Jump to content


Photo

:) log files


  • Please log in to reply
16 replies to this topic

#1 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 05:42 PM

Logfile of HijackThis v1.97.7
Scan saved at 3:42:34 PM, on 10/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ipmo32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\system32\mfcoh32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GlobalSCAPE\CuteFTP Professional\ftpte.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Arachnophilia\arach.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pzujz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzujz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzujz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pzujz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pzujz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pzujz.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BFFB14CE-5DCB-C371-8960-2404CA0FF16A} - C:\WINDOWS\ntqh32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mfcoh32.exe] C:\WINDOWS\system32\mfcoh32.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [SsUninst] C:\DOCUME~1\Joey\LOCALS~1\Temp\SS_UNI~1.EXE -d C:\PROGRA~1\ACCELE~1\StopSign\
O4 - HKLM\..\RunOnce: [ws_uninst] C:\DOCUME~1\Joey\LOCALS~1\Temp\ws_uninst.exe -s
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_stp.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

#2 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 18 June 2004 - 06:46 PM

Hi TheMan,

This is a new variant of CoolWebSearch (CWS) which cannot be fixed with just one click of the mouse. So we have some things to do here to get you fixed.

Configure your computer to show hidden files.

Next, hold down the Ctrl + Shift keys on your keyboard, then tap the Esc key. This will open task manager. Click the processes tab. Find mfcoh32.exe, right click it and select End Process. Click Yes to the confimration message. Now find ipmo32.exe and end that process too.

Now go to Start->Run and type Services.msc then hit OK. Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now click OK and close any open windows.

Be sure to close all browser and explorer windows before continuing.

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pzujz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzujz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzujz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pzujz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pzujz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pzujz.dll/sp.html#96676
O2 - BHO: (no name) - {BFFB14CE-5DCB-C371-8960-2404CA0FF16A} - C:\WINDOWS\ntqh32.dll
O4 - HKLM\..\Run: [mfcoh32.exe] C:\WINDOWS\system32\mfcoh32.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_stp.cab


Exit HiJackThis.

Then reboot your computer in safe mode and delete the following files:
C:\WINDOWS\pzujz.dll
C:\WINDOWS\ntqh32.dll
C:\WINDOWS\system32\mfcoh32.exe

While still in safe mode, click Start > Run and type in regedit. Click OK.

Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu

Exit regedit and reboot your computer back into normal mode.

A file may have been deleted from your computer so it needs to be replaced.

Go here: http://www.spywarein...es.html#control and download the version of control.exe for your operating system. For Windows XP, copy the file to the c:\windows\system32 folder.

Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Unzip it and click Restore Original Hosts and click OK. Then close the program.

Run Hijackthis again and post a new log back into this thread.

Many thanks to LoPhatPhuud, Metallica, Mosaic1, Zupe, Grinler, FreeAtLast, Merijn and hosts of others for their contributions to this fix.

#3 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 07:30 PM

Ok here is what I have now.

Logfile of HijackThis v1.97.7
Scan saved at 5:28:41 PM, on 10/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ipmo32.exe
C:\WINDOWS\system32\addsm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\tbctray.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Arachnophilia\arach.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kiuak.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kiuak.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kiuak.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kiuak.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kiuak.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kiuak.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mfcoh32.exe] C:\WINDOWS\system32\mfcoh32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [sdkcy.exe] C:\WINDOWS\sdkcy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab


Also when i ran the hoster file it said i had no hosts.

So there was nothing done there.

It seems I still have the dpyware though :(

#4 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 18 June 2004 - 08:04 PM

Hi TheMan,

Yes, it is still there and the files keep respawning new bad files, which is why your still infected. I am currently testing a fix for this with a team of experts and I will post back as soon as we have a viable solution. May take us a day or two though, so please be patient. :)

#5 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 08:09 PM

Hello :)

I will wait.
I appriciate this so much! :thumbsup:
Thank you!

#6 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 22 June 2004 - 09:54 AM

Hi TheMan,

Okay, a reliable fix is now available for this. Can you post an updated hijackthis log for me please?

#7 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 22 June 2004 - 02:49 PM

Hi :)
So looking forward to getting rid of this.
Thank you so much again for remembering this.



