Hijacked by here4search.com

24 replies to this topic

#1 Unsprung (Full Member, 12 posts)
Posted 17 May 2004 - 03:55 AM

My start page was hijacked by here4search.com about two weeks ago. Since then I cannot stop the popups and constant security alerts from Norton, which has fortunately blocked my computer from connecting "to a local computer using Sokets de Trois V1. trojan horse." I ran spybot, then adware, but still my start page remains hijacked.

So next I ran HijackThis. Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 4:53:02 AM, on 5/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\PARSONS TECHNOLOGY\FAMILY ORIGINS\FOWIN32.EXE
C:\WINDOWS\START MENU\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=131
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E5B2AA55-D394-4d51-BD6D-5D03385AF186} - C:\WINDOWS\SYSTEM\HK5SDFGSKJ.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [XRAHNBISGWKEVTG] C:\WINDOWS\UBTRESTYPUWQOY.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab

#2 Quinstar (Retired Staff, 249 posts)
Posted 17 May 2004 - 04:23 AM

Hi and welcome to the forum...

You have a CoolWebSearch infection...

Please download CWShredder from http://www.spywarein.../cwshredder.zip and run the program. Press the "Fix" button and let it fix all variants.


You need to place HiJackThis in its own permanent folder, because if it's placed in the root (C:\) folder, it could become a complete mess because of the backups...
Place it in a folder, for example: C:\HiJackThis\HiJackThis.exe
This way it can store backups to fix anything at a later stage if something seems to be broken...


Next, close all browsers and programs except for HiJackThis, scan if you have not already done so, tick the following entries, and do not hit Fix until I say so:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E5B2AA55-D394-4d51-BD6D-5D03385AF186} - C:\WINDOWS\SYSTEM\HK5SDFGSKJ.DLL

O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR

O4 - HKCU\..\Run: [XRAHNBISGWKEVTG] C:\WINDOWS\UBTRESTYPUWQOY.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab


After this, you can also add the following entries... By fixing them you will shorten boot-up time and free up resources... Doing this will not harm your programs, and they will still be able to start manually via the Start button...

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Now hit fix...

Reboot and delete the next file:
C:\WINDOWS\UBTRESTYPUWQOY.exe

Use the Windows built-in search option (Start > Search) to search for this file:
WINLODR.SCR
Delete it when found...
Probably in the C:\Windows or C:\Windows\System32 folder...

Now post a fresh log...


Good Luck...
To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#3 Unsprung (Full Member, 12 posts)
Posted 17 May 2004 - 11:49 PM

Thank you so much for your help; however, I did not get very far. I downloaded the shredder. Upon trying to open the shredder, I received a message that said that the requested program could not be opened because it is not a valid font file.
Peter


#4 Quinstar (Retired Staff, 249 posts)
Posted 18 May 2004 - 04:01 AM

Hi... Me again...

Hmmm, that's strange, never heard of that error before...
Try downloading it from here...
Click the link and hit save...
On the left pane, select your desktop...
Hit save again...
Don't rename the file...
Here it is: CWShredder...
Double click it to launch it...

Let's see if this works...


#5 Unsprung (Full Member, 12 posts)
Posted 19 May 2004 - 02:36 AM

I VERY much appreciate your assistance. The good news is that I was able to install and run CW Shredder from your link. Thanks. The bad news is that I remain hijacked. Here is what I did:

Ran CWShredder, clicking the Fix button (looked successful)
Installed the windows patch as suggested in the software.
Rebooted my machine.
Changed my start page to what I wanted (FYI yahoo news).
Rebooted my machine
Got hijacked to http://here4search.com/hp.htm?id=131
Ran Hijackthis again
My log is as follows:


Logfile of HijackThis v1.97.7
Scan saved at 3:26:28 AM, on 5/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=131
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\T9YCSIT9AT0C.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab

#6 Quinstar (Retired Staff, 249 posts)
Posted 19 May 2004 - 04:45 AM

Hi...

I think you forgot a long part of the fix...

Close all programs and browsers again, open HiJackThis and tick the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=131

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\T9YCSIT9AT0C.DLL

O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR

O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab


After this, you can also add the following entries... By fixing them you will shorten boot-up time and free up resources... Doing this will not harm your programs, and they will still be able to start manually via the Start button...

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Now hit fix...

Next, could you check this file:
C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE

Right-click on sysstartup.exe in your Explorer and click Properties...

Post me any relevant information you can find in there...
Do you know what it is? Is it a program you installed?
Let me know...

Now reboot and delete this file:
C:\WINDOWS\XRUPSXEBAV.exe


Now post me a fresh log... Tell me if you are still having problems...



Good luck...


#7 Unsprung (Full Member, 12 posts)
Posted 20 May 2004 - 12:34 AM

OK, let me tell you what I did.

I fixed (deleted) all of the files that you listed except one that I could not find:

O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe

I found C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE in Windows Explorer and right-clicked on Properties as you requested and looked for relevant info, but I'm not sure what info you think is relevant, so I noted the following:
TYPE: Application
SIZE: 3.0KB
CREATED: May 18, 2004
ACCESSED: May 20, 2004
ATTRIBUTES: Archive

(I do not recognize this, but that doesn't mean much. I do not remember installing anything two days ago.)

(BTW: When I do an Alt/Control/Delete to get the list of programs running, the list is very long and I'm not sure what most of it is.)

Then I rebooted and searched for C:\WINDOWS\XRUPSXEBAV.EXE as you suggested but did not find it there. I did a global search of the whole C drive for XR*.* but found nothing.

While I was doing this, I got an impressive-looking message from Norton AntiVirus that it could not repair C:\WINDOWS\22.exe because it was infected with Trojan.Bookmarker.1, so I quarantined that file (never saw that message before).

Then I got a message (I think it is my Norton firewall application, but I'm no computer guy) that said that PUSBJBQXUDX.EXE was attempting to access the internet and did I want to allow or block this from happening, so I blocked it. I figured some part of CoolWeb was trying to contact its people.

Then I got a message saying that PUSBJBQXUDX.EXE performed an illegal operation and was shutting down, so I closed it for the same reason.

Then I changed my start page back to yahoo news and rebooted.

I actually got Yahoo News this time but also got a message saying that BAOUTJ had performed an illegal operation and will be shut down, so I closed it.

What's going on?

Then I ran HijackThis with all applications shut down except this window itself. Here is the log:


Logfile of HijackThis v1.97.7
Scan saved at 1:28:03 AM, on 5/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=131
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab

#8 Unsprung (Full Member, 12 posts)
Posted 20 May 2004 - 12:58 AM

PS: I got another security alert from Norton, which has apparently blocked my computer from connecting "to a local computer using Sokets de Trois V1. trojan horse."

PPS: I'm still hijacked. My start page is once again http://here4search.com/hp.htm?id=131

#9 Quinstar (Retired Staff, 249 posts)
Posted 20 May 2004 - 01:24 PM

Hi...

Read the full post first...
After that, print it out since you need to do a lot offline...

Do you see the pattern between these 4 files?

O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe
O4 - HKCU\..\Run: [XRAHNBISGWKEVTG] C:\WINDOWS\UBTRESTYPUWQOY.exe
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe
And remember the notification from Norton about this file: PUSBJBQXUDX.EXE

They are all completely random...

Now for your fix:
Reboot and go into safe mode by tapping f8 during boot-up..

Then Run CWShredder again...
After it's finished, open HiJackThis, and tick these entries (wait with hitting the fix button):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=131

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE


In your last log, this was the bad file:
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe
But in the new log you made it could have transformed again...
Just look for a similar entry with lots of random letters... Tick it too...

Now, hit Ctrl+Alt+Del to bring up the task manager (or Ctrl+Shift+Esc)
Look through the processes to see if that file is listed... If so, right-click it and end the process...
Now hit fix...

Try to delete that last random file if you can find it...
The bold text in the example tells you where you need to look for it...
Maybe you need to make hidden files visible:

Windows 98
Open My Computer.
Select the View menu and click Folder Options.
Select the View Tab.
In the Hidden files section select Show all files.
Click OK


Now reboot...

Go back online and visit these pages:

Online Virus Scanner:
Go to TREND MICRO’s free online virus scanner
http://housecall.tre.../start_corp.asp
and deal with it there.


Here's an online Trojan scan:
Click yes when you get prompted...
http://www.trojansca.../trojanscan.htm
And do what they ask...


Reboot once more and post me a fresh log..
If in anyway, you do not understand my instructions, come back and ask me what I need to explain more...


Good Luck...

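The pattern Quinstar points out above (an autostart value with a random-looking name launching a random-looking .exe in C:\WINDOWS, re-created under a new name after every reboot) and the entries picked out of the first log in post #2 (hijacker start/search URLs, an unnamed BHO, a .scr in the Run key, an ActiveX control fetched from a bare IP) can be checked mechanically. The script below is an added example written for this thread; it is not HijackThis, CWShredder or anything the forum published. It assumes Python 3.8+; the scoring thresholds, the severity labels and the BAD_DOMAINS list (seeded with the two hijacker hosts named in this thread) are the example's own choices, and the two sample logs are constructed excerpts of the 5/19 and 5/20 logs posted above, with the forum's truncated URLs ("...") kept exactly as they appear.

```python
"""Triage helper for HijackThis v1.9x logs (added example, not the forum's tool).

Parses R0/R1/O2/O4/O16 lines, scores each O4 autostart for the machine-generated look
discussed in the thread, and diffs two scans so a loader re-created under a new random
name stands out.  The sample logs are constructed excerpts of the thread's 5/19 and 5/20
logs; the forum's truncated URLs ("...") are kept exactly as posted.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# IP alternative first, so "207.188.7.150...ip" reads as a bare IP, not a host name.
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?(" + IP_RE.pattern + r"|[A-Za-z0-9.-]+\.[A-Za-z]{2,})")
BAD_DOMAINS = {"windowws.cc", "here4search.com"}  # hijacker hosts named in the thread (assumption)
VOWELS = set("AEIOUY")                            # Y as a vowel keeps "SystemTray" quiet

def parse(log_text):
    """Keep the R*/O* entries of a log, in order."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [Entry(m.group("section"), m.group("body")) for m in matches if m]

def exe_of(cmd):
    """Base name of the program an O4 value launches (quotes and arguments stripped)."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)).split("\\")[-1]

def longest_consonant_run(word):
    run = best = 0
    for ch in word.upper():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def randomness_score(name, exe):
    """0..3: +1 name is 8+ bare capitals, +1 name has a run of 4+ consonants,
    +1 the executable's stem is 8+ bare capitals (thresholds are this example's)."""
    stem = exe.rpartition(".")[0] if "." in exe else exe
    return sum((bool(re.fullmatch(r"[A-Z]{8,}", name)),
                longest_consonant_run(name) >= 4,
                bool(re.fullmatch(r"[A-Z]{8,}", stem))))

def host_of(text):
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else ""

def triage(entries):
    """(severity, reason, entry) for every entry that deserves a second look."""
    out = []
    for e in entries:
        if e.section in ("R0", "R1"):
            host = host_of(e.body.split("=", 1)[-1])
            if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
                out.append(("high", "IE start/search value points at a hijacker domain", e))
            elif "ProxyServer" in e.body and "localhost" in e.body:
                out.append(("review", "browser traffic routed through a local proxy", e))
        elif e.section == "O2" and "(no name)" in e.body:
            out.append(("review", "unnamed Browser Helper Object", e))
        elif e.section == "O4" and (m := O4_RE.match(e.body)):
            exe = exe_of(m.group("cmd"))
            score = randomness_score(m.group("name"), exe)
            if score >= 2:
                out.append(("high", f"random-looking autostart (score {score}/3)", e))
            if exe.lower().endswith(".scr"):
                out.append(("high", "screensaver file registered as an autostart", e))
        elif e.section == "O16" and IP_RE.fullmatch(host_of(e.body)):
            out.append(("review", "ActiveX control fetched from a bare IP address", e))
    return out

def diff(old, new):
    """Entries that appeared in, and vanished from, the newer scan."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

# Constructed samples: abbreviated excerpts of the thread's 5/19 and 5/20 logs.
LOG_MAY19 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\T9YCSIT9AT0C.DLL
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
"""
LOG_MAY20 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe
"""

if __name__ == "__main__":
    old, new = parse(LOG_MAY19), parse(LOG_MAY20)
    for sev, why, e in triage(new):
        print(f"[{sev:>6}] {why}: {e.section} - {e.body}")
    print("appeared / vanished since 5/19:", diff(old, new))
```

Run against the two excerpts, the 5/20 scan yields three findings (the windowws.cc start page, the localhost proxy, and the TRCYQTNKKGP loader at 3/3), and the diff shows that the only new entry is that loader while the 5/19 loader, the unnamed BHO, WINLODR.SCR and the RdxIE control are gone. PTSNOOP and the "jopa" SYSSTARTUP entry each score 1 and are not flagged, which matches the thread: neither is obviously random, and the poster had to research them separately. The localhost:8080 proxy is reported as "review" rather than "high" on purpose, since a web accelerator such as the JoiExpress Propel entry in these logs can legitimately install one.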

#10 Unsprung (Full Member, 12 posts)
Posted 23 May 2004 - 07:17 AM

Thank you for staying with me.

Following your directions, I did the following:

Rebooted in safe mode
Ran the shredder again (it seemed to find a few things)

Ran HijackThis

I was unable to find the following that you mentioned:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=131
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=131

I did check the following:
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
but you never told me to get rid of them, so I did not

I did see a clone similar to:
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe

I did a Ctrl+Alt+Del to bring up the task manager. You asked me to "look between the processes if you see that file listed". Not sure what you meant. All I saw listed was Explorer and HijackThis, so I did nothing.

I went into Windows Explorer and deleted the random file that I found listed in HijackThis, along with one other that looked nearly the same (another .exe file with random letters)

I rebooted.

I ran the online Virus Scanner at http://housecall.tre.../start_corp.asp
It found nothing.

I ran the trojan scanner at http://www.trojansca.../trojanscan.htm
It did not find anything either

I rebooted and ran HijackThis. The log is printed below.

I also did something on my own. I did an Alt-Control-Delete and looked at the tasks that were running. A lot of what I saw did not look familiar, but I'm not particularly computer savvy, so that does not mean much. The file called PTSNOOP caught my eye. It just sounded odd, so I googled it. In short, it may be a Trojan, but some say it is OK and that Backdoor.Ptsnoop, or something like that, is a Trojan. I copied down some info if you are interested:

Troj/Ptsnoop is a backdoor Trojan. It copies itself to \windows\system\ptsnoop.exe and changes win.ini adding 'c:\windows\system\ptsnoop.exe' to 'load = '.
http://www.computing...forum/1754.html
http://us.mcafee.com...&virus_k=100820

I went into Windows Explorer and searched on *snoop*.*
I found three files and was able to delete two, but not the .exe file.
My start page has not been hijacked in the last few hours, nor have I had popups that got past my popup blocker. Not sure I did anything permanent, however.

Peter

Here is my recent log:


Logfile of HijackThis v1.97.7
Scan saved at 8:16:04 AM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [XYDYRKRRXGLHWKH] C:\WINDOWS\JXJUUUUKYPTPUT.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
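The Sophos description Peter quotes gives two indicators for Troj/Ptsnoop: a copy of the file at \windows\system\ptsnoop.exe and that path on the load= line of win.ini. The Python below is an added example written for this page, not code from the thread or from any vendor tool. It parses the [windows] section of a win.ini and reports which of the two indicators match; the win.ini text and the list of files on disk are constructed for the demonstration, and the caller is assumed to supply the real file list (for instance from a directory walk). Note that the ptsnoop.exe in Peter's process list is C:\WINDOWS\ptsnoop.exe, a different path from the one in the description, and the check treats the two paths differently.

```python
from typing import Dict, List

# Constructed win.ini fragment in the Win9x [windows] section layout. The load= line carries
# the path the Sophos description quoted in this thread gives for the Trojan copy. It is not
# Peter's real win.ini; that file was never posted.
WIN_INI = r"""
[windows]
load=c:\windows\system\ptsnoop.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Path from the Troj/Ptsnoop description quoted in the thread
# ("copies itself to \windows\system\ptsnoop.exe"), compared case-insensitively as a suffix.
TROJ_PTSNOOP_SUFFIX = r'\windows\system\ptsnoop.exe'


def autostart_from_win_ini(text: str) -> Dict[str, List[str]]:
    """Programs named on the load= and run= lines of the [windows] section of a win.ini.
    Both lines may list several programs separated by spaces or commas. Assumption: Win9x-era
    entries are 8.3 paths without embedded spaces, so splitting on whitespace is safe."""
    section = None
    found: Dict[str, List[str]] = {'load': [], 'run': []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                               # blank line or comment
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()   # new section header
            continue
        if section != 'windows' or '=' not in line:
            continue                               # only [windows] load=/run= matter here
        key, _, value = line.partition('=')
        key = key.strip().lower()
        if key in found:
            found[key] = value.replace(',', ' ').split()
    return found


def ptsnoop_indicators(win_ini_text: str, files_on_disk: List[str]) -> List[str]:
    """Which of the two indicators from the description are present: a load=/run= entry
    pointing at the Trojan's path, and the file itself at that path. A ptsnoop.exe in any
    other directory (such as the Windows directory itself) is a different path and is
    not reported."""
    hits: List[str] = []
    for key, programs in autostart_from_win_ini(win_ini_text).items():
        hits += [f'win.ini {key}= starts {p}' for p in programs
                 if p.lower().endswith(TROJ_PTSNOOP_SUFFIX)]
    hits += [f'file present: {f}' for f in files_on_disk
             if f.lower().endswith(TROJ_PTSNOOP_SUFFIX)]
    return hits


if __name__ == '__main__':
    # Constructed file list: the path from Peter's log plus the path from the description.
    for hit in ptsnoop_indicators(WIN_INI, [r'C:\WINDOWS\ptsnoop.exe', r'C:\WINDOWS\SYSTEM\PTSNOOP.EXE']):
        print(hit)
```

Both load= and run= are checked even though the description only names load=, because either line starts a program at logon on Windows 9x; an empty result means neither indicator from the description is present, not that the machine is clean.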

#11 Dore
Advanced Member (Retired Staff - Helper), 215 posts
Posted 23 May 2004 - 07:26 AM

Forgot I'm not supposed to post here, ignore this post.

Edited by Dore, 23 May 2004 - 07:27 AM.

The Basics
Ad-aware Spybot S&D Hijack This

Free Scan
Housecall Anti Virus Panda Anti Virus Trojan Scan

The Specifics
CWShredder CWS Smart Killer Removal L2M 2k Xp L2M 98 ME
Peper Uninstaller

I don't just cook malware, I friggin flash fry the sucker. You know what I mean?

#12 Quinstar
Advanced Member (Retired Staff), 249 posts
Posted 23 May 2004 - 01:09 PM

Hi... Me again...
Read the whole post first so you know what to do... And maybe print it out to be sure...

O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe
O4 - HKCU\..\Run: [XRAHNBISGWKEVTG] C:\WINDOWS\UBTRESTYPUWQOY.exe
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe
And remember the notification from Norton about this file: PUSBJBQXUDX.EXE

These were the random lines the last time... In your last log, it was this one:
O4 - HKCU\..\Run: [XYDYRKRRXGLHWKH] C:\WINDOWS\JXJUUUUKYPTPUT.exe


Now, I've seen that in the logs it's ALWAYS the last O4...
Example of your last log:

Example

Logfile of HijackThis v1.97.7
Scan saved at 8:16:04 AM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [XYDYRKRRXGLHWKH] C:\WINDOWS\JXJUUUUKYPTPUT.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

So it will be the last O4 in your next log too..
This is what you need to do:
Open HiJackThis, hit scan...
When the scan is done, save the log first... Close the log... HiJackThis will still be open... If not, open again and scan again...
Now, look at the last O4 in the new HiJackThis-list...
It will be a completely random one too like the last log, only different letters
(Look in the example of your last log... I made the random entry Bold...)
In the new scan, tick that random entry, the last O4...
Also, tick these two:
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
(They are both the same, but are visible twice in the log...)
Now, close this browser, and hit fix in HiJackThis (be sure you have ticked the Last O4... Our random file, the baddie)

Now, reboot

Post me the log that you saved, tell me the name of the random file I asked you to fix...(In the example of your last log, I made the name purple... That's what you need to note down from the random entry I asked you to fix) AND post me a FRESH log that you made AFTER the reboot...


Good Luck...

If anything is unclear, feel free to ask...

Edited by Quinstar, 23 May 2004 - 01:18 PM.

To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#13 Unsprung
Member (Full Member), 12 posts
Posted 23 May 2004 - 09:40 PM

Thanks again. I really appreciate your help and patience. Here is what I did:

I closed all windows, opened Hijackthis, ran a scan, and saved the log. it looked like this:

Logfile of HijackThis v1.97.7
Scan saved at 10:10:22 PM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [XYDYRKRRXGLHWKH] C:\WINDOWS\JXJUUUUKYPTPUT.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Next, I closed the log, ticked the last O4 (which did look random again as you suspected) as well as the two sysstartup.exe files. Then I ran a fix and deleted those files. Then I made a log. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 10:19:53 PM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

I'm not sure if we are done, but we seem to be getting very close, if we are not there already. It has been 24 hours since I was last hijacked. There have been no attacks on my machine, no popups getting past my popup blocker, and no Norton messages that it blocked my computer from connecting "to a local computer using Sokets de Trois V1. trojan horse."

So I have 5 questions for you:
1) So what was it? The CW trojan, Sokets de Trois V1. trojan, and/or what about the ptsnoop.exe file? You never commented about that.
2) How do I keep from getting reinfected?
3) Why do you do what you do? Are you just a nice guy who takes pity on schlomozels like me? This site was a godsend.
4) How does your site stay in business? Will it continue to do so?
5) I am really pissed off at the #$%& guys who infected my computer. I would like to do something - politically - since I cannot identify them. Or can I? What about the people behind the here4search.com website? Maybe I should write my Congressman or something. What do you suggest?

Peter


#14 Quinstar
Advanced Member (Retired Staff), 249 posts
Posted 24 May 2004 - 04:01 AM

Hi...

Yes, we are done... :D
You're clean again...
I'm glad that last one did it since I was beginning to worry... :)
Now for some answers:

1) So what was it? The CW trojan, Sokets de Trois V1. trojan, and/or what about the ptsnoop.exe file? You never commented about that.

I have actually no idea what it was... There are a lot of infections that have a name, but even more that don't have a name... This one doesn't...
Yet, we only find them because we strike out the known legit programs from the logs, and the infections are the ones that are left behind at the end of the examination...
How to fix it depends on how smart the programmer was...
As for your ptsnoop.exe...
Go here
Hit Ctrl+F, type Ptsnoop.exe and hit find
You'll see a number of descriptions on the right-hand side...
One of them is indeed a Trojan...
But if you remember right, I made you go here: Online Trojan Scan
So that couldn't be the one... Hence it was the legit one...


2) How do I keep from getting reinfected?


Read this:

Protection after fix... These are recommendations...
download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies...
http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all...
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates...

And also see:
So how did I get infected in the first place?


3) Why do you do what you do? Are you just a nice guy who takes pity on schlomozels like me? This site was a godsend.


I do it because I like it... I like helping people, I like working with computers, and every time I come across a new kind of infection I have to look up information, and that way I keep learning new things...
I have learned tons the last 4 months I was in here...


4) How does your site stay in business? Will it continue to do so?


We have a donation site where victims sometimes donate money because of the fine help we gave them... It doesn't matter how much they donate, but the fact people donate keeps us alive...
If you look at my signature at the bottom of every reply I made, you will find a clickable link... That's how I kindly ask people for their support...


5) I am really pissed off at the #$%& guys who infected my computer. I would like to do something - politically - since I cannot identify them. Or can I? What about the people behind the here4search.com website? Maybe I should write my Congressman or something. What do you suggest?


This is the hardest question...
Hijacks are like viruses... It's very hard to find the programmer... And since hijacks aren't forbidden everywhere (as far as I know), people are almost free to launch those things...
Yet, there have been plenty of people who want to stop these programmers, so who knows, maybe one day they will start punishing those evil people...


I hope I was clear enough in every way in my answers...
If not, come back and ask again... :)



Happy Surfing...

Edited by Quinstar, 24 May 2004 - 04:04 AM.

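Quinstar's procedure in post #12 (find the randomly named HKCU Run entry, which carries a different name in every scan and is always the last O4 line) and the explanation in post #14 (strike out the known-legit programs and look at what is left) can both be run mechanically against a saved HijackThis log. The Python below is an added example written for this page; it is not HijackThis code and was not posted in the thread. The two log excerpts are constructed from the O4 lines quoted in the thread rather than copied from a full log, the KNOWN_GOOD allowlist is an assumption built from the entries the helper left alone, and the "eight or more capital letters, file directly in C:\WINDOWS" rule is a heuristic that fits this particular infection, not a general malware test.

```python
import ntpath
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed log excerpts in HijackThis 1.97 format, modelled on the O4 lines quoted in this
# thread. LOG_A stands in for the earlier scan with three random HKCU entries, LOG_B for the
# 23 May 08:16 scan. Neither is a verbatim copy of a posted log.
COMMON = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
"""
LOG_A = COMMON + r"""O4 - HKCU\..\Run: [TDNKWPDBAFJ] C:\WINDOWS\XRUPSXEBAV.exe
O4 - HKCU\..\Run: [XRAHNBISGWKEVTG] C:\WINDOWS\UBTRESTYPUWQOY.exe
O4 - HKCU\..\Run: [TRCYQTNKKGP] C:\WINDOWS\UDJRORUUYS.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""
LOG_B = COMMON + r"""O4 - HKCU\..\Run: [XYDYRKRRXGLHWKH] C:\WINDOWS\JXJUUUUKYPTPUT.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""


class Entry(NamedTuple):
    hive: str   # HKLM or HKCU
    key: str    # Run, RunServices, RunOnce ...
    name: str   # registry value name, shown in [brackets] by HijackThis
    cmd: str    # command line stored in that value


O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def parse_o4(log: str) -> List[Entry]:
    """O4 (registry autostart) entries of a HijackThis log, in the order the log lists them."""
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [Entry(**m.groupdict()) for m in matches if m]


def exe_path(cmd: str) -> str:
    """First executable token of a Run value: the quoted path, or the text before the first switch."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r' [/-]', cmd, maxsplit=1)[0]


RANDOM_TOKEN = re.compile(r'^[A-Z]{8,}$')


def looks_random(e: Entry) -> bool:
    """Heuristic for the entry that is renamed on every boot in this thread: value name and
    executable stem are both 8+ uppercase letters and the file sits directly in the Windows
    directory. It fits this infection only; a legitimate all-caps name could collide, so use
    it together with leftovers() and diff_o4() rather than on its own."""
    path = exe_path(e.cmd)
    stem = ntpath.basename(path).rsplit('.', 1)[0]
    return (bool(RANDOM_TOKEN.match(e.name))
            and bool(RANDOM_TOKEN.match(stem))
            and ntpath.dirname(path).upper() == r'C:\WINDOWS')


def random_entries(log: str) -> List[Entry]:
    return [e for e in parse_o4(log) if looks_random(e)]


# Assumption: the entries the helper left untouched in this thread are taken as known-good for
# the demonstration. A real allowlist is far larger and keyed on full paths, not value names.
KNOWN_GOOD: Set[Tuple[str, str, str]] = {
    ('HKLM', 'Run', 'SystemTray'), ('HKLM', 'Run', 'NAV Agent'), ('HKLM', 'Run', 'PTSNOOP'),
    ('HKLM', 'Run', 'EM_EXEC'), ('HKLM', 'Run', 'Dcfssvc'), ('HKLM', 'Run', 'StillImageMonitor'),
    ('HKLM', 'Run', 'iamapp'), ('HKLM', 'Run', 'Propel Accelerator'), ('HKLM', 'Run', 'CountrySelection'),
    ('HKLM', 'RunServices', 'ScriptBlocking'), ('HKLM', 'RunServices', 'nisserv'),
    ('HKLM', 'RunServices', 'SchedulingAgent'),
}


def leftovers(log: str) -> List[Entry]:
    """Post #14's method: strike out the known-legit entries and return whatever is left."""
    return [e for e in parse_o4(log) if (e.hive, e.key, e.name) not in KNOWN_GOOD]


def diff_o4(old_log: str, new_log: str) -> Tuple[List[Entry], List[Entry]]:
    """(gone, new) O4 entries between two scans; a value renamed on every boot appears in both lists."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    return [e for e in old if e not in new], [e for e in new if e not in old]


def last_o4(log: str) -> Entry:
    """The entry post #12 tells the user to tick: the last O4 line of the scan."""
    return parse_o4(log)[-1]


if __name__ == '__main__':
    gone, came = diff_o4(LOG_A, LOG_B)
    print('random in LOG_B:', [e.name for e in random_entries(LOG_B)], '| last O4:', last_o4(LOG_B).name)
    print('left after allowlist:', [e.name for e in leftovers(LOG_B)], '| gone:', [e.name for e in gone], '| new:', [e.name for e in came])
```

The three views agree on the same entry: it is the last O4, it matches the random-name rule, it survives the allowlist, and it is the only entry that appeared between the two scans. The jopa/SYSSTARTUP.EXE and regsvr32 lines also survive the allowlist without looking random, which is why the allowlist pass is kept separate from the name heuristic.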

#15 Unsprung
Member (Full Member), 12 posts
Posted 25 May 2004 - 10:57 PM

I don't think that I am out of the woods yet. Although my start page has not been hijacked and there has been a considerable decrease in both alerts from Norton and popups getting past my popup blocker, the latter still occur. It is always the same message from Norton saying that it blocked my computer from connecting "to a local computer using Sokets de Trois V1. trojan horse."

I figured that you would want to view a recent HijackThis log, so I pasted it below.

Peter


Logfile of HijackThis v1.97.7
Scan saved at 11:49:59 PM, on 5/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.starpower.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#16 Quinstar
Advanced Member (Retired Staff), 249 posts
Posted 26 May 2004 - 03:46 AM

Downloading and running 'The Cleaner' from this page should do the trick...

Try it... If it doesn't work, come back...


Greetz...

#17 Unsprung
Member (Full Member), 12 posts
Posted 27 May 2004 - 10:25 PM

Thanks.
I downloaded the file, but when I tried to execute it, I got a similar error to one that I received before that said that the program was not a valid font file. Any ideas?
Peter


#18 Quinstar
Advanced Member (Retired Staff), 249 posts
Posted 29 May 2004 - 02:25 AM

Hi...

Open HiJackThis, tick the next entry, close all other programs including this browser and hit fix:

O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll

Reboot...

now try the program again...


Good Luck...

#19 Unsprung
Member (Full Member), 12 posts
Posted 05 June 2004 - 11:15 PM

Remember me? I have been busy.

I did what you asked and still have the trojan.

I installed the cleaner, but I was unable to execute it. I have been working with another site that assists idiots on more basic problems. It turns out that my WinZip software is corrupted, so I was unable to unzip the cleaner using WinZip. It was suggested to me that I install PowerArchiver and use that to unzip the cleaner. This I did, but when I try to execute the cleaner, the computer gets hung up.

However, the other guy suggested that I follow the instructions for removing the W32.HLLP.DeTroie trojan found at http://securityrespo...lp.detroie.html

I looked that over and I like the fact that the removal instructions come from Norton AntiVirus instead of some weird French site aka the cleaner. A few other thoughts on these removal instructions:
1) I do not think that I am smart enough to follow them.
2) The first half of the instructions is all about how to make Norton do a virus check update. I think that is unnecessary since I get updates all of the time automatically. Norton does not seem to be able to remove the trojan itself, although it does recognize that I have it.
3) I am afraid to follow the instructions because, since it discusses changing my registry, it would seem that it is doing the type of things that you and I have been working on with HijackThis, and I would prefer to get your feedback first before I go do anything.

Could you take a look at the info located at http://securityrespo...lp.detroie.html

See "Removal Instructions" about half way through. I am thinking that I can skip the "to remove the virus part" since I think my computer does that routinely.

What about deleting the Winstart.bat file?

What about "To edit the registry:" and all of the lines of code listed there?

Peter

For your reading pleasure, I have also included a recent version of the scan results from HijackThis:


Logfile of HijackThis v1.97.7
Scan saved at 12:13:33 AM, on 6/6/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7929.1409606481
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#20 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 06 June 2004 - 02:54 AM

Well...

If you want to try it, go ahead, looks easy enough to me...
I can't make it any more clear than they've written it, but I'll edit out all the unnecessary stuff:

Use Windows Explorer to locate the \Windows\Winstart.bat file, and delete it.

To edit the registry:

Back up your registry if you think you could mess it up
If you mess up your registry, you could seriously damage Windows...

Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the right pane, delete any of the following values that you see:

Win ocx C:\Windows\System\Lcv_sys.exe
Win ocx C:\Windows\System\Mkopg.exe
Load Mgadeskdll C:\Windows\System\Mgadeskdll.exe
Load Csmctrl32 C:\Windows\System\Csmctrl32.exe
Load Rsrcload C:\Windows\Rsrcload.exe

Repeat step 4 for the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Click Registry, and click Exit.


That's what they are saying, but:
The O4's in the HiJackThis log are the runservices that are found over there... Yet, you should try it, it never hurts to look :)

Edited by Quinstar, 06 June 2004 - 02:55 AM.

To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be
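Quinstar's remark that the O4 lines of the HijackThis log already show what is sitting in the RunServices key can be turned into a mechanical check. The script below is an added example, not code from the thread, from Symantec or from HijackThis: it parses the O4 (Run/RunServices) lines of a HijackThis log and reports any entry whose value name or executable file name appears on the DeTroie indicator list quoted in the post above. The sample log is constructed for the example: real O4 lines copied from Peter's log, plus one made-up line shaped like a listed indicator so that the match path is exercised.

```python
"""Triage HijackThis O4 startup entries against a published removal list.

Added example, not from the forum thread or from HijackThis itself.
"""
import re
from dataclasses import dataclass

# Value name -> image paths the quoted Symantec W32.HLLP.DeTroie write-up says
# to delete from the RunServices key (taken from Quinstar's post above).
DETROIE_INDICATORS = {
    "Win ocx": [r"C:\Windows\System\Lcv_sys.exe", r"C:\Windows\System\Mkopg.exe"],
    "Load Mgadeskdll": [r"C:\Windows\System\Mgadeskdll.exe"],
    "Load Csmctrl32": [r"C:\Windows\System\Csmctrl32.exe"],
    "Load Rsrcload": [r"C:\Windows\Rsrcload.exe"],
}

# Shape of an O4 line: O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\...\NISSERV.EXE
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run[A-Za-z]*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First executable token of a command line, quoted or not, trailing arguments dropped.
IMAGE_RE = re.compile(r'^"?(?P<img>.*?\.(?:exe|com|bat|pif|scr))"?(?:\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class StartupEntry:
    hive: str      # HKLM / HKCU
    key: str       # Run, RunServices, RunOnce, ...
    name: str      # registry value name (the bracketed label)
    command: str   # command line stored in the value


def parse_o4(log_lines):
    """Return the O4 startup entries of a HijackThis log; all other sections are skipped."""
    entries = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(StartupEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def image_basename(command):
    """Lower-case file name of the executable a Run value launches, or None if unparsable."""
    m = IMAGE_RE.match(command.strip())
    if not m:
        return None
    return m["img"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_lines, indicators=DETROIE_INDICATORS):
    """List (entry, reason) for every startup entry whose name or executable is on the list.

    Matching is by value name and by executable file name, case-insensitively:
    HijackThis prints paths as Windows stores them (upper case, 8.3 short names such
    as PROGRA~1), so comparing full path strings against the write-up would miss hits.
    """
    bad_names = {n.lower() for n in indicators}
    bad_images = {p.rsplit("\\", 1)[-1].lower() for paths in indicators.values() for p in paths}
    hits = []
    for e in parse_o4(log_lines):
        reasons = []
        if e.name.lower() in bad_names:
            reasons.append("value name on list")
        if image_basename(e.command) in bad_images:
            reasons.append("executable on list")
        if reasons:
            hits.append((e, ", ".join(reasons)))
    return hits


# Constructed sample: the first lines are copied from the log posted above; the
# final O4 line is made up to look like one of the listed indicators.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080",
    r"O4 - HKLM\..\Run: [SystemTray] systray.exe",
    r"O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE",
    r"O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\JOIEXPRESS\PROPELAC.EXE",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg',
    r"O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe",
    r"O4 - HKLM\..\RunServices: [Load Rsrcload] C:\WINDOWS\RSRCLOAD.EXE",  # constructed hit
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for entry, why in hits:
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] {entry.command}  <- {why}")
    if not hits:
        print("no listed RunServices values found in this log")
```

Run against Peter's real log (without the constructed line) the check reports nothing, which is the same conclusion he reached by hand in the next post. The basename comparison is deliberately loose, so anything it flags is a lead to verify in regedit, not a verdict.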

#21 Unsprung

Unsprung

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 07 June 2004 - 04:17 AM

None of the files that they said to look for are in my computer.

NO:
Win ocx C:\Windows\System\Lcv_sys.exe
Win ocx C:\Windows\System\Mkopg.exe
Load Mgadeskdll C:\Windows\System\Mgadeskdll.exe
Load Csmctrl32 C:\Windows\System\Csmctrl32.exe
Load Rsrcload C:\Windows\Rsrcload.exe

No: \Windows\Winstart.bat file

No:
Windows\System\Lcv_sys.exe
\Windows\System\Discv.dll
\Windows\Temp\Tcv.exe
\Windows\Winstart.bat
or:
\Windows\System\Mkopg.exe
\Windows\System\Oiht400.dll
\Windows\Temp\Tmp_.exe
\Windows\System\Mgadeskdll.exe
\Windows\System\Csmctrl32.exe
\Windows\Rsrcload.exe

Meanwhile, I still get the message from Norton saying that it blocked my computer from connecting "to a local computer using Sokets de Trois V1. trojan horse" every day. Actually, many times per day. And I get popups that bypass my popup blocker. These things I can live with. It is the thought that someone could be collecting passwords and credit card data that worries me.

Peter


#22 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 08 June 2004 - 12:49 PM

Hi... I haven't forgotten you yet...
I'm asking around...

Hang in there...

#23 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 08 June 2004 - 07:38 PM

Quinstar has asked someone else to take a fresh look as he says he has been staring at your log too long. :)

First of all, the trojan is being blocked, so no worries. It is not being allowed to connect to your computer. But that is very annoying to constantly be told that it's being blocked. In fact it is annoying a lot of people, see:
http://www.google.co..... de Trois V1"
If Norton can't be configured to block silently then you might want to get a different firewall. There are several good free ones.

Second, your log looks clean now, after the good work by you and Quinstar. I don't think you have anything there that could be spying on you.

Third - for the popups. The best popup blocker I've ever seen comes with the free Google toolbar. toolbar.google.com. Give it a try.
Also, can you give us more detail on the unwanted popups? Do they only happen when you are connected to the internet? Do they come from particular sites?

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#24 Unsprung

Unsprung

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 09 June 2004 - 12:55 AM

IF I have removed the Trojan and I am not at risk of being spied upon and all I have is an annoying alert and some popups, then I agree that things are indeed much better.

But I guess I need your help to explain to me like a child what is going on.

I get these alerts from Norton. That means that something in my computer is trying to communicate with the spy people or the spy people are trying to communicate with my computer? I'm not sure which is worse. If the former, then isn't there a bit of the Trojan left in my computer? If the latter, then might not the spy people figure out a different way in?

It would appear that the only way to ask Norton any question about this is if I am willing to pay - and they give me a choice of a $29.95 flat rate or some per minute fee. I find this ironic because I simply want to ask them if they are aware of the problem. I paid for a firewall and an on-line up-to-date virus blocker. In my mind, it is not doing its job.

Was the site that you want me to read this one: "I am running Windows 98, and I also have Norton Anti-virus. The problem that I'm currently having is with a Trojan called: sokets de trois v1.Trojan. I get an occasional alert from Norton Anti-virus that Norton has blocked it. When I do a complete scan with Norton it always comes back that I have no infection with this particular Trojan.

Are there any steps that I can take to eliminate this annoying problem with this Trojan? At this point I'm at wit's end, having tried everything under the sun that I know to do. I pretty much know my way around a computer, but this situation has really got me stumped. Any help that anyone can render will be greatly appreciated.......Thanking anyone way in advance."

Yes, they have the same problem as I do. Again, please elaborate on the seriousness of the issue. My wife and I are concerned about credit card theft. She is also a therapist and I suppose keystroke theft could compromise the patient-doctor code of honor for which she could potentially lose her license.

With regard to popups, frankly, I close them so fast that I have not noticed where they are coming from. Should I?

Peter


#25 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 10 June 2004 - 03:27 AM

I'm back again after some discussion with some experts...

We all agreed that everywhere on the net people are complaining about that annoyance with that trojan, getting popups of Norton 20 times a day...
We think that it's up to Norton to fix that since it's their software that's complaining about it...
So normally our help and knowledge actually stops here...
Yet, someone found a post on another board in which there was a victim claiming that he fixed it... I can't find anyone that has checked it, so I can't be sure about the fix, and if you want to try it that way, we're going to make all possible precautions and backups before continuing...

So if you want to try it, here's what you need to do:

First, let's start with a system restore point... Even though you are infected, it's better to have an infected system restore point than none...
Go to start>programs>accessories>system tools>system restore
Now tick 'Make a restore point' and hit next...
Give it a name and continue with making the point...

This was the first step...
next, use your windows explorer to create a new folder on your c:/
Name it Backup
Now you should have c:/Backup/
Now,navigate to c:/windows/system32/
and locate the file notepad.exe
Move that file to the backup-folder you just created...
Don't copy it, move it...

Now, we have to make a backup of your registry...
Go to start>run
type regedit
hit Enter
Be sure that the top of the tree is selected
There should be a blue-filled rectangle around My Computer
if not, left click it...
Go to file>export
save it in the c:/Backup/
Name it what you want... For example: RegBackup.reg
just type Regbackup in the box, the .reg will be added automatically...
Close the registry window...

Now, download Regsupreme here
It's a registry cleaner... It's a trial version for 30 days, but it'll work nice for what we need it for...
After downloaded, install it on your computer... Doesn't matter where exactly...
When you start the program, it'll ask to adjust the cache size...
Do it...
After it's done, tick 'extra deep', and hit start...
Wait until it's done...
Go to select>all
Now hit fix...
Give the backup that it prompts for an appropriate name and hit ok...
Reboot...

Your problem should be fixed...


If it is, then download the real notepad.exe here
And place it back into the c:/windows/system32/

I hope this helps...


Greetz...



