Are you getting the res:// homepage hack


20 replies to this topic

#1 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 12:11 PM

This is what you do to remove this NASTY bugger ...

Download and get SPYBOT SEARCH AND DESTROY, HIJACKTHIS, and WEBROOT SPY SWEEPER ... INSTALL all 3 and make sure all are up to date ... I also recommend Ad-Aware ( and recent updates as well ) ... once you have all these and they are all working and up to date ... follow this list of things to remove the BUGGER ...

1) open your browser ... I know silly right ... Just do it ...

2) go to TOOLS > Internet Options > ADVANCED tab

3) uncheck Enable Third-Party Browser Extensions ( requires restart )
<< this step STOPS this BUG in its tracks >>

4) now restart your PC in safe mode ...

5) If you get a warning at startup that a file can not be loaded, don't worry about this, it's the FILE that is causing the worm ...

6) use SPYBOT search and destroy with the latest updates to scan your system ...

7) remove all files that spybot has found ... then run hijack this and delete any reference to the res:// homepage hack ( dll files ) that are shown there ... usually at the top in the first couple of columns ...

8) now restart again in safe mode

9) Run adaware and delete anything that it finds as well ...

10) on normal restart which is what you do next you may see 2-3 pop ups from windows saying a file can not be found ... GOOD that is the worm file ... now when you are started you will get warnings from spybot stating that a program wants to change your values to res:// homepage hack related files ... click keep this decision box and deny all these requests ... DENY CHANGE !!! (( this is VERY important ))

11) once that is done restart in normal mode one more time and run spybot search removing any left over files and then Ad-Aware doing the same ... NOW the bug should be removed ... FOR THE MOST part ... HOWEVER make sure your browser homepage is set to http://www.yahoo.com ( or something other than res:// homepage hack otherwise it will reinfect your pc ) I recommend doing this between steps 8-9 above ( after the second restart in safe mode )

Well there you go that is the BIG secret ... I know this works cause I have done it and NO MORE BUG >>>> if anyone has any ???'s please post a reply and I will try and answer them ...

<edit> Added text </edit>
*** ANOTHER NOTE ***

Please make sure and run SPYSWEEPER ( with latest definitions ) after all is in the clear to remove all the left over .dat and .dll files ... then you can open tools > internet options and recheck enable third party browsers ( although I wouldn't, seeing that it helps keep this from happening again ) but that is up to you ... I spoke to a TECH at microsoft and he assured me that leaving this unchecked does not hamper your internet exp. in any way ... so better to be safe than get something like this again ... ALERT ... you can not get spysweeper to see or delete this unless you have done all the above and have the latest definitions ... I also suggest version 3.0 which just came out ... although I used 2.61 and it works FINE !!!

MIDNITE
:techsupport:

Edited by Midnite, 25 June 2004 - 02:07 PM.


#2 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 12:16 PM

BUMP .... THIS WORKS AND WILL RESOLVE THIS FOR YOU 100% please post any ???'s once you have done the ABOVE if you still have issues I will help you ...

MIDNITE
:techsupport:

#3 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 12:26 PM

this is JUST one more BUMP to help everyone with this issue ... THIS solution works ... If anyone has any issues after this post PLEASE email me on here I will reply to all with help ... actually PM would be better and faster ... again this WILL clean the BUG off your system ...

Midnite
:ugh:

#4 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 25 June 2004 - 12:37 PM

This is an ok workaround but won't accomplish much.
That particular variant installs itself as a service!

Keep your workaround here and don't jump
in to posts that have been successfully resolved!
I'd hate to see 'em being edited ;)

#5 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 12:42 PM

*** ANOTHER NOTE ***

Please make sure and run SPYSWEEPER ( with latest definitions ) after all is in the clear to remove all the left over .dat and .dll files ... then you can open tools > internet options and recheck enable third party browsers ( although I wouldn't, seeing that it helps keep this from happening again ) but that is up to you ... I spoke to a TECH at microsoft and he assured me that leaving this unchecked does not hamper your internet exp. in any way ... so better to be safe than get something like this again ...

MIDNITE
:p

#6 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 12:51 PM

This is NOT a work around ... silly ... What is with you people I have been a TECH for years ... I guess only time will tell LET everyone with it try it and SEE for themselves ... YOU guys are FUNNY ... I post the SOLUTION and you all get HUFFY !!! Whatever ... even PGPHANTOM got upset

PGPhantom Please stop posting in Active Logs ..., Jun 25 2004, 12:40 PM

I have already asked that you stop posting in logs where help is already under way - If you continue, I will be forced to suspend your account. Thank you.

If my trying to help people with this BUG offended you or HIM I am sorry ... I was only giving the solution to everyone ...

Midnite
:ugh:

#7 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 25 June 2004 - 12:59 PM

This is a polite warning!

You made your presence, time to chill the thrill.

*Note to All:

^^^ It's a case of... :blink: :scratchhead: :whistle:

#8 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 01:04 PM

for those that are doubting this to be the solution here is my HijackThis log ... I had a MAJOR infection with this WORM but as I stated above ... I resolved and removed it ... anyway for the non believers this is my log and last post on this topic ... if you want help and want this removed you will follow my outline if not then have fun ...

Logfile of HijackThis v1.97.7
Scan saved at 1:58:42 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Saved Files\Chad's Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC2FD346-B35C-A896-4487-916D3E911455} - C:\WINDOWS\addnt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [addsx.exe] C:\WINDOWS\system32\addsx.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKLM\..\RunOnce: [apipt.exe] C:\WINDOWS\apipt.exe
O4 - HKLM\..\RunOnce: [appeg32.exe] C:\WINDOWS\system32\appeg32.exe
O4 - HKLM\..\RunOnce: [mfcez.exe] C:\WINDOWS\mfcez.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079997239468
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38068.4309375
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

I was not here to start any mess JUST to help clean one UP sorry to those that I offended by trying to help everyone with this outbreak of this CWS worm ...

:scratchhead: :weee:

#9 PGPhantom (Superman of SWI; Emeritus, 3,494 posts)

Posted 25 June 2004 - 01:27 PM

It is not that your help is not appreciated - Any and all help is appreciated. There are a number of experts that make a living out of dealing with these things and even though some of us (Myself included) may come up with solutions, they do not always cover everything. For your own log, please see the PM I sent you as there are some problems still there.

As I mentioned in a PM - Please do continue to help but as a "Helper" by joining the Boot Camp - There you will learn a lot about what we are doing and why and why we need to stop incomplete fixes. We can all learn from each other and most, nearly all, of the fixes that I use have been developed by experts such as freeatlast.

Thank you for your consideration.

#10 RubbeR DuckY (Marcin; Developer, 878 posts)

Posted 25 June 2004 - 01:30 PM

So Midnite. You are saying that this solution will remove all .dats, .dlls, and .exes from the Windows and System folders. If your answer is no then the solution is a workaround. If your answer is yes, then you are a genius and have found a solution.


Also.. I do not want you to get infected.. But if you accept -

PGPhantom: Please let's keep this civil :)

O2 - BHO: (no name) - {AC2FD346-B35C-A896-4487-916D3E911455} - C:\WINDOWS\addnt.dll

....

Edit: Im not trying to be rude just to point out :weee:

Edited by PGPhantom, 25 June 2004 - 01:49 PM.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#11 Zero (Advanced Member; Emeritus, 224 posts)

Posted 25 June 2004 - 01:34 PM

As ducky so 'eloquently' O_O said, the bho will just re-spawn a new one.

#12 shauneq (Full Member, 9 posts)

Posted 25 June 2004 - 01:39 PM

I'm afraid this is not a real solution.

By checking "Remember this Decision" in the SPYBOT popups, SPYBOT will swat this bug every time it tries to do its evil; however, the malware is STILL on your system and still active. You're just being protected by SPYBOT.

That is not very satisfactory for me. I too get a clean hijack this log, but EVERY time I boot, SPYBOT pops up and saves my life. I want the malware destroyed. Which is why I am pleading for a really smart spyware smasher (PGPhantom? Superman?) to help me out with my post

I just may be willing to join boot camp myself if I can get my problem solved! ;)

#13 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 01:55 PM

I did not update my HijackThis log till I rebooted so my log was inaccurate duckie ...

Logfile of HijackThis v1.97.7
Scan saved at 2:48:12 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\Saved Files\Chad's Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079997239468
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38068.4309375
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

that is my correct log. I know that I still had the infected files there as PGPhantom brought that to my attention ... and yes there is one other thing I forgot and that was a reboot ... BUT yes as you can see from my log ... it works ... and SPYSWEEPER removes this variant after you let it do its thing after all has been cleaned ... You have to follow the above steps first then run Spy Sweeper last and it will remove all exe, dat and dll files as you can see from my log ...

I appreciate all the other input but I assure you this works ..

I was the silly one that forgot the reboot .. but look at my HijackThis log now and see if I am not telling the truth ...

Look I did not come here ( as mentioned in private PM's to a few ) to start any waves, JUST to help

Midnite
:rolleyes:

SPYSWEEPER will not remove this VARIANT or its files till after you do all of the above and run it in NORMAL mode. I was supposed to make that the last part in the above. I will EDIT my post !!!

Edited by Midnite, 25 June 2004 - 02:05 PM.
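As an added example (not code from this thread or from any tool it names), here is a small Python script that parses constructed excerpts of the two HijackThis logs above, flags the O2/O4 entries the replies argue about, and diffs the first log against the second to check that those entries really are gone. The flagging rules are heuristics drawn only from these two logs, and the res:// start-page line is a constructed illustration with a placeholder DLL name.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpts of the two HijackThis 1.97.7 logs posted in this thread:
# LOG_BEFORE from post #8 (taken before the reboot), LOG_AFTER from post #13.
# Only the lines that differ plus a few benign neighbours are reproduced.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC2FD346-B35C-A896-4487-916D3E911455} - C:\WINDOWS\addnt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [addsx.exe] C:\WINDOWS\system32\addsx.exe
O4 - HKLM\..\RunOnce: [apipt.exe] C:\WINDOWS\apipt.exe
O4 - HKLM\..\RunOnce: [appeg32.exe] C:\WINDOWS\system32\appeg32.exe
O4 - HKLM\..\RunOnce: [mfcez.exe] C:\WINDOWS\mfcez.exe
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""
# Constructed: what the R0 line looks like while the start page is still hijacked
# (both logs in the thread were taken after it had been reset to yahoo.com).
HIJACKED_R0 = r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\placeholder.dll/sp.html"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")
START_RE = re.compile(r"^R[01] - .*Start Page = (?P<url>.+)$")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def _exe_of(cmd):
    """First token of a Run command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def suspicious_entries(log):
    """(reason, line) for each entry matching the hallmarks seen in this thread.
    Heuristics drawn from the two logs above, not a general detection rule."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := START_RE.match(line):
            if m["url"].lower().startswith("res://"):
                hits.append(("start page points at a res:// resource", line))
        elif m := BHO_RE.match(line):
            # Benign BHOs (Adobe, Norton) are also "(no name)"; the discriminator
            # here is a DLL sitting directly in the Windows or System32 directory.
            if m["name"] == "(no name)" and _parent_dir(m["path"]) in WINDOWS_DIRS:
                hits.append(("unnamed BHO loaded straight from the Windows directory", line))
        elif m := RUN_RE.match(line):
            exe = _exe_of(m["cmd"])
            if _parent_dir(exe) in WINDOWS_DIRS and m["entry"].lower() == PureWindowsPath(exe).name.lower():
                hits.append(("Run/RunOnce value named after its own Windows-directory executable", line))
    return hits


def removed_entries(before, after):
    """Lines present in the earlier log but gone from the later one."""
    kept = {l.strip() for l in after.splitlines() if l.strip()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in kept]


def cleanup_complete(before, after):
    """True when every flagged entry from the first log is absent from the second
    and the second log flags nothing new."""
    gone = set(removed_entries(before, after))
    return all(line in gone for _, line in suspicious_entries(before)) and not suspicious_entries(after)


if __name__ == "__main__":
    for reason, line in suspicious_entries(LOG_BEFORE + HIJACKED_R0):
        print(f"{reason}: {line}")
    print("cleanup complete:", cleanup_complete(LOG_BEFORE, LOG_AFTER))
```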


#14 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 02:12 PM

I have modified this post ... anyone thinking this might not work ... I am sorry for posting the wrong HijackThis log ( before I did a reboot ) but again I assure you this works ... PGPhantom alerted me to some files that were still in my log but as you can see after thinking about it I forgot to reboot ... and once I did VOILA it is GONE and finished ... so yes I do stand by my solution and still say it is NOT a work around ... and just to test it I am going to re-enable my third party selection that I mentioned should be disabled and reboot to make sure 100%

as I mentioned I was just here to help and I will not interfere with the powers that be I was just offering a solution that works ... again for any one that I upset or offended I am SORRY !!!

Midnite
:cool:

Edited by Midnite, 25 June 2004 - 02:13 PM.


#15 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 25 June 2004 - 02:19 PM

Nice, and welcome aboard, boot camp hopefully! :D

It's good to know and see that SpySweeper is helpful.

However--
Do you realize there are several variants around?
The one the guys above are referring to is one of the variants that installs as a system service!
Providing you're familiar with the terminology, do mention the exact name of
the service that SpySweeper allegedly removed, which,
undoubtedly, you should have in your records/logs, etc.

If not, it may be a different variant!

Your "official" solution to "all" CWS problems
was a bit out of range, namely jumping into my
thread which was dealing with a completely different variant.

All the best, :thumbsup:

#16 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 25 June 2004 - 02:23 PM

PGPhantom:  Please let's keep this civil :)

http://www.spywarein...topic=10171&hl=


:weee:

#17 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 02:34 PM

OK the one that SPYSWEEPER is finding on my system or was should I say LOL :) is CWS_NS3 if that means anything to anyone ...

That may be the name of this variant ... all I know is that until I used the steps above SPY SWEEPER didn't even see this worm on my system ...

so there you go and HOW does one join BOOT camp ???

Midnite
:fotc:

#18 PGPhantom (Superman of SWI; Emeritus, 3,494 posts)

Posted 25 June 2004 - 03:06 PM

If you would like to assist, become a "Helper Trainee" by clicking on this link and responding to the message.

I look forward to seeing you in the "Boot Camp".

#19 yoboss (New Member, 1 post)

Posted 25 June 2004 - 03:44 PM

Many Thanks Midnight!!

It worked for res:\\IDUQV.dll....

#20 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 09:55 PM

you are very welcome YOBOSS !!! glad I could help you !!!

Midnite

#21 kevbot9000 (New Member, 2 posts)

Posted 28 June 2004 - 12:56 AM

This fix worked perfectly for me. Thanks!



