Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan horse Startpage.19.J

Started by Neil R , May 27 2005 03:18 AM

Please log in to reply

#1
Neil R

Posted 27 May 2005 - 03:18 AM

Member

Member
10 posts

From: [email protected]

Hi everyone

Help!

I had the trojan horse Startpage.19.J virus -- very nasty and it took me all day to clear it. (Mind you, I'm an ignoramus -- and I feel I've only had partial success).

I download loads of spyware and followed the instructions on this site to the best of my ability - though not everything seeme dto apply to ME and I can't download the Lavasoft....

Anyway, two things the virus did:
One: reset my homepage to a search engine
Two: destroyed my desktop background with something blue, saying fault in IE explorer.

Now my computer works fine ... but I can no longer save any pictures to my background. "Desktop themes" in Control Panel also won't open - and there appear to be no clues.

Can anyone help? Or is it possible I've killed some vital driver by accident...

Thanks in advance,
Neil

PS... Here's my hi-jack log. I'm worried that it may be less useful than it otherwise would've been - as I've killed some files already when going through the spyware download process..... And I didn't note down those I'd killed from the Hijack log.

Still, here it is. Any advice would be gratefully appreciated..

Logfile of HijackThis v1.99.1
Scan saved at 00:38:11, on 27/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Program Files\Netscape\Users\neiljroberts\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYDOCU~1\ANT-VI~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\MY DOCUMENTS\ANT-VIRUS AND SPYWARE DOWNLOADS\SABBHO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\MY DOCUMENTS\ANT-VIRUS AND SPYWARE DOWNLOADS\SABTB.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf3 2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab

PPS. I have run AboutBuster, CWShredder, Stinger, TDS3, Spybot and Dr Delete -- but for some reason I can't download Lavasoft Ad-Aware, so I ran SuperAdBlocker as well...

#2
Wizard

Posted 28 May 2005 - 02:34 AM

Retired Staff

Retired Staff
5,661 posts

Howdy Neil and Welcome the Geeks to Go Forums!

I am going to walk you through 2 basic fixes for what I think you had or may still have on the PC!

Mind you...these will cover a broad spectrum of possibilities!

Here is Step 1

Please Download SpSeHjfix112:
http://www.derbilk.de/SpSeHjfix112.zip
or
http://www.trojaner-...gi?file=sphjfix
Once downloaded,Unzip it and Make sure to Extract All Files!

Run SpSeHjfix112

Click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Once in Safe Mode> Run SpSeHjfix112 again!

Click on "Start Disinfection".

The tool creates a log of the fix which will appear in the new folder!

I need to see the logs from both Scans please!

#3
Neil R

Posted 28 May 2005 - 03:39 AM

Member

Topic Starter
Member
10 posts

Hi there!

Thanks for your reply.
I followed your instructions.
(Once in safe mode, the comuter re-booted into normal mode following the second disinfection. Is this correct?)

Anyway, sadly the problem still exists.
I have lost the option of customizing my desktop -- (background is still blue, showing IE Explorer fault, or something similar, in the corner)

Also, I have discovered a problem with my printer... so tried uninstalling and re-installing. Now can't re-install!! The computer can't find a port the printer is connected to.
Oh dear!

Anyway, if you can be of further assistance, I'd be so grateful.... If we can get through this, I'll definitely make a donation!!

PS. I have to work til 11pm tonight UK time so won't be able to log on til late.....
But here are the two logs you asked for...

