Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

FRUSTRATED! Please help!

Started by davenmillie , Mar 29 2005 05:03 PM

This topic is locked

#16
OldTimer

Posted 17 April 2005 - 11:47 AM

Global Moderator

Global Moderator
3,273 posts

Hey davenmillie. We still have a few infections to go here but we are making good progress. The next major infection we have to remove is called Qoologic. Please do the following:

Download FindQoologic2.zip save it to your Desktop.
Unzip Find-Qoologic2.zip to its own folder and then use Windows Explorer to navigate to that folder.
Double-click the Find-Qoologic2.bat file to run it. It will take some time so be patient.
When Notepad opens with the results in it copy/paste the entire contents of the document back here.

I will review the information when it comes in. Once we get Qoologic removed we cn clean the rest up. And who says computing isn't fun?

Cheers.

OT

#17
davenmillie

Posted 17 April 2005 - 04:23 PM

Member

Topic Starter
Member
15 posts

Ok, OT- Here’s that Qoologic2 notepad info. Not sure if you wanted another HijackThis log, so I put the latest on as well. Thanks! -Dave

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\MRZNK.DLL
* urllogic C:\WINDOWS\NKOCGE.DLL
* qoologic C:\WINDOWS\MRZNK.DLL
* qoologic C:\WINDOWS\NKOCGE.DLL
* qoologic C:\WINDOWS\UNADBEH.EXE

* ad-beh C:\WINDOWS\System32\DOURA.DLL
* ad-beh C:\WINDOWS\System32\SERYGHT.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\DXMAORB.EXE
* ad-beh C:\WINDOWS\System32\IAKZNM.EXE
* ad-beh C:\WINDOWS\System32\WGKUV.DAT
* ad-beh C:\WINDOWS\System32\WMCONFIG.CPL
* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RUIA.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
MiniMavis.lnk
ruia.exe
WinZip Quick Pick.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msxyqt
<NO NAME> REG_SZ {af0e7b41-5c6a-4d2b-90f0-f466dd0a9e0a}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msxyqtfm
<NO NAME> REG_SZ {488379ba-24d3-4e02-8b68-232b521b4f38}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 14:45
Operating System: Windows XP

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 2:54:11 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\javaon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\apizm32.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {66CB6D22-78A1-C880-862B-C3F798B2B51E} - C:\WINDOWS\system32\mseu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [apizm32.exe] C:\WINDOWS\apizm32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\RunOnce: [javaon.exe] C:\WINDOWS\javaon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_733845] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#18
OldTimer

Posted 17 April 2005 - 09:37 PM

Global Moderator

Global Moderator
3,273 posts

Hey davenmillie. Ok, let's see if we can fix this up. Please proceed with the following steps in order.

First

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
Select the option Delete on Reboot
Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
- C:\WINDOWS\MRZNK.DLL
  C:\WINDOWS\NKOCGE.DLL
  C:\WINDOWS\MRZNK.DLL
  C:\WINDOWS\NKOCGE.DLL
  C:\WINDOWS\UNADBEH.EXE
  C:\WINDOWS\System32\DOURA.DLL
  C:\WINDOWS\System32\SERYGHT.DLL
  C:\WINDOWS\System32\WINUP2~1.DLL
  C:\WINDOWS\System32\DXMAORB.EXE
  C:\WINDOWS\System32\IAKZNM.EXE
  C:\WINDOWS\System32\WGKUV.DAT
  C:\WINDOWS\System32\WMCONFIG.CPL
  C:\WINDOWS\UNADBEH.EXE
  C:\docume~1\alluse~1\startm~1\programs\startup\RUIA.EXE
In Killbox click on the File menu and then the Paste from Clipboard item
In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
Now click on the red button with a white 'X' in the middle to delete the files
Click Yes when it says all files will be deleted on the next reboot
Click Yes when it asks if you want to reboot now
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
After your system reboots, open Notepad and copy/paste the text in the quotebox below into the new document

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msxyqt]
[-HKEY_CLASSES_ROOT\CLSID\{af0e7b41-5c6a-4d2b-90f0-f466dd0a9e0a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{af0e7b41-5c6a-4d2b-90f0-f466dd0a9e0a}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msxyqtfm]
[-HKEY_CLASSES_ROOT\CLSID\{488379ba-24d3-4e02-8b68-232b521b4f38}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{488379ba-24d3-4e02-8b68-232b521b4f38}]

