
homepage hijack, Win Min?


  • This topic is locked
75 replies to this topic

#1 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 17 May 2004 - 04:24 AM

Hello :D I need some help :(
My IE homepage was changed to hpjhzt.outhost.info, so I ran Ad-Aware and it got rid of all this stuff; then it said it couldn't delete "C:\WINDOWS\system32\dla\tfswshx.dll" until I rebooted, so I did, and now when my computer starts up I get 3 errors...
#1
C:\WINDOWS\System32\services\wmplayer.exe
Windows cannot find 'C:\WINDOWS\System32\services\wmplayer.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start Button, and then click Search.
#2
Desktop
Could not load or run 'C:\WINDOWS\System32\services\wmplayer.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.
#3
RUNDLL
Error loading C:\Windows\Downloaded Program Files\bridge.dll
The specified module could not be found.

So after the reboot my default homepage is now: dorkodrom.com/index.htm
When I go into Internet Properties my computer seems to load slowly. Also, I already had CWShredder on my computer before this happened, but now it seems like this "virus" hides those files, so in order to run CWShredder I had to rename it and load it off another computer in my home network. Even after this it tried to close the program, but the program told me it was trying to be closed and it worked after that, although CWShredder seemed to have no effect (this is the newest version; I even tried the update). Also, this "virus" doesn't allow you to run HijackThis, so I had to go into safe mode to run HijackThis off another computer in my home network. I tried to save the log file but it wouldn't let me save it on my computer, so I had to save it on my networked computer. Also, now when I try to reboot it says a program "Win Min" is not responding, end task. Also I could not find "C:\WINDOWS\system32\dla\tfswshx.dll". Anyway, I hope you can help, and thanks for your time. Here's my log file:

Logfile of HijackThis v1.97.7
Scan saved at 4:38:55 AM, on 17/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\conime.exe
\Mobile\c\WINDOWS\Desktop\mnmn.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O1 - Hosts: 213.159.118.228 collections.inhost.info
O1 - Hosts: 213.159.118.228 collections.inhost2.info
O1 - Hosts: 213.159.118.228 1-se.com
O1 - Hosts: 213.159.118.228 58q.com
O1 - Hosts: 213.159.118.228 aifind.cc
O1 - Hosts: 213.159.118.228 aifind.info
O1 - Hosts: 213.159.118.228 allneedsearch.com
O1 - Hosts: 213.159.118.228 approvedlinks.com
O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.228 awebfind.biz
O1 - Hosts: 213.159.118.228 best.royalsearch.net
O1 - Hosts: 213.159.118.228 cracks.am
O1 - Hosts: 213.159.118.228 default-homepage-network.com
O1 - Hosts: 213.159.118.228 find.microgirls.com
O1 - Hosts: 213.159.118.228 find4u.net
O1 - Hosts: 213.159.118.228 freshvideogals.com
O1 - Hosts: 213.159.118.228 i-lookup.com
O1 - Hosts: 213.159.118.228 ie-search.com
O1 - Hosts: 213.159.118.228 in.webcounter.cc
O1 - Hosts: 213.159.118.228 itseasy.us
O1 - Hosts: 213.159.118.228 just.find-itnow.com
O1 - Hosts: 213.159.118.228 link.startmake.com
O1 - Hosts: 213.159.118.228 mysearchnow.com
O1 - Hosts: 213.159.118.228 nativehardcore.com
O1 - Hosts: 213.159.118.228 qwertysearch123.biz
O1 - Hosts: 213.159.118.228 search.ieplugin.com
O1 - Hosts: 213.159.118.228 search.psn.cn
O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.228 searchcentrix.com
O1 - Hosts: 213.159.118.228 searchmyrequest.com
O1 - Hosts: 213.159.118.228 super-spider.com
O1 - Hosts: 213.159.118.228 t.rack.cc
O1 - Hosts: 213.159.118.228 teen-biz.com
O1 - Hosts: 213.159.118.228 teenhqpics.com
O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
O1 - Hosts: 213.159.118.228 webcoolsearch.com
O1 - Hosts: 213.159.118.228 wmmse.com
O1 - Hosts: 213.159.118.228 www.008i.com
O1 - Hosts: 213.159.118.228 www.2fastsearch.net
O1 - Hosts: 213.159.118.228 www.8095.com
O1 - Hosts: 213.159.118.228 www.alfa-search.com
O1 - Hosts: 213.159.118.228 www.boredlife.com
O1 - Hosts: 213.159.118.228 www.couldnotfind.com
O1 - Hosts: 213.159.118.228 www.cracks.am
O1 - Hosts: 213.159.118.228 www.daum.net
O1 - Hosts: 213.159.118.228 www.dreamwiz.com
O1 - Hosts: 213.159.118.228 www.find-itnow.com
O1 - Hosts: 213.159.118.228 www.find-itnow.com
O1 - Hosts: 213.159.118.228 www.find4u.net
O1 - Hosts: 213.159.118.228 www.firstbookmark.com
O1 - Hosts: 213.159.118.228 www.gajai.com
O1 - Hosts: 213.159.118.228 www.hand-book.com
O1 - Hosts: 213.159.118.228 www.hao123.com
O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
O1 - Hosts: 213.159.118.228 www.hugesearch.net
O1 - Hosts: 213.159.118.228 www.iquicksearch.com
O1 - Hosts: 213.159.118.228 www.lookfor.cc
O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
O1 - Hosts: 213.159.118.228 www.naver.com
O1 - Hosts: 213.159.118.228 www.nkvd.us
O1 - Hosts: 213.159.118.228 www.novafuck.com
O1 - Hosts: 213.159.118.228 www.ohcorea.com
O1 - Hosts: 213.159.118.228 www.omega-search.com
O1 - Hosts: 213.159.118.228 www.onet.pl
O1 - Hosts: 213.159.118.228 www.power-search.info
O1 - Hosts: 213.159.118.228 www.rightfinder.net
O1 - Hosts: 213.159.118.228 www.search-1.net
O1 - Hosts: 213.159.118.228 www.search-and-go.com
O1 - Hosts: 213.159.118.228 www.search-dot.com
O1 - Hosts: 213.159.118.228 www.search-space.com
O1 - Hosts: 213.159.118.228 www.searchforge.com
O1 - Hosts: 213.159.118.228 www.searching-the-net.com
O1 - Hosts: 213.159.118.228 www.searchv.com
O1 - Hosts: 213.159.118.228 www.searchxl.com
O1 - Hosts: 213.159.118.228 www.seznam.cz
O1 - Hosts: 213.159.118.228 www.slotch.com
O1 - Hosts: 213.159.118.228 www.spidersearch.com
O1 - Hosts: 213.159.118.228 www.startium.com
O1 - Hosts: 213.159.118.228 www.therealsearch.com
O1 - Hosts: 213.159.118.228 www.ttjj.com
O1 - Hosts: 213.159.118.228 www.viewpornkey.com
O1 - Hosts: 213.159.118.228 www.wazzupnet.com
O1 - Hosts: 213.159.118.228 www.websearch.com
O1 - Hosts: 213.159.118.228 www.windowws.cc
O1 - Hosts: 213.159.118.228 www.xgmm.com
O1 - Hosts: 213.159.118.228 xwebsearch.biz
O1 - Hosts: 213.159.118.228 yourbookmarks.ws
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8027.6773611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\system32\uxcbuv.2vh

#2 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 17 May 2004 - 11:46 AM

Hi there. I'm looking at your log right now to see what needs to go.

In the meantime, download and install Spybot S&D and Ad-aware (you can find the links here). Don't run them quite yet.

Also, do a full virus scan and report back with the names of all viruses found.

-- LB

Edited by VashonDude, 17 May 2004 - 11:53 AM.

Want to help in the fight against malware? Join the SWI boot camp.

#3 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 17 May 2004 - 01:45 PM

When I download the install file for Spybot S&D my computer hides it, so I had to put the install file on a computer in my home network, rename the file and then install it...but now that I finally managed to install the program I can't find it :( Anyway, here are the results of a 6-hour virus scan:

This is what Norton AntiVirus found:

This is what was automatically deleted:


Source: C:\WINDOWS\hxdefdrv.sys
Description: The file C:\WINDOWS\hxdefdrv.sys is infected with the Backdoor.HackDefender virus.
Click for more information about this threat : Backdoor.HackDefender

Source: C:\Program Files\Internet Explorer\yqmnnqcj.exe
Description: The file C:\Program Files\Internet Explorer\yqmnnqcj.exe is infected with the Backdoor.Jeem virus.
Click for more information about this threat : Backdoor.Jeem

Source: Parser.class
Description: The compressed file Parser.class within C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderms.jar-5fe028-54003d56.zip is infected with the Trojan.ByteVerify virus.
Click for more information about this threat : Trojan.ByteVerify

Source: C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f603a77-76bd3f4a.zip
Description: The file C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f603a77-76bd3f4a.zip is infected with the Trojan.ByteVerify virus.
Click for more information about this threat : Trojan.ByteVerify

Source: C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3894448e-38e7f0a0.zip
Description: The file C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3894448e-38e7f0a0.zip is infected with the Trojan.ByteVerify virus.
Click for more information about this threat : Trojan.ByteVerify

Source: VerifierBug.class
Description: The compressed file VerifierBug.class within C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-71002e85-33bd4202.zip is infected with the Trojan.ByteVerify virus.
Click for more information about this threat : Trojan.ByteVerify

Source: Counter.class
Description: The compressed file Counter.class within C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-71002e85-33bd4202.zip is infected with the Trojan.ByteVerify virus.
Click for more information about this threat : Trojan.ByteVerify

Source: C:\WINDOWS\svhost.exe
Click for more information about this threat : Backdoor.HackDefender


Delete Failed:


Source: C:\WINDOWS\Downloaded Program Files\IEengine.exe
Description: The compressed file IEengine.exe within C:\WINDOWS\Downloaded Program Files\IEengine.exe is a Adware threat.
Click for more information about this threat : Adware.MainSearch

Source: C:\Program Files\Internet Explorer\IEengine.exe
Description: The compressed file IEengine.exe within C:\Program Files\Internet Explorer\IEengine.exe is a Adware threat.
Click for more information about this threat : Adware.MainSearch

Source: C:\Program Files\Internet Explorer\IEengine.exe
Description: The file C:\Program Files\Internet Explorer\IEengine.exe is a Adware threat.
Click for more information about this threat : Adware.MainSearch

Source: C:\Documents and Settings\Admin\Local Settings\Temp\THI17C6.tmp\twaintec.dll
Description: The file C:\Documents and Settings\Admin\Local Settings\Temp\THI17C6.tmp\twaintec.dll is a Adware threat.
Click for more information about this threat : Adware.Binet

Source: twaintec.dll
Description: The compressed file twaintec.dll within C:\Documents and Settings\Admin\Local Settings\Temp\THI17C6.tmp\twaintec.cab is a Adware threat.
Click for more information about this threat : Adware.Binet

Source: C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe
Description: The compressed file powerscan.exe within C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe is a Adware threat.
Click for more information about this threat : Adware.Istbar

Source: C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe
Description: The compressed file ist_install.exe within C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe is a Adware threat.
Click for more information about this threat : Adware.Istbar



Manually Deleted:


Source: C:\WINDOWS\Downloaded Program Files\IEengine.exe
Description: The file C:\WINDOWS\Downloaded Program Files\IEengine.exe is a Adware threat.
Click for more information about this threat : Adware.MainSearch

Source: C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe
Description: The file C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe is a Adware threat.
Click for more information about this threat : Adware.Istbar

Source: C:\Documents and Settings\Admin\Local Settings\Temp\optimize.exe
Description: The compressed file optimize.exe within C:\Documents and Settings\Admin\Local Settings\Temp\optimize.exe is a Adware threat.
Click for more information about this threat : Adware.NetOptimizer

Source: C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe
Description: The file C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe is a Adware threat.
Click for more information about this threat : Adware.Istbar


#4 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 17 May 2004 - 02:35 PM

If you haven't done so already, go to Windows Update and download all necessary critical patches.

Go back into HijackThis (in safe mode) and remove the following:

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=

O1 - Hosts: 213.159.118.228 collections.inhost.info
O1 - Hosts: 213.159.118.228 collections.inhost2.info
O1 - Hosts: 213.159.118.228 1-se.com
O1 - Hosts: 213.159.118.228 58q.com
O1 - Hosts: 213.159.118.228 aifind.cc
O1 - Hosts: 213.159.118.228 aifind.info
O1 - Hosts: 213.159.118.228 allneedsearch.com
O1 - Hosts: 213.159.118.228 approvedlinks.com
O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.228 awebfind.biz
O1 - Hosts: 213.159.118.228 best.royalsearch.net
O1 - Hosts: 213.159.118.228 cracks.am
O1 - Hosts: 213.159.118.228 default-homepage-network.com
O1 - Hosts: 213.159.118.228 find.microgirls.com
O1 - Hosts: 213.159.118.228 find4u.net
O1 - Hosts: 213.159.118.228 freshvideogals.com
O1 - Hosts: 213.159.118.228 i-lookup.com
O1 - Hosts: 213.159.118.228 ie-search.com
O1 - Hosts: 213.159.118.228 in.webcounter.cc
O1 - Hosts: 213.159.118.228 itseasy.us
O1 - Hosts: 213.159.118.228 just.find-itnow.com
O1 - Hosts: 213.159.118.228 link.startmake.com
O1 - Hosts: 213.159.118.228 mysearchnow.com
O1 - Hosts: 213.159.118.228 nativehardcore.com
O1 - Hosts: 213.159.118.228 qwertysearch123.biz
O1 - Hosts: 213.159.118.228 search.ieplugin.com
O1 - Hosts: 213.159.118.228 search.psn.cn
O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.228 searchcentrix.com
O1 - Hosts: 213.159.118.228 searchmyrequest.com
O1 - Hosts: 213.159.118.228 super-spider.com
O1 - Hosts: 213.159.118.228 t.rack.cc
O1 - Hosts: 213.159.118.228 teen-biz.com
O1 - Hosts: 213.159.118.228 teenhqpics.com
O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
O1 - Hosts: 213.159.118.228 webcoolsearch.com
O1 - Hosts: 213.159.118.228 wmmse.com
O1 - Hosts: 213.159.118.228 www.008i.com
O1 - Hosts: 213.159.118.228 www.2fastsearch.net
O1 - Hosts: 213.159.118.228 www.8095.com
O1 - Hosts: 213.159.118.228 www.alfa-search.com
O1 - Hosts: 213.159.118.228 www.boredlife.com
O1 - Hosts: 213.159.118.228 www.couldnotfind.com
O1 - Hosts: 213.159.118.228 www.cracks.am
O1 - Hosts: 213.159.118.228 www.daum.net
O1 - Hosts: 213.159.118.228 www.dreamwiz.com
O1 - Hosts: 213.159.118.228 www.find-itnow.com
O1 - Hosts: 213.159.118.228 www.find-itnow.com
O1 - Hosts: 213.159.118.228 www.find4u.net
O1 - Hosts: 213.159.118.228 www.firstbookmark.com
O1 - Hosts: 213.159.118.228 www.gajai.com
O1 - Hosts: 213.159.118.228 www.hand-book.com
O1 - Hosts: 213.159.118.228 www.hao123.com
O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
O1 - Hosts: 213.159.118.228 www.hugesearch.net
O1 - Hosts: 213.159.118.228 www.iquicksearch.com
O1 - Hosts: 213.159.118.228 www.lookfor.cc
O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
O1 - Hosts: 213.159.118.228 www.naver.com
O1 - Hosts: 213.159.118.228 www.nkvd.us
O1 - Hosts: 213.159.118.228 www.novafuck.com
O1 - Hosts: 213.159.118.228 www.ohcorea.com
O1 - Hosts: 213.159.118.228 www.omega-search.com
O1 - Hosts: 213.159.118.228 www.onet.pl
O1 - Hosts: 213.159.118.228 www.power-search.info
O1 - Hosts: 213.159.118.228 www.rightfinder.net
O1 - Hosts: 213.159.118.228 www.search-1.net
O1 - Hosts: 213.159.118.228 www.search-and-go.com
O1 - Hosts: 213.159.118.228 www.search-dot.com
O1 - Hosts: 213.159.118.228 www.search-space.com
O1 - Hosts: 213.159.118.228 www.searchforge.com
O1 - Hosts: 213.159.118.228 www.searching-the-net.com
O1 - Hosts: 213.159.118.228 www.searchv.com
O1 - Hosts: 213.159.118.228 www.searchxl.com
O1 - Hosts: 213.159.118.228 www.seznam.cz
O1 - Hosts: 213.159.118.228 www.slotch.com
O1 - Hosts: 213.159.118.228 www.spidersearch.com
O1 - Hosts: 213.159.118.228 www.startium.com
O1 - Hosts: 213.159.118.228 www.therealsearch.com
O1 - Hosts: 213.159.118.228 www.ttjj.com
O1 - Hosts: 213.159.118.228 www.viewpornkey.com
O1 - Hosts: 213.159.118.228 www.wazzupnet.com
O1 - Hosts: 213.159.118.228 www.websearch.com
O1 - Hosts: 213.159.118.228 www.windowws.cc
O1 - Hosts: 213.159.118.228 www.xgmm.com
O1 - Hosts: 213.159.118.228 xwebsearch.biz
O1 - Hosts: 213.159.118.228 yourbookmarks.ws

O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O19 - User stylesheet: C:\WINDOWS\system32\uxcbuv.2vh


Then delete the following files (some may have already been deleted):

C:\WINDOWS\winupd.exe
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\svhost.exe
C:\Program Files\Internet Explorer\IEengine.exe
C:\WINDOWS\svchost.exe
- make sure you don't delete the one in C:\WINDOWS\system32\ (that one is legit)

You may have to change settings to show hidden files. Click here to see how to do so.

Reboot and post a new log.

-- LB

Edited by VashonDude, 17 May 2004 - 02:37 PM.

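The checks behind the entries picked out in post #4, written up as an added example (not code from the thread or from HijackThis): a small Python triage of HijackThis O4 and O1 lines that flags a system-binary name running outside System32, a one-character lookalike such as svhost.exe, a rundll32 entry loading a DLL from outside System32, and a hosts file that redirects many names to one non-local address. The log excerpt is a constructed sample built from the thread's entries, and the set of System32 binaries is an assumption of the script.

```python
import re
from collections import defaultdict

# Windows binaries that belong in %SystemRoot%\System32 (assumed list).  A copy
# running from anywhere else (post #4: C:\WINDOWS\svchost.exe) or a near-miss
# spelling (svhost.exe) is the kind of entry the advisor picked out of the log.
SYSTEM32_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                     "csrss.exe", "smss.exe", "spoolsv.exe", "ctfmon.exe"}
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}     # legitimate hosts-file targets

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")

# Constructed excerpt in HijackThis v1.97 format, built from entries the thread
# discusses; it is sample input for this script, not the poster's full log.
SAMPLE_LOG = r"""
O1 - Hosts: 213.159.118.228 collections.inhost.info
O1 - Hosts: 213.159.118.228 default-homepage-network.com
O1 - Hosts: 213.159.118.228 www.search-1.net
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
"""


def first_path(command):
    """Path at the start of a Run value: a quoted path, else up to the first
    space (an unquoted path containing spaces is ambiguous and is cut there)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_o4(line):
    """Findings for one O4 line as (entry name, reason, path); empty if clean."""
    m = O4_RE.match(line)
    if not m:
        return []
    entry, command = m.group(2), m.group(3)
    path = first_path(command)
    base = path.rsplit("\\", 1)[-1].lower()
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if base == "rundll32.exe":
        # rundll32 runs whatever DLL it is handed, so the DLL is what we judge;
        # a bare DLL name resolved via the search path is reported as well.
        dll = first_path(command.strip()[len("rundll32.exe"):]).split(",")[0]
        if not dll.lower().rsplit("\\", 1)[0].endswith("\\system32"):
            return [(entry, "rundll32 loading a DLL from outside System32", dll)]
        return []
    if base in SYSTEM32_BINARIES and not parent.endswith("\\system32"):
        return [(entry, "system binary name running outside System32", path)]
    for known in sorted(SYSTEM32_BINARIES):
        if base != known and edit_distance(base, known) <= 1:
            return [(entry, "lookalike of " + known, path)]
    return []


def hosts_hijack(log_text, min_names=3):
    """Hosts-file entries grouped by target IP; an IP outside LOCAL_IPS that
    collects min_names or more hostnames is a hijack of that many sites."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items()
            if ip not in LOCAL_IPS and len(names) >= min_names}


def triage(log_text):
    """Run both checks over a whole log excerpt."""
    o4 = []
    for line in log_text.splitlines():
        o4.extend(check_o4(line.strip()))
    return {"run_entries": o4, "hosts": hosts_hijack(log_text)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry, reason, path in result["run_entries"]:
        print(f"O4 [{entry}]: {reason}: {path}")
    for ip, names in result["hosts"].items():
        print(f"O1: {len(names)} hostnames redirected to {ip}")
```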

#5 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 17 May 2004 - 03:13 PM

Okay, rebooted, and some things seem fixed and some are still broken. I still get the Windows Media Player error when I start up, but the bridge.dll error is gone. Also it seems like my default homepage is fixed. I still can't see my CWShredder files. Also there's a 17052004.exe file in my Windows folder with an orange X icon that was created when this all happened :( At least things seem to be getting better :) Thanks so far, and here's the new log:

Logfile of HijackThis v1.97.7
Scan saved at 4:08:14 PM, on 17/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\ctfmon.exe
\Mobile\DESKTOP\mnmn.exe
C:\Program Files\Messenger\msmsgs.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8027.6773611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll

#6 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 17 May 2004 - 03:53 PM

Looks much better.

Next step is to run both Spybot S&D and Ad-Aware (run Ad-Aware first, then Spybot). Make sure to update both before running.

After that, reboot and post a new log.

-- LB

Edited by VashonDude, 17 May 2004 - 03:56 PM.


#7 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 17 May 2004 - 04:21 PM

Was lucky enough to be able to run Spybot S&D because it gives you the option to run it after installation; it got rid of a few things, and now I can't see it anymore. Ran Ad-Aware and it got rid of 1 thing. Still get the Windows Media Player error and still can't see CWShredder :( Here's my new log :)

Logfile of HijackThis v1.97.7
Scan saved at 5:16:22 PM, on 17/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
\Mobile\desktop\mnmn.exe
C:\Program Files\Messenger\msmsgs.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8027.6773611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#8 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 17 May 2004 - 04:50 PM

Go back into safe mode and run CWShredder.

Also, while in safe mode, find the following file and delete it:

17052004.exe

Also, go to Search (from the Start menu), find all occurrences of wmplayer.exe and note the directories where it/they reside.

-- LB

#9 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 17 May 2004 - 05:25 PM

Ran CWShredder; it still doesn't show up. Same with Spybot S&D. Deleted 17052004.exe :) Here's where wmplayer.exe shows up:

C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\wmplayer.exe.tmp
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf
C:\WINDOWS\RegisteredPackages\{B3C1B200-8F14-4C49-96D3-67425AD59914}\wmplayer.exe

#10 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 17 May 2004 - 11:17 PM

C:\WINDOWS\System32\services\wmplayer.exe
Windows cannot find 'C:\WINDOWS\System32\services\wmplayer.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start Button, and then click Search.


Turns out the Windows Media Player here was a fake one put in by CoolWebSearch. Fortunately it's gone. Does that message still show up?

The reason why you can't seem to get CWS to work is that you have something called Hacker Defender. It's something that isn't easily fixed (I think a fix is still being worked on). I'll get back to you tomorrow (5/18) once I find what needs to be done next.

-- LB

#11 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 18 May 2004 - 09:12 AM

Yes, I still get the Windows Media Player error :( Hacker Defender? Not easily fixed? :( Damn, ah well, thanks for your help so far :) I await your response!

#12 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 18 May 2004 - 10:46 AM

Do you have the XP install CD (you may have to boot from the CD in order to fix the problem)?

-- LB

Edited by VashonDude, 18 May 2004 - 10:47 AM.


#13 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 18 May 2004 - 11:07 AM

Do you have the XP install CD (you may have to boot from the CD in order to fix the problem)?

-- LB

Ahhh, oh my, sounds hardcore :o. Yeah, I do have the CD :)

#14 VashonDude
    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 18 May 2004 - 11:21 AM

Here we go.... do the following:

Go to Start > Run and type: services.msc

When the services window opens, go to View and select List from the dropdown menu.

Now go to Action>Export List and save it as a text file then print it. This is the services list.

Place your Windows installation disk into the CD-ROM drive and reboot.

When prompted, press a key to boot from the CD.

When the screen with choices comes up, press the R key.

Choose the C drive by pressing 1 and hitting the Enter key.

If your Administrator account has a password, type it in; otherwise just press Enter (this is not the same as the account that you normally log on with; if you don't know if there is a password, then there probably isn't one).

At the recovery console prompt type the following command: listsvc

then press enter. All the services that are set to run on your computer are displayed. Look through that list for services that are not on the list you printed and note their EXACT names.

For each service the listsvc command displayed that was not on the list you printed, type the following command.

disable servicename

where servicename is the one you found, then press Enter.

Make sure you do this for each one you found.

Reboot into safe mode (repeatedly tap <F8> as the computer boots until you see a menu, then select Safe Mode from the menu).


After this, try running CWShredder again.

Reboot and post a new log.

-- LB

#15 Lucky Cat
    Meow?

  • Full Member
  • 94 posts

Posted 18 May 2004 - 01:47 PM

Before I continue I wanna make sure on a few things :)

Okay, I printed services.msc, and when I go to the recovery prompt and type listsvc I get a huge list, but the thing is there are A LOT of services listed by listsvc that are not on the list I printed. For example, these were not on the list I printed:

ACPI - Boot
Microsoft ACPI Driver

aec - Manual
Microsoft Kerner Acoustic Echo Canceller

AFD - Auto
AFD Networking Support Environment

AsyncMac - Manual
RAS Asynchronous Media Driver

atapi - Boot
Standard IDE/ESDI Hard Disk Controller

ati2mtaa - Manual

ATIBTCAP - Auto
ATI TV Wonder Video Capture

ATIBTXBAR - Auto
ATI TV Wonder Video Crossbar

etc...
Sorry if this is a silly question and is wasting your time, but is it really necessary to disable all of these because they did not show up on the list? They seem like they belong there since I have all that ATI stuff installed. Also on the listsvc list there's a lot of stuff that was not on the list I printed that is already disabled; do I have to disable all of this even though it's already marked as disabled? Also "Automatic Updates" was on the list I printed and not on the listsvc list...again sorry if these are stupid questions, I just want to make sure I am not fucking up my computer :(
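A worked version of the comparison step in VashonDude's procedure, added here as an example and not code from the thread: it parses a services.msc export and listsvc output in the layout pasted above, matches on display names (which is why "Automatic Updates" looks missing from listsvc, since listsvc prints the short key name wuauserv first), and flags Boot/System-start entries, which can only be kernel drivers and are never shown by services.msc. The sample export and listsvc text are constructed; the wuauserv key name is real.

```python
"""Find entries that listsvc (Recovery Console) reports but services.msc did not
export. A service hidden from the running system by a rootkit shows up in the
offline listsvc output but not in the export made while Windows was running.
Added example; the sample data below is constructed, not taken from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Svc:
    key: str      # short service/driver name, as listsvc prints it (e.g. wuauserv)
    start: str    # Boot, System, Auto, Manual or Disabled
    display: str  # display name, which is what the services.msc "Name" column shows


# Boot and System start types are valid only for kernel drivers; services.msc
# never lists drivers, so these entries are expected to be absent from the export.
DRIVER_ONLY_START = {"Boot", "System"}


def parse_msc_export(text):
    """services.msc Action > Export List writes a tab-separated table whose
    'Name' column is the display name. Returns the set of display names."""
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    name_col = rows[0].index("Name")
    return {row[name_col].strip() for row in rows[1:]}


def parse_listsvc(text):
    """Parse listsvc output in the layout pasted in the thread: a 'KEY - StartType'
    line, optionally followed by a display-name line, blocks separated by blank lines."""
    entries, block = [], []
    for line in text.splitlines() + [""]:   # the trailing "" flushes the last block
        if line.strip():
            block.append(line.strip())
            continue
        if block:
            key, _, start = block[0].partition(" - ")
            display = block[1] if len(block) > 1 else key.strip()
            entries.append(Svc(key.strip(), start.strip(), display))
            block = []
    return entries


def find_unlisted(msc_text, listsvc_text):
    """Return listsvc entries whose display name (or key) is not in the export,
    each paired with a verdict: 'driver' (expected, never in services.msc) or
    'review' (the running system did not show it: a human still has to check)."""
    known = {name.casefold() for name in parse_msc_export(msc_text)}
    result = []
    for svc in parse_listsvc(listsvc_text):
        if svc.display.casefold() in known or svc.key.casefold() in known:
            continue
        verdict = "driver" if svc.start in DRIVER_ONLY_START else "review"
        result.append((svc, verdict))
    return result


# Constructed sample export (real column layout of the services.msc Export List).
MSC_EXPORT = (
    "Name\tDescription\tStatus\tStartup Type\tLog On As\n"
    "Automatic Updates\tEnables download of updates\tStarted\tAutomatic\tLocal System\n"
    "Windows Audio\tManages audio devices\tStarted\tAutomatic\tLocal System\n"
)

# Constructed listsvc output: two drivers, one service the export also had under
# its display name, and one entry the running system did not show at all.
LISTSVC = """ACPI - Boot
Microsoft ACPI Driver

aec - Manual
Microsoft Kernel Acoustic Echo Canceller

wuauserv - Auto
Automatic Updates

HackerDefenderDrv100 - Auto
HackerDefender driver (constructed sample entry)
"""

if __name__ == "__main__":
    for svc, verdict in find_unlisted(MSC_EXPORT, LISTSVC):
        print(f"{verdict:6}  {svc.key:22} {svc.start:7} {svc.display}")
```

Manual-start drivers such as aec still land in "review", because the start type only rules out Boot/System entries; the remaining list has to be checked by hand, which is exactly the false-positive problem raised in the post above.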

#16 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 18 May 2004 - 01:57 PM

I'm checking with the experts to see what to do next.

-- LB

#17 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 18 May 2004 - 02:16 PM

Okay thanks :)

#18 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 19 May 2004 - 04:02 PM

The experts are still working on a fix for this wretched thing.

In the meantime, download the following programs. They prevent much of the crapware from getting into your computer in the first place. They're all free.

Spyware Blaster
IE-Spyad
MVPS Hosts

-- LB

#19 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 19 May 2004 - 11:58 PM

Still no fix...crap :( so many days w/o my comp <_< Anyway I'll install those, and thanks for not forgetting about me VashonDude :) I await your response :D

#20 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 22 May 2004 - 02:15 PM

bump
remember me? :( It's been a few days! Is there a fix yet? -_-

#21 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 22 May 2004 - 02:58 PM

Still no definite fix yet.

Someone else may take over for me on the fix I had you try earlier (the one where you weren't sure if it was necessary to shut down some files, but I couldn't give you an answer).

-- LB

#22 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 22 May 2004 - 03:06 PM

ahhh I see, okay thanks ^_^ I miss my comp heh >.<

#23 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 24 May 2004 - 04:01 PM

bump? :( Has a solution been found yet? -_-
While I've been waiting I've been trying other spyware programs. I ran Webroot Spy Sweeper and it seems to have gotten rid of a lot of spyware that Ad Aware had missed. It fixed the Windows Media Player error I told you about, so I don't get that error every time I start up my computer anymore. So now when I scan with Ad Aware and Spy Sweeper they both don't find anything. The only problems that I have left are that I still seem to have Backdoor.HackDefender. I did a virus scan after I ran Spy Sweeper and it found no virus, but after I reboot it seems like Backdoor.HackDefender is still there. It was found in C:\windows\hxdefdrv.sys and Norton AntiVirus detected and removed it...but I am sure it will be there again when I reboot...Also CWShredder and Spybot Search and Destroy are STILL hidden :( So yeah, those are the only 2 problems left. -_-

Anyone have a solution yet? >.<

I've been reading up and I see solutions listed on these pages:

http://www.spywarein...p?showtopic=647
http://www.spywarein...p?showtopic=505
http://www.aumha.org/a/parasite.php

Also this solution seems promising:
http://securityrespo...ckdefender.html

Do these situations apply to me? Will they work if I do them? Are they safe to try? Anyone want to guide me through these solutions? Please help me ^__^

Edited by Lucky Cat, 24 May 2004 - 04:56 PM.


#24 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 25 May 2004 - 12:25 PM

bump >.<

#25 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 25 May 2004 - 01:44 PM

I'm checking to see if the tool listed on this site will help in any way.

-- LB

#26 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 25 May 2004 - 05:07 PM

maybe...but it says the HackDefender Disabler tool only temporarily disables HackDefender until the next reboot...so no real help there -_- what's listed in those threads and the Symantec webpage seems like the best bet...

#27 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 26 May 2004 - 03:50 PM

Hacker Defender has been out since March 12, 2003 and there's no fix yet??
help, it's been more than a week >.<
bump :(

#28 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 26 May 2004 - 04:13 PM

Is it just the one computer on the network that got hit? I may end up having you reformat. From what I can tell, a fix is still being worked on.

As to why it's taking so long to create a fix, I don't know. This thing seems to be extremely sneaky.

-- LB

#29 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 26 May 2004 - 04:45 PM

Is it just the one computer on the network that got hit? I may end up having you reformat. From what I can tell, a fix is still being worked on.

As to why it's taking so long to create a fix, I don't know. This thing seems to be extremely sneaky.

-- LB

yeah just one, ahh man reformat?! crap, I was hoping that would be a last resort measure -_- are you sure those solutions I listed don't relate to my situation at all? :(

#30 duke9106

    Member

  • Full Member
  • 17 posts

Posted 26 May 2004 - 06:36 PM

Very strange, Lucky Cat. I have been completely cured since May 18th and I had similar problems to yours. My computer has worked perfectly since.

I had Hacker Defender, Svhost, Outpost.info, casino palazzio infestation & multiple 01 hosts. Spybot, CWShredder and HijackThis vanished from my desktop and hard drive, plus I couldn't access most antispyware sites. I couldn't even access many forums on this site and had to use an unaffected computer to communicate with the experts here. These 2 topics may help and I know you have noted them.

http://www.spywarein...p?showtopic=647

http://www.spywarein...p?showtopic=505 s

I followed Winhelp's instructions exactly. 3 items I couldn't find with search were found later in the registry. Getting rid of HackerDefender through my registry deletions was tricky and seems to be the key, as it is all over the place under different names.

I had to do multiple searches using Regedit as each time I would find references to HackerDefender. I first searched under HackerDefenderDrv100 and deleted all, then searched for HackerDefender and finally I even typed in hacker and found 2 more references. After this I deleted all the hidden files as mentioned by Winhelp.

I fixed the two Svhost entries and all 01 entries prior to doing this on Hijackthis. All was done in safe mode.

I think the key is doing multiple searches of the registry using Regedit and following Winhelp's instructions. I started a new registry search each time I did a search and did everything over 3 times to ensure I never missed anything.

Run HijackThis again and if shown delete Svhost and all the 01 references (I had over 90 of them).

My situation may be different than yours. Get an expert to guide you before taking this on as I don't want any shit for posting this. Good luck.

These guys fixed my computer to perfection. You will hopefully not have to format.

Edited by duke9106, 30 May 2004 - 07:21 PM.


#31 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 26 May 2004 - 07:19 PM

Very strange, Lucky Cat. I have been completely cured since May 18th and I had similar problems to yours. My computer has worked perfectly since.

I had Hacker Defender, Svhost, Outpost.info infestation & multiple 01 hosts. Spybot, CWShredder and HijackThis vanished from my desktop and hard drive, plus I couldn't access most antispyware sites. I couldn't even access many forums on this site and had to use an unaffected computer to communicate with the experts here. These 2 topics may help and I know you have noted them.

http://www.spywarein...p?showtopic=647

http://www.spywarein...p?showtopic=505 s

I followed Winhelp's instructions exactly. 3 items I couldn't find with search were found later in the registry. Getting rid of HackerDefender through my registry deletions was tricky and seems to be the key, as it is all over the place under different names.

I had to do multiple searches using Regedit as each time I would find references to HackerDefender. I first searched under HackerDefenderDrv100 and deleted all, then searched for HackerDefender and finally I even typed in hacker and found 2 more references. After this I deleted all the hidden files as mentioned by Winhelp.

I fixed the two Svhost entries and all 01 entries prior to doing this on Hijackthis. All was done in safe mode.

I think the key is doing multiple searches of the registry using Regedit and following Winhelp's instructions. I started a new registry search each time I did a search and did everything over 3 times to ensure I never missed anything.

Run HijackThis again and if shown delete Svhost and all the 01 references (I had over 90 of them).

My situation may be different than yours. Get an expert to guide you before taking this on as I don't want any shit for posting this. Good luck.

These guys fixed my computer to perfection. You will hopefully not have to format.

Thanks a lot for this help duke9106. I really appreciate it ;) This seems very promising and I was considering trying those solutions anyway since the only other option was formatting (eww). Now all I need is an expert to guide me through this and hopefully I'll be fine ^__^

#32 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 27 May 2004 - 04:59 PM

bump -_-

#33 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 28 May 2004 - 01:16 PM

daily bump >.<

#34 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 29 May 2004 - 02:36 AM

Okay, thanks to duke9106 my computer seems to be HackerDefender free ^___^ Thanks A LOT duke9106, those solutions and what you said worked like a charm; Spybot S&D and CWShredder are NO LONGER hidden ^__^.

Now there's only a few problems left which I hope are easy to get rid of...First of all, when I was searching for the files in the HackerDefender fix I found a few things that were created at the EXACT same time as the ones I deleted to get rid of HackerDefender, aka files that were created when I got infected..These were some that caught my eye...

jkiwqxok.exe, which was found in the C:/Program Files/Internet Explorer folder...I deleted it since it seemed out of place and was created at the exact time I got infected...seemed like a logical thing to do...I don't know what this file did.

Also I found mstaskss.exe, which was found in the C:/Windows folder....I saw mention of this file in this thread:
http://www.spywarein...191&hl=mstaskss
So I deleted it also...

Also I found 2 other files that seemed out of place but I am not sure what they do so I left them alone for now...they were created a few minutes after I got infected...the files are:

mstasks1.exe AND mstasks2.exe ... these files were found in the C:/Windows/System32 folder....I don't know if they are supposed to be there or not so I left them alone.....

Also there may be other files that were created the day that I got infected that I might have missed....is there any way to check?

Also a new problem is every time I run Spybot S&D it keeps on finding a DSO Exploit...I get rid of it but it keeps on coming back even after I reboot, or even if I don't reboot after I get rid of it, it comes back...here's what Spybot S&D found...


DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1229272821-920026266-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


Is there any way to fix that?????? Also here's my latest HijackThis log...


Logfile of HijackThis v1.97.7
Scan saved at 3:16:54 AM, on 29/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8027.6773611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Think you can help me with this problem VashonDude ^___^

#35 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 29 May 2004 - 12:23 PM

mstasks1.exe and mstasks2.exe came from viruses. Run a full virus scan.

I'm checking to see what needs to be done about the recurring DSO exploit and what still needs to be deleted.

I'm glad to hear that Hacker Defender appears to be dead.

-- LB

#36 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 29 May 2004 - 01:16 PM

mstasks1.exe and mstasks2.exe came from viruses. Run a full virus scan.

I'm checking to see what needs to be done about the recurring DSO exploit and what still needs to be deleted.

I'm glad to hear that Hacker Defender appears to be dead.

-- LB

I ran a full virus scan and got 0 results for infections. Since mstasks1.exe and mstasks2.exe came from viruses, can I delete them? Regarding the DSO exploit, don't worry about it, it can't be helped and it doesn't matter as long as you're fully patched; info on it here:
http://www.spywarein...wtopic=1728&hl=
Since the virus scan comes clean, along with Ad Aware, Spybot S&D and CWShredder, I seem to be generally clean...there's only a few things left to do, like should I delete mstasks1.exe and mstasks2.exe?

After doing a search of all files that were modified on the day I was infected, I've taken note of files that were put on my computer the moment I was infected or soon after...here they are:

C:\install.cab
C:\install.htm

C:\Windows\didduid.ini
C:\Windows\dl.html

C:\Windows\hosts

C:\Windows\sasing.ini

C:\Windows\test

C:\Windows\winamp.ini
C:\Windows\wininit.ini

C:\Program Files\Winamp\winamp.ini
C:\Program Files\Winamp\winamp.m3u
C:\Program Files\Winamp\wmplayer.exe.tmp

C:\Windows\CSC (A hidden folder that was modified an hour later...probably not related but just covering my bases ^_^)

C:\Windows\inf\drvindex.pnf (Modified the exact time I was infected and there are other files in that folder that were modified about an hour later...looks like a normal folder, I am just covering bases again ^_^)

C:\Windows\system32\ggdfg.txt

C:\Windows\system32\drivers\etc\hosts (was created 10 hours after I was infected so it's probably okay but I just want to make sure)

And those are all the files I found from that day that SEEM suspicious...some of them I REALLY want to delete because I know they were a result of a virus...but I THINK that some of these files are leftovers from anti-spyware programs...like for example, remember that Windows Media Player error I was telling you about in the beginning? Even though Spy Sweeper got rid of that error those files are still left over....maybe they are harmless alone....who knows?? But yeah, please tell me which of those files are normal and which are not and which ones I can delete?! Thanks a lot, and anyone else feel free to comment like duke9106 did! Again thanks ^___^

#37 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 30 May 2004 - 02:34 AM

bump! I think a solution is near :D

#38 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 30 May 2004 - 02:52 PM

help please anyone? :(

#39 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 31 May 2004 - 03:05 AM

ahhh man this has been going on for 2 weeks :weep: bump :blush:

#40 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 31 May 2004 - 05:22 PM

Go ahead and delete mstasks1.exe and mstasks2.exe.

As for the other files, I'm trying to find out if they're legit or not.

-- LB

#41 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 31 May 2004 - 06:04 PM

Go ahead and delete mstasks1.exe and mstasks2.exe.

As for the other files, I'm trying to find out if they're legit or not.

-- LB

Okay will do, thanks :alarm:

#42 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 01 June 2004 - 01:11 PM

:hmmm: Okay what can I delete next?

#43 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 01 June 2004 - 01:50 PM

:hmmm: Okay what can I delete next?

I'm fairly certain you can delete this one:

C:\Program Files\Winamp\wmplayer.exe.tmp - probably is related to a virus.

C:\Windows\CSC is legit.

The F0 items in the HijackThis log can go.

As for the other files, I'm not certain. Google searches either come up blank or inconclusive (i.e. I can't tell if the file in question is legit or not).

-- LB

#44 morcheeba

    Member

  • Retired Staff - Helper
  • 96 posts

Posted 01 June 2004 - 02:11 PM

Hi,
The recurring DSO exploit is caused by a bug in Spybot Search and Destroy 1.3. See here for a fix: http://forums.net-in...showtopic=15308 .
(Basically, the fix involves editing the registry.) It's not too difficult to do.
Hope that helps.

Edited by morcheeba, 01 June 2004 - 05:09 PM.


#45 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 01 June 2004 - 02:18 PM

k thanks VashonDude, will delete!! hmm, maybe a way of telling what's legit or not is to see if these files are found on a clean computer running XP Pro?! Or asking the experts? and thanks morcheeba, I'll try that out.

#46 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 02 June 2004 - 04:14 AM

2 weeks + :weep: but the end seems near :unsure:

Unsure files left:

C:\install.cab
C:\install.htm

C:\Windows\didduid.ini
C:\Windows\dl.html

C:\Windows\hosts

C:\Windows\sasing.ini

C:\Windows\test

C:\Windows\winamp.ini
C:\Windows\wininit.ini

C:\Program Files\Winamp\winamp.ini
C:\Program Files\Winamp\winamp.m3u

C:\Windows\inf\drvindex.pnf

C:\Windows\system32\ggdfg.txt

C:\Windows\system32\drivers\etc\hosts

Edited by Lucky Cat, 02 June 2004 - 04:16 AM.


#47 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 02 June 2004 - 04:05 PM

I've deleted mstasks1.exe, mstasks2.exe and wmplayer.exe.tmp, no problem. But now I have a new problem...I can't delete:

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
Every time I click fix checked and I run HijackThis again it reappears; are these items dangerous?

Also have you found out if those other files are legit or not??

Crap, every time I think I am getting ahead I am not, starting to go crazy again :(


Seems like others are having the "F0 - syst>m.ini: Shell=" problem:

http://www.spywarein...st=0
http://www.webuser.c...sb=5&o=93&part=

Edited by Lucky Cat, 02 June 2004 - 04:45 PM.


#48 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 03 June 2004 - 04:07 AM

bump

#49 Lucky Cat

    Meow?

  • Full Member
  • 94 posts

Posted 03 June 2004 - 01:16 PM

bump

#50 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 03 June 2004 - 02:50 PM

I've deleted mstasks1.exe, mstasks2.exe and wmplayer.exe.tmp, no problem. But now I have a new problem...I can't delete:

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
Every time I click fix checked and I run HijackThis again it reappears; are these items dangerous?

From what I've read, F0 items are always bad, but I was looking at a post that seems to say that they may be legit.

These 3 files:

C:\Program Files\Winamp\winamp.ini
C:\Program Files\Winamp\winamp.m3u
C:\Windows\winamp.ini


go with Winamp (a media file player). Do you have this program on your computer? If so, was it installed around the time this problem began?

Could you make copies of the following files and place them in a ZIP file:

C:\install.cab
C:\install.htm
C:\Windows\didduid.ini
C:\Windows\dl.html
C:\Windows\hosts
C:\Windows\sasing.ini
C:\Windows\test
C:\Windows\inf\drvindex.pnf
C:\Windows\system32\ggdfg.txt
C:\Windows\system32\drivers\etc\hosts

and send them to the following address: walk_wait AT msn.com (replace the AT with @). I'd like to have a look at these files.

-- LB