There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
adware audio bios blue screen boot bsod card computer crash dell driver drivers error excel firefox freeze google hard drive hardware hijackthis install internet laptop linux malware network no sound outlook problem reboot recovery redirect router screen server slow sound speakers spyware startup trojan usb video virus vista windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Home Search (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
Page 1 of 3 1 23
 
Thread Tools
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
25-Jul-2004, 07:54 PM #1
Home Search
I have encountered a problem that I have done some research on and believe I have become hijacked with failed attempts to correct it myself. But see that is seems to be a common issue. My home page is http://forums.techguy.org/archive/index.php/t-249504.html" and will return to that even after changing internet options. When it opens it has which when it opens, has "Home Search" in the upper left by a Windows logo/flag and tons of search links. It also opens with a small pop-up window that briefly says "search-all-fast.com" with a form of advertisement or spyware link. Home Search Assistent fails to delete in add/remove programs, with error "looking-for.cc/unistall/HomeSearchAssistant.html"

My hijack log is

Logfile of HijackThis v1.97.7
Scan saved at 6:53:32 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\mfcch.exe
C:\techbox\techbox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\WebCam Control\CamTray.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\NAVscan32.exe
C:\WINDOWS\System32\dailin.exe
C:\windows\system32\ns.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\javand32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Watkins\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gocyberlink.com/registrat...tomer&Lang=Enu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CamTray.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32x] c:\windows\system32\ns.exe
O4 - HKLM\..\Run: [javand32.exe] C:\WINDOWS\javand32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [NAV Scan Service] NAVscan32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...192.5297222222
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab


and my AboutBuster log reads

- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\fkcwt.dat
Removed! : C:\WINDOWS\dxock.dat
Removed! : C:\WINDOWS\javand32.exe
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\System32\azgha.dat
Removed! : C:\WINDOWS\System32\ymrms.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

I have tried to follow other threads to fix this myself...but realize that they are all not the same, and I need assistance.

Thank you
Daisy
Register for free to hide this ad!
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
25-Jul-2004, 09:14 PM #2
Hi- You are using an older version of HJT the current one, with a hotfix, is this:

http://www.lurkhere.com/forum/DCForumID6/684.html

It may not be neccessary for you to get it right now, please wait for expert help. I just didnt want you to get pointed to the un-fixed version of 1.98 which may still be posted at some places, or you may have downloaded before the info came out and try to use....

Here's what to do first: IN SAFE MODE--stay offline until done!
You should print these pages if you can- you will be in Safe Mode to do the work and will not have access to them, unless you have another computer to read them with.
Please make sure that you can view all hidden files.
Instructions on how to do this:
1.
1. On the Tools menu in Windows Explorer, click Folder Options.

2.
Click the View tab.

3.
Under Hidden files and folders, click Show hidden files and folders.


Note To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.
NEXT::

These steps, stopping the services that the malware uses, appear to be needed, as well you should look for the Registry keys as explained below, in the proper sequence...
I see a lot of the experts at other forums still using this method for XP/ so I have included them also!

to stop the service that the malware uses:
Step 1:

Click on start, the control panel, then administrative programs, then services. Look for a service called

Workstation NetLogon Service or
Network Security Service or
Remote Procedure Call (RPC) Helper


Double click on those/ that service and click stop. Also write down the name and path of the file listed in the Path to executable field.

OK< NEXT -- We need to End Task on any of these .exe processes that may be running:
dailin.exe
ns.exe
wuamgrd.exe
mfcch.exe
NAVscan32.exe
javand32.exe

Just press CTRL+ALT+DEL once to get the Task Manager open. A HIGHLIGHTED ITEM is the one you are working with, either the down arrow OR a mouse click will move to any item you need to get to.
Then, End Task on any that show, you may have to wait a bit until the End Task works
At any time you feel you made a mistake ending a task, just hit the Cancel button and wait a bit, then open up Task Manager again...

