Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Home Search Assistant Removal


  • Please log in to reply
6 replies to this topic

#1 djholder

djholder

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 25 January 2005 - 04:39 PM

I'm sure you have all seen a lot of this lately. I am comfortable enough to follow someones wonderful instructions, but I am not confident in changing dll files without an expert opionion. I have attached my log file from hijack this. I have read all of the instructions from this site and downloaded all of the tools. I just need to know which files I should alter. Thank you very much.

____________________________________
Logfile of HijackThis v1.99.0
Scan saved at 4:22:20 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\QtVprMtx\QTVPRMTX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\netts32.exe
C:\WINDOWS\system32\Zrdhon.exe
C:\WINDOWS\system32\Qlixmm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\atlhw.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\DHolder\Desktop\Virus Removal Tools\bleepingcomputer\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F2FAA6D4-BBEE-5987-18DD-2FCF87AEA166} - C:\WINDOWS\system32\javabt32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QtVprMtx] C:\PROGRA~1\QtVprMtx\QTVPRMTX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Zrdhon.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Qlixmm.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [netts32.exe] C:\WINDOWS\system32\netts32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\atlhw.exe

BC AdBot (Login to Remove)

 


#2 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 25 January 2005 - 07:39 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 25 January 2005 - 07:53 PM

Thanks for sending your HijackThis log.

You have a nasty infection called CWS About:Blank

It will take several messages to fix and then repair the damage done by it to your system.

Here is the first set of instructions.


1 -- To start, follow this link for instructions to enable 'show all files' for your system.


2 -- This step checks for a service that is part of CWS About:Blank:
  • Download Service Filter
  • Extract it to it's own folder.
  • Click on ServiceFilter.vbs
  • A text file called POST_THIS will be created in the same folder
  • Please use 'Edit>Select All' then 'Edit>Copy' to obtain the contents
  • Please Paste them into this thread using 'Add Reply' at the end of the fix
3 -- Download the stand-alone version of CWShredder from CWShredder from Intermute. After you download the program, unzip it into a directory.
Do not run it yet.


4 -- Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip.

Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet


5 -- Please disconnect from the Internet and unplug your modem for the duration of this fix

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.


6 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#
37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32
\mkhkr.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#
37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mkhkr.dll/sp.html#
37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\mkhkr.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\mkhkr.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {F2FAA6D4-BBEE-5987-18DD-2FCF87AEA166} - C:\WINDOWS\system32\javabt32.dll

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Zrdhon.exe

O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Qlixmm.exe

O4 - HKLM\..\Run: [netts32.exe] C:\WINDOWS\system32\netts32.exe

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.static.topconverting.com

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.125.149 (HKLM)

O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\atlhw.exe


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


7 -- While still in safe mode, use Windows Explorer to delete the following lists of program files and folders, if they still exist.

C:\WINDOWS\atlhw.exe <-- this file

C:\WINDOWS\system32\mkhkr.dll <-- this file

C:\WINDOWS\system32\javabt32.dll <-- this file

C:\WINDOWS\system32\Zrdhon.exe <-- this file

C:\WINDOWS\system32\Qlixmm.exe <-- this file

C:\WINDOWS\system32\netts32.exe <-- this file


c:\program files\180solutions\ <-- this folder

Please let me know about any problems with the file/folder deletes.


8 -- Next, use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, Empty your Temporary Internet Cache completely. Close all instances of Outlook and and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty


9 -- This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

Post the log file in your next reply

10 -- Next copy/paste the contents of the Quote Box below to a Notepad file.
Name the file as fix.reg
Change the 'Save as Type' to All Files, and Save it on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

11 -- Reboot your computer back to normal mode and Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.

12 -- Post the logs from ServiceFilter and About Buster and your HijackThis log here in this thread with any questions or problems that you have run into.

There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

After reviewing your logs, I'll follow up with the next set of instructions.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 djholder

djholder
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 28 January 2005 - 07:49 PM

daveai, you are a life saver. It seems to have cured most of the problems. My norton av is jacked up now, but I downloaded AVG Free Edition so I will deal with that later. If you want to utilize your expertise w/ that problem I will post the errors. Below are my logs. THANKS again for all of your help!