Save the document to your desktop as fixqoo.reg and close Notepad. Locate the fixqoo.reg file on your desktop and right-click on it
Choose Merge from the popup menu and answer Yes or Ok to any further prompts
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
  R3 - Default URLSearchHook is missing
  O2 - BHO: (no name) - {66CB6D22-78A1-C880-862B-C3F798B2B51E} - C:\WINDOWS\system32\mseu.dll
  O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
  O4 - HKLM\..\RunOnce: [javaon.exe] C:\WINDOWS\javaon.exe
  O15 - Trusted Zone: *.frame.crazywinnings.com
  O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
  O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\system32\bozhw.dll
C:\WINDOWS\system32\mseu.dll
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\javaon.exe
C:\WINDOWS\winac32.exe
Reboot and post a new HijackThis log along with a new Find-Qoologic2.bat log

I will review the new information when it comes in and then we can finish things up.

Cheers.

OT

#19
davenmillie

Posted 18 April 2005 - 09:13 AM

Member

Topic Starter
Member
15 posts

Hi OT! Here’s the latest (and hopefully greatest) HijackThis log and Qoologic log. (I did notice that the “frame.crazywinnings.com” file keeps re-appearing) Thanks mucho for all your work. My computer is already starting to act like its old self.
–Dave

Logfile of HijackThis v1.99.1
Scan saved at 8:39:59 AM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\apizm32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\d3ua.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B563B512-9C45-A24D-989F-52B597D9791F} - C:\WINDOWS\apiyi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [apizm32.exe] C:\WINDOWS\apizm32.exe
O4 - HKLM\..\RunOnce: [d3ua.exe] C:\WINDOWS\d3ua.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_422487] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
MiniMavis.lnk
WinZip Quick Pick.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 08:41
Operating System: Windows XP

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

#20
OldTimer

Posted 18 April 2005 - 02:50 PM

Global Moderator

Global Moderator
3,273 posts

Hey davenmillie. Yes, things are looking much better. The Qoologic infection is now gone. We still have a couple of persistent entires that we need to take care of so let's go after them now.

Step #1

We need to get rid of the 023 entry for the RPC Helper so let's go through the steps again:

Click Start>Run, type services.msc into the Open editbox and click the Ok button.
Locate the Remote Procedure Call (RPC) Helper service and click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.
Close the Services window

Click Start>Run, type cmd into the Open editbox and click the Ok button.
Copy/paste the line below into the Command Prompt window:
sc delete 11Fßä #•ºÄÖ`I
If you get an error message then copy/paste this line into the Command Prompt window:sc delete Remote Procedure Call (RPC) Helper
Close the Command Prompt window

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B563B512-9C45-A24D-989F-52B597D9791F} - C:\WINDOWS\apiyi.dll
O4 - HKLM\..\Run: [apizm32.exe] C:\WINDOWS\apizm32.exe
O4 - HKLM\..\RunOnce: [d3ua.exe] C:\WINDOWS\d3ua.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\apiyi.dll
C:\WINDOWS\apizm32.exe
C:\WINDOWS\d3ua.exe
C:\WINDOWS\winac32.exe (verify that this file is gone)
Step #4

Run either CleanUp! or [b]CCleaner (whichever you are using).

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps using the [b]Add Reply button and I will review it when it comes in.

If these entries or similar come back again then I want to check your computer for a rootkit infection. These do not show up in a HijackThis log but I have a tool to reveal it anyway.

Cheers.
OT

#21
davenmillie

Posted 18 April 2005 - 04:57 PM

Member

Topic Starter
Member
15 posts

Hi OT- I had problems with the last part of step#1 on your instructions… in the cmd line prompt I tried both cut and paste lines you provided, but got error messages for both. I copied the whole sequence so you could see what it looks like:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>sc delete 11Fßä #•ºÄÖ`I
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Documents and Settings\Administrator>sc delete Remote Procedure Call (RPC) He
lper
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Documents and Settings\Administrator>
--------------------------------------------------------------------------------------------

-I did follow the rest of the instructions and here’s the latest HijackThis logfile.
Thanks- Dave

Logfile of HijackThis v1.99.1
Scan saved at 4:49:18 PM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kppoj.dll/sp.html#28129
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_36537187] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#22
OldTimer

Posted 18 April 2005 - 07:46 PM

Global Moderator

Global Moderator
3,273 posts

Hey davenmillie. Well, the RPC Help service is now gone (that was the item you received the error messages about when you tried to remove it) and I like that. Plus, there is nothing running in memory anymore. We do now have another CWS infection (which probably came from the RPC Helper service). Let's remove that and try to get rid of the crazywinnings entries. Please print these directions off because we are going to reboot during the 1st step and then proceed with the following steps in order.