....just do not hit CTRL+ALT+DEL more than once rapidly or you will reboot>> should it happen, F8 back to Safe Mode>>>
and you will have to start all over again>> so work carefully, take your time, open and reopen the Task Manager until you do not see any of these guys there, then as your last move, hit CANCEL to close Task Manager.

NEXT, Run HijackThis again,
With only HJT open, all browser windows etc CLOSED, have these fixed-- they may not all show in your log but carefully put CHECKS IN BOXES NEXT TO ANT THAT ARE THERE , and have
HijackThis "FIX" them.

C:\WINDOWS\System32\dailin.exe
C:\windows\system32\ns.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\mfcch.exe
C:\WINDOWS\System32\NAVscan32.exe
C:\WINDOWS\javand32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129

O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll


O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32x] c:\windows\system32\ns.exe
O4 - HKLM\..\Run: [javand32.exe] C:\WINDOWS\javand32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [NAV Scan Service] NAVscan32.exe

O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe

NEXT STEP(5)
In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 ---but may be called something differently on your computer.
Navigate by clicking on the + signs, like Windows Explorer has---be very careful in the Registry and follow the steps exactly.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 ( (- or whatever is there with _NS_Service))

If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3 ((or whatever LEGACY__NS__Service is showing))

If LEGACY___NS_Service_3
exists then right click on it and choose delete from the menu.
Close the Registry Editor.


STEP (6)

Still in safe mode, run AboutBuster and COPY the log it makes and save it to put into your reply.


NEXT do THIS:::

Quote:
Originally Posted by flrman1



Here is the only variation this time:

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Now while still in safe mode, run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Once the tool is done scanning, copy the log and save it to paste back here in your thread.

Restart your computer,

Now run About:Buster again just to be sure it got everything.

Make a copy of the log it creates again.

Reboot and post the 2 about buster logs and a fresh HijackThis log.
{{Hmmm it looks like I have you making 3 A/Buster logs...one after fixing items with HJT and in the quote I am using from flrman1, he had that person make 2...one after the HJT fix, and then after a reboot might do it, or you can make all three but number them and post them, in numerical order, I know its a lot to do! Try! }}
AboutBuster is used from Safe Mode, did you run it that way,and did you RE-BOOT TO Safe Mode and run it again???...
there should be 2 logs, one made just before the other, both in Safe Mode, with a reboot back into Safe Mode between them.... the experts will need to see them. Please try again.
You definitely should not be connected to the Net as much as possible, if you have another pc that can connect OK, use that to read the posts here if you like.

looks like you will probably need this, too:

This info is from this page:

http://www.russelltexas.com/malware/HOSTS.htm


The Hoster download may not be needed, it's just in case you do have a HOST file hijack, explanation below.

"" Download the hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

You can CHECK FIRST if you have a hostfile hijacking >>
Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Find this file: (XP systems)
C:\Windows\system32\Drivers\ETC\HOSTS file

The hijacked HOSTfile can display in HJT logs...but I think you have to put the checkmark in a box, you might have taken it out or something...check for a long list of sites in the HOST file this way:

To open and view the HOSTS file to doublecheck for bad entries, left button double click on the HOSTS file. A message will appear saying Windows can't open the file. Check the circle at the bottom entitled:

Select the program from a list.

Now click OK. In the next window....Scroll down in programs until you see Notepad and select it and click OK.

If you see this line below the header info:

127.0.0.1 localhost

....And nothing below it then you have not been hijacked.

If you see many double column entries and most are antivirus and anti-malware sites then remove all the entries leaving only the 127.0.0.1 localhost entry.""

NOTE> pros: -- I hope I got this right, please correct or advise if you spot anything else to "eject"

This post was assembled with of course, a quote from a previous reply by flrman1....some of my experience and a lot of reading....
and, some copy and paste work from a "canned fix" from a very good forum over at: http://www.dslreports.com/forum/rema...2998~mode=flat
They have come up with several different methods...
All in all, I don't think you have the type of infection that AboutBuster takes out, but it cannot hurt anything to use it far as I know...the main key seems to be killing the service, ending the processes, using HJT to fix the things, deleting the files, and AboutBuster...and in this case editing the Registry though I am not sure that would have to be done...

