
Explorer & IE Crippled...Help! [RESOLVED]


  • This topic is locked

#16
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Hi,

csrss.exe is in c:\WINNT\ServicePackFiles\i386 and CSRSS.exe is in c:\WINNT\system32.

iexplore.exe is in c:\WINNT\ServicePackFiles\i386 and c:\Program Files\Internet Explorer.

As it stands I can't get into the control panel (no browsing is possible in the file system, I'm afraid, and the connections aren't accessible in Safe Mode at all)... :tazz:

Is there a way to do this using the Command Prompt?

Here is the other log you asked for...

C:\unzipped\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\msexnpfi.exe: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


Thanks again
Colm

#17
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I'm not understanding why you can't get into the control panel from "new task" in Task Manager. What exactly does it say when you click "new task" then type control?

I need you to delete the file in bold:

C:\WINNT\system32\msexnpfi.exe

I also need you to open HiJackThis. Click "View list of backups", put a check next to everything in that window and click "restore". Then reboot and post a new HiJackThis log.

I did find two copies of iexplore.exe in different folders and replaced one with the other but I also found two copies of explorer.exe

Both of those locations of iexplore.exe are completely legit, there was no need to replace one with the other. Did you do anything with explorer.exe?

The virus you read up is not in your system. Did you do anything else with any of your system files? Is there anything else you did to the system besides what you've posted here?

#18
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Hi there,

It says:

"Cannot find the file '(null)' (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

I will delete the file and restore the HJT backups as soon as I can and will try to post the new log this evening (I may be away from the computer for the weekend so apologies in advance if I can't post sooner).

As for the Internet Explorer files, I know AntiVir had picked up on an infection but IE was still inoperable, so when I came across this description I decided to see if this would solve it (A little knowledge is a dangerous thing!) and worst case IE still wouldn't work; it is only a program file I intend to get rid of anyway.

That said I wasn't going to touch Explorer unless someone with real knowledge of these things said it was a good idea.

As for the System files, I had the Smitfraud.C hijacker before and followed a set of instructions to remove it, not sure what that would do to the system really, I don't think there was anything else I did.


I am sorry that I'm such a pain, I realise that if I was a complete novice then this would probably be much simpler to fix so I'm sorry to you (both) for the hassle...

Back ASAP
Colm

#19
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Also, go to "new task", type cmd Then type control into the black window and hit enter. Does the control panel open then?

#20
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Me again,
Logfile of HijackThis v1.99.1
Scan saved at 17:15:48, on 15/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\cmd.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {00940338-283A-958B-BD44-3DF5D827FC41} - C:\WINNT\system32\syseg.dll (file missing)
O2 - BHO: Class - {09654538-575D-CAF1-092C-D9EFEDA52D3E} - C:\WINNT\d3vo32.dll
O2 - BHO: Class - {22899D9C-F6B1-2839-5062-6E4569A8BE67} - C:\WINNT\ntso.dll (file missing)
O2 - BHO: Class - {3B08A512-4197-8507-2FEA-CB55C2E0FF49} - C:\WINNT\netpy32.dll (file missing)
O2 - BHO: Class - {429E6A82-518F-E35D-3A26-9EE2CBB2AEAD} - C:\WINNT\atlrm32.dll (file missing)
O2 - BHO: Class - {589E7E09-3425-BAD2-24E4-12E0E7087440} - C:\WINNT\ntzi32.dll (file missing)
O2 - BHO: Class - {6251FEA0-8A2F-5960-41DE-9090971210C3} - C:\WINNT\system32\sdkky32.dll (file missing)
O2 - BHO: Class - {6D1738D7-BF1E-8255-0FEA-4A6CEE9377E1} - C:\WINNT\system32\atljm.dll (file missing)
O2 - BHO: (no name) - {9DD8538B-70C1-E876-7FC6-CF6EE85DC958} - C:\WINNT\d3vo32.dll
O2 - BHO: Class - {A23F1F74-28CD-03FF-FA38-176F6F744C65} - C:\WINNT\system32\nethp.dll (file missing)
O2 - BHO: Class - {AE7F291B-D83B-5AD0-87A3-18EF11C6486C} - C:\WINNT\system32\ntbm.dll (file missing)
O2 - BHO: Class - {B64BFA6B-19B2-0573-4E13-411F69C173BB} - C:\WINNT\apicm.dll (file missing)
O2 - BHO: Class - {BB1EE591-B197-27E4-A3EA-4A452B62F425} - C:\WINNT\ipum.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [netmz32.exe] C:\WINNT\system32\netmz32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ntub32.exe] C:\WINNT\ntub32.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


Thanks
Colm
I deleted the file and restored all the hjt backups, I will post the log below.

The same error message comes up when I use the Command Prompt to access the Control Panel. Since I did the restore Explorer will not work when I boot into Safe Mode, it is generating an error message apparently identical to the one for Internet Explorer...

#21
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Do you know what this file is?

[ChangeICON] C:\WINNT\SPMSMON.EXE

I don't know that I like the sound of ChangeICON...

Now, I can see the infections. You have Wareout rootkit along with coolwebsearch and some other random files.

I need to know what you can do on your computer. Explorer does load, but you can't use the icons or the start button correct?

This is going to be extremely hard to fix when you can't access the Internet or the control panel.
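Michelle reads the infections straight off the log posted above: the R1 search pages pointed at a local DLL through res://, the long list of BHO entries, the Run entries named after their own executable, the two foreign DNS servers in the O17 lines and the service with an unknown owner. The script below is an added example, not code from the thread or from HijackThis, that applies the same checks mechanically to HijackThis-style log lines so they can be run over a log before a helper looks at it. The resolver allowlist and the 192.0.2.53 placeholder are assumptions; the sample lines are taken from the logs in this thread.

```python
"""Triage rules for HijackThis-style log lines.

Added example for this thread (not HijackThis' own code and not posted by
anyone in the thread). It flags: search/start pages pointed at a local DLL
via res://, BHO entries whose DLL is missing or lives outside Program Files,
Run entries launching an executable straight from the Windows directory or
named after their own executable, O17 DNS servers not on an allowlist, and
O23 services with an unknown owner.
"""
import re
from dataclasses import dataclass

# Assumption: the allowlist holds the resolvers the machine is meant to use.
# 192.0.2.53 is a documentation-range placeholder, not a real server.
TRUSTED_DNS = {"192.0.2.53"}

# Constructed sample: a subset of the lines from the logs posted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jpxiw.dll/sp.html#28129
O2 - BHO: Class - {00940338-283A-958B-BD44-3DF5D827FC41} - C:\WINNT\system32\syseg.dll (file missing)
O2 - BHO: Class - {09654538-575D-CAF1-092C-D9EFEDA52D3E} - C:\WINNT\d3vo32.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [netmz32.exe] C:\WINNT\system32\netmz32.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\addmp32.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*"?(?P<exe>[^"]+?\.exe)"?', re.I)
WINDOWS_TREE = ("c:\\winnt\\", "c:\\windows\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _check_run_entry(body):
    """Return a reason string for a suspicious O4 Run entry, else None."""
    m = RUN_RE.search(body)
    if not m:
        return None
    name, exe = m.group("name").strip(), m.group("exe").strip()
    folder, _, base = exe.rpartition("\\")
    if exe.lower().startswith(WINDOWS_TREE):
        if folder.lower() in ("c:\\winnt", "c:\\windows"):
            return "Run entry launches an executable placed directly in the Windows directory"
        if name.lower() == base.lower():
            return "Run value named after its own executable (pattern seen in this log)"
    return None


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Run every rule over the log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section.startswith("R") and "res://" in body:
            reason = "IE search/start page redirected into a local DLL resource"
        elif section == "O2":
            if "(file missing)" in body:
                reason = "BHO registered but its DLL is missing (stale or partly cleaned entry)"
            else:
                path = body.rsplit(" - ", 1)[-1].strip()
                if not path.lower().startswith("c:\\program files\\"):
                    reason = "BHO DLL outside Program Files: " + path
        elif section == "O4":
            reason = _check_run_entry(body)
        elif section == "O17":
            # handles both the comma- and the space-separated NameServer form
            rogue = [ip for ip in IP_RE.findall(body) if ip not in trusted_dns]
            if rogue:
                reason = "DNS server(s) not on the allowlist: " + ", ".join(rogue)
        elif section == "O23" and "Unknown owner" in body:
            reason = "service with unknown owner"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run on the sample it reports seven findings and leaves the about:blank page, the AntiVir entries, mobsync.exe and ctfmon.exe alone. The rules are heuristics in the same spirit as the helper's reading; a legitimate BHO outside Program Files still needs a human decision, which is why each finding carries the original line.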

#22
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Hi there,

I have no idea what that file is but I agree with you about not liking the sound of it.

You are correct about what I can't use, I have been using Safe Mode to locate files I need to use and using Command Prompt or Task Manager to access them in Normal Mode (Regedit was accessible this way though). I figured the inability to connect to the internet was going to be an issue alright :(

I do have a removable memory card which I have been using to install and run various items as they were required... It's about the only good news I have really (it's the only way I've been able to post logs etc.).

When I installed Firefox I tried to recreate my dial-up connection using Safe Mode but it crashed (surprise). Is there any way I can use Firefox to try and prompt my dial-up connection?

It would also explain why CWShredder hasn't finished a scan properly since this nightmare began!!

I know this hasn't exactly brightened up your day but I'm very grateful for all the help you're giving me already and if there's more to come then I'll be even more thankful (no pressure :tazz: )!!

Colm

Edited by cosmidnight, 18 July 2005 - 05:58 AM.


#23
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Me again,

I'm just wondering should I run AntiVir, Spybot & Ad-Aware again?

I ran them in Safe Mode first the last time, I can download newer versions I hope and install them, effectively updating the existing systems (or should I just run them as is first?).

Or will this just mess things up again?

May not be able to get to computer again tomorrow, thanks again for the patience!!

Colm

Edited by cosmidnight, 18 July 2005 - 10:44 AM.


#24
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Run HiJackThis. Place a check next to the following item and click FIX CHECKED:

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110


Close HiJackThis.

Then let's do this to see if it helps your connection any...

Open Task Manager, click "new task" - type:

cmd

hit OK

type:

ipconfig /flushdns

then hit Enter, then type exit and hit Enter.
(that space between g and / is needed)

Then do this, save it where you can get to it to open it - you can do it in Safe Mode, if it's easier for you.

Copy everything in the code box below (starting with REGEDIT4) and paste it into notepad. Go to "File > Save As..." then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixwo.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Open fixwo.reg and when asked if you want to merge with the registry click YES.

This will uncover hidden files put there by Wareout. Then I need you to run RkFiles again and post the log.
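The two lines under the Winlogon key in fixwo.reg do two different things: `"System"=-` deletes the "System" value and `"System"=""` recreates it as an empty string, which is the standard REGEDIT4 syntax for "remove this value" and "set this value". Because a .reg file is merged with no review step, it is worth being able to read off exactly what one will do before double-clicking it. The script below is an added example, not a tool from the thread or from any of the programs it mentions: a parser for the REGEDIT4 / "Windows Registry Editor Version 5.00" text format that turns a file into a list of operations. The sample input is the fixwo.reg posted above; the second test input with a dword and hex value is constructed.

```python
"""Audit a Windows .reg file before merging it.

Added example for this thread (not posted by anyone in it). It parses the
REGEDIT4 / "Windows Registry Editor Version 5.00" text format into a list
of operations so the effect of a fix such as fixwo.reg can be read off
before it is merged: "System"=- deletes the Winlogon "System" value and
"System"="" recreates it empty.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the fix posted in the thread above.
FIXWO_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


@dataclass
class RegOp:
    action: str                  # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None   # None for key-level ops; "" is the (Default) value
    value: object = None


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(lines):
    """Join hex(...) continuation lines that end in a backslash."""
    buf = ""
    for raw in lines:
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1].strip()
            continue
        yield buf + s
        buf = ""
    if buf:
        yield buf


def _decode_data(data):
    if data == "-":
        return "delete_value", None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "set_value", _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return "set_value", int(data[6:], 16)
    if data.lower().startswith("hex"):            # hex: or hex(N): byte list
        payload = data.split(":", 1)[1]
        return "set_value", bytes(int(b, 16) for b in payload.split(",") if b.strip())
    raise ValueError("unsupported value syntax: " + data)


def parse_reg(text):
    """Return the list of RegOp a .reg file would apply, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Registry Editor header")
    ops, key = [], None
    for line in _logical_lines(lines[1:]):
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if m.group("minus"):          # [-HKEY...] removes the whole key
                ops.append(RegOp("delete_key", key))
                key = None
            continue
        if key is None:
            raise ValueError("value line outside any key: " + line)
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        name = "" if m.group("default") else _unescape(m.group("name"))
        action, value = _decode_data(m.group("data").strip())
        ops.append(RegOp(action, key, name, value))
    return ops


def describe(ops):
    """Human-readable one-liners, e.g. for printing before merging."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"delete key {op.key}")
        elif op.action == "delete_value":
            out.append(f"delete value {op.name!r} under {op.key}")
        else:
            out.append(f"set value {op.name!r} under {op.key} to {op.value!r}")
    return out


if __name__ == "__main__":
    for text in describe(parse_reg(FIXWO_REG)):
        print(text)
```

For fixwo.reg the output is the two operations in order, a delete of "System" under the Winlogon key followed by a set of the same value to an empty string. The parser refuses files without a header and lines that sit outside any key, which are the two ways a pasted fix most often goes wrong.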

#25
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Can I just open by saying how great you are?!!

I am now able to use my Desktop & Start Menu as normal, IE seems to be working too(although I am using Firefox anyway), and I am as we speak updating my AntiVir, Spybot & Ad-Aware!! It's miraculous :tazz:

My system is exhibiting symptoms of other infections still though e.g. random INFO System Messages with garbled text which won't stop unless I use Task Manager & trying to warn me that my system is infected and would I like to learn more about removing it (is that a part of Smitfraud.C, which has been on this computer in the past?) and stopping NOTIFIER.exe from starting using the same error message as before when I ran my AntiVir update.

My AVGuard is up and running too and warning me about ASOBA.dll which it says is TR/StartPA.DU.DLL.1 and it just seems to keep coming back?!

Here is the log file you asked for

C:\unzipped\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


Not sure it's much help though!

I'll leave it in your capable hands before I go running scans again (as this didn't seem to help much last time!!) and I should now be able to post more frequently (thank you, thank you, thank you!).

Did I say thanks? ;)

Colm

#26
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Oh that is such a relief!! :tazz:

Ok, please post a new HiJackThis log for me (make sure that you haven't fixed anything else except what I specified) and we will get on to the other infections to get you fixed up!! ;)

#27
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Here's the logfile, thanks for the quick reply

Logfile of HijackThis v1.99.1
Scan saved at 17:49:22, on 22/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\addmp32.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\netmz32.exe
C:\WINNT\SPMSMON.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AVPersonal\INETUPD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {70562F75-241E-A46B-7CDD-417F8EF270C5} - C:\WINNT\apicj32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [netmz32.exe] C:\WINNT\system32\netmz32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ntub32.exe] C:\WINNT\ntub32.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\addmp32.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

#28
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok great! I will be back as soon as possible with a pretty long fix!

#29
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please read through the instructions before you start (you may want to print this out). They all need to be followed!

Please download and install these programs - don't run them yet!!

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.

Please download and install AD-Aware.
Check Here on how to set up and use it - please make sure you update it first.

Download and unzip HSfix to your desktop.
http://users.pandora...tools/HSfix.zip

Download CW-Shredder at the link below:
http://cwshredder.ne.../CWShredder.exe

Download CleanUp!

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Network Security Service ( 11F#`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\asoba.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {70562F75-241E-A46B-7CDD-417F8EF270C5} - C:\WINNT\apicj32.dll

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe

O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\addmp32.exe


4. Delete the following files and folders if present:
If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked; if it is, uncheck it and try again.

C:\WINNT\system32\asoba.dll
C:\WINNT\addmp32.exe
C:\wp.exe
C:\wp.bmp
C:\Program Files\WareOut <-Whole Folder
C:\WINNT\apicj32.dll

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

5. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

6. Scan with AdAware and let it remove any bad files found.

7. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program

8. Double click on the HSfix.reg and when asked to merge say yes.

9. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

10. Reboot into normal mode.

Post a fresh Hijack This log to see how we did. :tazz:

#30
cosmidnight

    Member

  • Topic Starter
  • Member
  • 24 posts
Me again,

I have followed your instructions and things seem to be running much better, thanks, although CleanUp! wouldn't let me check the "Delete Prefetch Files" option but other than that it went pretty smoothly!! :tazz:

Here are the logs you asked for :

AboutBuster 5.0 reference file 31
Scan started on [23/07/2005] at [14:25:23]
------------------------------------------------
Removed Stream! C:\WINNT\Coffee Bean.bmp:nbshqe
Removed Stream! C:\WINNT\COM+.log:zfikby
Removed Stream! C:\WINNT\desktop.ini:pkvzuw
Removed Stream! C:\WINNT\desktop.ini:rgsqvj
Removed Stream! C:\WINNT\Zapotec.bmp:rybmbn
Removed Stream! C:\WINNT\Zapotec.bmp:tcmpqc
Removed Stream! C:\WINNT\Zapotec.bmp:ucomay
Removed Stream! C:\WINNT\_default.pif:bggcrf
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 14:25:25


and my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 14:56:04, on 23/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINNT\system32\wuauclt.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ntub32.exe] C:\WINNT\ntub32.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [netmz32.exe] C:\WINNT\system32\netmz32.exe
O4 - HKLM\..\Run: [ietc32.exe] C:\WINNT\ietc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


Thanks again,
Colm