Thanks again,
Neil

First log

(5/28/05 10:18:20) SPSeHjFix started v1.1.2
(5/28/05 10:18:20) OS: WinME (4.90.3000)
(5/28/05 10:18:20) Language: english
(5/28/05 10:18:20) Win-Path: C:\WINDOWS
(5/28/05 10:18:20) System-Path: C:\WINDOWS\SYSTEM
(5/28/05 10:18:20) Temp-Path: C:\WINDOWS\TEMP\
(5/28/05 10:18:25) Disinfection started
(5/28/05 10:18:25) Bad-Dll(IEP): (not found)
(5/28/05 10:18:25) Bad-Dll(IEP) in BHO: (not found)
(5/28/05 10:18:25) UBF: 4 - UBB: 2 - UBR: 9
(5/28/05 10:18:25) UBF: 4 - UBB: 2 - UBR: 9
(5/28/05 10:18:25) Bad IE-pages: (none)
(5/28/05 10:18:25) Stealth-String found: C:\WINDOWS\OEWABLLG.TXT
(5/28/05 10:18:25) File added to delete: c:\windows\oewabllg.txt
(5/28/05 10:18:25) Reboot
(5/28/05 10:19:17) SPSeHjFix 2nd Step
(5/28/05 10:19:17) Stealth-String not present. Disinfection succesfully
(5/28/05 10:22:05) Cleaned

Second log

(5/28/05 10:18:20) SPSeHjFix started v1.1.2
(5/28/05 10:18:20) OS: WinME (4.90.3000)
(5/28/05 10:18:20) Language: english
(5/28/05 10:18:20) Win-Path: C:\WINDOWS
(5/28/05 10:18:20) System-Path: C:\WINDOWS\SYSTEM
(5/28/05 10:18:20) Temp-Path: C:\WINDOWS\TEMP\
(5/28/05 10:18:25) Disinfection started
(5/28/05 10:18:25) Bad-Dll(IEP): (not found)
(5/28/05 10:18:25) Bad-Dll(IEP) in BHO: (not found)
(5/28/05 10:18:25) UBF: 4 - UBB: 2 - UBR: 9
(5/28/05 10:18:25) UBF: 4 - UBB: 2 - UBR: 9
(5/28/05 10:18:25) Bad IE-pages: (none)
(5/28/05 10:18:25) Stealth-String found: C:\WINDOWS\OEWABLLG.TXT
(5/28/05 10:18:25) File added to delete: c:\windows\oewabllg.txt
(5/28/05 10:18:25) Reboot
(5/28/05 10:19:17) SPSeHjFix 2nd Step
(5/28/05 10:19:17) Stealth-String not present. Disinfection succesfully
(5/28/05 10:22:05) Cleaned

(5/28/05 10:26:44) SPSeHjFix started v1.1.2
(5/28/05 10:26:44) OS: WinME (4.90.3000)
(5/28/05 10:26:44) Language: english
(5/28/05 10:26:44) Win-Path: C:\WINDOWS
(5/28/05 10:26:44) System-Path: C:\WINDOWS\SYSTEM
(5/28/05 10:26:44) Temp-Path: C:\WINDOWS\TEMP\
(5/28/05 10:26:48) Disinfection started
(5/28/05 10:26:48) Bad-Dll(IEP): (not found)
(5/28/05 10:26:48) Bad-Dll(IEP) in BHO: (not found)
(5/28/05 10:26:48) UBF: 4 - UBB: 2 - UBR: 9
(5/28/05 10:26:48) UBF: 4 - UBB: 2 - UBR: 9
(5/28/05 10:26:48) Bad IE-pages: (none)
(5/28/05 10:26:48) Stealth-String found: C:\WINDOWS\OEWABLLG.TXT
(5/28/05 10:26:48) File added to delete: c:\windows\oewabllg.txt
(5/28/05 10:26:48) Reboot
(5/28/05 10:27:34) SPSeHjFix 2nd Step
(5/28/05 10:27:34) Stealth-String not present. Disinfection succesfully
(5/28/05 10:27:52) Cleaned

#4
Wizard

Posted 28 May 2005 - 04:04 AM

Retired Staff

Retired Staff
5,661 posts

Pointer problems?

Are the controls reversed on the pointer?

That scan showed me what I wanted to see,now for the next step!

This one is a bit more complex but we are just covering all the bases!

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\OEWABLLG.TXT

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3448633F-3D4F-45AB-B3AB-190FF20CA818} - (no file) (HKCU)

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab

Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

#5
Neil R

Posted 28 May 2005 - 07:18 PM

Member

Topic Starter
Member
10 posts

Hello!!!