I think a lot more of us are going to have to try fixing these types of infections. I need a canned something right about now ...
Last edited by Byteman : 26-Jul-2004 12:03 AM.
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
26-Jul-2004, 11:39 PM #3
Hi, Some info provided by an expert indicates we are proceeding OK, and you DO indeed need to use AboutBuster...
You most definitely should print all the instructions and ask about anything that is not clear to you.
If you find it too technical to attempt {I do not blame you! It is not very easy to understand it at all}

There are some experts here, who can really write the steps down a lot clearer than I, so just yell if you would like that done!
It is not as hard as it may seem, but you do need to do the things accurately, in order, etc...
It can take some time...especially on a poor running Internet connection...another pc to read replies from, as I said, will make it easier, and leave the infected one off the Net as much as possible. If you have a way to burn CDs that can be a very big plus, as you can simply install programs that way, even update the antispyware tools if need by with floppy disks or CD. And, of course you can copy the logs back to floppy disk to post them here...
Most folks continue using the hijacked pc successfully through the procedures. The success rate is not 100% but getting better.

You had one question I did not reply to: The HomesearchAssistant entry in Add/Remove Programs fails to uninstall from there with an error:
I will look for more info, but, usually these uninstallers do not very much at all, they are fake in other words.
You may need to be connected for them to work,when they actually uninstall anything... but still I do not think it will help...will post if I find anything about it, OK?
Take your time- someone here can help.
Last edited by Byteman : 26-Jul-2004 11:45 PM.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
27-Jul-2004, 10:42 PM #4
-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\msnk.exe
Removed! : C:\WINDOWS\wfbbq.dat
Removed! : C:\WINDOWS\reroa.dll
Removed! : C:\WINDOWS\jungl.exe
Error Removing! : C:\WINDOWS\wzwdyxsh.exe
Removed! : C:\WINDOWS\lsasss.exe
Removed! : C:\WINDOWS\avserve2.exe
Removed! : C:\WINDOWS\ipeg32.exe
Error Removing! : C:\WINDOWS\alchem.exe
Removed! : C:\WINDOWS\crwq.exe
Removed! : C:\WINDOWS\wjuvqn.exe
Removed! : C:\WINDOWS\ipeg32.exe.bak
Removed! : C:\WINDOWS\System32\zpikj.dat
Removed! : C:\WINDOWS\System32\xspvz.dat
Removed! : C:\WINDOWS\System32\iepr32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\wzwdyxsh.exe
Error Removing! : C:\WINDOWS\alchem.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 9:36:59 PM, on 7/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registrat...tomer&Lang=Enu
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O2 - BHO: (no name) - {D050E6CE-E315-8255-E932-EE88CA55D832} - C:\WINDOWS\system32\ipob32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vettncfz.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/200...Inc/bridge.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
28-Jul-2004, 09:43 AM #5
Hi, Good work! Now there are some things to check for me: You should PRINT this info> (there is a printer-friendly button here at the top of pages, no pics or fancy stuff, just text) Unless you have another pc to read messages> that is the best thing to do.
I'd like you to re-download AboutBuster, they are updating today....hopefully it will include more files that it finds!
http://tools.zerosrealm.com/AboutBuster.zip

You may delete the other aboutbuster.zip file if you still have it.
I think you can simply DELETE aboutbuster.exe>> or rename it to aboutbuster.old so you dont get confused with a new copy.
Unzip the new download to your desktop. We will run it a bit later on....


If you use cable modem, or DSL to get on the Net, and are on the infected machine to read the threads, get a download, etc after you are done and have printed the info, etc, close Internet Explorer etc, and disconnect the network cable from the back of the computer...if you are keeping the bad pc off the Net, so much the better...


