Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Azesearch removed, spyware remover still bothering [RESOLVED]

Started by kuuan , Jun 15 2005 06:57 AM

This topic is locked

#1
kuuan

Posted 15 June 2005 - 06:57 AM

Member

Member
27 posts

Got Azesearch today.
I run all the programs as you suggest, quite some files found and deleted. However I have not done any online scanning yet as I am battling with a 1,8 KB connection. Just now I am downloading ewido, I will try if it will work with my slow connection and post that log as soon as available
So far Azesearch toolbar is gone, but there is still that warning in my taskbar with it's popup telling that my computer is infected, and the background of my display still is black with a yellow writing telling that I have spyware, wanting me to connect to install something.

here my hijacklog:

Logfile of HijackThis v1.99.1
Scan saved at 20:15:34, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\hookdump.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Andreas\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 213.219.251.81 astalavista.com
O1 - Hosts: 213.219.251.81 www.astalavista.com
O1 - Hosts: 213.219.251.81 astalavista.box.sk
O1 - Hosts: 213.219.251.81 www.astalavista.box.sk
O1 - Hosts: 213.219.251.81 cracks.com
O1 - Hosts: 213.219.251.81 www.cracks.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by kuuan, 15 June 2005 - 07:05 AM.

#2
Guest_thatman_*

Posted 15 June 2005 - 07:10 AM

Guest

Hi kuuan

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
Download nails.cmd fix
Unzip it to the desktop but please do NOT run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Now run the nails.cmd fix

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O1 - Hosts: 213.219.251.81 astalavista.com
O1 - Hosts: 213.219.251.81 www.astalavista.com
O1 - Hosts: 213.219.251.81 astalavista.box.sk
O1 - Hosts: 213.219.251.81 www.astalavista.box.sk
O1 - Hosts: 213.219.251.81 cracks.com
O1 - Hosts: 213.219.251.81 www.cracks.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
Click on Fix Checked when finished and exit HijackThis.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\system32\hookdump.exe
Let the system reboot.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3
kuuan

Posted 15 June 2005 - 10:30 AM

Member

Topic Starter
Member
27 posts

Finished doing as you told. I am not sure if the Nailfix had gone through, it says the zip file is not complete, though I downloaded twice and tried twice. In the Pocket Killbox nothing was done, maybe I did not know how to operate. Anyhow, after running HijackThis all the files stated could be deleted anyway.
I did NOT run the online scans: While trying to download Pandasoft it was blocked by my Norton, and I was told that I had to download ActiveXcontrol. I did NOT do that beacause allowing that was exactly how I got this problem the first place. The housecall never opens ( I have a VERY slow connection here )

The only thing which apparently still is here is the black background saying: Warning, you are in danger ect. in yellow writing. The red circle with the white cross in the taskbar with it"s popup is gone.

Here my logfiles:
note: error during cleaning could have been caused because my C drive was scanned twice. ( it showed up first, and then I chose add all, it came up a second time and I did not remove it )
the HijackThis log file is from a scan I did after all the procedure.O.K?

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:41:23, 15/06/2005
+ Report-Checksum: 2644FED6

+ Date of database: 15/06/2005
+ Version of scan engine: v3.0

+ Duration: 76 min
+ Scanned Files: 122408
+ Speed: 26.60 Files/Second
+ Infected files: 2
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
C:\
D:\
K:\
L:\
M:\
N:\
O:\

+ Scan result:
C:\RECYCLER\NPROTECT\00126341.DLL -> Spyware.AzSearch.a -> Cleaned with backup
C:\RECYCLER\NPROTECT\00126341.DLL -> Spyware.AzSearch.a -> Error during cleaning

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 00:18:24, on 16/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andreas\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66B4D51-0005-4238-A6A0-2421D571E660}: NameServer = 61.94.192.12 202.134.1.10
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4
Guest_thatman_*

Posted 15 June 2005 - 11:06 AM

Guest

Hi kuuan

Norton is blocking the fix, what was norton doing letting you get infected

Norton and mcrappy are a waste of time.

Look on the forum at the number off people that get infected you will see norton or McCaffe being infected time after time.

Your HijackThis.log is clean to allow the Nail fix to finnish its job you will need to disable norton.

You call

Kc :tazz:

#5
kuuan

Posted 15 June 2005 - 11:37 AM

Member

Topic Starter
Member
27 posts

good to hear it is clean, but one problem persists:
on startup, first an empty screen appears and stays much longer than usual before the icons appear, and then - now - it blinks between white and grey ( my background usually is grey, though darker )
well, I might have made a mistake: before, when the background still was black with that warning, I rightclicked it and found that under properties: Type: HTML document, file://C\WINDOWS\screen.html
So I went ahaed and went into WINDOWS and deleted that file ( together with Icons of a heart - xxx site -, some shoppping and some other icons which originally had popped up on my screen after infection. ) - and I even deleted them from the recycle pin already.
Any idea what's still wrong, and how to make my sreen load normally?
+ I am still not sure if I succeeded in rfunning the Nail sucessfully, not if I disabled Norton correctly.

#6
Guest_thatman_*

Posted 15 June 2005 - 12:01 PM

Guest

Hi kuuan

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download smitfraud.reg. Save it to your desktop.