You are a very clever man!

What can I say except thank you? I will make a donation - you have saved my computer and I'm very grateful for your efforts.

An error occurred during download of the Panda Scan so unfortunately I'm unable to provide you with a log for that.

But everything seems perfect -- and I'll try to re-install my printer tomorrow (it's so late now!! And work tomorrow .....)

Anyway, here's my final Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 02:13:15, on 29/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\MY DOCUMENTS\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btinternet.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Program Files\Netscape\Users\neiljroberts\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\My Documents\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\MY DOCUMENTS\ANT-VIRUS AND SPYWARE DOWNLOADS\SABBHO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\MY DOCUMENTS\ANT-VIRUS AND SPYWARE DOWNLOADS\SABTB.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\My Documents\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#6
Neil R

Posted 29 May 2005 - 01:15 AM

Member

Topic Starter
Member
10 posts

PS....
Finally got the Active Scan to complete.
Here's the log:

Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\help_?cc.dll
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\WINDOWS\Downloaded Program Files\Q330995.exe
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys???.exe
Adware:Adware/IGuard No disinfected Windows Registry
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\IBMH.DLL
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\nblj.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\gfbc.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1014.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll
Adware:Adware/CWS No disinfected C:\WINDOWS\Downloaded Program Files\Q330995.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPdpPlugin.log
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\help_dcc.dll
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\help_ecc.dll
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\S4BAREQ.EXE
Adware:Adware/BlueScreenWarningNo disinfected C:\My Documents\ANTI-VIRUS AND SPYWARE DOWNLOADS\Quarantine\Quarantine - 05-26-2005 - 21-47-13.SBU[{2F3DDDFC-3269-491F-939F-578D99595A14}]
Adware:Adware/FunWeb No disinfected C:\unzipped\hijackthis\backups\backup-20050526-204629-610.inf
Virus:Trj/Downloader.Z Disinfected C:\gdmrujwhvsq.exe

#7
Wizard

Posted 29 May 2005 - 04:23 AM

Retired Staff

Retired Staff
5,661 posts

Good Deal.....what was it? Did you have to set your Active X to accept the content for Panda to work?

Couple of these will be tricky,so below is a link to a utility called Pocket Killbox

http://www.bleepingc...les/killbox.php

Once Downloaded,you just Highlight>>Right Click and Copy the list below!
(You will have to Copy them to Notepad and remove all my writing and all spaces between the listings)

Open Killbox>>Click File>>Click Paste from Clipboard>>PLace a tick by any of these available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete!!

It will confirm whether the file was deleted!

Please Make sure Windows is Showing Hidden Files!

Locate and Delete

C:\Program Files\MySearch<< Folder

C:\Program Files\Common FilesTotem Shared<< Folder

C:\WINDOWS\SYSTEM\IBMH.DLL<< File!

C:\WINDOWS\SYSTEM\nblj.dll<< File!

C:\WINDOWS\SYSTEM\gfbc.dll<< File!

C:\WINDOWS\SYSMON.EXE<< File!(Only in Windows Folder!)

C:\WINDOWS\help_ecc.dll << File!

C:\WINDOWS\GatorPdpPlugin.log<< File!

C:\WINDOWS\GatorHDPlugin.log-old.log<< File!

C:\WINDOWS\Downloaded Program Files\HDPlugin1014.dll<< File!

C:\WINDOWS\Downloaded Program Files\Q330995.exe<< File!

Post back and let me know how it goes!

#8
Neil R

Posted 29 May 2005 - 07:38 AM

Member

Topic Starter
Member
10 posts

Thanks for this....

I will give it a go when I get home from work, some time tonight.
PS.. my printer problem is still persisting...

I try to re-install, then it tells me: "no ports found", with no options...

any ideas, or do you think a further clean-up will help?

Cheers!
PS. Not too sure what you mean by killing the spaces and your writing... do you mean
eg. StandardFileKill instead of Standard File Kill

#9
Neil R

Posted 29 May 2005 - 01:32 PM

Member

Topic Starter
Member
10 posts

Hello again!