-------------
Logfile of HijackThis v1.97.7
Scan saved at 12:37:37 PM, on 10/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ipmo32.exe
C:\WINDOWS\system32\addsm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Arachnophilia\arach.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kiuak.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kiuak.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kiuak.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kiuak.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kiuak.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kiuak.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mfcoh32.exe] C:\WINDOWS\system32\mfcoh32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [sdkcy.exe] C:\WINDOWS\sdkcy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

---------------------------------

#8 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 22 June 2004 - 03:22 PM

Hi TheMan,

***Please do not reboot until it is requested. Rebooting during this process will cause reinfection!***

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O4 - HKLM\..\Run: [mfcoh32.exe] C:\WINDOWS\system32\mfcoh32.exe
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [sdkcy.exe] C:\WINDOWS\sdkcy.exe


Next, hold down the Ctrl+Shift keys on your keyboard and tap the Esc key. This will open task manager. End each of the following processes by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

addsm.exe
ipmo32.exe
mfcoh32.exe
<---if it's listed - it may not be listed, in which case, move on

Download About:Buster from either of the following locations.

http://www.atribune....AboutBuster.zip
or
http://tools.zerosre...AboutBuster.zip

Run AboutBuster.exe and click ok and then start. Paste this exact line into the text box in About:Buster

res://kiuak.dll

Close ALL Internet Explorer windows. This is a very important step!!

Next click Ok and allow the program to run.

After it runs copy its report and paste it back into this thread.

Next, go to c:\documents and Settings\{username}\local settings\Temp and delete all files in that temp folder.

Reboot and post a new HijackThis log along with the report from About:Buster if there were any errors in it.

Edited by OSC, 22 June 2004 - 07:06 PM.


#9 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 23 June 2004 - 12:26 PM

Hi again
Well after doing this at first when I opened the browser google showed up... So that was diffrent. Then after a few minutes it went back to the same thing it was doing.... Below are the following stuff you requested.

----------------------
Buster logs
.dll File not found, Continuing fix
Removed! : C:\WINDOWS\sdkcy.exe
Removed! : C:\WINDOWS\diepzb.dat
Removed! : C:\WINDOWS\pggpo.dat
Removed! : C:\WINDOWS\rladhk.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Pages Reset... Done!
-----------------------

hijackthis logs

Logfile of HijackThis v1.97.7
Scan saved at 10:25:30 AM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\addsm.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ipmo32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Arachnophilia\arach.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pbbve.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pbbve.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pbbve.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pbbve.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pbbve.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pbbve.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [javadn32.exe] C:\WINDOWS\javadn32.exe
O4 - HKLM\..\RunOnce: [sdkpb.exe] C:\WINDOWS\system32\sdkpb.exe
O4 - HKLM\..\RunOnce: [ntvm32.exe] C:\WINDOWS\system32\ntvm32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

---------------------------------

Thanks again
Will be waiting for further instructions...

#10 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 23 June 2004 - 09:17 PM

Hi TheMan,

Okay, one more stab at this using this method. Have you rebooted since you posted that last log?? If so, then please post a new log before proceeding. If not, the please continue with the instructions.

***Please do not reboot until it is requested. Rebooting during this process will cause reinfection!***

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [javadn32.exe] C:\WINDOWS\javadn32.exe
O4 - HKLM\..\RunOnce: [sdkpb.exe] C:\WINDOWS\system32\sdkpb.exe
O4 - HKLM\..\RunOnce: [ntvm32.exe] C:\WINDOWS\system32\ntvm32.exe


Download the latest version of About:Buster from either of the following locations.

http://www.atribune....AboutBuster.zip
or
http://tools.zerosre...AboutBuster.zip

Run AboutBuster.exe and click ok and then start. Paste this exact line into the text box in About:Buster:

res://pbbve.dll/index.html#96676

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Next click Ok and allow the program to run. After it runs copy its report and paste it back into this thread.

Reboot and post a new HijackThis log along with the report from About:Buster if there were any errors in it.

#11 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 25 June 2004 - 04:57 PM

Hello
Sorry but since your message I have rebooted my computer.
here is the latest hijack logs. :)

(I will not be rebooting)

Also so you know.. I will be making a donation after we rid of this.

Thanks again for your time.




Logfile of HijackThis v1.97.7
Scan saved at 2:56:00 PM, on 10/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ipmo32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\addsm.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pbbve.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pbbve.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pbbve.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pbbve.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pbbve.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pbbve.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [javadn32.exe] C:\WINDOWS\javadn32.exe
O4 - HKLM\..\RunOnce: [sdkpb.exe] C:\WINDOWS\system32\sdkpb.exe
O4 - HKLM\..\RunOnce: [ntvm32.exe] C:\WINDOWS\system32\ntvm32.exe
O4 - HKLM\..\RunOnce: [iegt32.exe] C:\WINDOWS\iegt32.exe
O4 - HKLM\..\RunOnce: [atlwi32.exe] C:\WINDOWS\atlwi32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

#12 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 25 June 2004 - 05:11 PM

Hi TheMan,

Thanks for the donation. :) It costs a lot of money to run this site, so every little bit helps. It is greatly appreciated.

