Here is my log for Smitfraud [RESOLVED]



#61 electrochimp (Topic Starter, Member, 56 posts)
Hi,
Here are some from windows\system:

eepa.dll
winsusrm.dll
hocj.dll

Now to try the program :tazz:



#62 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Reboot into Safe Mode!

*While in Safe Mode, Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) :

C:\Windows\System\eepa.dll
C:\Windows\System\winsusrm.dll
C:\Windows\System\hocj.dll


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button; when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive an error message "PendingRenameOperation...." click "NO", and please restart your computer manually if it doesn't do it automatically.

After your computer restarts go into your system folder and make sure those files are gone!

#63 electrochimp (Topic Starter, Member, 56 posts)
Hi!
I removed those three files... and here is an HJT log. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:42:57 PM, on 4/28/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {81981788-B812-4BAD-B919-EFAA76B8956F} - C:\WINDOWS\SYSTEM\EEPA.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: STRINGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
O18 - Filter: text/plain - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL

#64 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Did you get DLLCompare to work? If you did, please run it and post the log as in my previous instructions.

Run HiJackThis, put a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {81981788-B812-4BAD-B919-EFAA76B8956F} - C:\WINDOWS\SYSTEM\EEPA.DLL (file missing)

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: STRINGS.EXE

O18 - Filter: text/html - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
O18 - Filter: text/plain - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL


Close HiJackThis. Delete this file:

C:\WINDOWS\TEMP\se.dll

Then, make sure these files are gone, if not, DELETE THEM!
C:\Windows\System\winsusrm.dll
C:\Windows\System\hocj.dll
C:\Windows\System\eepa.dll

Reboot and post a new HiJackThis log.

Edited by bananafanafo, 28 April 2005 - 09:18 PM.


#65 electrochimp (Topic Starter, Member, 56 posts)
Hi,
There wasn't anything in the bottom box of DLLCompare. The file C:\WINDOWS\TEMP\se.dll said it couldn't be deleted at the prompt.
Logfile of HijackThis v1.99.1
Scan saved at 10:36:43 PM, on 4/28/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#66 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Reboot into Safe Mode.

While still in Safe Mode, run HiJackThis, place a check next to the following item and click FIX CHECKED:

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

Close HiJackThis.

Then, while still in Safe Mode, delete this file:

C:\WINDOWS\TEMP\se.dll

If it won't let you, try renaming it and deleting it.

Reboot into normal mode and post a new HiJackThis log (crossing fingers this worked!!)

Did you find those other 3 files or were they gone?

#67 electrochimp (Topic Starter, Member, 56 posts)
Hi,

Well, the three DLL files seem to be staying off! :tazz: One thing that puzzles me (doesn't take much) is when signing on to AOL, it gets through checking the password, then goes "Goodbye"... but then works the second time, no problem.
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:35:14 PM, on 4/29/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#68 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
;) By gosh!! I think we got it!! Nice detective work - stupid hidden file ;)

I don't know what would be causing that with AOL, but I'm quite sure it's just AOL and not any kind of malware problem.

Post one more log for me and let me know how it's running!! :tazz:

#69 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
We need to re-enable TeaTimer now!!
* Open Spybot.
* Click MODE, then check ADVANCED MODE, click YES
* Click TOOLS in the bottom left-hand corner.
* Click on SYSTEM STARTUP.
* CHECK Teatimer.
* Click ALLOW CHANGE.

#70 electrochimp (Topic Starter, Member, 56 posts)
Hi Bananafanafo! Well, I checked TeaTimer and here is the HJT log. The little 3x5 Windows Explorer pops on for a few seconds and a pop-up for Expedia travel comes on. I'll never use them! Other than that, things work OK :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:04 PM, on 4/30/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {072E18B1-FE01-459B-AA03-F06616B02357} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O18 - Filter: text/plain - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL



#71 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You probably don't want to hear this, but it's back!! :tazz:

Another staff member was telling me how to find the hidden file with DOS, so I'm going to talk to her to see if we can get rid of this. It is also quite possible that we got the hidden file and you just got re-infected because of vulnerabilities in such an old operating system. I'll get back to you ASAP!

Edited by bananafanafo, 30 April 2005 - 03:20 PM.


#72 electrochimp (Topic Starter, Member, 56 posts)
Yuk!
There is a new DLL file in SYSTEM... ebocla.dll got in there today... rats!

#73 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Download the program from the link below:
-StartDreck

Then unzip and run StartDreck.exe.
Hit Config.
Hit Unmark All.
Check these boxes only:
* Registry -> Run keys
* Registry -> Browser helper objects
* System/drivers -> Running processes
Hit OK.

Use the "Save" tab to save, name, and post the log!

#74 electrochimp (Topic Starter, Member, 56 posts)
Jawohl! Here is the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-04-30 @ 16:45:11 (GMT -07:00)
Platform: Windows 95 (Win 4.0.1212 B)
Internet Explorer: 5.50.4807.2300
Logged in as eric at DEFAULT

»Registry
 »Run Keys
  »Current User
   »Run
    *ccWasher=C:\Program Files\Cookie Washer\aolwasher.exe /0
    *SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   »RunOnce
  »Default User
   »Run
    *ccWasher=C:\Program Files\Cookie Washer\aolwasher.exe /0
    *SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   »RunOnce
  »Local Machine
   »Run
    *SystemTray=SysTray.Exe
    *BrowserWebCheck=loadwc.exe
    *RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    *SmcService=C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    *sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
   »RunOnce
   »RunServices
    *SmcService=C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
   »RunServicesOnce
    **gzh=rundll32 C:\WINDOWS\ONLINETE.GRP,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
  *{53707962-6F74-2D53-2644-206D7942484F}
   `InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  *{072E18B1-FE01-459B-AA03-F06616B02357}
   `InprocServer32=C:\WINDOWS\SYSTEM\EBOCLA.DLL
»Files
 »System/Drivers
  »Running Processes
   +FFCFD6AF=C:\WINDOWS\SYSTEM\KERNEL32.DLL
   +FFFFF893=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
   +FFFF8DA3=C:\WINDOWS\SYSTEM\MPREXE.EXE
   +FFFFA4DF=C:\WINDOWS\SYSTEM\mmtask.tsk
   +FFFFB72B=C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
   +FFFE84AF=C:\WINDOWS\RUNDLL32.EXE
   +FFFE8E37=C:\WINDOWS\EXPLORER.EXE
   +FFFD6AD3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
   +FFFD7873=C:\WINDOWS\SYSTEM\LOADWC.EXE
   +FFFD03CB=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
   +FFFD271F=C:\WINDOWS\RUNDLL32.EXE
   +FFFD3BE3=C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
   +FFFDE6FB=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
   +FFFDDDC7=C:\IBMAV95\IBMAVTIM.EXE
   +FFFDFDE3=C:\LOTUS\REGISTER\REMIND32.EXE
   +FFFD93D7=C:\IMSI\WD30\RUNDLG.EXE
   +FFFB71A7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
   +FFF95C5F=C:\WINDOWS\SYSTEM\tapiexe.exe
   +FFF9D6FF=C:\WINDOWS\SYSTEM\RNAAPP.EXE
   +FFF9E91B=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
   +FFFB1B6F=C:\UNZIPPED\STARTDRECK217\STARTDRECK.EXE
»Application specific

#75 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I need you to disable Teatimer again!

Ok, now we finally have the actual hidden file!! Here is what we need to do now:

Run HijackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {072E18B1-FE01-459B-AA03-F06616B02357} - C:\WINDOWS\SYSTEM\EBOCLA.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O18 - Filter: text/plain - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL


Reboot into Safe Mode and delete the following files:

C:\WINDOWS\SYSTEM\EBOCLA.DLL
C:\WINDOWS\TEMP\SE.DLL

Here is the important part!:

* We are going to boot into DOS.
* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type (make sure it's exact!):

del C:\WINDOWS\ONLINETE.GRP

Then, hit Enter.

Exit DOS.

Reboot your system and ignore the errors you WILL get after reboot.

Post a new HiJackThis log.
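The helper in this thread picked the suspicious entries out of each HijackThis and StartDreck log by eye. The script below is an added example, not part of the thread and not a HijackThis, StartDreck or Geeks to Go tool: it applies the same triage rules mechanically to log lines of that shape. The rules are my own heuristics, chosen to match what was flagged above: a rundll32 entry whose module is not a .DLL (the ONLINETE.GRP loader that only StartDreck's RunServicesOnce view exposed), an autostart module living under TEMP (SE.DLL), an unnamed BHO registered straight from the Windows system directory (EBOCLA.DLL, while Spybot's unnamed SDHelper.dll under Program Files is left alone), text/html and text/plain MIME filters, and a Startup-folder entry that is a bare executable rather than a shortcut (STRINGS.EXE). The sample lines are copied from the logs posted above; the SAMPLE_LOG constant, the Finding class and the function names are mine.

```python
"""Heuristic triage of autostart and browser-hook log entries.

Added example for this thread, not a Geeks to Go, HijackThis or StartDreck
tool.  The rules are heuristics chosen for this example: they flag the entries
the helper singled out by eye in the logs above and leave the legitimate ones
(Sygate, Acrobat, Spybot, AOL) alone.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis (O2/O4/O18) and
# StartDreck (RunServicesOnce) logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {072E18B1-FE01-459B-AA03-F06616B02357} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: STRINGS.EXE
O18 - Filter: text/html - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
**gzh=rundll32 C:\WINDOWS\ONLINETE.GRP,DllGetClassObject
"""

# "rundll32 <module>,<export>" as it appears in HijackThis O4 and StartDreck lines.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<module>[^,]+),(?P<export>\w+)", re.I)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$")
FILTER_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<entry>.+)$")
STARTDRECK_RE = re.compile(r"^\*+(?P<name>[^=]+)=(?P<command>.+)$")
# A module dropped directly into C:\WINDOWS\SYSTEM (or SYSTEM32), where the
# random-named DLLs in this thread (eepa, hocj, winsusrm, ebocla) landed.
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\WIN[^\\]*\\SYSTEM(?:32)?\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Finding:
    module: str   # upper-cased path or file name the finding is about
    reason: str
    line: str     # the log line that triggered it


def check_rundll32(command: str, line: str) -> list:
    """Flag rundll32 commands that load a non-.DLL module or load from TEMP."""
    m = RUNDLL_RE.search(command)
    if not m:
        return []
    module = m.group("module").strip()
    ext = ntpath.splitext(module)[1].upper()
    findings = []
    if ext != ".DLL":
        findings.append(Finding(module.upper(),
                                f"rundll32 loads a module with extension {ext or '(none)'} instead of .DLL",
                                line))
    if "\\TEMP\\" in module.upper():
        findings.append(Finding(module.upper(), "autostart module lives under a TEMP directory", line))
    return findings


def triage(log_text: str) -> list:
    """Run every heuristic over HijackThis/StartDreck style lines and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := BHO_RE.match(line)):
            if m.group("name") == "(no name)" and SYSTEM_DIR_RE.match(m.group("path")):
                findings.append(Finding(m.group("path").upper(),
                                        "unnamed BHO registered from the Windows system directory", line))
        elif (m := FILTER_RE.match(line)):
            if m.group("mime").lower() in ("text/html", "text/plain"):
                findings.append(Finding(m.group("path").upper(),
                                        f"MIME filter hooks {m.group('mime')}, so it sees every page IE renders",
                                        line))
        elif (m := STARTUP_RE.match(line)):
            entry = m.group("entry")
            if "\\" not in entry and ".lnk" not in entry.lower():
                findings.append(Finding(entry.upper(),
                                        "Startup-folder entry is a bare executable, not a shortcut", line))
        elif (m := STARTDRECK_RE.match(line)):
            findings.extend(check_rundll32(m.group("command"), line))
        elif line.startswith("O4 - "):
            findings.extend(check_rundll32(line, line))
    return findings


def group_by_module(findings: list) -> dict:
    """Collapse findings so one DLL registered in several places is reported once."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.module, []).append(f.reason)
    return grouped


if __name__ == "__main__":
    for module, reasons in group_by_module(triage(SAMPLE_LOG)).items():
        print(module)
        for reason in reasons:
            print("   -", reason)
```

Run it as a script to print the grouped findings, or import it and call triage() on a full log. On the sample it reports EBOCLA.DLL once with two reasons (BHO plus MIME filter), SE.DLL, STRINGS.EXE and ONLINETE.GRP, and nothing for the Acrobat, Spybot, Sygate or AOL entries. Heuristics like these only narrow the list; a legitimate entry can trip one of them and the helper's judgment still applies. One caveat on the MS-DOS step in the post above: plain DEL does not touch a file carrying the hidden attribute (it reports "File not found"), so if the delete fails, clear the attributes first with ATTRIB -H -S -R C:\WINDOWS\ONLINETE.GRP and repeat the DEL.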