Well we seem to have gone backwards a few steps.
First of all, these files weren't deleted -- the computer just threw up "Search Assistant" (whatever that is...)

C:\WINDOWS\SYSTEM\gfbc.dll
C:\WINDOWS\SYSTEM\IBMH.DLL
C:\WINDOWS\SYSTEM\nblj.dll

Then, of course, I realised that I needed to click ALL those boxes for every single file to delete, right? (Which of course I forgot to do.... though the Standard File Kille box was always checked....)

Anyway, the other files were deleted... (but sufficiently?)

The reason I say a backward step is because when I re-nooted, I got an eror message I received during the embryonic period of this virus:

"Error loading C:\WINDOWS\TEMP\SE.DLL Access is denied"

Plus, then my AVG found the Trojan horse Starpage.19.AN virus,,,,,,,

So who knows where I am!? (Though the computer appears to work, apart from the occasional freeze on start-up... and the background is working again....)

The printer still won't re-install though (No ports found)

Have we gone backwards / have I done something wrong / is there yet further hope?

Cheers for all your help so far...
Neil

#10
Wizard

Posted 29 May 2005 - 01:41 PM

Retired Staff

Retired Staff
5,661 posts

No you havent done anything wrong!!!

Just dont restart until I ask!!!

Let me see another HijackThis log first!

While you are waiting,Scan the PC again with SpSeHjfix112

Just one Scan and post the log!!!

I will get ya ficked up here shortly! :tazz:

#11
Neil R

Posted 29 May 2005 - 01:48 PM

Member

Topic Starter
Member
10 posts

Hello!

Gosh you were quick off the mark with this reply.....
I actually DID restart -- because the computer froze up -- but only after I'd managed to kill those three extra files (I opened Killbox in normal mode, this time........ I reckon I'm taking too many risks!)

Anyway, those files are gone but the "Access denied" message persists and so does the printer problem. (Background now ok...)

I will go into safe mode and post another Hijack log....

Then I'll go back into normal mode and run SpSeHjfix again...

#12
Neil R

Posted 29 May 2005 - 01:58 PM

Member

Topic Starter
Member
10 posts

OK here goes...

SpSehjfix tells me my computer is disinfected....

And here's my hijack log (I haven't re-tested the printer problem but will do so while awaiting your reply)...

Thanks in the meantime!

Logfile of HijackThis v1.99.1
Scan saved at 20:48:50, on 29/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Program Files\Netscape\Users\neiljroberts\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\My Documents\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\MY DOCUMENTS\ANT-VIRUS AND SPYWARE DOWNLOADS\SABBHO.DLL (file missing)
O2 - BHO: (no name) - {1D3C9CF0-BBA9-4E0A-9CE9-808E0927C21F} - C:\WINDOWS\SYSTEM\IBMH.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\MY DOCUMENTS\ANT-VIRUS AND SPYWARE DOWNLOADS\SABTB.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\My Documents\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {6E8ADC13-AF8D-41A0-9BFC-9A9FB3199A35} - C:\WINDOWS\SYSTEM\IBMH.DLL
O18 - Filter: text/plain - {6E8ADC13-AF8D-41A0-9BFC-9A9FB3199A35} - C:\WINDOWS\SYSTEM\IBMH.DLL

#13
Wizard

Posted 29 May 2005 - 02:25 PM

Retired Staff

Retired Staff
5,661 posts

OK...You sure you killed this
C:\WINDOWS\SYSTEM\IBMH.DLL

Please download ABout Buster
http://www.besttechi...?showtopic=1488

The tutorial inside will explain everything....Make sure to Update it and dont use it until Safe Mode!