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\RunOnce: [ipmo32.exe] C:\WINDOWS\system32\ipmo32.exe
O4 - HKLM\..\RunOnce: [javadn32.exe] C:\WINDOWS\javadn32.exe
O4 - HKLM\..\RunOnce: [sdkpb.exe] C:\WINDOWS\system32\sdkpb.exe
O4 - HKLM\..\RunOnce: [ntvm32.exe] C:\WINDOWS\system32\ntvm32.exe
O4 - HKLM\..\RunOnce: [iegt32.exe] C:\WINDOWS\iegt32.exe
O4 - HKLM\..\RunOnce: [atlwi32.exe] C:\WINDOWS\atlwi32.exe


Download the latest version of About:Buster from either of the following locations.

http://www.atribune....AboutBuster.zip
or
http://tools.zerosre...AboutBuster.zip

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

Reboot and post a new HijackThis log along with the report from About:Buster.

#13 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 25 June 2004 - 06:25 PM

Hi :)

Here are the log files.

-----------------
Logfile of HijackThis v1.97.7
Scan saved at 4:21:38 PM, on 10/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\system32\addsm.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\d3uw32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\osptq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://osptq.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://osptq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\osptq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://osptq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\osptq.dll/sp.html#96676
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addsm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [addsm.exe] C:\WINDOWS\system32\addsm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

-------------------------

Here is the buster one..

bout:Buster Version 1.21
Removed! : C:\WINDOWS\atlwi32.exe
Removed! : C:\WINDOWS\iegt32.exe
Removed! : C:\WINDOWS\javadn32.exe
Removed! : C:\WINDOWS\ccmzey.dat
Removed! : C:\WINDOWS\jmipsi.dat
Removed! : C:\WINDOWS\jxoyz.dat
Removed! : C:\WINDOWS\kyoksf.dat
Removed! : C:\WINDOWS\rladhk.dat
Removed! : C:\WINDOWS\ycypfr.dat
Removed! : C:\WINDOWS\ymgibp.dat
Removed! : C:\WINDOWS\System32\ipmo32.exe
Removed! : C:\WINDOWS\System32\ntvm32.exe
Removed! : C:\WINDOWS\System32\sdkpb.exe
Error Removing! : C:\WINDOWS\System32\addsm.dll
Removed! : C:\WINDOWS\System32\pbbve.dll
Removed! : C:\WINDOWS\System32\hcgtc.dat
Removed! : C:\WINDOWS\System32\kiuak.dat
Removed! : C:\WINDOWS\System32\msdwp.dat
Removed! : C:\WINDOWS\System32\nrwwi.dat
Removed! : C:\WINDOWS\System32\spsau.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-----------------------------

When I first opened the web browser I got google as the home page and the second time I opened a browserpage I got that other page...

res://osptq.dll/index.html#96676

it's shown me many diffrent urls but all pages are the same.

Thanks

#14 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 25 June 2004 - 06:51 PM

Hi TheMan,

Try deleting this file:

C:\WINDOWS\System32\addsm.dll

If you get an error while trying to delete it, boot into safe mode and delete it. After you delete the file, run aboutbuster.exe again and follow the same steps.

If your still hijacked after that, run aboutbuster.exe in safe mode, following the same steps.

When thats all done, post the aboutbuster log and a new hijackthis log.

#15 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 28 June 2004 - 07:41 AM

Hello
Was away so I didnt have time to do anything.. I just did everything you said to do and so far it does seem to be fixed. :)

Here are my logs.....

------------------------
This was the first thing I did when I went into safe mode.. I ran buster.



About:Buster Version 1.21
Removed! : C:\WINDOWS\d3uw32.exe
Removed! : C:\WINDOWS\hzqclm.dat
Removed! : C:\WINDOWS\jpohjv.dat
Removed! : C:\WINDOWS\kryoau.dat
Removed! : C:\WINDOWS\ttglbk.dat
Removed! : C:\WINDOWS\osptq.dll
Removed! : C:\WINDOWS\System32\crhh.exe
Removed! : C:\WINDOWS\System32\sysxq.exe
Removed! : C:\WINDOWS\System32\nhxfd.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Then after doing what you told me I ran it again and got this....


About:Buster Version 1.21
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!


After rebooting I ran hijackthis and got...

Logfile of HijackThis v1.97.7
Scan saved at 5:40:14 AM, on 10/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\Program Files\Arachnophilia\arach.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8076.4288541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

-------------------------------


Does everything look ok to you?

Thanks so much!

I will check back soon to see if everything looks right and to mention if anything came back or not.

Edited by TheMan, 28 June 2004 - 07:42 AM.


#16 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 28 June 2004 - 09:41 AM

Hi TheMan,

Looks good. :thumbsup: Here's some reading for prevention.

Protection - download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?

#17 TheMan

TheMan

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 July 2004 - 02:51 PM

Hi
Everything seems to be going very smooth now. :)
I havent forgot about making the donation... Please give me till after this weekend.
Thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button