Step #1

If you have any of these files/programs then you do not need to download them again. If you do not have them then please do so now.

Download DelDomains.zip and unzip it to your desktop. We will be using it in Step #3.

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download the Pocket Killbox.

Step #2

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Double-click on KillBox.exe.
Click "Delete on Reboot".
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\kppoj.dll
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Delete on Reboot prompt.
Click "Yes" at the Delete next Reboot prompt.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Step #3

Locate the deldomains.inf file on your desktop and right-click on it. Choose Install from the popup menu and answer Yes or Ok to any prompts.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kppoj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kppoj.dll/sp.html#28129
O15 - Trusted Zone: *.frame.crazywinnings.com (should be gone already)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) (should be gone already)
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Now reboot your computer to finish the fix.

Step #6

Because this infection has hung on for so long I want to check for something called a rootkir infection. These types of infections do not show up in a HijackThis log and can cause the problems we have been encountering removing this infection.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:

Restart the computer in Safe Mode.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here with your new HijackThis log in the next step.

Step #7

OK. Start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps along with the C:\log.txt file contents using the Add Reply button and I will review it when it comes in.

OT

#23
davenmillie

Posted 19 April 2005 - 05:57 PM

Member

Topic Starter
Member
15 posts

Hi OT!!
I got through all the steps in your latest instructions. The only thing that gave me pause was in the last part of step #3 for the deldomains.inf file… When I right-clicked it and hit “install”, there was no Yes or OK prompt, so I don’t know if it installed or not.
Anyways- here’s the C:\log.txt report and the latest HijackThis logfile (which looks a lot cleaner! Yippee!!) -Dave

C:\Documents and Settings\Administrator\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\AUNBHO.dll: UPX!
C:\WINDOWS\system32\AUNPS.dll: UPX!
C:\WINDOWS\system32\HyperLinker.exe: UPX!
C:\WINDOWS\system32\HyperLinker3.exe: UPX!
C:\WINDOWS\system32\prutqct.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\elitetrl32.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\HijackThis.exe: UPX!
C:\WINDOWS\HLInstaller3.exe: UPX!
C:\WINDOWS\msxmidi.exe: UPX!
C:\WINDOWS\sfita.exe: UPX!
Finished
bye

Logfile of HijackThis v1.99.1
Scan saved at 5:43:31 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_106463] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#24
OldTimer

Posted 19 April 2005 - 07:27 PM

Global Moderator

Global Moderator
3,273 posts

Hey hey! Your log is clean but.... You do have a rootkit infection :tazz:

. That explains alot. Let's repair that.

Step #1

Navigate to c:\winnt\system32\ and search for these files (they might or might not be there):AUNBHO.da0
AUNBHO.cfg
AUNPS.dll.da0
AUNPS.dll.cfg
If you find them we will take care of them in Step #5.

Step #2
Download the Pocket Killbox if you don't already have it and unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Step #3

Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:C:\WINDOWS\system32\AUNBHO.dll
C:\WINDOWS\system32\AUNPS.dll
C:\WINDOWS\system32\HyperLinker.exe
C:\WINDOWS\system32\HyperLinker3.exe
C:\WINDOWS\system32\prutqct.exe
C:\WINDOWS\system32\elitetrl32.exe
C:\WINDOWS\HijackThis.exe
C:\WINDOWS\HLInstaller3.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\sfita.exe
Now go to the Killbox application and click on the File and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.

Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

You system will reboot now.

After rebooting, you might or might not get alot of error messages when applications start because these files were linked to Explorer.exe. That is normal.

Step #4

Now open Internet Explorer and go to the eTrust Antivirus Web Scanner and perform a scan. This will repair the applicaiton errors that you are receiving and clean up the rest of the infection.