Reboot into safemode

Run the smitfraud.reg

Reboot as normal

Let me know if that works

Kc :tazz:

#7
kuuan

Posted 15 June 2005 - 12:24 PM

Member

Topic Starter
Member
27 posts

No, still about the same behaviour ( still slow on startup and blinking, though the colors changed slightly...the backlight of the letters describing the icons has become blue )
smitfraud.reg, on running, asked me if I really wanted to have information added to my registry, which I permitted, right?

#8
Guest_thatman_*

Posted 15 June 2005 - 12:36 PM

Guest

Hi kuuan

Lets try this

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00

Please save the content of the box above to an empty file in Notepad. In RED only
Save is as desktop.reg
Save it to your desktop
type: all files
Close Notepad.

Doubleclick the file click.reg and grant permission to merge the registry entries.

The last entry will reset their color back to the default Windows blue. Note this wont go into effect until after a reboot.

Kc :tazz:

#9
kuuan

Posted 15 June 2005 - 01:00 PM

Member

Topic Starter
Member
27 posts

Something I must have understood wrong and done wrong.
After I was asked if I wanted to merge it in myu registry I permitted, but it would not do it saying that it was not a registry script, and that I can only import binary registry files from within the registry editor.
However I might have done something wrong on saving the file in wordpad:

after pasting I colored it red
as file name I chose: desktop.reg
filetype: rich text format
I saved it

then you told me to type: all files
that I did still inside the wordpad file, so on closing it asked me if I wanted to save the changes.
I both tried with a saved file with and without saving the changes, the result was the same as described.

a further note:
of course I want to have my desktop look normal, but I strongly believe that this might not be the only problem as the computer also still takes much longer time than usual to display the desktop.

could I try to do something opening regedit.exe inside WINDOWS?
also inside WINDOWS I find one folder suspcious, which is a file called mui, inside the folder is muisetup.exe, and how about the folder pchealth ?

Edited by kuuan, 15 June 2005 - 01:10 PM.

#10
Guest_thatman_*

Posted 15 June 2005 - 01:10 PM

Guest

Hi kuuan

I said notepad not wordpad that is why it will not work.

Kc :tazz:

#11
kuuan

Posted 15 June 2005 - 01:20 PM

Member

Topic Starter
Member
27 posts

Oh yes, sorry.
Did it in notepad, now the registry was accepted.
On startup I first thought success as the first color was the blue, but shortly after it again started to blink between white and grey, just as before

note: I had added to my prior post:
could I try to do something opening regedit.exe inside WINDOWS?
also inside WINDOWS I find one folder suspcious, which is a file called mui, inside the folder is muisetup.exe, and how about the folder pchealth

Edited by kuuan, 15 June 2005 - 01:23 PM.

#12
Guest_thatman_*

Posted 15 June 2005 - 01:45 PM

Guest

Hi kuuan

I need to think this over

Will pick this up tomorrow.

Kc :tazz:

#13
kuuan

Posted 15 June 2005 - 01:50 PM

Member

Topic Starter
Member
27 posts

Oh WOW, thank you sooo much for your kind help.
I was just to suggest to give it a brake. Here it soon will be 4 A.M., I am very tired, can"t see propperly anymore, start to make mistakes...
one question though: I do have a registry backup from before the infection. I did not make with Window System Restore however, there is no restore point yet, but I have it saved. On opening it also askes me if I really want to add this information to my registry. How about doing this? ( I guess I would have to reinstall all the tools installed today later, yes? )

#14
Guest_thatman_*

Posted 15 June 2005 - 02:03 PM

Guest

Hi kuuan

Yes that may do the trick yes there will be some item that may need to reinstall

Time to call it a day have be at the Hjt.log for 12 hours

Kc :tazz:

#15
kuuan

Posted 15 June 2005 - 08:30 PM

Member

Topic Starter
Member
27 posts

Hi again,]
adding that reg data did not change he situation.
AdAware did dig out one cooky which was a tracker, after deleting the behaviour changed somewhat Now the screen stays grey, only when the mousepoint goes to any object or the taskbar it changes tro white.he new bachground color, the blue I got with the registry data I had added via notepad was and still is the backgroundcolor of the description of the Icons.

somewhat later:
found this:
Hi again...

EUREKA!!!

I found these instructions in another post:

"Then Click on the upper edge of the screen and drag it down untill you notice a cross in the upper right corner. Click it to close the screen and you will have access to your real desktop and can change the settings"...

... and they worked for me!

But that was just the last piece of the puzzle... thank you, rstones, for giving me all the rest...

somebody having the same problem in this thread:
http://www.geekstogo...c=29965&hl=gold

The screen is back to normal!!

just now I am running the pandasoft scan, the file C:\Windows\System32\hookdump.exe is still waiting in the Killbox to be removed in SafeMode once Panda is done. Sorry, you had instructed me before to remove this file, but something I must have done wrong it is still here, but will be gone soon.

Still later:
Pandasoft result:

Incident Status Location

Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Andreas\Desktop\backups\backup-20050615-203317-562.inf
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\azebar.xml
Adware:Adware/AzeSearch No disinfected M:\tools\protect\backups\backup-20050615-203317-562.inf

I tried to remove them all incl the hookdump with Killbox
All are gone but the last one in the M drive, which did not get deleted with Killbox after 3 tries. I have not tried to simply delete it, only with Killbox. That M dive is an external USB dirve, I could even save all the other data on that drive to another drive temporarily and reformat it, or should I try to simply delete it?Actually I don"t need that whole file anymore.

Edited by kuuan, 15 June 2005 - 11:18 PM.