D.J.

SERVICE FILTER

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 28, 2005 7:29:53 PM


===> Begin Service Listing <===

Unknown Service #1
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Disabled
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1068
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{36f56527-92fc-4413-a30a-9e865b29a1cd}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 75 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 2.429688 seconds.




____________________________________________________________________ABOUT BUSTER

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

____________________________________________________________________
HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 7:39:32 PM, on 1/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\DHolder\Desktop\Virus Removal Tools\bleepingcomputer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 28 January 2005 - 09:33 PM

You are welcome...There is still more to do. Good work so far :thumbsup:

You still have an infection to clean up and some repair work to do from the damage CWS About:Blank caused.

I'd be interested to know about the Norton problmes. AVG is well thought of as an anti-virus package.

And, your HijackThis log looks wrong. Not enough running processes. Did you take it in Safe Mode?

Anyway...here are the repair instructions for CWS. When you complete them, we'll go after the remaining infection (the persistant O15's).


The CWS infection appears to be gone. Nice work so far.


1 -- If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32


2 -- Now we need to see if we need to restore some deleted files:

Please check for the following files using the Windows Search Engine:

* control.exe
* rundll32.exe
* wmplayer.exe
* msconfig.exe
* notepad.exe
* shell.dll
* SDHelper.dll


If any are missing or not working properly then you can download new copies from Merijn's Files and following the instructions at that site to have them where they belong for your OS.


* Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

* This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one is Windows (WINNT) and one in Windows\System32. It does not delete the ones in Windows\System so it does not affect Win9x/ME. If you find it missing please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .

* The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and if not please check for the existence of this file by going to to Merijn's Files (control) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information. The control.exe is more often deleted in Win9x/ME.

* If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button


3 -- Run an online antivirus scan at:

Trend Micro Online AV

Reboot


4 -- Please follow this tutorial and use Ad-Aware SE to Perform a full system scan and fix anything that is found.

5 -- Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

6 -- To prevent any remnants of the problems hiding out in your restore files, please disable Windows System Restore, then reboot, then re-enable Windows System Restore by following the instructions at: "How to turn off or turn on Windows XP System Restore"

Then, create a new Restore Point for your newly cleaned system.

7 -- Additionally, please check your ActiveX security settings in Internet Explorer. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended below.

In IE, click on "Tools" => "Internet Options" and under the "Security" tab, click on "Custom Level" and make sure that the following settings are correct:

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

8 -- And, be sure to check your Favorites list, as this infection is known to add in a bunch of pornography links which you will want to delete.

Finally, please create another HijackThis log, and post it in your reply to this message. I'll follow up wioth the next set of instructions.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#6 djholder

djholder
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 29 January 2005 - 05:10 PM

Here is my new hijack log. I will try to get you some info on the norton problem soon. Thanks.


Logfile of HijackThis v1.99.0
Scan saved at 5:08:22 PM, on 1/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DHolder\Desktop\Virus Removal Tools\bleepingcomputer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 29 January 2005 - 08:36 PM

Thanks.

Good job on the CWS repair.

Now we'll knock down the Trusted Zone Hijack infection (the persistant O15 entries in HJT).


1 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


2 -- Next, launch Notepad, and copy/paste the contents of the CODE box below
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.


Note that since the Restricted Domains are deleted by this fix, SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, and you will also have to re-install IE-SpyAd if installed. See the instructions below.


3 -- Reboot and create a fresh HijackThis log and send it back to me in your reply.



Then, please allow me to suggest some general prevention steps to keep one's computer clean and secure. You have already taken a few of the steps, but it never hurts to take a quick look :thumbsup:

1 -- Be sure you update your anti-virus software at least once a week. There are several very good free programs available. Grinler offers an outstanding overview at Virus, Spyware, and Malware Protection and Removal Resources

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Be sure to enable all of the SpywareBlaster protections once you get the latest updates.

3 -- Use AdAware SE and Spybot S&D to regularly to scan your system.

Be sure to update Spybot and use the 'Immunize' function on your system.

4 -- It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- I strongly recommend that you consider using a Firewall. Just by using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls

An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users