Coolwebsearch, Trojan.StartPage.vz and others?


#1 hrb (New Member, 6 posts)

Hi, hoping you guys can help with this - having trouble clearing malware off my PC.

I'm getting pop-up windows for spyware, casinos and other random stuff. My home page about:blank has the phony links on it. Also getting the RUNDLL error on start-up.

I did have the smitfraud trojan, and was also getting a malware dialler trying to dial an international number but I seem to have got rid of that.

I've followed all the steps suggested, except:
- wasn't able to run an online virus scan despite following their recommendations on Internet Security settings
- wasn't able to download the Windows update and trouble-shooting didn't fix the problem

CWShredder keeps detecting CWSHidden.dll and removing it but it is always there when I restart.

Ewido keeps finding (and cleaning) TrojanStartPage.vz but this doesn't seem to get rid of it.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:57:52 PM, on 5/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\AntiVirus\ewido security suite\ewidoctrl.exe
C:\Program Files\AntiVirus\ewido security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AntiVirus\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xtra.co.nz/we...uckland,00.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DD192BD0-498E-4A9C-B6AF-8D7BFA89FC9D} - C:\WINDOWS\System32\hpii.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiVirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107897264968
O17 - HKLM\System\CCS\Services\Tcpip\..\{09517581-60CE-4C7B-94C7-6189744B1C98}: NameServer = 203.96.152.4 203.96.152.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{09517581-60CE-4C7B-94C7-6189744B1C98}: NameServer = 203.96.152.4 203.96.152.12
O18 - Filter: text/html - {F9A7530E-7A2C-45B7-908C-6ACCDEC20246} - C:\WINDOWS\System32\hpii.dll
O18 - Filter: text/plain - {F9A7530E-7A2C-45B7-908C-6ACCDEC20246} - C:\WINDOWS\System32\hpii.dll
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\AntiVirus\ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\AntiVirus\ewido security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Thanks in advance for any help.


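The log above contains the whole persistence chain of this about:blank / StartPage hijack, and the lines are easier to judge together than one at a time: the R1 entries point IE's search page at a resource inside se.dll in the user's Temp folder; the O4 `[sp]` Run entry re-registers that same DLL with `rundll32 ...,DllInstall` at every logon, which is why CWShredder and Ewido cleaning does not stick and why a RUNDLL error appears once the DLL has been removed but the Run key has not; the two O18 lines install hpii.dll as a MIME filter for text/html and text/plain, so every page IE renders passes through it, and the O2 line registers the same DLL as a BHO; the two file:// O16 lines record ActiveX "downloads" from local CABs that the hijacker dropped. What follows is an added example, not part of the original thread and not code from HijackThis: a small Python triage script that turns those indicators into rules and runs them over lines lifted from the log above (constructed sample input). The rules are heuristics written for this variant; the Spybot SDHelper BHO and the Windows Update O16 entry are deliberately left unflagged.

```python
"""Triage rules for HijackThis 1.99 log lines.

Added example for this thread; it is not part of HijackThis or of any tool
mentioned in the posts.  The rules encode the indicators visible in the log
above (CWS about:blank / StartPage variant); SAMPLE_LOG is constructed from
lines lifted out of that log.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "kind reason line")

# Constructed sample input: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DD192BD0-498E-4A9C-B6AF-8D7BFA89FC9D} - C:\WINDOWS\System32\hpii.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107897264968
O18 - Filter: text/html - {F9A7530E-7A2C-45B7-908C-6ACCDEC20246} - C:\WINDOWS\System32\hpii.dll
O18 - Filter: text/plain - {F9A7530E-7A2C-45B7-908C-6ACCDEC20246} - C:\WINDOWS\System32\hpii.dll
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Per-user Temp folder, in 8.3 or long form.
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
DLL_RE = re.compile(r"([A-Za-z]:\\\S+\.dll)", re.IGNORECASE)
TEXT_MIME = ("text/html", "text/plain")


def triage(log_text):
    """Return a list of Finding for every suspicious entry in a HijackThis log."""
    entries = [m for m in map(LINE_RE.match, log_text.splitlines()) if m]
    findings = []

    # Pass 1: O18 MIME filters.  A filter registered for text/html or text/plain
    # sees every page IE renders; remember the DLL so a matching BHO can be tied to it.
    filter_dlls = set()
    for m in entries:
        if m.group("kind") != "O18" or not m.group("body").startswith("Filter:"):
            continue
        mime = m.group("body").split(" - ")[0].split(":", 1)[1].strip()
        dll = DLL_RE.search(m.group("body"))
        if mime in TEXT_MIME and dll:
            filter_dlls.add(dll.group(1).lower())
            findings.append(Finding("O18", f"MIME filter for {mime} routes every page through {dll.group(1)}", m.group(0)))

    # Pass 2: the remaining indicators.
    for m in entries:
        kind, body, line = m.group("kind"), m.group("body"), m.group(0)
        if kind.startswith("R") and "res://" in body and TEMP_RE.search(body):
            findings.append(Finding(kind, "IE search/start page served from a DLL resource in the user's Temp folder", line))
        elif kind == "O4" and "rundll32" in body.lower() and TEMP_RE.search(body):
            findings.append(Finding(kind, "Run entry re-registers a DLL from Temp via rundll32 at every logon", line))
        elif kind == "O16" and "file://" in body.lower():
            findings.append(Finding(kind, "Downloaded Program Files record points at a local CAB, not a vendor URL", line))
        elif kind == "O2":
            dll = DLL_RE.search(body)
            if dll and dll.group(1).lower() in filter_dlls:
                findings.append(Finding(kind, "BHO shares its DLL with a text/html or text/plain MIME filter", line))
    return findings


if __name__ == "__main__":
    # Pass a saved HijackThis log as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Running it on the sample flags six lines: both O18 filters, the res:// R1 entry, the hpii.dll BHO, the `[sp]` rundll32 autostart and the file:// CAB. The BHO is only reported because its DLL is also registered as a MIME filter; a nameless BHO on its own is not enough evidence, which is why the SDHelper line stays quiet.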
#2 Wizard (Retired Staff, 5,661 posts)

Howdy hrb and Welcome to G2G!!!!

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem!!

Please Create a Folder on the Desktop>>Right Click the Desktop>>Select New>>Select Folder>>Name it whatever you like!

Please Download all the tools to the New Folder but please DO NOT run any of these until asked!!!

Please Download SpSeHjfix112:
http://www.derbilk.de/SpSeHjfix112.zip
or
http://www.trojaner-...gi?file=sphjfix
Once downloaded, unzip it and make sure to Extract All Files!

Please Download CWShredder:
http://cwshredder.ne.../CWShredder.exe
Make sure you Update this as soon as you download it!

Please Download AboutBuster by RubbeRDuckY:
http://www.besttechi...?showtopic=1488
Once downloaded, unzip it and make sure to Extract All Files!
Make sure you Update this as soon as you download it!

Download and install CleanUp!:
http://downloads.ste...p/CleanUp40.exe

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Run AboutBuster

Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
Click "Yes" to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
Please run AboutBuster as many times as it takes until you get these Results:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Run SpSeHjfix112

Click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process! (Make sure you Reboot back into Safe Mode!)
The tool creates a log of the fix which will appear in the new folder!
Please Save that Log, I may ask to see it!

Once you are Rebooted back into Safe Mode again!

Run AboutBuster just as you did before but DO NOT Restart this time!!

Run CWShredder

Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit"

Run CleanUp!. Click "CleanUp" and allow it to delete all the temporary files.
Once it is finished, Click "Close" and Click "No" when prompted to "Log Off"

Run SpSeHjfix112
This time I want you to run it Twice, Restarting back in "Normal Mode" after the Second time!
Please Save the Log from the last pass!

Once all is completed, have the PC Scanned here:
http://www.pandasoft...n_principal.htm

You will need to use Internet Explorer for the Scan to work!!

Save the Report it produces!

Please post these logs:

Both logs from SpSeHjfix112

Pandas Active Scan Log

A Fresh HijackThis Log

#3 hrb (Topic Starter, 6 posts)

OK thanks Cretemonster. I'll give this a go.

I've previously tried Panda's Online scan and haven't got it to run properly...I set in security settings to medium as they recommended and it still didn't work. Is this a crucial part of the process, and if so any advice on how I can configure my PC to make it work?

Thanks

#4 Wizard (Retired Staff, 5,661 posts)

It's a fairly Critical step!!!

Try this link and see if it helps any:
http://support.microsoft.com/kb/883255

Just make sure you reset any changes you made after the Scan is complete!

#5 hrb (Topic Starter, 6 posts)

Ok, that all seemed to work and Activescan worked too.

The only weird thing was that when rebooting after running SpSeHjfix the first time, my keyboard wasn't working so I had to restart again (into Safe mode). This has happened a few times since my PC got infected.

Note when running SpSeHjfix my PC didn't reboot automatically so I had to Close and restart manually.

Here are all the logs and current HJT log:

(5/19/05 4:19:28 PM) SPSeHjFix started v1.1.2
(5/19/05 4:19:28 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/19/05 4:19:28 PM) Language: english
(5/19/05 4:19:28 PM) Win-Path: C:\WINDOWS
(5/19/05 4:19:28 PM) System-Path: C:\WINDOWS\System32
(5/19/05 4:19:28 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/19/05 4:19:33 PM) Disinfection started
(5/19/05 4:19:33 PM) Bad-Dll(IEP): (not found)
(5/19/05 4:19:33 PM) Bad-Dll(IEP) in BHO: (not found)
(5/19/05 4:19:33 PM) UBF: 4 - UBB: 0 - UBR: 12
(5/19/05 4:19:33 PM) UBF: 4 - UBB: 0 - UBR: 12
(5/19/05 4:19:33 PM) Bad IE-pages: (none)
(5/19/05 4:19:33 PM) Stealth-String not found
(5/19/05 4:19:33 PM) Not infected->END


(5/19/05 4:20:21 PM) SPSeHjFix started v1.1.2
(5/19/05 4:20:21 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/19/05 4:20:21 PM) Language: english
(5/19/05 4:20:21 PM) Win-Path: C:\WINDOWS
(5/19/05 4:20:21 PM) System-Path: C:\WINDOWS\System32
(5/19/05 4:20:21 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/19/05 4:20:24 PM) Disinfection started
(5/19/05 4:20:24 PM) Bad-Dll(IEP): (not found)
(5/19/05 4:20:24 PM) Bad-Dll(IEP) in BHO: (not found)
(5/19/05 4:20:24 PM) UBF: 4 - UBB: 0 - UBR: 12
(5/19/05 4:20:24 PM) UBF: 4 - UBB: 0 - UBR: 12
(5/19/05 4:20:24 PM) Bad IE-pages: (none)
(5/19/05 4:20:24 PM) Stealth-String not found
(5/19/05 4:20:24 PM) Not infected->END


(5/19/05 4:22:03 PM) SPSeHjFix started v1.1.2
(5/19/05 4:22:03 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/19/05 4:22:03 PM) Language: english
(5/19/05 4:22:03 PM) Win-Path: C:\WINDOWS
(5/19/05 4:22:03 PM) System-Path: C:\WINDOWS\System32
(5/19/05 4:22:03 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/19/05 4:22:05 PM) Disinfection started
(5/19/05 4:22:05 PM) Bad-Dll(IEP): (not found)
(5/19/05 4:22:05 PM) Bad-Dll(IEP) in BHO: (not found)
(5/19/05 4:22:05 PM) UBF: 4 - UBB: 0 - UBR: 12
(5/19/05 4:22:05 PM) UBF: 4 - UBB: 0 - UBR: 12
(5/19/05 4:22:05 PM) Bad IE-pages: (none)
(5/19/05 4:22:05 PM) Stealth-String not found
(5/19/05 4:22:05 PM) Not infected->END

Activescan log:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Virus:JS/Kak.Worm Disinfected Archive Folders\Sent Items\Re: Duathlon results\MSG_HTML.TXT
Virus:Exploit/iFrame Disinfected Archive Folders\Sent Items\RE: RE : Mr. Kweon, Young Ju\MSG_HTML.TXT
Virus:W32/Sober.V.worm Disinfected Personal Folders\Deleted Items\mailing error\error-mail_info.zip[Winzipped-Text_Data.txt .pif]
Adware:Adware/Aureate-Radiate No disinfected D:\WINDOWS\SYSTEM\adimage.dll
Adware:Adware/Aureate-Radiate No disinfected D:\WINDOWS\SYSTEM\tfde.dll
Virus:JS/Kak.Worm Disinfected Archive Folders\Sent Items\Re: Duathlon results\MSG_HTML.TXT
Virus:Exploit/iFrame Disinfected Archive Folders\Sent Items\RE: RE : Mr. Kweon, Young Ju\MSG_HTML.TXT

Logfile of HijackThis v1.99.1
Scan saved at 6:04:43 PM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xtra.co.nz/we...uckland,00.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTIVI~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiVirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107897264968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09517581-60CE-4C7B-94C7-6189744B1C98}: NameServer = 203.96.152.4 203.96.152.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{09517581-60CE-4C7B-94C7-6189744B1C98}: NameServer = 203.96.152.4 203.96.152.12
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\AntiVirus\ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#6 Wizard (Retired Staff, 5,661 posts)

Nice work!!!! :tazz:

Little bit more to go!!

Please temporarily disable TeaTimer in Spybot S&D as it may prevent part of this fix:

Open Spybot and click on Mode>> Advanced Mode
Then on the left panel
Tools >> Resident
Remove the check mark for Resident "TeaTimer"
Reboot the system and TeaTimer will no longer be resident.


Once restarted, Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Unregister these DLLs, to do this:

Click Start>>>Click Run>>>Copy&Paste the Bold Text below into the Open Box and Click OK!

regsvr32 /u tfde.dll
If you get an error message, try it like this:
regsvr32 /u D:\WINDOWS\SYSTEM\tfde.dll

Do the same for this one:

regsvr32 /u adimage.dll
or
regsvr32 /u D:\WINDOWS\SYSTEM\adimage.dll

Locate and Delete these files:

c:\ex.cab<< File Only!

c:\eied_s7.cab<< File Only!

D:\WINDOWS\SYSTEM\adimage.dll<< File Only!

D:\WINDOWS\SYSTEM\tfde.dll<< File Only!

Two possibly three or four files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe (Located in System or System32 folder)

Shell.dll (Located in System or System32 folder)

SDHelper.dll (if you are using Spybot Search & Destroy)

Hosts file (no extension)


If control.exe, shell.dll or SDHelper is missing
Go here http://spywareinfo.c...n/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here:
http://www.funkytoad...load/hoster.zip

Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins

Download signed ActiveX controls (Prompt)
Download unsigned ActiveX controls (Disable)
Initialize and script ActiveX controls not marked as safe (Disable)
Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
Script ActiveX controls marked safe for scripting (Prompt)


I am assuming that this is a Dual Booting Computer by the Entries that Panda Identified at:

D:\WINDOWS\SYSTEM

If so, be cautious; you may want to run the SPSeHjFix on D drive. To be honest, I am unsure if the SPSeHjFix scans all drives!

One more scan and please run this on both drives!!

Download rkfiles.zip and unzip it to its own permanent folder.
http://skads.org/special/rkfiles.zip

Restart the computer in Safe Mode.

Locate the rkfiles.bat file and double-click it to Run it.

It will start scanning your computer and could take a little while so be patient. When the DOS window Closes, Reboot back to normal mode.

Post the contents of C:\log.txt back here!

Make sure to follow the same process for D drive!

Post back with the RKFiles logs and a fresh HijackThis log!!

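The ActiveX settings listed in the post above correspond to per-zone DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), where 0 = Enable, 1 = Prompt and 3 = Disable; the value names 1001, 1004, 1200, 1201 and 1405 follow Microsoft's published zone-registry layout (KB182569) and are an assumption of this example, not something the thread states. The script below is an added example, not code from the thread or from any tool named in it: it parses a `.reg` export of that key (the sample export is constructed to look like a zone a hijacker has opened up, everything set to Enable), reports each setting that differs from the values the post recommends, and emits a corrected `.reg` fragment. The post has you change these through Internet Options in IE, which remains the straightforward route; exporting and comparing just lets you verify the result afterwards, or check several machines, without clicking through the dialog.

```python
"""Audit IE Internet-zone ActiveX settings from a .reg export.

Added example for this thread, not code from the thread or any tool named in it.
Assumption: the per-action value names below follow Microsoft's published zone
registry layout (KB182569); 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import re
import sys

# Zone 3 is the Internet zone.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Value name -> (recommended level, dialog label), as listed in the post above.
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe"),
    "1200": (0, "Run ActiveX controls and plug-ins"),
    "1405": (1, "Script ActiveX controls marked safe for scripting"),
}

# Constructed sample: what an export looks like after a hijacker has opened everything up.
WEAKENED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(\d+)"=dword:([0-9A-Fa-f]{8})$')


def parse_zone(reg_text, zone_key=ZONE_KEY):
    """Return {value_name: int} for the numeric DWORDs under zone_key in a .reg export."""
    values, in_zone = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            in_zone = section.group(1).lower() == zone_key.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(reg_text):
    """List (value_name, label, current, recommended) for every setting that deviates."""
    current = parse_zone(reg_text)
    deviations = []
    for name, (want, label) in RECOMMENDED.items():
        have = current.get(name)
        if have != want:
            deviations.append((name, label, LEVEL.get(have, f"unset ({have})"), LEVEL[want]))
    return deviations


def hardened_fragment():
    """A .reg fragment that restores the recommended levels; import it with regedit."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, (want, label) in RECOMMENDED.items():
        lines.append(f"; {label} -> {LEVEL[want]}")
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # regedit writes version-5 exports as UTF-16 with a BOM; fall back to the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else WEAKENED_EXPORT
    for name, label, have, want in audit_zone(text):
        print(f"{name} {label}: is {have}, should be {want}")
    print(hardened_fragment())
```

On the sample export the audit reports four deviations (1001, 1004, 1201 and 1405); 1200 is left alone because Run ActiveX controls and plug-ins is meant to stay Enabled. Importing the emitted fragment puts the zone back to the recommended levels, and a second audit of that fragment comes back empty.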
#7 hrb (Topic Starter, 6 posts)

I recently upgraded my PC with new hard drive, OS etc etc and have kept the old hard drive installed - that's my D: drive. That has Windows 98 installed, I believe I could boot under that OS but wouldn't know how to do it to be honest. Windows XP is installed on the C drive which is what I always use.

(Never had any trouble with viruses under Windows 98, there's a lot to be said for being a Luddite!).

A couple of questions with the help you gave me:

Started following your instructions but haven't been able to unregister the DLLs - I get the error msg "The specified module could not be found". (Tried both formats you gave me). However I can see in Explorer that both files are in that directory. Should I just go ahead and delete them?

I've looked for the 4 files you mentioned. They are all still present on my C drive, but Control.exe is not on my D drive and the only hosts file is Hosts.sam. Should I fix this up?

#8 Wizard (Retired Staff, 5,661 posts)

Go ahead and delete the .dll that wouldn't unregister!

Run the RKFiles Scan,post the log from that and a fresh HijackThis log!

#9 hrb (Topic Starter, 6 posts)

Hi Cretemonster

I've followed those steps, with the following exceptions:

- couldn't de-register those two dll files (but did delete them)
- not sure if I ran rkfiles.bat on both drives - I installed it on D: drive but I can't boot into this drive. The results were the same when I ran both versions.

Here are the logfiles:

D:\Program Files\AntiVirus\Rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

Logfile of HijackThis v1.99.1
Scan saved at 10:27:04 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xtra.co.nz/we...uckland,00.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ADMINI~1\Desktop\ANTIVI~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107897264968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\AntiVirus\ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

How does it look?

#10 Wizard (Retired Staff, 5,661 posts)

Looks Peachy to me > I take it the PC is Happier?

Install these 2 programs > Both links have an explanation of what each program does and how to keep them up to date!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and then re-enable it!

This will flush out all old Restore Points!

Let me know if you have any other questions?

#11 hrb (Topic Starter, 6 posts)

Everything is running sweet :tazz:

Thanks for your help with this. This is the first time I've had some serious malware, I've got to say it's pretty frustrating and takes a [bleep] of a long time to fix! But it would take even longer without you guys, I have to say the team at geekstogo do a great job. Thanks for giving up your time to help out with this, much appreciated!

#12 Wizard (Retired Staff, 5,661 posts)

Glad to be of service..... Make sure you re-enable System Restore!

Here are a few links to help you on your way!

http://forums.thetec...read.php?t=4544

http://www.pcstats.c...?articleID=1579

http://forums.thetec...read.php?t=8859