v1.97.7
Scan saved at 1:08:04 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\msil32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\atldy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ktmdq.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {76262037-1236-D9CA-785D-06289CAADCDE} - C:\WINDOWS\system32\netat32.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [atldy.exe] C:\WINDOWS\system32\atldy.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [ipev.exe] C:\WINDOWS\system32\ipev.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 30 June 2004 - 02:44 PM

Out of curiousity did you add these into the logs:
NOT USED (OK)

?

=======

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:


Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINDOWS\system32\msil32.exe
C:\WINDOWS\system32\atldy.exe

Step 3:
I now need you to delete the following files:


C:\WINDOWS\system32\msil32.exe
C:\WINDOWS\system32\atldy.exe
The file from the services above. Probably C:\WINDOWS\system32\msil32.exe already listed. Need to make sure though
C:\WINDOWS\ktmdq.dll
C:\WINDOWS\system32\atldy.exe
C:\WINDOWS\system32\ipev.exe

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ktmdq.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ktmdq.dll/sp.html#37794
O2 - BHO: (no name) - {76262037-1236-D9CA-785D-06289CAADCDE} - C:\WINDOWS\system32\netat32.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [atldy.exe] C:\WINDOWS\system32\atldy.exe
O4 - HKLM\..\RunOnce: [ipev.exe] C:\WINDOWS\system32\ipev.exe

Step 5:

In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 but may be called something differently on your computer.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

Please down About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

Once it is download, please run the tool. When the tool is open press ok and then start. In the field labeled "Input in here..." enter the following:

res://hbsax.dll/index.html

Then press the OK button. The program will start to delete the various elements of this malware.

When it completed move on to step 7.

Step 7:

Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.


#3 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 30 June 2004 - 03:40 PM

I did not add the not used (OK) into the log

I got as far as step two, but couldn't delete atldy.dll because it was in use. I also couldn't find the windows\system 32\msil32.exe/s files. I clicked on my computer, windows folder, system 32 folder.

I rebooted into safe mode to see if that would give me access but it didn't. So I have copied the hijack this log here again. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 3:35:32 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\msil32.exe
C:\WINDOWS\sdkcz32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works

Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT

USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

res://ktmdq.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =

http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {76262037-1236-D9CA-785D-06289CAADCDE} -

C:\WINDOWS\system32\netat32.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no

file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no

file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program

Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program

Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton

SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [atldy.exe] C:\WINDOWS\system32\atldy.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe

/s /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [ipev.exe] C:\WINDOWS\system32\ipev.exe
O4 - HKLM\..\RunOnce: [appnt32.exe] C:\WINDOWS\system32\appnt32.exe
O4 - HKLM\..\RunOnce: [apijc32.exe] C:\WINDOWS\apijc32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton

SystemWorks\Norton Utilities\SYSDOC32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

present
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI

Utility Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 30 June 2004 - 04:08 PM

Please remind me to help you fix the shell.dll when we are done so I dont forget :thumbsup:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:


Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINDOWS\system32\msil32.exe
C:\WINDOWS\sdkcz32.exe

Step 3:
I now need you to delete the following files:


C:\WINDOWS\system32\msil32.exe
C:\WINDOWS\sdkcz32.exe
The file from the services above.
C:\WINDOWS\system32\netat32.dll
C:\WINDOWS\system32\ipev.exe
C:\WINDOWS\system32\atldy.exe
C:\WINDOWS\system32\appnt32.exe
C:\WINDOWS\apijc32.exe

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 4:

Then run hijackthis and fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ktmdq.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ktmdq.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
O2 - BHO: (no name) - {76262037-1236-D9CA-785D-06289CAADCDE} - C:\WINDOWS\system32\netat32.dll
O4 - HKLM\..\Run: [atldy.exe] C:\WINDOWS\system32\atldy.exe
O4 - HKLM\..\RunOnce: [ipev.exe] C:\WINDOWS\system32\ipev.exe
O4 - HKLM\..\RunOnce: [appnt32.exe] C:\WINDOWS\system32\appnt32.exe
O4 - HKLM\..\RunOnce: [apijc32.exe] C:\WINDOWS\apijc32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Step 5:

In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 but may be called something differently on your computer.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

Please down About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

Once it is download, please run the tool. When the tool is open press ok and then start. In the field labeled "Input in here..." enter the following:

res://hbsax.dll/index.html

Then press the OK button. The program will start to delete the various elements of this malware.

