Jump to content


Photo

About Blank


  • Please log in to reply
4 replies to this topic

#1 e_eek

e_eek

    Member

  • New Member
  • Pip
  • 3 posts

Posted 29 July 2004 - 06:27 PM

Hi All,

It appears I was infected with a hijacker that first came up in browswer as "about Blank" and then loaded several files. It actually started explorer itself, I did not even have to open it. Our "IT" guy worked on it, but never totally fixed it. He did get it to stop opening the browser by itself though. I have to do web presentations in front of clients and am still getting pop ups and my computer is extremely low. It also prevents me from going to certain web sites or opens another browser window when it should not. Please help. Below I am pasting the Hijack this log.

Thanks

Eric


Logfile of HijackThis v1.97.7
Scan saved at 7:07:24 PM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\ehager\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: PowerBuilder DW Control & JDBC - http://10.0.1.21:82/...ine/PSDWC70.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://12.223.248.216:81/kxhcm10.ocx
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.pl...quicksilver.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange...ectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.129.250.6/...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37874.261712963
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - http://10.0.1.21:82/...indows-i586.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 08:27 PM

Hello ,Welcome to SWI.
Print out these instructions so you can read them while you clean your system.

Move Hijack This to its own folder.Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.


Download VX2Finder


Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
--------------------------------

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

-----------------
Once back in Windows


Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here

Now close all open windows AND browsers and check these items for HJT to fix(a fair amount of these are likely to be gone because of CWShredder):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab


Then continue with win tools:
Please reboot into safe mode - How do I boot into "Safe" mode?

Once in Safe Mode:
Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.
Look for a service called Wintools for IE Service. double-click it to open, then click the Stop button and change the "Startup type" to Disabled.
(If the service is not there, no worries...all the better!)

Next, right-click on the Windows Taskbar and select Task Manager.
In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.

At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.

Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). at the prompt, type
regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then <ENTER>.
Then type exit to close the command prompt window.

Now, we can proceed to delete these directories, located at:

C:\Program Files\Common Files\WinTools <-- Delete the BOLD directory.
C:\Program Files\Toolbar <-- Delete the BOLD directory.

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet
content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode enable System Restore and post a fresh log in this thread to give you further recommendations.

Edited by mmxx66, 29 July 2004 - 08:27 PM.


#3 e_eek

e_eek

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 July 2004 - 07:16 AM

Thanks much for the quick reply. I have ran the vx2 as described. Here is the log.

Thanks again,

Eric

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\abaamon.dll
C:\WINNT\system32\acaamon.dll
C:\WINNT\system32\adaamon.dll
C:\WINNT\system32\aeaamon.dll
C:\WINNT\system32\afaamon.dll
C:\WINNT\system32\afledit.dll
C:\WINNT\system32\agaamon.dll
C:\WINNT\system32\ahaamon.dll
C:\WINNT\system32\aictres.dll
C:\WINNT\system32\ailui.dll
C:\WINNT\system32\aimparse.dll
C:\WINNT\system32\aismib.dll
C:\WINNT\system32\ajsnds.dll
C:\WINNT\system32\alaamon.dll
C:\WINNT\system32\amaamon.dll
C:\WINNT\system32\amledit.dll
C:\WINNT\system32\anaamon.dll
C:\WINNT\system32\anledit.dll
C:\WINNT\system32\aoaamon.dll
C:\WINNT\system32\apaamon.dll
C:\WINNT\system32\aqledit.dll
C:\WINNT\system32\aqsldp.dll
C:\WINNT\system32\araamon.dll
C:\WINNT\system32\artxprxy.dll
C:\WINNT\system32\ataamon.dll
C:\WINNT\system32\auaamon.dll
C:\WINNT\system32\aului.dll
C:\WINNT\system32\ausmib.dll
C:\WINNT\system32\avaamon.dll
C:\WINNT\system32\awaamon.dll
C:\WINNT\system32\axctres.dll
C:\WINNT\system32\axmparse.dll
C:\WINNT\system32\ayaamon.dll
C:\WINNT\system32\azaamon.dll
C:\WINNT\system32\azsmib.dll
C:\WINNT\system32\aztxprxy.dll


Guardian Key--- is called:

User Agent String---
{613DF497-F2A0-4EC2-B85C-AE44F75676BA}

#4 e_eek

e_eek

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 July 2004 - 07:42 AM

Hello again,

Here is the 2nd vx2 log as requested.


Eric



Files Found---
C:\WINNT\system32\abaamon.dll
C:\WINNT\system32\acaamon.dll
C:\WINNT\system32\adaamon.dll
C:\WINNT\system32\aeaamon.dll
C:\WINNT\system32\afaamon.dll
C:\WINNT\system32\afledit.dll
C:\WINNT\system32\agaamon.dll
C:\WINNT\system32\ahaamon.dll
C:\WINNT\system32\aictres.dll
C:\WINNT\system32\ailui.dll
C:\WINNT\system32\aimparse.dll
C:\WINNT\system32\aismib.dll
C:\WINNT\system32\ajsnds.dll
C:\WINNT\system32\alaamon.dll
C:\WINNT\system32\amaamon.dll
C:\WINNT\system32\amledit.dll
C:\WINNT\system32\anaamon.dll
C:\WINNT\system32\anledit.dll
C:\WINNT\system32\aoaamon.dll
C:\WINNT\system32\apaamon.dll
C:\WINNT\system32\aqledit.dll
C:\WINNT\system32\aqsldp.dll
C:\WINNT\system32\araamon.dll
C:\WINNT\system32\artxprxy.dll
C:\WINNT\system32\ataamon.dll
C:\WINNT\system32\auaamon.dll
C:\WINNT\system32\aului.dll
C:\WINNT\system32\ausmib.dll
C:\WINNT\system32\avaamon.dll
C:\WINNT\system32\awaamon.dll
C:\WINNT\system32\axctres.dll
C:\WINNT\system32\axmparse.dll
C:\WINNT\system32\ayaamon.dll
C:\WINNT\system32\azaamon.dll
C:\WINNT\system32\azsmib.dll
C:\WINNT\system32\aztxprxy.dll


Guardian Key--- is called:

User Agent String---
{613DF497-F2A0-4EC2-B85C-AE44F75676BA}

#5 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 30 July 2004 - 09:36 AM

Good job!
Go ahead with the next steps as requested before.
thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button