My Solution to res:// hijack


33 replies to this topic

#1 chrisgaltieri


Posted 16 June 2004 - 12:10 AM

Ok guys,

I've just spent the last few days getting rid of this crappy browser hijack that ***** up your start page/search page and does this every time you run your browser. The method I used to delete it is a bit of controlled overkill, but much less overkill than formatting your hard drive or restoring the computer.

My solution builds upon other people's ideas and solutions. I'll just list what I did:

Download Ad-aware from here if you haven't already got it, or use the link from the main page of this site, and run a scan. Once this is completed and you have deleted all the bad objects...

If you have the full version of Ad-aware you will have the Ad-Watch portion. If you do (which most won't, I assume) then run it, and get it to prompt you for any attempts to alter the registry. Depending on how ****ed your computer is, each time you run a browser now you may get 6 to 7 attempts to change things. If you don't have it then don't stress, it just makes things a little easier.

PLEASE NOTE! While Ad-Watch is running, you will not be able to change the registry for the better, or delete bad entries. What I suggest is you keep it set to NOT automatically block the attempts, because HijackThis (used later) will not be able to work properly.


OK, onto the solution:


1. Bring up the Processes window in Task Manager (CTRL + ALT + DELETE) and look at the processes. You are looking for things like 'sd*.exe' (the * indicates some random characters). It may not even have sd at the start, but it did every time for me. You might wish to use a process viewer like the one here in order to make this easier too.

2. Also look for anything else suspicious. If it looks dodgy then kill it; the reason I say this is because there's no easy way for you to find out if it is or not. It's likely to be dodgy if it's made up of random characters, and if you run a browser to find out then that is the catalyst for it to infect your computer again.

3. Locate these files in these 2 directories:

C:\WINDOWS
C:\WINDOWS\SYSTEM32



What you are looking for are the names of the files you saw in the Processes list (but not limited to those!).

Depending on how many times you have tried to do this there could be multiple .exe files, all with 5 random characters and a .exe extension. You need to delete every single one of these files for this to work. You will find some in both directories.

The easiest way I found to do this was to view the directories by 'Detail' - done by right-clicking and selecting View --> Detail - and then right-clicking next to the Last Modified column and adding the column 'Created On'. This will show you any files that have recently been created. It is fairly obvious which ones are the culprits; they are, as I said, either a string of characters with a .exe extension or a string of characters with 32 tagged on the end with the same extension.

The dodgy files with the 32 tagged on the end are the executables that start the carnage. What I think happens is the exe files that run on startup (the ones you can see in the processes) run these files with the 32 tagged on, and this is where the problem is: you can delete the files that run these other exe's, but if you don't actually delete the exe's with the 32 tagged on then they in turn create the other exe's. I have no idea if this is correct but it is surely something along those lines.

Anyway...

The other files that you must delete are the dodgy .dll files. These are the files that contain the HTML code that loads when the hijacker takes over your browser. You can find them in the same directories as listed above, but most likely just the WINDOWS directory. If you open them with Notepad you will see the HTML in them. The filename is randomly generated and will match the name in the address bar once hijacked, i.e. res://*.dll. The file name will be where the * is.

My advice is to delete any .dll files and .dat files that have been created in the couple of days since you were infected. The chance of removing important files is slim. Hopefully you don't consider me a cowboy for saying that, but desperate times call for desperate measures. I call it controlled culling of files.

Anything that looks suspicious (i.e. random characters .exe or .dll that have been created in the last couple of days).

4. Once this is done, make sure to delete all the files in your

C:\Documents and Settings\(Your User Name)\ Local Settings\Temp

and

C:\Documents and Settings\(Your User Name)\Local Settings\Temporary Internet Files

This is just a precaution.

*You may need to be in safe mode in order to do this, because some of these files may rely on processes that are currently running. When in Safe mode, they do not.

5. Delete all the files in the WINDOWS\TEMP directory

and completely delete the folder: C:\WINDOWS\PREFETCH if it exists.

6. Run Hijackthis!!

And delete all the suspect BHOs etc. It is fairly obvious which ones the suspect ones are. Other people have said to run HijackThis as the first step, but it's not necessary - if you have completed the steps above you shouldn't have too many dodgy items in HijackThis. Once you click Fix, you will get another prompt from Ad-Watch; this time look at what it is trying to do. If it is trying to restore your homepage/search page settings, then let it! If you have a lot of dodgy **** still in there, then fix all the problems and start again from instruction 1.

OK, after this is done, I recommend doing another scan using Ad-aware, Spybot or any other programs, including CWShredder, that you might have (you can never be too careful).

-------EDIT---------

I forgot this step:

6. Have a look at the services running. Do this by going to the 'Run' menu and typing in 'services.msc'.

Go down the list and locate 'Network Security Service' - this is another piece of dodgy **** that the hijacker installs. Notice how it is one of the only items that doesn't have a description. Any service running that is not sanctioned by Microsoft isn't allowed to have a description, I do not think. Right-click it, select Properties and change its startup type to 'Disabled'. Now if you don't clean your computer completely of the hijacking files then this will change itself back to Automatic (sneaky bastard), so remember: if the initial instructions fail, then you'll need to do this again.

---------------------


7. OK, once this is done you should be good to shut down your computer COMPLETELY, as in turn it off. Then turn it back on and see what happens. What I did was make Ad-Watch run on startup so I knew if there were any attempts to change the registry. The way to check whether your computer is hijack-free is to run a browser. If nothing happens, then close it and run it again. If you can do this three times with no hell breaking loose then you are most likely cured. If Ad-Watch goes nuts then you'll have to start again, and this time be more vigilant with the deletion of .dll's and .exe's. If you didn't use Ad-Watch then either nothing will happen, or you'll be redirected to that godforsaken res://*.dll page and your registry will be once again ****ed.

OK, hopefully that helps some of you. I understand that my advice is somewhat confusing and probably annoying, but I believe for now that it is the only solution.

The reason why this is such a nasty problem to fix is that the hijack creates randomly named .exe files and .dll files in different locations.

I'll keep my eye on this post for the next couple of days to answer any questions, and let me know if any of this helps.

Cheers,

Chris Galtieri

Edited swearing - that's just too much, this is a public forum, knock it off.

Edited by chrisgaltieri, 22 June 2004 - 09:25 AM.


#2 chrisgaltieri


Posted 16 June 2004 - 01:02 AM

Anyone tried this yet? I'm eager to know if I've helped anyone out.

#3 toblerone


Posted 16 June 2004 - 01:09 AM

Tried twice... no luck. I really thought I had it for a bit, but the res:// bit keeps coming back, but it's always the same name for a change... akgmf.dll

I've tried looking for that file under file search and no luck...

I've tried making the files non-hidden, and all that jazz....

still ain't working, is running better than it was though, less frequent interruptions... :wtf:

#4 rosso_acido


Posted 16 June 2004 - 01:17 AM

once this is completed and you have deleted all the bad objects.. run the Ad-watch portion.. And get it to prompt you for any attempts to alter the registry

Umm... If I'm not mistaken (and feel free to correct me if I'm wrong), the Adwatch portion of Ad-Aware is only available in the AAW Pro Edition, NOT the Personal (Free) one... So free AAW users are not going to be able to use this option.

R. :scratchhead:

Edited by rosso_acido, 16 June 2004 - 01:23 AM.

I am the iron anchor.

#5 chrisgaltieri


Posted 16 June 2004 - 01:23 AM

once this is completed and you have deleted all the bad objects.. run the Ad-watch portion.. And get it to prompt you for any attempts to alter the registry

Umm... If I'm not mistaken, the Adwatch portion of Ad-Aware is only available in the AAW Pro Edition, NOT the Personal (Free) one... So free AAW users are not going to be able to use this option.

R. :scratchhead:

Yes, I apologise about needing the Pro version. That was one thing I didn't consider.

However, it only makes the process a little easier. The fact is that if you do not open any browser then nothing more gets added to your machine. If you delete every trace of the program's '.exe' and '.dll' files in one go without starting a browser then hopefully you shouldn't have too much trouble. The real trouble lies in finding all the files.


One more thing - toblerone, I've had to repeat this process in excess of 6 or 7 times, but it did work once I had deleted all the files, I assure you dude. Best of luck.

Edited by chrisgaltieri, 16 June 2004 - 01:28 AM.


#6 rheinspiel


Posted 16 June 2004 - 03:54 AM

Humm....This needs to be hit hard with a Half Life Crowbar across the face. This garbage is driving me nuts.

#7 XenoX


Posted 16 June 2004 - 04:55 AM

I just got hit with this bad boy tonight. I have all the relevant files saved if any hardcore coders want to check them out. The whole key to figuring this out was a startup .exe that kept replacing itself after deleting it through regedit. It was called mfcpd32.exe. I also came across suspect file names of prqmf.dll (the main dll file) and iewf32.exe (28kb) (pretty sure this is a clone - I found many of these with random names, random dates, but most were 28kb). In the System32 folder I had a wylkd.dat and a syseh.dll. Very odd and hard-to-find names. After renaming all these files, deleting the registry run entry for mfcpd32.exe and killing any instance of it, and finally using HijackThis to clean the BHO (syseh.dll) and the rest of the IE stuff, I'm pretty sure it's fixed. The only way I figured out which files these were was to use Filemon and HijackThis. The relevant file names were found under the 'IExplore.exe' listing in Filemon, so don't expect any miracle programs to show up. No other freeware I found would completely recognize or fully kill it. Ad-aware did, however, recognize the prqmf.dll as CWS. This is one b*tch of a hijacker to clean.

Edited by XenoX, 16 June 2004 - 05:31 AM.


#8 chrisgaltieri


Posted 16 June 2004 - 06:24 AM

If you've tried my instructions above and it still doesn't work, try having a look at the Microsoft services running. Run this by typing in 'services.msc' in the Run menu.

Go down the list and locate 'Network Security Service' - this is another piece of dodgy garbage that the hijacker installs. Notice how it is one of the only items that doesn't have a description. Any service running that is not sanctioned by Microsoft isn't allowed to have a description, I do not think. Right-click it, select Properties and change its startup type to 'Disabled'. Now if you don't clean your computer completely of the hijacking files then this will change itself back to Automatic (sneaky bugger), so remember: if the initial instructions fail, then you'll need to do this again.

Cheers.

Edited by PGPhantom, 16 June 2004 - 12:17 PM.


#9 XenoX


Posted 16 June 2004 - 09:13 AM

Dude you nailed it right on the head. I successfully cleaned the computer and the problem is solved, but I did in fact have that service and it pointed directly to 'C:\WINNT\mfcpd32.exe /s' which is the exact file that kept restarting itself/creating an entry in startup (registry). That is an awesome tip to figure out the main .exe for the reloading of the hijack.

Edited by XenoX, 16 June 2004 - 09:13 AM.


#10 toblerone


Posted 16 June 2004 - 11:37 AM

Ugh... I know this should work, but there is still one file out there I cannot find. It seems I've deleted everything within the last ten days on my comp, but every time I reboot I find that res://C:\WINDOWS\system32\akgmf.dll/sp.html#96676

I have searched high and low for akgmf on my comp, and the search bar never says it finds it. I've been able to get a ton of crap off with this method, but it's still hanging around...

#11 rd_syringe


Posted 16 June 2004 - 11:45 AM

Removing that service didn't remove the hijack. It returned! This is the worst CWS variant I've seen.

#12 megapepp


Posted 16 June 2004 - 11:58 AM

It seems that I was able to remove the hijack!

Thanks a lot, Chris! :D

#13 rosso_acido


Posted 16 June 2004 - 12:55 PM

Well, guys, I'm by no means an expert in CWS hijacks and would never in the world mean to contradict anyone, but it looks like CWS's latest variants are too persistent to do away with by simply locating and deleting the "guilty" files. The reason is that CWS hides its .DLLs deep in the infected system so they get activated again after a while, even if it (temporarily) looks like the hijack has gone away.

In my very, very humble opinion, it's better to wait until one of the forum Experts confirms this method of clearing the particular hijack or proposes a tested and truly reliable fix.

Just my 2c...

Best,
R. :wave:
I am the iron anchor.

#14 danielb


Posted 17 June 2004 - 09:07 PM

Ok my friends. I did it. I won the battle against this hijacker. :techsupport:

So, I followed the instructions given by Chris, including the "Network Security Service" guideline to verify if you still have it or not.

In addition to those steps, I recommend doing the following, as I did, to be accurate :thumbsup: :

1. Download the program "Process Explorer" compatible with your Windows version.

2. While running "Process Explorer", run Internet Explorer, then locate and track what the hijacker program name currently activated is when you start up IE. You will see it as a child process of IE.

3. Look for another isolated program running with no name or identification. This surely is the core program that remains in memory and creates as many instances of the hijacker program as deletions you do against it. It regenerates as many programs as attempts to delete the files you make. Take a list of the programs you see as suspicious and that could be this one. You may take a look at the process information shown at the bottom of the "Process Explorer" screen. Typically, you will see that these hijacker programs refer to user security stuff and are located in the WINDOWS or WINDOWS/SYSTEM32 directories. The parent program is also loaded when you start your computer and you may find it in the "msconfig.exe/Startup" tab. Disable it.

4. One important step mentioned by Chris: delete all the instances of these hijacker files. I assume that many people did follow the steps properly; however, if you do not delete all the hijacker programs in the WINDOWS and WINDOWS/SYSTEM32 directories, you will get it again next time you restart your computer. How to identify them? Well, I have a method:

4.1. Identify the parent and child programs I mentioned in steps 2 and 3. Write down their names, kill them using "Process Explorer" (right mouse button) and then locate them on the hard disk.
4.2. Look at their real sizes in KB: use the right mouse button / Properties to get this info. One tip: all the hijacker programs have different names, different dates, but the same size. I found 2 sizes for the 2 different hijacked files I had: 9216Kb and 28xxxKb. Don't remember the second one.
4.3. Use the "HijackThis" program to locate these files, using Windows Explorer as well, and compare the autoloaded files against the files located on your hard disk.
4.4. Search the WINDOWS and WINDOWS/SYSTEM32 directories using Windows Explorer: order the files by Size, so you will get all the 9Kb or 28Kb sized files together, but you should go one by one verifying the file "Properties", because not all the 9Kb files have a real 9Kb: one has 9.021 bytes, others 9.202 bytes, but they are all displayed as 9Kb. Identify the group of files which have the same size repeatedly.
4.5. Now we have to delete them: watch out!!! Do not make the mistake of deleting system programs with the same size!!! To avoid this, before deleting them, verify in File Properties (right mouse button again) whether the file has a "Version" tab. If it has one, then it's a system file. The hijacker program has no Version tab. Ensure the file you are going to delete has none.

5. Delete ALL the files present in the WINDOWS/PREFETCHED directory.

6. Do the rest of the steps already mentioned by Chris. Finally, run Spybot, Ad-aware, Spycleaner, to ensure the instances were deleted. One important thing: use the "HijackThis" program to fix the Registry problems.

7. Disconnect your computer before restarting, then restart and ensure you don't have any problems again. Ensure your default page and blank page work fine every time you run IE. Verify the Network Security Service is deactivated as well.

Hope this helps you all with the same problem and that you solve it as I did. :cool:


Regards,


Daniel
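The file-hunting rules from Chris's and Daniel's posts (random-looking name in WINDOWS or System32, created since the infection, no Version tab, and a byte size repeated across several such files) turned into a triage pass over a constructed directory snapshot. This is an added example, not code from the thread; the FileInfo record, the triage function and the 4-to-5-letter name pattern are my assumptions, and the sizes and timestamps are invented.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import ntpath
import re

# Name shape the thread reports for the droppers (akgmf.dll, syseh.dll,
# mfcpd32.exe, iewf32.exe): a few random letters, optionally "32", then
# .exe/.dll/.dat. Assumption: 4 or 5 letters; widen it if a variant differs.
RANDOM_NAME = re.compile(r"^[a-z]{4,5}(32)?\.(exe|dll|dat)$", re.IGNORECASE)

# The two directories the thread says the files land in (plus the WINNT
# spelling seen in XenoX's post).
TARGET_DIRS = {"c:\\windows", "c:\\windows\\system32",
               "c:\\winnt", "c:\\winnt\\system32"}


@dataclass(frozen=True)
class FileInfo:
    path: str
    size: int            # exact byte size, not the rounded "9 KB" Explorer lists
    created: datetime    # the 'Created On' column Chris suggests adding
    has_version: bool    # whether Properties shows a Version tab (system files do)


def in_target_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in TARGET_DIRS


def triage(files, infected_on: datetime) -> dict:
    """Return {path: [reasons]} for files passing all three individual tests;
    a fourth reason is appended when two or more suspects share a byte size."""
    suspects = []
    for f in files:
        if not in_target_dir(f.path):
            continue
        reasons = []
        if RANDOM_NAME.match(ntpath.basename(f.path)):
            reasons.append("random-name")
        if f.created >= infected_on:
            reasons.append("created-since-infection")
        if not f.has_version:
            reasons.append("no-version-tab")
        if len(reasons) == 3:
            suspects.append((f, reasons))
    # Daniel's observation: the droppers differ in name and date but repeat
    # in size, so a size shared by several suspects strengthens the call.
    sizes = Counter(f.size for f, _ in suspects)
    for f, reasons in suspects:
        if sizes[f.size] > 1:
            reasons.append("same-size-cluster")
    return {f.path: reasons for f, reasons in suspects}


# Constructed snapshot: file names from the thread, sizes and dates invented.
INFECTED_ON = datetime(2004, 6, 14)
SNAPSHOT = [
    FileInfo(r"C:\WINDOWS\mfcpd32.exe", 28672, datetime(2004, 6, 15, 1, 3), False),
    FileInfo(r"C:\WINDOWS\iewf32.exe", 28672, datetime(2004, 6, 15, 1, 4), False),
    FileInfo(r"C:\WINDOWS\prqmf.dll", 9216, datetime(2004, 6, 15, 1, 4), False),
    FileInfo(r"C:\WINDOWS\system32\syseh.dll", 9216, datetime(2004, 6, 15, 1, 5), False),
    FileInfo(r"C:\WINDOWS\system32\wylkd.dat", 412, datetime(2004, 6, 15, 1, 5), False),
    # legitimate files: old, or versioned, or outside the target directories
    FileInfo(r"C:\WINDOWS\notepad.exe", 69120, datetime(2001, 8, 23), True),
    FileInfo(r"C:\WINDOWS\system32\kernel32.dll", 983552, datetime(2001, 8, 23), True),
    FileInfo(r"C:\WINDOWS\system32\abcde.dll", 9216, datetime(2004, 6, 15, 3, 0), True),
    FileInfo(r"C:\Program Files\QuickTime\qttask.exe", 77824, datetime(2004, 6, 15, 2, 0), False),
]

if __name__ == "__main__":
    for path, reasons in triage(SNAPSHOT, INFECTED_ON).items():
        print(f"{path}: {', '.join(reasons)}")
```

The output is a shortlist to check by hand, not a delete list; a versioned file with a random-looking name (abcde.dll here) drops out, which is the check Daniel's step 4.5 insists on.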

#15 co_1972


Posted 17 June 2004 - 11:45 PM

Thanks chrisgaltieri and danielb! Awesome work! Worked on the first try (even without Adwatch).

#16 chrisgaltieri


Posted 18 June 2004 - 01:39 AM

Glad i could help guys,

Rosso Acido, I understand your scepticism, but seriously dude, it seems that this method works - I know that there soon hopefully will be a more foolproof solution, but for people infected with this **** it's a welcome relief to get rid of it... right?

I'm infection-free still after a couple of days with no sign of reinfection, so I hope that this has fixed it once and for all.

Edit - Zero - Community forum. DON'T SWEAR!

#17 rosso_acido


Posted 20 June 2004 - 04:19 PM

Okay... :) As long as it does help. Although I'm the least qualified to draw conclusions on that.

I do hope you've got rid of the pest. Having been hijacked myself, I am extremely sensitive on these matters - as everyone on this forum is. What I feel compelled to point out, though, is that one must be very careful on what they're deleting when trying to clear an infection - I dealt with my hijacker on my own about a year ago, and managed to do away with it but butchered my own system in the process. It took a reformat and reinstallation of the OS to get the machine to work right again. :(

I can't claim I've dealt with many CWS infections, but from the few logs I've parsed so far and those I'm studying, it looks like it's one of the most insidious and vicious trojans plaguing the Web at the moment - even more so as it's almost impossible to fight without a great amount of specialised knowledge (hence my skepticism - but being skeptical on most matters is something I never denied anyway).

Well, I do wish you the best - and of course, my standing curse goes out to those scams that make our lives a misery. :techsupport:

Take care,
R. :wave:

Edited by rosso_acido, 21 June 2004 - 10:19 AM.

I am the iron anchor.

#18 lansalot


Posted 20 June 2004 - 04:24 PM

You guys might like to check this account out. I didn't see any sign of that service, fwiw.



http://www.spywarein...?showtopic=8373

#19 Garty


Posted 21 June 2004 - 05:38 AM

:deal: What's a process explorer?

#20 chrisgaltieri


Posted 21 June 2004 - 07:21 AM

A process explorer shows you information about which handles and DLLs processes have opened or loaded. That is, all the .exe files that are running, either in the background (ones you cannot see anywhere), those that you are currently using, and those running in the tray in the bottom right corner of your screen. The process explorer shows you what programs are running and the associated .dll files etc. that the process is making use of, allowing you to delete suspect programs and their associated files.

A good one can be downloaded here

Edited by chrisgaltieri, 21 June 2004 - 07:22 AM.


#21 Jaaffa


Posted 21 June 2004 - 10:02 AM

Just a short note to say thanks Chris and Daniel. After about 16 hours of trying to nut it out myself I took your solution on board... and yes, it worked!!!

I too didn't use ad aware.

#22 Zero


Posted 21 June 2004 - 10:08 AM

Community forum, don't swear.

#23 Xelar20


Posted 21 June 2004 - 02:32 PM

Thanks, Chris, for the help. I stumbled across your original post and it seems to have cured my system of the hijacker which changed my homepage to "res:..."

If anyone has time, this is an updated HijackThis log, to check if I have traces of anything left.

Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 3:32:15 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rosen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ler/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Thank you so much again, Chris.

#24 JenkHouse


Posted 21 June 2004 - 07:17 PM

Okay, I have a feeling I am about to crash my computer... I am towards the end of the process... Spybot has FINALLY stopped asking me to allow this stupid skvsd.exe crap. I am running HijackThis. Should I just delete all files in the system32 folder that it shows me, or is that a no-no?

#25 chrisgaltieri


Posted 21 June 2004 - 08:16 PM

Jenkhouse,

You certainly do not want to delete all the files it comes up with that are located in the system32 directory...

Be aware that HijackThis is not a program that tells you specifically what is taking over your computer, but rather lists any suspect files. As it says on the main screen: "HijackThis cannot determine what is bad and what is merely customized by you".

Making a new thread and waiting for someone to look at your log is a good option. It is difficult to write out the format that HijackThis outputs in order to point you in the right direction (so as to know what to leave and what to delete), because the format of each line of output changes depending on what type of component it is, and the other main thing is that I am not a moderator or administrator of this board anyway, so I don't want to tread on their toes.

As a rule of thumb, before deleting anything read each line completely. Each component should have a name with which to identify itself; these are located within either square brackets or round brackets, i.e. [NeroCheck] or (QuickTime Object). Obviously these would not be ones to delete. The other thing to check for is the file path, i.e. (C:\Windows\System32\spool\DRIVERS......).

What you (or preferably a helper on this board) do is make a value judgement depending on three things: type of component, name of the component, and directory.

To properly answer your question, if you are experiencing the res://*.dll hijack the main things you will need to delete are just the lines that contain this particular phrase (generally the lines located up the top after the scan). But my advice is to make a new thread and post your log, then if you like post the link to that thread in this topic and I'll gladly have a look.

Chris
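The three-way judgement described above (type of component, name of component, directory) can be scripted against a log so the res:// lines and the entries that point at the same DLL stand out, while named vendor entries are left alone. This is an added example, not code from the thread or from HijackThis; the log lines, the DLL name abcdef.dll and the all-zero CLSID are constructed placeholders:

```python
import re

# Constructed sample in HijackThis log format. The res:// values, the DLL
# name abcdef.dll and the all-zero CLSID are placeholders, not values from
# the thread or from any real infection.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\abcdef.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\System32\abcdef.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\abcdef.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Entry type (R0, R1, O2, O4, ...) followed by " - " and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
# Component name in square brackets ([NeroCheck]) or round brackets ((no name)).
NAME_RE = re.compile(r"\[(?P<b>[^\]]+)\]|\((?P<p>[^)]+)\)")
# First Windows file path, quoted (may contain spaces) or unquoted.
PATH_RE = re.compile(r'"(?P<q>[A-Za-z]:\\[^"]+)"|(?P<u>[A-Za-z]:\\\S+)')
# DLL named inside a res:// URL, e.g. res://C:\...\abcdef.dll/sp.html
RES_RE = re.compile(r"res://(?P<dll>[^/\s]+\.dll)", re.IGNORECASE)


def parse_entry(line):
    """Split one log line into type, component name and file path (the three
    things to weigh before deleting anything), plus the DLL referenced by a
    res:// URL if there is one. Returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    nm = NAME_RE.search(body)
    pm = PATH_RE.search(body)
    rm = RES_RE.search(body)
    return {
        "type": m.group("type"),
        "name": (nm.group("b") or nm.group("p")) if nm else None,
        "path": (pm.group("q") or pm.group("u")) if pm else None,
        "res_dll": rm.group("dll").lower() if rm else None,
        "raw": line.strip(),
    }


def triage(log_text):
    """Return (flagged, kept). Flagged entries are the res:// start/search
    page lines and any other entry (BHO, Run key) that loads the same DLL;
    everything else is kept for a human to judge by name and directory."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    # Step 1: collect the base name of every DLL named in a res:// URL.
    bad_dlls = {e["res_dll"].rsplit("\\", 1)[-1] for e in entries if e["res_dll"]}
    flagged, kept = [], []
    for e in entries:
        base = e["path"].rsplit("\\", 1)[-1].lower() if e["path"] else ""
        base = base.split("/", 1)[0]  # drop a trailing "/sp.html" resource name
        # Step 2: flag by res:// phrase or by shared DLL, never by directory alone.
        if e["res_dll"] or base in bad_dlls:
            flagged.append(e)
        else:
            kept.append(e)
    return flagged, kept


if __name__ == "__main__":
    bad, ok = triage(SAMPLE_LOG)
    for e in bad:
        print("FLAG ", e["type"], e["raw"])
    for e in ok:
        print("keep ", e["type"], e["name"], e["path"])
```

Note that nothing here is flagged because it lives in System32: NeroCheck.exe sits in the same directory as the hijack DLL and is kept, which is the point of reading the name and type before the path.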

#26 chrisgaltieri

chrisgaltieri

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 21 June 2004 - 08:20 PM

Bigalster,

To answer your question about not being able to locate the "Local Settings" folder: this folder is hidden, that is why you can't find it.

To view it do the following:

1. Open 'My Computer'

2. Click Tools -> Folder Options

3. Select the 'View Tab'

4. Locate the 'Hidden Files and Folders' Folder and select 'Show Hidden Files and Folders'

Chris

#27 chrisgaltieri

chrisgaltieri

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 22 June 2004 - 08:36 AM

Think I'll give this post a selfish 'bump'..

Maybe some people may find it useful so long as it's not on the 6th page.

#28 Tbone

Tbone

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 22 June 2004 - 09:07 AM

Just a quick comment for those of you still working on this, getting rid of the dll's will do you no good at all since the main program will just recreate them. On my computer there were (2) exe's running together in the task manager that played on each other. If you deleted one the other would simply recreate it. Luckily, those exe's, although random, did not change name (unlike the dll's that change name every time you stop one of the exe's). The dll's and the exe's seem to both reside in the windows and windows/system32 directories. The big key here is to stop the two exe processes as quickly as possible in sequence. Once they are stopped you have all the time in the world to get rid of the exe's and dll's as well as their references in the registry. I sorted this last week and you might want to take a look at my comments here.

I will add that I am by no means an expert, only trying to help others that were in the same position as me. I really wanted to wait for the experts but I posted a week ago and still no comments. I'm sure that they are very busy with this one.

Good luck.

#29 bigalster

bigalster

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 22 June 2004 - 09:19 AM

Okay guys, I'm bigalster. Where do I start then?? Do I forget about SAFEMODE and using Ad-Aware?? What is the first thing I should do? Chris's suggestion starts with Ad-Aware, but the Ad-Watch function does not work for me (you have to pay for it). So I assume the first step is Win Task Manager, correct? I have also been told the dodgy ones are lower-case formatted (but not all lower-case ones are dodgy). Perhaps. My Task Manager is now open; I got ccApp.exe & ccEvtMgr.exe running as well as >ccSetMgr.exe, all the rest are capital block ones so these must be good. Am I off in the right direction?????

#30 chrisgaltieri

chrisgaltieri

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 22 June 2004 - 09:27 AM

Bigalster,

PGPHantom - Edited to remove offensive posting

#31 bigalster

bigalster

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 22 June 2004 - 09:39 AM

Chris, I posted a new HijackThis log last night, but it keeps changing, not a lot but there are changes nonetheless. I can't keep posting new logs every five minutes. I know the R1's and R0's are bogus and I printed out the dodgy ones you indicated in last night's log posting, but I definitely need guidance. Should I post another HijackThis log or compare the one I did last night to what it looks like this morning??

#32 bigalster

bigalster

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 22 June 2004 - 09:51 AM

OK Chris, I reread the instructions. In my Win Task Manager, I noticed this one >SDKYR32.exe (block letters though, not small letters). Is it a dodgy one?

#33 Tbone

Tbone

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 22 June 2004 - 09:58 AM

There is an area here that lists lots and lots of exe task files. The two I had that were ultimately responsible were not seen here. I can't recall the link but do a search and you should be able to find the area of the forum, then key in your file name, and if it doesn't show up then it's worth more examination.

#34 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 22 June 2004 - 10:00 AM

Topic locked due to members getting more confused than is necessary. If you would like to assist, become a "Helper Trainee" by clicking on this link and responding to the message.

People having problems - Please post a new topic complete with your HijackThis logs.
