$50 reward for removal of hijacker


  • This topic is locked
30 replies to this topic

#1 robocomp - Member (Full Member, 14 posts)

Posted 26 May 2004 - 09:37 PM

I have posted my logfile previously with minimal help from anyone on this site... thought this might provide a little extra incentive... thanks


Logfile of HijackThis v1.97.7
Scan saved at 9:36:31 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Antivirus\Norton Personal Firewall 2003\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Antivirus\Norton Personal Firewall 2003\ccPxySvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Antivirus\NAV2003\navapsvc.exe
C:\Antivirus\NAV2003\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodManager.exe
F:\Utilities\AccountLogon\AccountLogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Utilities\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ANTIVI~1\NAV2003\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-christopher milne.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: AccountLogon (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7969.7170949074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O19 - User stylesheet: C:\WINDOWS\color.css

#2 chris22 - Member (Full Member, 68 posts)

Posted 26 May 2004 - 09:54 PM

good 1, I'm bumping this one because the same happened to me... except I still have NO Help *cough*WinHelp2002*cough*

#3 Cannabian - Member (New Member, 1 post)

Posted 26 May 2004 - 10:01 PM

Ok, but what is your problem? Popups? I see there is some fishy stuff like

http: cashsearch.biz/redir.php [Link disabled - it will resize your browser window and who knows what else. -cnm] (Redir means redirect??) I am a complete newbie and am guessing that it's fishy, but I think if you explained to the members what problem you are having, it might be easier for them.

What is

O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe??

Do you even have a drive called "F"? That one smells fishy as well.

Edited by cnm, 29 May 2004 - 10:11 AM.


#4 superbratkidde - Member (Full Member, 35 posts)

Posted 26 May 2004 - 10:22 PM

I've been to a lot of forums and this is a common problem: people not being specific enough with their problems. Make sure you give the symptoms and what you have tried, if you haven't done so.

good luck

#5 robocomp - Member (Full Member, 14 posts)

Posted 26 May 2004 - 10:30 PM

I have an F drive and AccountLogon is an automatic account logon program that is legit.

What is happening is my homepage is being hijacked and I cannot get http://cashsearch.biz/redir.php out as my homepage. Thanks.

#6 Charybdis - Member (Full Member, 20 posts)

Posted 26 May 2004 - 10:44 PM

The first thing I would do is run Ad-Aware, Spybot S&D and CWShredder, and see what's left over; updating Norton and scanning your computer wouldn't hurt either. The cascading style sheet (O19 - User stylesheet: C:\WINDOWS\color.css) looks pretty dodgy to me as well, so I would give that a scan with your AV software.
Also open IE -> Tools -> Internet Options -> Accessibility and take the tick out of "Format my documents using my style sheet".

Edited by Charybdis, 26 May 2004 - 10:56 PM.


#7 hobb64 - Member (Full Member, 13 posts)

Posted 26 May 2004 - 10:59 PM

hey, you are in serious luck (for $50 I suppose I am too ;) )

I just resolved the exact same problem:

Go to start>run and type regedit. Press enter.

Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Highlight
ShellServiceObjectDelayLoad
in the left pane
Look in the right pane for this item:

system

Right click on System and choose delete from the menu.

Restart the computer.

Close all windows and have hijackthis fix the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php


Do a search for and delete file system32.dll

Download ad-aware here -> http://fileforum.bet...3?fid=965718306

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

From main window: Click "Start" then "Activate in-depth scan"

then......

click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

Click the "Tweak" button.

Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"

Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Next" button.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu), then press Next and then say yes to the prompt "do you want to remove all these entries".





there ya go, I can't take full credit for that, but 50 bones is always a good thing.
also.. glad to help ;)

#8 calicbr - Member (Full Member, 41 posts)

Posted 27 May 2004 - 12:14 AM

I am fighting the same problem, my post is here: http://www.spywarein...?showtopic=2417
I don't have the $50 but can you help me out?

#9 Kevin_b_er - Gliding through the clutter (Retired Staff - Helper, 36 posts)

Posted 27 May 2004 - 12:19 AM

hobb64 has given advice, but provide, please, a new HijackThis log after you've finished.

Also, if you feel $50 is really worth solving it, when we work for free, go to here: http://www.spywareinfo.com/support.php and make a donation to spywareinfo.com.

I'd assume that each post merits the same effort, whether $0.02 is offered, or $200. All the work is pro-bono just the same.

Edited by Kevin_b_er, 27 May 2004 - 12:21 AM.


#10 calicbr - Member (Full Member, 41 posts)

Posted 27 May 2004 - 12:59 AM

I have followed hobb64's instructions, but I still can not post my log files to this site.

#11 hobb64 - Member (Full Member, 13 posts)

Posted 27 May 2004 - 01:02 AM

I have followed hobb64's instructions, but I still can not post my log files to this site.


Those were directed at robocomp. It seems you have something different going on as well.

#12 calicbr - Member (Full Member, 41 posts)

Posted 27 May 2004 - 01:08 AM

Only one person posted in my topic, so I am trying to piece together a complete fix.

#13 calicbr - Member (Full Member, 41 posts)

Posted 27 May 2004 - 01:32 AM

hobb64, can you take a look at my post, I am still having problems???
http://www.spywarein...?showtopic=2417

#14 robocomp - Member (Full Member, 14 posts)

Posted 28 May 2004 - 09:09 PM

I appreciate the help and followed hobb64's instructions and the sex page was removed; however the about:blank is still hijacking my homepage and I need to resolve this before the problem is totally solved. Here is the current HijackThis logfile. I tried to fix the about:blank line in HijackThis, to no avail. Thanks


Logfile of HijackThis v1.97.7
Scan saved at 9:05:58 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Antivirus\Norton Personal Firewall 2003\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Antivirus\Norton Personal Firewall 2003\ccPxySvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Antivirus\NAV2003\navapsvc.exe
C:\Antivirus\NAV2003\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodManager.exe
F:\Utilities\AccountLogon\AccountLogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe
F:\Utilities\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B0FBB41-C9ED-42AC-9455-CDF9CC0023F1} - c:\windows\system32\fabple.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll
O2 - BHO: (no name) - {EB9B0E42-9127-47C5-B610-B5D79610CAAD} - c:\windows\system32\leobej.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ANTIVI~1\NAV2003\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\Documents and Settings\Christopher Milne\Desktop\msstasks.exe /u
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-christopher milne.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: AccountLogon (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7969.7170949074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab

#15 Scifience - Member (Full Member, 3 posts)

Posted 28 May 2004 - 09:47 PM

You still have quite a few nasties.

Fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1B0FBB41-C9ED-42AC-9455-CDF9CC0023F1} - c:\windows\system32\fabple.dll (file missing)
O2 - BHO: (no name) - {EB9B0E42-9127-47C5-B610-B5D79610CAAD} - c:\windows\system32\leobej.dll
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab

When you have done this, restart your computer, open Internet Explorer, choose Tools, Internet Options, and change your homepage to something other than about:blank. Then click Apply, then OK. Close Internet Explorer and re-open it. This should fix your issue. :)
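The entries Scifience lists, together with the cashsearch.biz lines from the first log, are the same handful of patterns every log in this thread shows. As an added example (not code from the thread or from any poster), this Python script applies those patterns to HijackThis 1.97-style lines: a start page on a known hijacker host, res:// search redirects marked (obfuscated), the HomeOldSP = about:blank marker, unnamed or missing System32 BHOs, autoruns from profile folders or without a drive letter, rewritten O13 prefixes and an O19 user stylesheet. The known-bad host set and the profile-folder heuristic are my assumptions, and the sample lines are constructed in the format of the posted logs.

```python
"""Offline triage of HijackThis-style log lines for the CoolWebSearch-type
indicators discussed in the thread. Added example, not the forum's own tooling."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the landing host named in the thread is treated as known-bad.
KNOWN_BAD_HOSTS = {"cashsearch.biz"}

R_LINE = re.compile(r"^(R[01]) - (HK[CL][UM])\\(.+?),([\w ]+) = (.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_LINE = re.compile(r"^O4 - (HK[CL][UM])\\\.\.\\Run: \[(.+?)\] (.*)$")
PREFIX_LINE = re.compile(r"^O13 - (Home|Mosaic) Prefix: (.*)$")
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)
HAS_DRIVE = re.compile(r"^[A-Za-z]:\\")
# Assumption: autoruns launched from these per-user folders deserve a look.
PROFILE_DIRS = ("\\application data\\", "\\desktop\\", "\\local settings\\temp\\")


def classify(line: str) -> Optional[str]:
    """Return a reason if the log line looks like a hijacker artefact, else None."""
    line = line.strip()

    m = R_LINE.match(line)
    if m:
        name, value = m.group(4), m.group(5)
        if "(obfuscated)" in value or value.lower().startswith("res://"):
            return f"{name} redirected through a res:// DLL resource"
        if name == "HomeOldSP" and value.lower() == "about:blank":
            return "HomeOldSP = about:blank marker left by the about:blank hijacker"
        host = urlparse(value).hostname
        if host and host.lower() in KNOWN_BAD_HOSTS:
            return f"{name} points at known hijacker host {host}"
        if name == "Local Page" and value.lower().startswith("http"):
            return "Local Page should be a local file, not a web URL"
        return None

    if line == "R3 - Default URLSearchHook is missing":
        return "default URLSearchHook removed, typical collateral of a search hijack"

    m = BHO_LINE.match(line)
    if m:
        name, _clsid, path = m.groups()
        if path.endswith("(file missing)"):
            return "BHO registered but its DLL is gone (orphaned hijacker entry)"
        if name == "(no name)" and SYSTEM32_DLL.search(path):
            return "unnamed BHO loading a DLL from System32 (CWS pattern)"
        return None

    m = RUN_LINE.match(line)
    if m:
        _hive, entry, cmd = m.groups()
        exe = cmd.lstrip('"')
        if not HAS_DRIVE.match(exe):
            return f"autorun [{entry}] has no drive letter; it resolves against the current drive root"
        if any(d in exe.lower() for d in PROFILE_DIRS):
            return f"autorun [{entry}] launches from a user profile folder"
        return None

    m = PREFIX_LINE.match(line)
    if m and not m.group(2).lower().startswith("http://"):
        return f"{m.group(1)} Prefix rewritten to a local file (default is http://www.)"

    if line.startswith("O19 - User stylesheet:"):
        return "user stylesheet configured; rarely set legitimately, used to inject page content"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line and return (line, reason) pairs for hits."""
    findings = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


# Constructed sample in the format of the posted logs: a mix of hits and benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll
O2 - BHO: (no name) - {1B0FBB41-C9ED-42AC-9455-CDF9CC0023F1} - c:\windows\system32\fabple.dll (file missing)
O2 - BHO: (no name) - {EB9B0E42-9127-47C5-B610-B5D79610CAAD} - c:\windows\system32\leobej.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\User\Application Data\urpo.exe
O13 - Home Prefix: c:\searchpage.html?page=
O19 - User stylesheet: C:\WINDOWS\color.css
"""

if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"[!] {why}\n    {hit}")
```

Running it on the sample prints ten findings and stays silent on the Norton BHO and the two legitimate Run entries; paste a real log into SAMPLE_LOG to triage it the same way.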

#16 shadowwar - Forum Deity (Global Moderator, 1,361 posts)

Posted 29 May 2004 - 08:13 AM

That's not going to work..
It will come back

Please download this:

http://tools.zerosrealm.com/dllfix.exe

install it to the desktop.

go into the folder and double click the start.bat

run an option 1 find-all report please.

post it here



#17 Nighty - Member (New Member, 2 posts)

Posted 29 May 2004 - 08:35 AM

SP.Html-Cleaner

#18 shadowwar - Forum Deity (Global Moderator, 1,361 posts)

Posted 29 May 2004 - 08:41 AM

thanks nighty. I have tested that and had a lot of problems with it crashing and not working.



#19 Nighty - Member (New Member, 2 posts)

Posted 29 May 2004 - 08:47 AM

I had the same problem and could remove it with that

#20 shadowwar - Forum Deity (Global Moderator, 1,361 posts)

Posted 29 May 2004 - 08:57 AM

well you were a lucky one.
:)



#21 robocomp - Member (Full Member, 14 posts)

Posted 29 May 2004 - 10:33 AM

I have tried HijackThis and although it removes some things you suggest, it will not remove about:blank or the obfuscated ones. Thanks for the help. Any other suggestions? Thanks




Logfile of HijackThis v1.97.7
Scan saved at 10:31:37 AM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Antivirus\Norton Personal Firewall 2003\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Antivirus\Norton Personal Firewall 2003\ccPxySvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Antivirus\NAV2003\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Antivirus\NAV2003\AdvTools\NPROTECT.EXE
C:\Program Files\VVSN\VVSN.exe
F:\Utilities\AccountLogon\AccountLogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
F:\Utilities\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BC102126-EE42-4CAF-A6AC-E7B7ECFFDA9E} - c:\windows\system32\leobej.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ANTIVI~1\NAV2003\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\Documents and Settings\Christopher Milne\Desktop\msstasks.exe /u
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-christopher milne.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: AccountLogon (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7969.7170949074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab

#22 Scifience - Member (Full Member, 3 posts)

Posted 29 May 2004 - 05:08 PM

Don't try to remove about:blank with HijackThis. Just change the homepage the normal way.

#23 Mad Max - SWI Junkie (Full Member, 304 posts)

Posted 29 May 2004 - 06:35 PM

The only one responding that knows what he is doing told you what to do.
Take a minute and see Shadowwar's response.
Mad Max

#24 robocomp - Member (Full Member, 14 posts)

Posted 30 May 2004 - 11:02 AM

here it is: thanks



--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sun 05/30/2004
11:01 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
F: "DRIVE F" (07F7:3139) - FS:FAT clusters:32k
Total: 80 004 153 344 [75G] - Free: 58 812 989 440 [55G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLLEK.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLLEK.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC102126-EE42-4CAF-A6AC-E7B7ECFFDA9E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{EA39FA77-E2AC-4153-B632-B2BAABC1A972}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{EA39FA77-E2AC-4153-B632-B2BAABC1A972}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#25 shadowwar - Forum Deity (Global Moderator, 1,361 posts)

Posted 30 May 2004 - 12:47 PM

OK, run start.bat again.
This time select option 2, then option 2.

It will perform a bunch of things.

Then at the end it will reboot.

After the reboot, upon startup of Windows a second thing will run.

It should clean most of the hijacker.

Please post the logs.txt it generates at the end. It will be in the dllfix folder if it doesn't open automatically.

Post that along with a new findall report and a hijackthis log.

So:
logs.txt
find-all report
hijackthis log.



#26 robocomp - Member (Full Member, 14 posts)

Posted 30 May 2004 - 05:26 PM

Got nothing but a bunch of error messages both before and after reboot. Your program did not work... thanks for the effort though

#27 robocomp - Member (Full Member, 14 posts)

Posted 30 May 2004 - 05:30 PM

There was no find-all report.




CWSDLL/Searchx Appinit Fix By Shadowwar
Version 2.00 052804
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Sun 05/30/2004
05:19 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text

#28 robocomp - Member (Full Member, 14 posts)

Posted 31 May 2004 - 12:43 AM

Have tried in safe mode and cannot remove it either. Keeps popping up in Norton AntiVirus and it will not remove it. It is a backdoor keystroke virus and I need to remove it. It is in the Windows system32 folder. Thanks

#29 robocomp - Member (Full Member, 14 posts)

Posted 31 May 2004 - 01:33 AM

Can't remove lsd_f3.dll. It is in the Windows system32 folder. Even tried in safe mode and it says other programs are running and won't shut it down. Any suggestions? This should be an easy one for you guys. This is a trojan virus that records keystrokes. Thanks

#30 shadowwar - Forum Deity (Global Moderator, 1,361 posts)

Posted 31 May 2004 - 06:28 AM

OK, I had a bug that I fixed in it. Please post a find-all report.
It should have cleared most, but we may need to add back the reg entries.

Also post a hijackthis log.



#31 cnm - Mother Lion of SWI (Administrators, 25,317 posts)

Posted 25 March 2005 - 03:31 PM

Closing this really old topic.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
