res://random.dll, goto linking and more.


22 replies to this topic

#1 liorajane (Full Member, 22 posts)

Posted 13 July 2004 - 02:11 PM

i did have another topic open, but i thought it would be best to post a new one, as i am now having many more spyware problems than the one i started with. also, i probably bumped that old thread right off the response ladder. ;) sorry about that.

i am running windows xp and internet explorer 6.0.

current problems:
- my internet homepage opens to "res://<random>.dll/<random>.html#<random>"
- a popup warning me that my computer is infected with spyware appears every time i open to this homepage
- many popups appear when browsing the internet, including the "only the best" popups mentioned in other threads
- when browsing the internet certain words are hyperlinked to "goto:<random>"
- the new search engine on http://www.msn.com causes my internet explorer to freeze

- "dso exploit" appears in my spybot scans
- "home search assistant", "search extender" and "shopping wizard" are installed on my computer and show the error message "unable to open "http://looking-for.c.../<random>.html" when i try to uninstall them
- "wildtangent multiplayer library" was installed on my computer but seems to have been uninstalled. what is it?

- my computer takes a long time to start up and shut down
- my computer sometimes shows an error message about a missing .dll when starting up
- windows notepad randomly closes itself without an error message when in use

what i've done:
- i have spybot search & destroy, hijackthis, ad-aware and cwshredder and run them when i reboot
- i fix "dso exploit" every time i run spybot
- i fix every incorrect internet home page and search page setting every time i run hijackthis
- i delete around seventeen entries every time i run ad-aware
- "dso exploit", "res://<random>.dll/<random>.html#<random>", and everything else returns when i reboot and sometimes before i reboot

here is my hijackthis log, before running spybot, ad-aware or cwshredder:
Logfile of HijackThis v1.98.0
Scan saved at 1:20:21 PM, on 3/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\sysyu.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\addaz32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jnnhw.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jnnhw.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jnnhw.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jnnhw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jnnhw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jnnhw.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7561BD5A-4319-21D1-6A49-CBCE972E06E8} - C:\WINDOWS\crhe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [addaz32.exe] C:\WINDOWS\addaz32.exe
O4 - HKLM\..\RunOnce: [apiwf32.exe] C:\WINDOWS\system32\apiwf32.exe
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe
O4 - HKLM\..\RunOnce: [ntds32.exe] C:\WINDOWS\system32\ntds32.exe
O4 - HKLM\..\RunOnce: [appgl.exe] C:\WINDOWS\appgl.exe
O4 - HKLM\..\RunOnce: [atllc.exe] C:\WINDOWS\system32\atllc.exe
O4 - HKLM\..\RunOnce: [ipip32.exe] C:\WINDOWS\ipip32.exe
O4 - HKLM\..\RunOnce: [iezf.exe] C:\WINDOWS\system32\iezf.exe
O4 - HKLM\..\RunOnce: [crfv.exe] C:\WINDOWS\crfv.exe
O4 - HKLM\..\RunOnce: [mslm.exe] C:\WINDOWS\mslm.exe
O4 - HKLM\..\RunOnce: [d3ck.exe] C:\WINDOWS\system32\d3ck.exe
O4 - HKLM\..\RunOnce: [netpu.exe] C:\WINDOWS\netpu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\My Programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe


help, anyone? :)

Edited by liorajane, 13 July 2004 - 02:20 PM.


#2 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 16 July 2004 - 12:52 PM

Download the latest version of About:Buster and unzip it to your desktop.

These are the key infection files: jnnhw.dll, crhe.dll, addaz32.exe and sysyu.exe
But, I'm going to approach this as if they are changing names with each bootup, because some of these infections do that. If not, you won't have any trouble finding them. If they do change, hopefully you'll be able to follow what I describe and find them anyway.

Run a HJT scan and mark these for fixing:

There's only one BHO showing in your log - it's bad regardless of the .dll name

O2 - BHO: (no name) - {7561BD5A-4319-21D1-6A49-CBCE972E06E8} - C:\WINDOWS\crhe.dll


This is the last O4 - HKLM\..\Run: line

O4 - HKLM\..\Run: [addaz32.exe] C:\WINDOWS\addaz32.exe


These are ALL the O4 - HKLM\..\RunOnce: lines in your log - nothing legit among them.

O4 - HKLM\..\RunOnce: [apiwf32.exe] C:\WINDOWS\system32\apiwf32.exe
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe
O4 - HKLM\..\RunOnce: [ntds32.exe] C:\WINDOWS\system32\ntds32.exe
O4 - HKLM\..\RunOnce: [appgl.exe] C:\WINDOWS\appgl.exe
O4 - HKLM\..\RunOnce: [atllc.exe] C:\WINDOWS\system32\atllc.exe
O4 - HKLM\..\RunOnce: [ipip32.exe] C:\WINDOWS\ipip32.exe
O4 - HKLM\..\RunOnce: [iezf.exe] C:\WINDOWS\system32\iezf.exe
O4 - HKLM\..\RunOnce: [crfv.exe] C:\WINDOWS\crfv.exe
O4 - HKLM\..\RunOnce: [mslm.exe] C:\WINDOWS\mslm.exe
O4 - HKLM\..\RunOnce: [d3ck.exe] C:\WINDOWS\system32\d3ck.exe
O4 - HKLM\..\RunOnce: [netpu.exe] C:\WINDOWS\netpu.exe


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Now, boot into Safe Mode and run About:Buster - Start it, hit OK, Start, And OK again to start the scan. It will generate a log. Save that log to post in your reply. Reboot normally.

Now, run CWShredder followed by Ad-aware (be sure it's updated) to clean up the residuals.

Run another HJT scan, and post it and the About:Buster log.
(and please don't use the tiny font size!)

Edited by Fireflyer, 16 July 2004 - 01:05 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 liorajane (Full Member, 22 posts)

Posted 16 July 2004 - 08:46 PM

when i tried to run about:buster in safe mode i received this error message: "runtime error '339': component "MsComCtl.ocx" or one of its dependencies not currently registered: a file is missing or invalid."

my internet started up to about:blank after i restarted, which was a good sign, but the second time i opened it it was back to another res://<random>.dll homepage.

would you still like my hijackthis log? i also wanted to know if all O4 - HKLM\..\RunOnce: entries are safe to delete, as there are some new ones in the log.

thanks for your help so far, though! :)

#4 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 16 July 2004 - 09:43 PM

For missing MSCOMCTL.OCX, download and run this program from Javacool Software. http://www.spywarein...ngfilesetup.exe

If the O4 - HKLM\..\RunOnce: entries are like the others - that is, the dll file names appear to be random letters (with or without 32 at the end), then yes, they should be OK to delete.

Since there weren't any valid ones before, there shouldn't be any valid ones in the next log either - unless you installed a program in the interim that uses a Run Once Registry entry.

Do the MSCOMCTL.OCX fix and try About:Buster again and see how it goes.

#5 liorajane (Full Member, 22 posts)

Posted 16 July 2004 - 11:00 PM

i downloaded and installed the program. however, now hijackthis is playing up. there is a new BHO in the place of the old one, and i am not sure if it needs to be deleted: O2 - BHO: (no name) - {D1EE8A52-EB75-BD6B-C698-94D3153A49FB} - C:\WINDOWS\system32\appgb.dll. however, whenever i attempt to fix anything in the hijackthis scan, i receive this error message:

"An unexpected error has occurred at procedure: cmdFix_Click()
Error #75 - Path/File access error (37 items in results list)."

it also has instructions to e-mail merijn@spywareinfo.com about the error, which i did. could it have anything to do with downloading MSCOMCTL.OCX? :wtf:

i am assuming i should not run about:buster in safe mode until hijackthis is back to normal, unless it is unnecessary to delete this BHO. sorry for all the complications! :blush:

Edited by liorajane, 16 July 2004 - 11:04 PM.


#6 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 17 July 2004 - 09:52 AM

All the complications aren't your fault! That's just the way this stuff goes sometimes.

The new BHO is likely the same bad one as before - just morphed, using a random name and CLSID.

Ideally we want to delete the BHO and the O4 items before running About:Buster.

I've seen another report of HJT errors so let's wait a bit and see what Merijn does.

I'll also ask some of the Experts here for their opinions on what's going on - whether this is related to MSCOMCTL.OCX or not.

#7 liorajane (Full Member, 22 posts)

Posted 17 July 2004 - 12:38 PM

okay! thanks. i'll wait. :)

#8 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 17 July 2004 - 02:13 PM

I found these two bits of info on the HJT error.

Merijn knows about this cmdFix_Click error and is working on it.

Apparently the error is unrelated to running the missingfilesetup.exe

If you try to delete an item using HJT 1.98.0 and get an error #75:

Delete the 'Backups' folder in the same folder as HJT. That should fix the problem.


So, go ahead and try that and see if it works.

#9 liorajane (Full Member, 22 posts)

Posted 17 July 2004 - 09:34 PM

yes, deleting the backups folder works! ;D

okay, i deleted everything listed in your first reply, the new BHO and all of the new runonce entries. i ran about:buster in safe mode. here is the log you asked for:

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\adglis.dat
Removed! : C:\WINDOWS\appgl.exe
Removed! : C:\WINDOWS\appuz.dll
Removed! : C:\WINDOWS\appwc32.dll
Removed! : C:\WINDOWS\bnwvj.dat
Removed! : C:\WINDOWS\btidzc.dat
Removed! : C:\WINDOWS\bumsak.dat
Removed! : C:\WINDOWS\colcxk.dat
Removed! : C:\WINDOWS\crfv.exe
Removed! : C:\WINDOWS\crhe.dll
Removed! : C:\WINDOWS\crxh32.exe
Removed! : C:\WINDOWS\deury.dat
Removed! : C:\WINDOWS\deuryw.dat
Removed! : C:\WINDOWS\djumgs.dat
Removed! : C:\WINDOWS\fuzih.dat
Removed! : C:\WINDOWS\fzzfrm.dat
Removed! : C:\WINDOWS\hkvlj.dat
Removed! : C:\WINDOWS\hxsfbt.dat
Removed! : C:\WINDOWS\ieum.exe.bak
Removed! : C:\WINDOWS\ipip32.exe
Removed! : C:\WINDOWS\jdrkw.dat
Removed! : C:\WINDOWS\jnnhw.dll
Removed! : C:\WINDOWS\kgcjcw.dat
Removed! : C:\WINDOWS\lqvjyy.dat
Removed! : C:\WINDOWS\lyqjcq.dat
Removed! : C:\WINDOWS\lzhbu.dll
Removed! : C:\WINDOWS\memyom.dat
Removed! : C:\WINDOWS\mfchs32.exe
Removed! : C:\WINDOWS\mfcim.exe
Removed! : C:\WINDOWS\mfcqh32.exe
Removed! : C:\WINDOWS\mslm.exe
Removed! : C:\WINDOWS\msxh.exe
Removed! : C:\WINDOWS\netpu.exe
Removed! : C:\WINDOWS\nkdmkx.dat
Removed! : C:\WINDOWS\nmsdu.dat
Removed! : C:\WINDOWS\nofue.dat
Removed! : C:\WINDOWS\nsency.dat
Removed! : C:\WINDOWS\ntau32.exe
Removed! : C:\WINDOWS\otkvx.dat
Removed! : C:\WINDOWS\pmqphp.dat
Removed! : C:\WINDOWS\prqry.dat
Removed! : C:\WINDOWS\qxelix.dat
Removed! : C:\WINDOWS\sdkgm32.exe
Removed! : C:\WINDOWS\snqhkd.dat
Removed! : C:\WINDOWS\swoax.dat
Removed! : C:\WINDOWS\swoaxi.dat
Removed! : C:\WINDOWS\tajdrz.dat
Removed! : C:\WINDOWS\teabqm.dat
Removed! : C:\WINDOWS\tywffl.dat
Removed! : C:\WINDOWS\wbdidj.dat
Removed! : C:\WINDOWS\wifkz.dat
Removed! : C:\WINDOWS\wifkzq.dat
Removed! : C:\WINDOWS\xbkmc.dat
Removed! : C:\WINDOWS\xpdsbf.dat
Removed! : C:\WINDOWS\ymgkj.dat
Removed! : C:\WINDOWS\zfauwb.dat
Removed! : C:\WINDOWS\zxcjtb.dat
Removed! : C:\WINDOWS\System32\apijd32.exe
Removed! : C:\WINDOWS\System32\apiwf32.exe
Removed! : C:\WINDOWS\System32\appgb.dll
Removed! : C:\WINDOWS\System32\appid.exe
Removed! : C:\WINDOWS\System32\atllc.exe
Removed! : C:\WINDOWS\System32\crea.exe
Removed! : C:\WINDOWS\System32\crvf32.exe
Removed! : C:\WINDOWS\System32\crwe.dll
Removed! : C:\WINDOWS\System32\cycpl.dll
Removed! : C:\WINDOWS\System32\d3ck.exe
Removed! : C:\WINDOWS\System32\ehnnl.dat
Removed! : C:\WINDOWS\System32\gefkr.dll
Removed! : C:\WINDOWS\System32\gsxjy.dat
Removed! : C:\WINDOWS\System32\ieuj32.dll
Removed! : C:\WINDOWS\System32\iezf.exe
Removed! : C:\WINDOWS\System32\itdiu.dat
Removed! : C:\WINDOWS\System32\javalm.exe
Removed! : C:\WINDOWS\System32\mfcgo32.exe
Removed! : C:\WINDOWS\System32\mscv32.dll
Removed! : C:\WINDOWS\System32\ntds32.exe
Removed! : C:\WINDOWS\System32\pmqph.dll
Removed! : C:\WINDOWS\System32\ppdap.dat
Removed! : C:\WINDOWS\System32\qqlxq.dll
Removed! : C:\WINDOWS\System32\qsvwc.dll
Removed! : C:\WINDOWS\System32\tagxs.dat
Removed! : C:\WINDOWS\System32\vdrle.dat
Removed! : C:\WINDOWS\System32\vuvgt.dat
Removed! : C:\WINDOWS\System32\wfaav.dat
Removed! : C:\WINDOWS\System32\xbaqz.dat
Removed! : C:\WINDOWS\System32\yuqgm.dat
Removed! : C:\WINDOWS\System32\zfleu.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

i rebooted normally and ran cwshredder and ad-aware, which deleted forty seven entries. but i ran hijackthis and the hijacked internet settings are still there, along with a new BHO:

Logfile of HijackThis v1.98.0
Scan saved at 8:25:38 PM, on 3/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\sysyu.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\mslc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cdsgb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cdsgb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cdsgb.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - C:\WINDOWS\system32\ieci32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [mslc.exe] C:\WINDOWS\mslc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\My Programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab

the internet opened to my usual dellnet.msn.com homepage, but went back to another res://random.dll homepage as soon as i refreshed. home search assistant, search extender and shopping wizard are still present and still cannot be uninstalled. :techsupport:

ugh. but at least hijackthis works now, right? ;)

Edited by liorajane, 17 July 2004 - 09:36 PM.


#10 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 18 July 2004 - 02:48 PM

Good grief! What a collection of malware. All that wiped out, and the hijacker is still there.

Sorry if this seems redundant, but sometimes this stuff requires multiple assaults. First, get the new Ad-aware update (01R333 18.07.2004).

Boot into Safe Mode, and:
  • Run HijackThis - fix the O2 - BHO and the random named O4 (mslc.exe in the last log)
  • Run About:Buster
  • Run About:Buster again
  • Run CWShredder
  • Run Ad-aware
  • Run HijackThis and fix any R1/R0 entries left
Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"
Boot into normal mode, run a new HJT scan and let me know how it went.

Edited by Fireflyer, 18 July 2004 - 03:57 PM.


#11 liorajane (Full Member, 22 posts)

Posted 18 July 2004 - 10:53 PM

thank you very much. but still no luck. i ran hijackthis right after i rebooted and the bho was back, and my internet opened to res://random.dll again. here is the log (sorry if you didn't want it, i wasn't sure):

Logfile of HijackThis v1.98.0
Scan saved at 9:45:54 PM, on 3/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\sysyu.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\javaxp32.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - C:\WINDOWS\system32\ieci32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe
O4 - HKLM\..\RunOnce: [crsb.exe] C:\WINDOWS\system32\crsb.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\My Programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

i went through the steps from run hijackthis in safe mode to delete all files and folders in c:\windows\temp, and i emptied my recycle bin. but i couldn't find any local settings folders under the profiles in documents and settings at all, in safe mode or out. :wtf:

when the log in screen comes up in safe mode, i can choose between administrator, dad, mom, and michele. i choose michele as usual. do you have to be logged in as administrator for the local settings folders to show up? or is my computer just strange?

also, slightly unrelated... there is a "wildtangent control panel" option in my control panel. what is wildtangent? i have heard about a lot of spyware being linked to it. is wildtangent spyware itself, or is it a required program...?

#12 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 19 July 2004 - 12:13 PM

Yes, I wanted to see a new log - sorry I wasn't clear on that.

Also sorry, I forgot to mention making sure you had Windows Explorer set to show Hidden Files and Folders. I'm so used to doing it, I guess I thought I already had.

Open Windows Explorer and reconfigure it to Enable Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:
Scroll down to the Files and Folders section.
Select: Display the contents of system folders.
Scroll down to the Hidden Files and Folders section.
Select: Show hidden files and folders, Ok the prompt
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files
Ok the Prompt, click Apply
Click the Apply to all Folders button.

Now, you should be able to find:
C:\Documents and Settings\michele\Local Settings\Temp
C:\Documents and Settings\michele\Local Settings\Temporary Internet Files
C:\Documents and Settings\dad\Local Settings\Temp
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files
C:\Documents and Settings\mom\Local Settings\Temp
C:\Documents and Settings\mom\Local Settings\Temporary Internet Files
and delete the contents (not the folders) of each Temp and Temporary Internet Files folder.

Wild Tangent is online game related - and known to provide popups, adware, etc. - but, I don't see anything in the log that's Wild Tangent related - it usually shows up as an O16 - ActiveX downloaded program file. Since the only thing left of it is in the Control Panel, it may be that Ad-aware cleaned out the other parts.

Let's try a different cleaning approach and then follow that with the new 1.31 version of About:Buster - go ahead and download it: http://www.downloads...AboutBuster.zip

Open Windows Task Manager by pressing CTRL+SHIFT+ESC

Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list.

Look for these items in the running processes list - if you find them, click them to select them and then click End Process.

crsb or crsb.exe
javaxp32 or javaxp32.exe
sysyu or sysyu.exe

Exit the Task Manager.

Next, go to Start->Run and type Services.msc then hit OK.

Scroll down and find the service called "Network Security Service".

When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

Run a new HijackThis scan and place a check mark in the following boxes:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - C:\WINDOWS\system32\ieci32.dll

O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe

O4 - HKLM\..\RunOnce: [crsb.exe] C:\WINDOWS\system32\crsb.exe


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Reboot into Safe Mode and delete these files:

C:\WINDOWS\javaxp32.exe
C:\WINDOWS\sysyu.exe
C:\WINDOWS\system32\crsb.exe
C:\WINDOWS\system32\ieci32.dll

Go to Start => Run and type in regedit and press "Enter".

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
and highlight Root in the Left Pane. In the right pane, look for any of these entries:

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find any, right-click it in the right-pane and choose Delete.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permissions menu option under Security or Edit. Uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Press Apply and OK and attempt to delete the key again.

Exit regedit.

Now run About:Buster. Reboot in Safe Mode under each additional user profile and run About:Buster for each - administrator, dad, mom, and michele.

Reboot in normal mode (as michele), run a new HJT scan and post the log.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#13 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 08:09 PM

YES! i think it worked! ;D

Logfile of HijackThis v1.98.0
Scan saved at 7:02:47 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\My Programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

i scanned before i opened the internet. i opened the internet, and it decided to make google the homepage, which is fine by me. i scanned again--no change. i browsed the net a bit and scanned again--no change. home search assistant, search extender and shopping wizard are all gone from my installed programs list, too.

YES! thank you so much! thank you!

this is so great. i can't stop running hijackthis and laughing when i don't see any r0, r1, 02 or strange 04 entries. ;)

now fingers crossed it stays clean! should i repeat this last thing we did if i get infected similarly again? do you have any suggestions for anti-virus and spyware protection i should download? i just got spyware blaster a couple of days ago. anything else?

thank you. again. ;D

Edited by liorajane, 19 July 2004 - 08:10 PM.
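
As an added example (not code from this thread, from the helper, or from the HijackThis project), the following Python script runs the same triage over a HijackThis log that Fireflyer did by eye in post #12 and that the clean log in post #13 passes: it flags R0/R1 pages pointing at res:// or about:blank, the missing R3 URLSearchHook, an O2 BHO listed as "(no name)" whose DLL sits directly in system32, and O4 RunOnce entries launching a file dropped directly in C:\WINDOWS or C:\WINDOWS\system32. The drop directories, the "(no name)" test and the RunOnce test are heuristics drawn from the posts above, not HijackThis's own rules. The sample logs are constructed from lines quoted in this thread plus one constructed R1 line in the shape of the res:// symptom.

```python
"""Added example: triage a HijackThis (HJT) log against the CWS
about:blank / res:// indicators discussed in this thread.
Not a HijackThis tool; heuristics are assumptions from the posts."""
import re
from dataclasses import dataclass

# Every HJT entry line starts with its section code, e.g. "R3 - ..." or "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")

# Directories the variant in this thread dropped its files into (assumption).
WINDOWS_DROP_DIRS = {"c:\\windows", "c:\\windows\\system32"}


@dataclass
class Finding:
    kind: str    # HJT section code, e.g. "O2"
    line: str    # full log line, so it can be matched in the HJT fix list
    reason: str  # why it was flagged


def parse_entries(log_text):
    """Return (section, body, full_line) for every HJT entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def _dropped_in_windows_dir(path):
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    p = path.strip().strip('"').lower()
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return parent in WINDOWS_DROP_DIRS


def triage(log_text):
    """Flag the HJT entries matching this thread's CWS indicators, in log order."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        if kind in ("R0", "R1") and ("res://" in body or "about:blank" in body.lower()):
            findings.append(Finding(kind, line, "start/search page hijacked"))
        elif kind == "R3" and "is missing" in body:
            findings.append(Finding(kind, line, "URLSearchHook removed"))
        elif kind == "O2" and "(no name)" in body:
            dll = body.rsplit(" - ", 1)[-1]          # last field is the DLL path
            if _dropped_in_windows_dir(dll):
                findings.append(Finding(kind, line, "unnamed BHO loaded from system32"))
        elif kind == "O4" and "RunOnce" in body:
            exe = body.split("] ", 1)[-1]            # text after "[name] " is the command
            if _dropped_in_windows_dir(exe):
                findings.append(Finding(kind, line, "RunOnce launching a dropped file"))
    return findings


def is_clean(log_text):
    """True when none of the thread's indicators appear in the log."""
    return not triage(log_text)


# Constructed sample: the four lines Fireflyer asked to fix, a benign O3/O4 line
# from the clean log, and one constructed R1 line shaped like the res:// symptom.
SAMPLE_INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ieci32.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - C:\WINDOWS\system32\ieci32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe
O4 - HKLM\..\RunOnce: [crsb.exe] C:\WINDOWS\system32\crsb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"""

# Constructed sample from the clean logs later in the thread, including the two
# SpywareGuard entries liorajane asked about (named BHO, not in system32).
SAMPLE_CLEAN_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\My Programs\SpywareGuard\dlprotect.dll
O4 - Startup: SpywareGuard.lnk = C:\My Programs\SpywareGuard\sgmain.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INFECTED_LOG):
        print(f"[{f.kind}] {f.reason}: {f.line}")
    print("clean log passes:", is_clean(SAMPLE_CLEAN_LOG))
```

Run it as-is to see the five flagged lines from the constructed infected log and a pass for the clean one; to check a real log, paste it into the string or read the file and hand it to `triage()`. The flagged lines are exactly the ones to tick in HijackThis; anything it does not flag still deserves a look, since the heuristics only cover the indicators named in this thread.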


#14 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 19 July 2004 - 09:54 PM

OK, michele, keep your fingers crossed, we're not out of the woods yet - there's still more work to do. But first, take a deep breath and... time travel!

This is a technique that Budfred, Moderator of our Boot Camp, came up with - set the date of your system clock ahead 2 or 3 days and reboot your system. This sneaky critter comes back sometimes, and this trick can smoke it out if it's still lurking.

I'll answer all your questions more completely later, but first try this out and let's be sure it's really gone and not just hiding.

And, yes, you can repeat the same procedure if it shows back up. There's also a file or files that will need to be replaced - but first, the time travel!

If it's clear after the time trick, you can reset your date and give me the good news!

#15 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 11:01 PM

yes! i "time traveled" forward three days and rebooted. my internet opened to google and the hijackthis log is exactly the same. clean. ahh.

i am so happy right now. ;D thanks.

#16 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 20 July 2004 - 07:46 AM

That's great! But, there's still some work to do.

It is possible that the infection may have deleted up to three files from your system. If these files are present, to be safe, I suggest you overwrite them with a new copy.

Go here: http://www.spywarein...es.html#control and download the version of control.exe for your operating system. For Windows XP, copy it to C:\Windows\System32\.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

This next file is only necessary if you use a HOSTS file - if you don't know what that is, then skip this, because you won't have one!
Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended. This is accessed thru the IE menu bar: Tools -> Internet Options -> Security tab -> Custom Level button. If you don't use Custom Security settings then be sure the slider is set to Medium or higher.

Finally, you should clear out your System Restore so you don't accidentally re-enable the malware.
  A. Click Start > Control Panel > System
  B. Under the System Restore tab, place a check mark in the box next to "Turn off System Restore on all drives" and click Apply
  C. Reboot the computer
  D. Repeat step A and uncheck the box selected in step B, click Apply, a clean restore point will be created automatically (no need to reboot again)

About:Buster reset your homepage to Google - reset it as you wish.

Spywareblaster is very good to have. In addition, I recommend SpywareGuard and IESpyad.

SpywareGuard offers realtime protection from spyware installation attempts. More info and download is available at:
SpywareGuard: http://www.wildersse...ywareguard.html

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. More info and download is available at:
IE/Spyad: https://netfiles.uiu...ww/resource.htm

You might also want to consider installing a firewall program - two very good free ones are available thru the links in my Signature. I use Kerio Personal Firewall myself.

#17 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 20 July 2004 - 06:57 PM

everything looks great!

the control.exe and sdhelper.dll files were present so i overwrote them as you suggested. and i have no idea what a hosts file is. ;)

i set my security settings to medium and cleared out system restore.

i will probably install the kerio personal firewall soon and i have downloaded and installed spywareguard and ie-spyad on top of spywareblaster. does it matter where you install them? i have them all in c:\my programs. can i also move hijackthis from c:\ to c:\my programs or does it need to stay where it is to work properly?

the only difference in my hijackthis log is the addition of these two entries: O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\My Programs\SpywareGuard\dlprotect.dll and O4 - Startup: SpywareGuard.lnk = C:\My Programs\SpywareGuard\sgmain.exe which i assume are part of spywareguard and therefore safe?

thankyou very much, again. ;D you saved my computer!

#18 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 21 July 2004 - 07:39 AM

All the programs are fine where you put them - you can move HijackThis there, too. After a week or so you can delete any HJT backup files that you have, as they shouldn't be needed anymore.

Yes, the two new items in the log are part of SpywareGuard's protective features.

Security settings of Medium are pretty much the old standard - in this day and age of Malware everywhere you turn, I would actually recommend a setting of High - but this can affect the functionality of some websites. It comes down to personal choice and what you are comfortable with.

A HOSTS file can be another layer of protection - check out http://www.mvps.org/...p2002/hosts.htm to learn more if you are interested.

I'm glad I could help you - but you deserve some of the credit too - you did all the actual work, including editing the Registry - a scary proposition for many folks!

I'm probably nearly as happy as you are that your computer is clean of all the garbage now, and I'm happy to see you taking steps to keep it that way.

I wish you Safe Surfin'!

#19 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 21 July 2004 - 04:03 PM

i switched the security settings to high—and it wouldn't allow me to download hosts.zip! ;) i could download the file on medium security, though, so i'll stick to high security and only switch to medium when it prevents me from downloading a file.

i might have done the actual work, but i couldn't have done a thing without your help. thank you very much. ;D and safe surfing to you too!

#20 zjclimber

zjclimber

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 21 July 2004 - 05:49 PM

Hello, I just wanted you to know you may have to travel a little further in time. I was trojan free on 7/19/04 and it was back on 7/28/04.
Good luck.

#21 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 21 July 2004 - 06:43 PM

thanks for this! i set the time a month ahead to double check and the hijackthis log was still clean, so everything looks great. ;)

oh! under network security service, the startup type is still disabled. was i supposed to return it to automatic or manual? i was rereading the instructions and can't find anything telling me to do so, but i'm not sure (and i might just be blind).

Edited by liorajane, 21 July 2004 - 09:13 PM.


#22 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 21 July 2004 - 09:35 PM

It's just a leftover fragment, so you can leave it disabled. Apparently that Service listing does not exist on systems until they are infected with the CWS About:Blank.

So, it's not anything you need, or will miss.

#23 liorajane

liorajane

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 22 July 2004 - 12:07 PM

okay!