Please temporily disable TeaTimer in Spybot S&D as it may prevent part of this fix:
Open Spybot and click on Mode, check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on Resident. Uncheck Resident "TeaTimer" box.
Close Spybot

Retsart in Safe Mode

Unregister these DLLs,to do this:

Click Start>>>Click Run>>>Copy&Paste the Text below into the Text Box and Click OK!

regsvr32 /u IBMH.DLL
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\SYSTEM\IBMH.DLL

Do the same for these:

regsvr32 /u se.dll
or
regsvr32 /u C:\WINDOWS\TEMP\se.dll

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

Navigate and Visibly ID this file and Kill it!!!

C:\WINDOWS\SYSTEM\IBMH.DLL<< File!

Navigate to this Folder and Empty the entire contents of it

C:\WINDOWS\TEMP<<After you open it...delete all the contents inside!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Program Files\Netscape\Users\neiljroberts\prefs.js)

O2 - BHO: (no name) - {1D3C9CF0-BBA9-4E0A-9CE9-808E0927C21F} - C:\WINDOWS\SYSTEM\IBMH.DLL (file missing)

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {6E8ADC13-AF8D-41A0-9BFC-9A9FB3199A35} - C:\WINDOWS\SYSTEM\IBMH.DLL

O18 - Filter: text/plain - {6E8ADC13-AF8D-41A0-9BFC-9A9FB3199A35} - C:\WINDOWS\SYSTEM\IBMH.DLL

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Please Run AboutBuster just as described in the link and Save those logs!!

Run Cleanup while in Safe Mode and after the log off....Restart Normal!

Download Symantecs Backdoor.Agent.B Removal Tool
To repair any registry entries that may have been changed!

http://securityrespo...er/FxAgentB.exe

Close all the running programs.

If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Double-click the FxAgentB.exe file to start the removal tool.

When the following message appears

Please do NOT start any other applications until the removal tool exits and the computer is restarted.

Then click OK!

Post back and let me know how we did!

#14
Neil R

Posted 29 May 2005 - 04:27 PM

Member

Topic Starter
Member
10 posts

Hello!

Sorry for the delay in replying. Some family responsibilities took over.

Firstly, yes Killbox definitely claimed to have killed this file: C:\WINDOWS\SYSTEM\IBMH.DLL

Secondly, I have followed your instructions to the very letter.

1
When I tried to unregister this:
regsvr32 /u IBMH.DLL (plus alternative)
and this:
regsvr32 /u se.dll (plus alternative), I got a box back saying "load library failed" (both occasions)

2
When running HijackThis again, the only two files I found in your list were:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant, and
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Program Files\Netscape\Users\neiljroberts\prefs.js)

3
When I ran the Symantec scan, the program told me my System Restore was enabled (but in fact the disable System Restore Box had already been ticked) so I proceeded as normal.
After the scan, it told me that Backdoor Agent.B was not present on my computer.

At this point, I expected the computer to re-start for me but it didn't. I did this manually.

4
Here is the About:Buster log:

Scanned at: 23:00:42 on: 29/05/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

I think that's it for now --- where are we up to!!??
PS. Last time I checked, printer still not working (no ports found) -- though everything else appears normal at the moment...

Cheers!

#15
Wizard

Posted 29 May 2005 - 07:15 PM

Retired Staff

Retired Staff
5,661 posts

All that looks good to me!

Lets see what we can figure out about the printer!

First Check to make sure the Print Spooler is starting!

Click Start>>Click Run>>Type in Services.msc and Click OK!

Scroll that list until you see Print Spooler>>Right Click and Select Properties!

Make sure it is Started and Make sure the Startup type is Automatic!

If any changes were made>>Restart and try printer!

Next will be to check the Device Manager

Right Click My Computer>>Select Properties>>Click Harware>>Device Manager

Click on Ports and Make sure all is enabled!

Click on System Devices and Universal Serial Bus Controllers and Make sure nothing is disabled there!

Any Changes>>Restart and Try Printer!

Last>>Make sure the USB cord for the printer is good!!

Test it on something else that connects through a USB Chord!

Let me know how it goes!

Go back to System Restore>>Confirm it is Disabled>>If Available>Move the Slider all the way to Minimun position!

Install these 2 programs

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Post back and let me know how the printer issue is!