When it completed move on to step 7.

Step 7:

Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.


#5 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 30 June 2004 - 06:02 PM

I think I have been able to successfully complete all the steps.

I did have the issue with my CD drives. Media player won't open - simply gives me the microsoft "ding" with no error messages.

Another program that I have on CD won't load and says, "cannot find shell.dll" then says system dlls corrupt or missing. I haven't rebooted yet.

Thanks

Here is my post from hijack this after completing all the steps:

Logfile of HijackThis v1.97.7
Scan saved at 5:55:36 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works

Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\HJT\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jon\Local Settings\Temp\Temporary Directory 1

for AboutBuster.zip\AboutBuster.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.netscape.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =

http://windowsupdate.microsoft.com/
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no

file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no

file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program

Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program

Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton

SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe

/s /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe /0
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton

SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI

Utility Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{D0E12A59-3B42-4F7F-8837-64E8A6219E1D

}: NameServer = 66.44.144.10 65.222.44.10

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 30 June 2004 - 06:41 PM

Looks great. Now do this to get shell.dll back:

Click on start, then, run and type cmd in the field and press the ok button.

At the cmd prompt type the follow. Substitute any $ you see with a space from your spacebar.

copy$\windows\system32\dllcache\shell.dll$\windows\system32

Then press enter.

It should say one file copied, which is the shell.dll file. If that does not work, let me know.

#7 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 30 June 2004 - 06:59 PM

I copied the file. But it didn't work. Still get the File error message: "Cannot find shell.dll" and corrupt system and INSTALL "system DLLs corrupt or missing" message.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 30 June 2004 - 07:41 PM

Make sure you have the windows xp cd handy and do the following. Click on start, then run, and type the following: (substitute spaces with the $)

sfc$/scannow

Let it do its thing, inserting the cd as needed.

That should replace all the system files that the malware deleted

#9 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 30 June 2004 - 08:47 PM

my computer, from Best Buy, only came with a set of restore CD's. It will take me a while to get an XP CD. Also, I am noticing sluggish response when typing that wasn't there before.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 30 June 2004 - 10:51 PM

Post a new log. The restore cd's may do the trick btw

#11 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 01 July 2004 - 07:20 PM

Here is my latest hijack this log:

I will also try the restore CD's. Is there something specific I need to do there? Thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 7:19:12 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Documents and Settings\jon\Local Settings\Temp\Temporary Directory 1 for AboutBuster.zip\AboutBuster.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscape.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E12A59-3B42-4F7F-8837-64E8A6219E1D}: NameServer = 66.44.144.10 65.222.44.10

#12 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 01 July 2004 - 08:05 PM

I executed sfc$/scannow but it didn't call for any CD and gave me no report. I am still getting the missing shell messages.

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 01 July 2004 - 10:50 PM

Download this shell.dll file, which is from my computer, and extract it to c:\windows\system32.

http://www.bleepingcomputer.com/files/winfiles/shell-dll.zip

#14 twin

twin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 02 July 2004 - 12:16 PM

Thanks, that seemed to do the trick on the shell issue. Now the last issue that I notice is that my windows media player won't open. When I click on it or play audio CD, it just simply gives me the "ding." No error messages.

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:46 AM

Posted 02 July 2004 - 01:48 PM

A lot of people have been having this problem after we clean up the infection. You may want to uninstall windows media player and reinstall it from :

http://www.microsoft.com/windows/windowsme...oad/default.asp




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users