Step #5

If you found any of the files listed in Step #1 then do the following, otherwise skip to Step #6.

Type or copy/paste each file into the top Full Path of File to Delete field one at a time.
Click the Delete File button which looks like a red stop sign with a white 'X' in it.
If you have not entered the last file click No at the Pending Operations prompt; after the last file is entered click Yes and allow your computer to reboot.

Step #6

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:

Restart the computer in Safe Mode.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of the new C:\log.txt file back here in the next step.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply buuton to post your new log file and the new log from rkfiles.bat back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

#25
davenmillie

Posted 20 April 2005 - 08:28 PM

Member

Topic Starter
Member
15 posts

Hi OT- I ran into a few things that I need to ask you about before I complete the steps from your last post: From Step #1 the files you wanted me to look for (AUNBHO.da0
AUNBHO.cfg
AUNPS.dll.da0
AUNPS.dll.cfg)
I didn’t find the exact file names, but I did find in c:\windows\system32
AUNBHO.dll and AUNPS.dll… do these need to go?

Also: in step #4, at the eTrust Antivirus Web Scanner site I ran the complete scan and it identified about 46 different infected files. BUT, when I hit the “cure files” button all of the different listed files said “cannot cure” next to them. Do you have specific instructions on how to get those files cleaned up?

Thanks -Dave

#26
OldTimer

Posted 20 April 2005 - 10:36 PM

Global Moderator

Global Moderator
3,273 posts

Hey davenmille. My mistake. the files to search for in Step #1 were supposed to be:AUNBHO.da0
AUNBHO.cfg
AUNPS.da0
AUNPS.cfg
The AUNPS.dll file is included in Step #2 to delete.

Can you print a report of the infected files at eTrust that cannot be cleaned? I'll take a look at them. Otherwise just delete the ones they list.

Cheers.

OT

#27
davenmillie

Posted 21 April 2005 - 05:58 PM

Member

Topic Starter
Member
15 posts

Howdy OT- well, I got through the eTrust antivirus scanner online again and this time I asked it to delete the infected files that showed up. It showed “deleted” on all but 4 files. I was able to find and delete 3 of them, but the 4th (called ceres.dll) would not delete. It kept giving the error message that it was write protected.
Anyways, here’s the log files you asked for. Thanks again! (and again) -Dave

C:\Documents and Settings\Administrator\Desktop\GeeksToGo

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
Bye

Logfile of HijackThis v1.99.1
Scan saved at 5:50:17 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_151207] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#28
OldTimer

Posted 21 April 2005 - 06:41 PM

Global Moderator

Global Moderator
3,273 posts

Hi davenmille. Well, it's been a long time coming but guess what? YOU ARE CLEAN! Good job! How are things running? Any more problems?

We have a couple of steps to perform yet but before we get to them I want to comment on the ceres.dll file. That is a bad file and you want to delete it. If you are getting a message that the file is write-protected then right-click on it and choose Properties. In the Properties Dialog box, down near the bottom should be a checkbox labeled Read-only. If this checkbox has a check in it then click in the checkbox to remove the checkmark. Click on the Ok button and then close the dialog. Try to delete the file again. If you get any error messages then try to delete it in Safe Mode. If you still cannot delete it then use Killbox to delete it on reboot. If you need directions just post back here.

Now on to the final steps.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT

#29
davenmillie

Posted 21 April 2005 - 08:07 PM

Member

Topic Starter
Member
15 posts

Old Timer, You are the BEST!! My computer is running 1000% better and I am still dumbfounded that there are people like you out there who will actually HELP folks who need it. You are like an "anti-hacker", performing random acts of kindness. I can't thank you enough. If you're ever in the Denver area, I owe you a beer (or at least a cup of coffee). Actually I owe more than that- do you remember my 1st post? I was ready to pitch my computer and start over. THANK YOU, THANK YOU, THANK YOU!!!!!! -Dave. :tazz:

#30
OldTimer

Posted 21 April 2005 - 09:10 PM

Global Moderator

Global Moderator
3,273 posts

Dave, you are very welcome. I am glad that we were able to help. I used to come to Denver about once a month but have not been there now for about 6 months. If I am ever there you can buy me that beer (or cup of coffee)

Now that your issues have been resolved I will close theis topic. If you need it re-opened for the same issue then just PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :tazz: