Help Please... Malware Problems. [RESOLVED]


  • This topic is locked
#1
Dexter777 (New Member, 7 posts)
Ok, I have no idea what's going on. All I know is AVG is saying I have trojans all over in various areas. I am also getting an about:blank page. Dreaded.

AVG Picks up these.
Trojan Horse Startpage 19.AO
Trojan Horse Downloader.Agent.OJ

My log, if anyone can help. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:38:39 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\apisr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Buck Rogers\Desktop\Fix it Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {D25A4A72-58EB-1395-AF54-321D1954EE5B} - C:\WINDOWS\system32\wineo.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [apisr.exe] C:\WINDOWS\apisr.exe
O4 - HKLM\..\RunOnce: [iejn.exe] C:\WINDOWS\iejn.exe
O4 - HKLM\..\RunOnce: [atlsa.exe] C:\WINDOWS\atlsa.exe
O4 - HKLM\..\RunOnce: [appft32.exe] C:\WINDOWS\appft32.exe
O4 - HKLM\..\RunOnce: [appcd.exe] C:\WINDOWS\system32\appcd.exe
O4 - HKLM\..\RunOnce: [adday.exe] C:\WINDOWS\adday.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\msng32.exe
O4 - HKLM\..\RunOnce: [atlpr.exe] C:\WINDOWS\system32\atlpr.exe
O4 - HKLM\..\RunOnce: [ipgu32.exe] C:\WINDOWS\ipgu32.exe
O4 - HKLM\..\RunOnce: [msta32.exe] C:\WINDOWS\msta32.exe
O4 - HKLM\..\RunOnce: [javamx32.exe] C:\WINDOWS\javamx32.exe
O4 - HKLM\..\RunOnce: [appzk32.exe] C:\WINDOWS\system32\appzk32.exe
O4 - HKLM\..\RunOnce: [iefq32.exe] C:\WINDOWS\iefq32.exe
O4 - HKLM\..\RunOnce: [atlxn32.exe] C:\WINDOWS\system32\atlxn32.exe
O4 - HKLM\..\RunOnce: [ntcp32.exe] C:\WINDOWS\system32\ntcp32.exe
O4 - HKLM\..\RunOnce: [ipml32.exe] C:\WINDOWS\ipml32.exe
O4 - HKLM\..\RunOnce: [ipnw32.exe] C:\WINDOWS\system32\ipnw32.exe
O4 - HKLM\..\RunOnce: [addof.exe] C:\WINDOWS\addof.exe
O4 - HKLM\..\RunOnce: [sdkla.exe] C:\WINDOWS\system32\sdkla.exe
O4 - HKLM\..\RunOnce: [addmm.exe] C:\WINDOWS\system32\addmm.exe
O4 - HKLM\..\RunOnce: [d3ma32.exe] C:\WINDOWS\d3ma32.exe
O4 - HKLM\..\RunOnce: [apixf32.exe] C:\WINDOWS\apixf32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com...ts/TDSERVER.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115146690593
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\iejn.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

#2
Guest_usetobe_* (Guest)
Let's get this show on the road.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY HERE
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Download a free 14 day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Set PC to show hidden files (click link if you do not know how): LINK

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click Start > Run > and type in:

services.msc

Click OK.

In the Services window, find Remote Procedure Call (RPC) Helper ( 11F#`I)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply, then OK. Exit the Services utility.


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again, following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Now run Ewido. Click on the full system scan button, select drives if you have more than one, and then start.

Grab a cup of coffee, sandwiches or a book, as this may take some time. Once the first problem is detected, ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files; OK that request, then click on Save Report. Save to the default location; it will then generate a text file. Copy that to post in this thread.


Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D25A4A72-58EB-1395-AF54-321D1954EE5B} - C:\WINDOWS\system32\wineo.dll
O4 - HKLM\..\Run: [apisr.exe] C:\WINDOWS\apisr.exe
O4 - HKLM\..\RunOnce: [iejn.exe] C:\WINDOWS\iejn.exe
O4 - HKLM\..\RunOnce: [atlsa.exe] C:\WINDOWS\atlsa.exe
O4 - HKLM\..\RunOnce: [appft32.exe] C:\WINDOWS\appft32.exe
O4 - HKLM\..\RunOnce: [appcd.exe] C:\WINDOWS\system32\appcd.exe
O4 - HKLM\..\RunOnce: [adday.exe] C:\WINDOWS\adday.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\msng32.exe
O4 - HKLM\..\RunOnce: [atlpr.exe] C:\WINDOWS\system32\atlpr.exe
O4 - HKLM\..\RunOnce: [ipgu32.exe] C:\WINDOWS\ipgu32.exe
O4 - HKLM\..\RunOnce: [msta32.exe] C:\WINDOWS\msta32.exe
O4 - HKLM\..\RunOnce: [javamx32.exe] C:\WINDOWS\javamx32.exe
O4 - HKLM\..\RunOnce: [appzk32.exe] C:\WINDOWS\system32\appzk32.exe
O4 - HKLM\..\RunOnce: [iefq32.exe] C:\WINDOWS\iefq32.exe
O4 - HKLM\..\RunOnce: [atlxn32.exe] C:\WINDOWS\system32\atlxn32.exe
O4 - HKLM\..\RunOnce: [ntcp32.exe] C:\WINDOWS\system32\ntcp32.exe
O4 - HKLM\..\RunOnce: [ipml32.exe] C:\WINDOWS\ipml32.exe
O4 - HKLM\..\RunOnce: [ipnw32.exe] C:\WINDOWS\system32\ipnw32.exe
O4 - HKLM\..\RunOnce: [addof.exe] C:\WINDOWS\addof.exe
O4 - HKLM\..\RunOnce: [sdkla.exe] C:\WINDOWS\system32\sdkla.exe
O4 - HKLM\..\RunOnce: [addmm.exe] C:\WINDOWS\system32\addmm.exe
O4 - HKLM\..\RunOnce: [d3ma32.exe] C:\WINDOWS\d3ma32.exe
O4 - HKLM\..\RunOnce: [apixf32.exe] C:\WINDOWS\apixf32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\iejn.exe" /s (file missing)


Ensure no windows are open except HJT and click FIX CHECKED.

Now, using Windows Explorer, locate the following files/folders and delete them.

C:\WINDOWS\rjkhj.dll/sp.html#93256
C:\WINDOWS\system32\wineo.dll
C:\WINDOWS\apisr.exe
C:\WINDOWS\iejn.exe
C:\WINDOWS\atlsa.exe
C:\WINDOWS\appft32.exe
C:\WINDOWS\system32\appcd.exe
C:\WINDOWS\adday.exe
C:\WINDOWS\msng32.exe
C:\WINDOWS\system32\atlpr.exe
C:\WINDOWS\ipgu32.exe
C:\WINDOWS\msta32.exe
C:\WINDOWS\javamx32.exe
C:\WINDOWS\system32\appzk32.exe
C:\WINDOWS\iefq32.exe
C:\WINDOWS\system32\atlxn32.exe
C:\WINDOWS\system32\ntcp32.exe
C:\WINDOWS\ipml32.exe
C:\WINDOWS\system32\ipnw32.exe
C:\WINDOWS\addof.exe
C:\WINDOWS\system32\sdkla.exe
C:\WINDOWS\system32\addmm.exe
C:\WINDOWS\d3ma32.exe
C:\WINDOWS\apixf32.exe


Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Run this online virus scan: ActiveScan - Save the results from the scan

Now run Ewido. Click on the full system scan button, select drives if you have more than one, and then start.

Grab a cup of coffee, sandwiches or a book, as this may take some time. Once the first problem is detected, ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files; OK that request, then click on Save Report. Save to the default location; it will then generate a text file. Copy that to post in this thread.

Carry out another HJT scan and post the log back here, so we can sort out any remnants.
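The triage the helper walks through above (spotting the res:// search hijack, the HKLM Run/RunOnce droppers, the BHO that is just named "Class", and the bogus service with a garbage name and a missing binary) can be scripted. The script below is an added example for this page, not code from the thread, from the helper, or from HijackThis. The sample lines are excerpted from the log in the first post; the heuristics (the short-lowercase-gibberish file name pattern, the "key name equals file name" rule, the service-name character check) are assumptions tuned to these logs rather than a published signature set.

```python
"""Triage a HijackThis 1.99 log for the CoolWebSearch / about:blank pattern in this
thread: IE search keys pointed at a res:// resource inside a random DLL in %WINDIR%,
HKLM Run/RunOnce droppers whose key name is just the file name, BHOs with the generic
name "Class", and a service with a garbage name and a missing binary.

Added example for this page, not code from the thread, the helper, or HijackThis.
The heuristics below are the author's assumptions tuned to these logs, not a
published signature set.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind reason path raw")

# Constructed sample: lines excerpted from the first log posted above, plus benign
# entries from the same log so the filter has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjkhj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {D25A4A72-58EB-1395-AF54-321D1954EE5B} - C:\WINDOWS\system32\wineo.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [apisr.exe] C:\WINDOWS\apisr.exe
O4 - HKLM\..\RunOnce: [iejn.exe] C:\WINDOWS\iejn.exe
O4 - HKLM\..\RunOnce: [appcd.exe] C:\WINDOWS\system32\appcd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\iejn.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

ENTRY = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
IN_WINDIR = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+$", re.I)  # directly in %WINDIR% or system32
RANDOM_NAME = re.compile(r"^[a-z]{2,8}(32)?\.(exe|dll)$")             # short lowercase gibberish, optional "32"
RUN_KEY = re.compile(r"^HKLM\\\.\.\\Run(Once)?: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")


def image_path(cmd):
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0].strip('"')


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_like_cws_file(path):
    return bool(IN_WINDIR.match(path)) and bool(RANDOM_NAME.match(basename(path).lower()))


def triage(log_text):
    """One Finding per suspicious entry; benign entries are dropped."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body, raw = m.group("kind"), m.group("body"), line.strip()
        if kind in ("R0", "R1"):
            # res://<dll>/<resource>: the file on disk is the DLL; sp.html#NNNNN is a resource inside it.
            r = re.search(r"= res://(?P<dll>[^/]+)/", body, re.I)
            if r and looks_like_cws_file(r.group("dll")):
                findings.append(Finding(kind, "IE search/start key pointed into a random DLL in %WINDIR%", r.group("dll"), raw))
        elif kind == "O2":                                 # "BHO: <name> - {CLSID} - <dll>"
            parts = body.split(" - ")
            name, dll = parts[0][len("BHO: "):].strip(), parts[-1].strip()
            if name == "Class" and looks_like_cws_file(dll):
                findings.append(Finding(kind, "BHO with generic name 'Class' loading a random DLL", dll, raw))
        elif kind == "O4":
            r = RUN_KEY.match(body)
            if r:
                exe = image_path(r.group("cmd"))
                # Legit entries use a product name as the key ([AVG7_CC]); the droppers
                # here use the file name itself ([apisr.exe]).
                if r.group("key").lower() == basename(exe).lower() and looks_like_cws_file(exe):
                    findings.append(Finding(kind, "HKLM Run/RunOnce key named after its own random file", exe, raw))
        elif kind == "O23":                                # "Service: <name> - <owner> - <image>"
            parts = body.split(" - ")
            svc, image = parts[0][len("Service: "):], parts[-1]
            reasons = []
            if re.search(r"[^\w\s()&/,'.-]", svc):
                reasons.append("non-name characters in service name")
            if image.count('"') % 2 == 1:
                reasons.append("unbalanced quote in image path")
            if "(file missing)" in image:
                reasons.append("image file missing")
            if reasons:
                findings.append(Finding(kind, "; ".join(reasons), image_path(image), raw))
    return findings


def cleanup_targets(findings):
    """Distinct on-disk paths the flagged entries reference, for the manual-delete step."""
    return sorted({f.path for f in findings if f.path})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.raw}")
    print("files referenced:", *cleanup_targets(found), sep="\n    ")
```

Run it against a saved HJT log by reading the file into `triage()`. One detail it makes explicit: a res:// URL names a DLL on disk followed by a resource inside that DLL, so `cleanup_targets()` reports `C:\WINDOWS\rjkhj.dll` rather than the full `res://...sp.html#93256` string. Treat the output as a shortlist for a human to confirm; the name pattern will also match short legitimate file names, which is why it is only applied in combination with the other signals (the key-equals-filename rule, the generic "Class" BHO name, the unquoted image path sitting directly in %WINDIR%).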

#3
Dexter777 (Topic Starter, 7 posts)
Ok, I followed all the steps you said. I'm pretty sure that I missed something. Maybe you can figure it out. Thank you for replying as well with the help you have given, although the problem is still here.

A fresh HJT log for you. AVG still picked up the
Trojan Horse Startpage 19.AO

Logfile of HijackThis v1.99.1
Scan saved at 10:26:47 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\atlkp32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Buck Rogers\Desktop\Fix it Folder\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {63491145-0DFC-8514-EE36-1EEBDABEF01C} - C:\WINDOWS\system32\sdkfb.dll
O2 - BHO: Class - {64A6BEFF-15F2-8F55-C53D-6C41009ED9DA} - C:\WINDOWS\mfckd32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {F21BD77E-0CCE-C6CD-4F85-AA3B7895988E} - C:\WINDOWS\system32\addmm.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [atlkp32.exe] C:\WINDOWS\atlkp32.exe
O4 - HKLM\..\RunOnce: [addlb32.exe] C:\WINDOWS\system32\addlb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com...ts/TDSERVER.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115146690593
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\iejn.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Also, I'd like to add: when you said to use Windows Explorer to locate the following files etc., is it OK to use Killbox to delete them? That's what I used. And I couldn't find the following:

C:\Windows\rjkhj.dll/sp.html#93256. I'm pretty sure the name of the .dll changed, so sorry, but would you please leave another step by step? Thanks in advance.

Also, forgot to add: the ".Remote Procedure Call (RPC) Helper" thing is already at Stopped. I've tried disabling it; it goes back to Automatic.

Edited by Dexter777, 26 July 2005 - 09:36 PM.


#4
Guest_usetobe_* (Guest)
Please post the ewido and Panda ActiveScan logs.

#5
Dexter777 (Topic Starter, 7 posts)
Ok, will do.

Edited by Dexter777, 29 July 2005 - 02:00 AM.


#6
Guest_usetobe_* (Guest)
Any progress?

#7
Dexter777 (Topic Starter, 7 posts)
Hi, I posted once before, but I can't seem to find my post (sorry, forgot to bookmark it). I forget who helped me, but they asked for logs, so I'll just do a fresh log of everything. It's about:blank / CoolWebSearch. I cannot seem to get rid of it. Any help is appreciated. Thanks.

-HJT

Logfile of HijackThis v1.99.1
Scan saved at 5:59:27 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sysfd32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Documents and Settings\Buck Rogers\Desktop\Fix it Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {24EDB288-AF4A-18FA-270B-627C10F2632F} - C:\WINDOWS\system32\appej.dll
O2 - BHO: Class - {59594E13-4234-38BB-AF53-DC72A5E929B3} - C:\WINDOWS\system32\msiu32.dll
O2 - BHO: Class - {97E89C20-AC50-9DBF-2ABE-64CC06E86D54} - C:\WINDOWS\ipxg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {B75BCD02-ABA7-9B5A-4478-A8AD97904CAC} - C:\WINDOWS\addlx32.dll
O2 - BHO: Class - {B907FD48-75C1-78A0-3DCB-EE61C88E7FE9} - C:\WINDOWS\sdkat.dll
O2 - BHO: Class - {E4D353C5-F038-4827-9CDA-ABDCF49E5AB5} - C:\WINDOWS\appsq32.dll
O2 - BHO: Class - {FBB1288E-F9DA-63B6-535A-91E59402B4CE} - C:\WINDOWS\sysxi32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [sysfd32.exe] C:\WINDOWS\sysfd32.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunOnce: [mfcep32.exe] C:\WINDOWS\mfcep32.exe
O4 - HKLM\..\RunOnce: [mskz32.exe] C:\WINDOWS\system32\mskz32.exe
O4 - HKLM\..\RunOnce: [crfl32.exe] C:\WINDOWS\crfl32.exe
O4 - HKLM\..\RunOnce: [winqh32.exe] C:\WINDOWS\system32\winqh32.exe
O4 - HKLM\..\RunOnce: [iefo32.exe] C:\WINDOWS\system32\iefo32.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com...ts/TDSERVER.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115146690593
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\mfcep32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


About:blank 5
AboutBuster 5.0 reference file 28
Scan started on [8/1/2005] at [9:55:15 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\amvpi.log:ygwid
Removed Stream! C:\WINDOWS\cjjjn.txt:fecbxg
Removed Stream! C:\WINDOWS\comsetup.log:cdvam
Removed Stream! C:\WINDOWS\gbjvq.txt:omaas
Removed Stream! C:\WINDOWS\iswpm.log:cltup
Removed Stream! C:\WINDOWS\KB820291.log:smuok
Removed Stream! C:\WINDOWS\KB822603.log:lisjs
Removed Stream! C:\WINDOWS\KB823182.log:dpysa
Removed Stream! C:\WINDOWS\KB828035.log:cgyqf
Removed Stream! C:\WINDOWS\KB888113.log:udjmx
Removed Stream! C:\WINDOWS\mgfjp.dat:kimxg
Removed Stream! C:\WINDOWS\pjoof.log:csrjyo
Removed Stream! C:\WINDOWS\pjoof.log:fkoav
Removed Stream! C:\WINDOWS\pxqdn.log:plyfpd
Removed Stream! C:\WINDOWS\Q810243.log:hrrmn
Removed Stream! C:\WINDOWS\Q811114.log:ilrsro
Removed Stream! C:\WINDOWS\qsvng.txt:yooegz
Removed Stream! C:\WINDOWS\Rhododendron.bmp:dufpy
Removed Stream! C:\WINDOWS\setupapi.log:mjvutr
Removed Stream! C:\WINDOWS\setuperr.log:emsad
Removed Stream! C:\WINDOWS\SetupPestPatrolBeta.mif:gktlo
Removed Stream! C:\WINDOWS\system.ini:zkknc
Removed Stream! C:\WINDOWS\tabletoc.log:qruxq
Removed Stream! C:\WINDOWS\twscw.txt:yooegz
Removed Stream! C:\WINDOWS\UNNMP.cfg:wpbsah
Removed Stream! C:\WINDOWS\uvugo.log:oquxvr
Removed Stream! C:\WINDOWS\vjcem.txt:mzoob
Removed Stream! C:\WINDOWS\win.ini:fzguv
Removed Stream! C:\WINDOWS\yxzob.txt:bxkmaq
------------------------------------------------
Removed File! : C:\Windows\gdrds.dat
Removed File! : C:\Windows\hsuuk.dat
Removed File! : C:\Windows\hypmx.dat
Removed File! : C:\Windows\savdd.dat
Removed File! : C:\Windows\selxv.dat
Removed File! : C:\Windows\System32\bzwaw.dat
Removed File! : C:\Windows\System32\coobn.dat
Removed File! : C:\Windows\System32\cwiku.dat
Removed File! : C:\Windows\System32\lfrcj.dat
Removed File! : C:\Windows\System32\xfwto.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:04:51 PM


-Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:53:22 PM, 8/1/2005
+ Report-Checksum: 81853064

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 62231
+ Speed: 26.28 Files/Second
+ Infected files: 9
+ Removed files: 9
+ Files put in quarantine: 9
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@search123[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Buck Rogers\Cookies\buck rogers@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

Panda Antivirus didn't work for me.. It would not scan..
  • 0

#8
Guest_usetobe_*
  • Guest
This is a nasty infection, and we might have to run through this fix numerous times depending on if it reinfects you (which it is supposed to do). Please stick with me. We will fix this!

Please take the following steps:

Set pc to show hidden files.

IMPORTANT Be sure all browser and explorer windows are closed.

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find .Remote Procedure Call (RPC) Helper (11F#`I)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Press Ctrl+Alt+Delete to start the Task Manager. If you find Network Security Service in this list, select it and end the task.

Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select
if present:

CRRH32.EXE
NETYR32.EXE

and click on "Kill process". Answer Yes to the "Are you sure..." question.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {59594E13-4234-38BB-AF53-DC72A5E929B3} - C:\WINDOWS\system32\msiu32.dll
O2 - BHO: Class - {97E89C20-AC50-9DBF-2ABE-64CC06E86D54} - C:\WINDOWS\ipxg.dll
O2 - BHO: Class - {B75BCD02-ABA7-9B5A-4478-A8AD97904CAC} - C:\WINDOWS\addlx32.dll
O2 - BHO: Class - {B907FD48-75C1-78A0-3DCB-EE61C88E7FE9} - C:\WINDOWS\sdkat.dll
O2 - BHO: Class - {E4D353C5-F038-4827-9CDA-ABDCF49E5AB5} - C:\WINDOWS\appsq32.dll
O2 - BHO: Class - {FBB1288E-F9DA-63B6-535A-91E59402B4CE} - C:\WINDOWS\sysxi32.dll
O4 - HKLM\..\Run: [sysfd32.exe] C:\WINDOWS\sysfd32.exe
O4 - HKLM\..\RunOnce: [mfcep32.exe] C:\WINDOWS\mfcep32.exe
O4 - HKLM\..\RunOnce: [mskz32.exe] C:\WINDOWS\system32\mskz32.exe
O4 - HKLM\..\RunOnce: [crfl32.exe] C:\WINDOWS\crfl32.exe
O4 - HKLM\..\RunOnce: [winqh32.exe] C:\WINDOWS\system32\winqh32.exe
O4 - HKLM\..\RunOnce: [iefo32.exe] C:\WINDOWS\system32\iefo32.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\mfcep32.exe" /s (file missing)


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode.

Using WINDOWS EXPLORER locate and delete the following if found:

C:\WINDOWS\ahvcz.dll/
C:\WINDOWS\system32\msiu32.dll
C:\WINDOWS\ipxg.dll
C:\WINDOWS\addlx32.dll
C:\WINDOWS\sdkat.dll
C:\WINDOWS\appsq32.dll
C:\WINDOWS\sysxi32.dll
C:\WINDOWS\sysfd32.exe
C:\WINDOWS\mfcep32.exe
C:\WINDOWS\system32\mskz32.exe
C:\WINDOWS\crfl32.exe
C:\WINDOWS\system32\winqh32.exe
C:\WINDOWS\system32\iefo32.exe


(also delete any *.dat files with the same name as any of the above *.exe files)

While still in Safe Mode, finish the cleanup process by running through the rest of these steps:

From the Start Menu, choose "Run" and type Regedit then click "Ok".
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
and highlight Root in the Left Pane. In the right pane, look for these entries:

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right pane and choose Delete.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the "Permission" menu option under "Security" or "Edit". Uncheck "Allow inheritable permissions" and press "copy". Then click on everyone and put a checkmark in "full control". Then press "Apply" and "Ok" and attempt to delete the key again.

Exit regedit, and restart your computer in Normal Mode.

To remove the remainder of the files this exploit deposits, run this Online AntiVirus scan, removing all it finds:

Trend

=== Check ActiveX Settings ===
Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press "Default level", then "Ok".
Now press "Custom Level."
In the ActiveX section, set the first option, "Download signed controls", to "Prompt"; set the second option, "Download unsigned controls", to "Disable"; and finally, set "Initialize and Script ActiveX controls not marked as safe" to "Disable".


=== Replace Deleted Files ===
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywarein...es.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press "Restore Original Hosts" and press "Ok"
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX Security Settings in IE as recommended.

Download Adaware SE and update it (the Globe icon, then Connect).

Next, go to Settings (the gear icon at the top) and then "Scanning" and checkmark these items so they will be green:
"Scan within archives"
"Scan my IE Favorites for banned URLS"
"Scan my hosts file"

Then click "Proceed" to save settings.

Click on "Tweak" next. And checkmark to make this green also:
"Automatically try to unregister objects prior to deletion"

Click on "Proceed"

Next, from the main screen, click on "Perform Full System Scan". Uncheck "Search for negligible risk entries" and click on "Next". Eliminate all that Ad-aware finds.

Checkmark any items found after scanning to remove them (this actually puts them in quarantine, so you can recover any from backup that should not have been removed).

Restart your computer after cleaning with AdAware SE and scan again. Repeat the process until no further items are found as bad.

Run HiJackThis and post a new log in this thread.
  • 0
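The whole fix above is driven by reading the HijackThis log for this variant's signatures: R0/R1 search and start pages served out of a `res://` DLL, a missing URLSearchHook, BHOs registered under the bare name "Class", Run/RunOnce keys launching random-named executables straight from C:\WINDOWS, and a service with an unknown owner whose binary is missing. As an added example (not a tool from this thread or from the HijackThis project), the following Python script encodes those signatures as triage rules and runs them over entries copied from the logs posted in this thread; the benign lines it is checked against (the Adobe BHO, the AVG run key and service, the ATI service), the rule wording and the small known-good allowlist are assumptions made for the example.

```python
"""Triage a HijackThis log for the CoolWebSearch "about:blank" indicators
the thread above walks through by hand.

Added example, not part of the thread or of HijackThis itself. The rule set
and the KNOWN_GOOD_WINDIR_EXES allowlist are assumptions tuned to this variant.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries copied from the logs posted in this thread, plus
# benign lines (Adobe BHO, AVG run key and service, ATI service) that must
# not be flagged.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahvcz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {59594E13-4234-38BB-AF53-DC72A5E929B3} - C:\WINDOWS\system32\msiu32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [sysfd32.exe] C:\WINDOWS\sysfd32.exe
O4 - HKLM\..\RunOnce: [mfcep32.exe] C:\WINDOWS\mfcep32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\mfcep32.exe" /s (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# R0/R1: IE search or start page served out of a local DLL resource.
RES_DLL = re.compile(r"^R[0-3] - .*= res://(?P<dll>[^/]+\.dll)/", re.I)
# O2: BHO whose only name is the generic "Class".
GENERIC_BHO = re.compile(r"^O2 - BHO: Class - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
# O4: Run/RunOnce launching a bare .exe straight out of C:\WINDOWS or system32.
WINDIR_RUN = re.compile(
    r"^O4 - HKLM\\\.\.\\Run(?:Once)?: \[[^\]]+\] "
    r"(?P<path>C:\\WINDOWS\\(?:system32\\)?[^\\\s]+\.exe)$", re.I)
# O23: service with no recognised owner whose binary is not on disk.
MISSING_SERVICE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - Unknown owner - (?P<path>.+?\.exe).*\(file missing\)$", re.I)

# Assumed, deliberately short allowlist of Windows-directory executables that
# legitimately appear under Run on XP; extend it from your own clean baseline.
KNOWN_GOOD_WINDIR_EXES = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    entry: str        # the HijackThis line that triggered the rule
    reason: str       # why it is suspicious
    path: str = ""    # file on disk the entry points at, if any


def triage(log_text: str) -> List[Finding]:
    """Suspicious entries: direct rule hits in log order, then contextual hits."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    res_hits = 0
    for ln in lines:
        if m := RES_DLL.match(ln):
            res_hits += 1
            findings.append(Finding(ln, "IE search/start page served from a local DLL resource", m["dll"]))
        elif ln.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(Finding(ln, "default URLSearchHook removed (search redirection)"))
        elif m := GENERIC_BHO.match(ln):
            findings.append(Finding(ln, "BHO registered with no product name", m["path"]))
        elif m := WINDIR_RUN.match(ln):
            exe = m["path"].rsplit("\\", 1)[-1].lower()
            if exe not in KNOWN_GOOD_WINDIR_EXES:
                findings.append(Finding(ln, "autorun launching an executable straight from the Windows directory", m["path"]))
        elif m := MISSING_SERVICE.match(ln):
            findings.append(Finding(ln, "service with unknown owner pointing at a missing binary", m["path"]))
    # about:blank as the default page is harmless on its own; flag it only when
    # the same log also shows res:// redirection, as it does in this variant.
    if res_hits:
        for ln in lines:
            if ln.startswith("R1 - ") and ln.lower().endswith("= about:blank"):
                findings.append(Finding(ln, "about:blank default page alongside res:// redirection"))
    return findings


def referenced_files(findings: List[Finding]) -> List[str]:
    """Unique on-disk paths the flagged entries point at, sorted case-insensitively."""
    return sorted({f.path for f in findings if f.path}, key=str.lower)


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LOG)
    for f in hits:
        print(f"[{f.reason}]\n    {f.entry}")
    print("\nFiles to verify on disk:")
    for p in referenced_files(hits):
        print("   ", p)
```

Run it on a saved log with `triage(open(path).read())`; `referenced_files` returns the on-disk paths the flagged entries point at, which is the same list the post above has the user delete in Safe Mode once the service is stopped. The rules are tuned to this variant, so treat hits as entries to verify against a clean baseline rather than as an automatic delete list.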

#9
Dexter777
    New Member
  • Topic Starter
  • Member
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:33:45 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Buck Rogers\Desktop\Fix it Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com...ts/TDSERVER.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115146690593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Fresh HJT log.. So far everything seems to be running again! I would really like to thank you for your time.. Hopefully my HJT log is good.. and I won't need to mess with this anymore!! Again THANK YOU!!!!!!!!
  • 0

#10
Guest_usetobe_*
  • Guest
From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0
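The MVPS Hosts file tip above works by mapping ad and tracking hostnames to 127.0.0.1, while the "Restore Original Hosts" step earlier in the thread exists because the same file can be edited the other way round, pointing hostnames you rely on at some other address. As an added example (not from this thread, MVPS or the Hoster tool), the following Python script parses a HOSTS file and separates blocking entries (loopback or 0.0.0.0 targets) from remote redirections, which are the lines worth a second look; the sample file is constructed, the hostnames in it are illustrative, and the remote address is a documentation-range placeholder, not an observed one.

```python
"""Audit a HOSTS file: blocking entries versus remote redirections.

Added example, not part of the thread. The sample file below is constructed;
203.0.113.9 is a documentation-range (TEST-NET-3) placeholder address.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.test     # MVPS-style blocking entry
0.0.0.0    tracker.example.test          # some lists use 0.0.0.0 instead
203.0.113.9   windowsupdate.microsoft.com  # constructed: update site redirected away
203.0.113.9   www.example-av-vendor.test   # constructed: vendor site redirected away
"""


@dataclass
class HostsEntry:
    address: str
    hostnames: List[str]
    lineno: int


@dataclass
class HostsReport:
    blocking: List[HostsEntry] = field(default_factory=list)   # -> loopback / unspecified
    redirects: List[HostsEntry] = field(default_factory=list)  # -> any other address
    malformed: List[int] = field(default_factory=list)         # line numbers that did not parse


def parse_hosts(text: str) -> List[HostsEntry]:
    """Split a HOSTS file into (address, hostnames) entries, dropping comments."""
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append(HostsEntry(parts[0], parts[1:], n))
    return entries


def audit_hosts(text: str) -> HostsReport:
    """Classify each entry; the stock '127.0.0.1 localhost' line is ignored."""
    report = HostsReport()
    for e in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(e.address)
        except ValueError:
            report.malformed.append(e.lineno)
            continue
        if not e.hostnames:
            report.malformed.append(e.lineno)
            continue
        if ip.is_loopback and e.hostnames == ["localhost"]:
            continue  # the one line a clean Windows HOSTS file carries
        if ip.is_loopback or ip.is_unspecified:
            report.blocking.append(e)
        else:
            report.redirects.append(e)
    return report


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(r.blocking)} blocking entries, {len(r.redirects)} remote redirections")
    for e in r.redirects:
        print(f"  line {e.lineno}: {', '.join(e.hostnames)} -> {e.address}")
```

Blocking entries are what the MVPS list adds on purpose; a remote redirection is never something a block list produces, so every line in `redirects` should be one you or your administrator put there deliberately.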

#11
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0