[electrochimp]

Hi,
here are some from windows\system

eepa.dll
winsusrm.dll
hocj.dll

now to try the program

[Advertisements]

Reboot into Safe Mode!

*While in Safe Mode, Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) :

C:\Windows\System\eepa.dll
C:\Windows\System\winsusrm.dll
C:\Windows\System\hocj.dll

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." click "NO" please restart your computer manually if it doesn't do it automatically.

After your computer restarts go into your system folder and make sure those files are gone!

[Michelle]

Reboot into Safe Mode!

*While in Safe Mode, Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) :

C:\Windows\System\eepa.dll
C:\Windows\System\winsusrm.dll
C:\Windows\System\hocj.dll

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." click "NO" please restart your computer manually if it doesn't do it automatically.

After your computer restarts go into your system folder and make sure those files are gone!

[electrochimp]

Hi !
I removed those three files...and here is a HJT. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:42:57 PM, on 4/28/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {81981788-B812-4BAD-B919-EFAA76B8956F} - C:\WINDOWS\SYSTEM\EEPA.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: STRINGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
O18 - Filter: text/plain - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL

[Michelle]

Did you get DLLCompare to work?? If you did please run it and post the log as in my previous instructions.

Run HiJackThis, put a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {81981788-B812-4BAD-B919-EFAA76B8956F} - C:\WINDOWS\SYSTEM\EEPA.DLL (file missing)

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: STRINGS.EXE

O18 - Filter: text/html - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
O18 - Filter: text/plain - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL

Close HiJackThis. Delete this file:

C:\WINDOWS\TEMP\se.dll

Then, make sure these files are gone, if not, DELETE THEM!
C:\Windows\System\winsusrm.dll
C:\Windows\System\hocj.dll
C:\Windows\System\eepa.dll

Reboot and post a new HiJackThis log.

Edited by bananafanafo, 28 April 2005 - 09:18 PM.

[electrochimp]

Hi
There wasn't anything on the bottom box of the dilcompare. The file
C:\WINDOWS\TEMP\se.dll said it couldn't be deleted on the prompt.
Logfile of HijackThis v1.99.1
Scan saved at 10:36:43 PM, on 4/28/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

[Michelle]

Reboot into Safe Mode.

While still in safe mode, run HiJackThis, place a check next to the following item and clicked FIX CHECKED

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

Close HiJackThis.

Then while still in safe mod delete this file:

C:\WINDOWS\TEMP\se.dll

If it won't let you, try renaming it and deleting it.

Reboot into normal mode and post a new HiJackThis log (crossing fingers this worked!!)

Did you find those other 3 files or were they gone?

[electrochimp]

Hi

Well , the three dll files seem to be staying off! .....one thing that puzzles me
(doesn't take much) is when signing on to AOL it gets through checking password the goes "Goodbye" ....but then works the second time no problem.
here's the HJT
Logfile of HijackThis v1.99.1
Scan saved at 8:35:14 PM, on 4/29/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

[Michelle]

By gosh!! I think we got it!! Nice detective work - stupid hidden file

I don't know what would be causing that with AOL, but I'm quite sure it's just AOL and not any kind of malware problem.

Post one more log for me and let me know how it's running!!

[Michelle]

We need to re-enable TeaTimer now!!
* Open Spybot.
* Click MODE, then check ADVANCED MODE, click YES
* Click TOOLS in bottom lefthand corner.
* Click on SYSTEM STARTUP.
* CHECK Teatimer.
* Click ALLOW CHANGE.

[electrochimp]

Hi Bananafanafo! Well I checked the tea-timer and here is the HJT. The little 3x5
windows explorer pops on for a few seconds and a pop up for Expedia travel comes on. I'll never use them! other than that things work ok

Logfile of HijackThis v1.99.1
Scan saved at 1:22:04 PM, on 4/30/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {072E18B1-FE01-459B-AA03-F06616B02357} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O18 - Filter: text/plain - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL

[Michelle]

You probably don't want to hear this, but it's back!!

Another staff member was telling me how to find the hidden file with DOS, so I'm going to talk to her to see if we can get rid of this. It is also quite possible that we got the hidden file and you just got re-infected because of vulnerabilities in such an old operating system. I'll get back to you asap!

Edited by bananafanafo, 30 April 2005 - 03:20 PM.

[electrochimp]

yuk!
there is a new dll file in SYSTEM.....ebocla.dll got in there today ...rats!

[Michelle]

Download the program from the link below:
-StartDreck

Then, Unzip and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name, and post the log!

[electrochimp]

Jawohl ! Here is the Startdreck log

StartDreck (build 2.1.7 public stable) - 2005-04-30 @ 16:45:11 (GMT -07:00)
Platform: Windows 95 (Win 4.0.1212 B)
Internet Explorer: 5.50.4807.2300
Logged in as eric at DEFAULT

»Registry
»Run Keys
»Current User
»Run
*ccWasher=C:\Program Files\Cookie Washer\aolwasher.exe /0
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Default User
»Run
*ccWasher=C:\Program Files\Cookie Washer\aolwasher.exe /0
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*BrowserWebCheck=loadwc.exe
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*SmcService=C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*SmcService=C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
»RunServicesOnce
**gzh=rundll32 C:\WINDOWS\ONLINETE.GRP,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
*{072E18B1-FE01-459B-AA03-F06616B02357}
`InprocServer32=C:\WINDOWS\SYSTEM\EBOCLA.DLL
»Files
»System/Drivers
»Running Processes
+FFCFD6AF=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF893=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF8DA3=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFA4DF=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFB72B=C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
+FFFE84AF=C:\WINDOWS\RUNDLL32.EXE
+FFFE8E37=C:\WINDOWS\EXPLORER.EXE
+FFFD6AD3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD7873=C:\WINDOWS\SYSTEM\LOADWC.EXE
+FFFD03CB=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
+FFFD271F=C:\WINDOWS\RUNDLL32.EXE
+FFFD3BE3=C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
+FFFDE6FB=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFDDDC7=C:\IBMAV95\IBMAVTIM.EXE
+FFFDFDE3=C:\LOTUS\REGISTER\REMIND32.EXE
+FFFD93D7=C:\IMSI\WD30\RUNDLG.EXE
+FFFB71A7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF95C5F=C:\WINDOWS\SYSTEM\tapiexe.exe
+FFF9D6FF=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF9E91B=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+FFFB1B6F=C:\UNZIPPED\STARTDRECK217\STARTDRECK.EXE
»Application specific

[Michelle]

I need you to disable Teatimer again!

Ok, now we finally have the actual hidden file!! Here is what we need to do now:

Run HijackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {072E18B1-FE01-459B-AA03-F06616B02357} - C:\WINDOWS\SYSTEM\EBOCLA.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL
O18 - Filter: text/plain - {633B964C-CF2D-412B-9092-0AF466860CB4} - C:\WINDOWS\SYSTEM\EBOCLA.DLL

Reboot into Safe Mode and delete the following files:

C:\WINDOWS\SYSTEM\EBOCLA.DLL
C:\WINDOWS\TEMP\SE.DLL

Here is the important part!:

* We are going to boot in DOS,
* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type (make sure it's exact!):

del C:\WINDOWS\ONLINETE.GRP

Then, hit Enter.

Exit DOS.

Reboot your system and ignore the errors you WILL get after reboot.

Post a new HiJackThis log.