By the way> do NOT use AdAware just yet if you have it, there are a few things to do FIRST > we will be getting AdAware later if you do not have it> you will have to download as it does not fit on floppy disk (CD maybe?
It does have to be updated online....more later!

{{Note, I have asked flrman1 to check on one item in the HJT log and post the right way to fix it...so if you get a reply from flrman1, please do what it says!!}

Go to Add/Remove Programs:

Look for and uninstall any of these- VX2, WindowsSA, Internet Optimizer, WebRebates or similar,Cashback, NaviSearch,,Blackstone>> some may not be there at all. Post any that you are not sure about or any questions...

Download from link just below directions, and run it. It may find and delete some files or nothing.

Read the directions, these are the key ones:

If you are running Windows Me or XP, then disable System Restore. Directions for this below>
here is an info page, if you are familiar with this, here are just the steps:
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box .
Click Apply. OK the message about turning it off.


If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
Close open programs before running the tool.
It fits on a floppy disk and you can copy it over to a folder or the desktop and run from there. (if you are using another computer to download small tools, etc)
Double-click the FxSasser.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
http://securityresponse.symantec.com...r/FxSasser.exe

NEXT: From Safe Mode ((almost all our work will be))
Using HJT, have the following fixed:

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
R3 - Default URLSearchHook is missing
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O2 - BHO: (no name) - {D050E6CE-E315-8255-E932-EE88CA55D832} - C:\WINDOWS\system32\ipob32.dll
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vettncfz.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...TInc/bridge.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

After checks are in all of those, fix them. Remember, close all other windows, offline, etc.



RUN box, type services.msc- if any of these are listed double click them, click Action>Properties, and Click STOP, for each of them.
Change their startup type to>>Disabled and click OK and close the Services window.
mslaugh.exe
msconfg.exe- watch the spelling of this one!!!
myrzhg.exe
hzqaxr.exe
alchem.exe--may not be found but look anyway.

((don't stop msconfig.exe, which should not be there, you never know tho))

and, find or search for these files and delete them:
wsaupdater.exe
mslaugh.exe
dailin.exe
msconfg.exe
myrzhg.exe
omniscient.exe
alchem.exe

{I left out hzqaxr.exe hoping that AboutBuster will pick it up}

For those above you will/may have to use the Search>Files or Folders routine, set it to LOOK IN C: or My Computer to find the above files. That's always a good way to check for duplicates or files that sometimes are in other folders than we see in your logs... good typing skills are essential using the FIND/SEARCH feature...

NEXT:
Delete these if found: in Windows Explorer::

C:\WINDOWS\twaintec.dll
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\vettncfz.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\SideFind\sidefind.dll
C:\WINDOWS\msopt.dll
C:\Program Files\WindowsSA\omniscient.exe

NEXT:

FOLDERS to delete:
NaviSearch
BullsEyeNetwork
SideFind
Internet Optimizer
Cashback
WindowsSA
I probably missed a few but we will clean them up.


Post back whether you run into any that will not give permission:
Now, do NOT reboot and do NOT open IE for this:In safe mode still:
Run AboutBuster that you unzipped to your desktop earlier, Start it, hit Ok, Start, And Ok again to start the scan. and save the two logs it makes and post them. And, post a fresh HJT log, please. There will be more HJT work and possibly another run of AboutBuster.

One last: Do you know what these below go to, a program you have, or something?
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe

O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe

Above seems to be ok, it's in your user folder /Watkins, I assume it may be something you created? A scan later on may pick it up. Just run AboutBuster, post the logs and a new HJT log
Last edited by Byteman : 28-Jul-2004 02:13 PM.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
28-Jul-2004, 10:44 PM #6
Panda virus check today.
Ran - W32.Sasser.Worm has not been found on your computer.

In safe mode...internet/cable disconnected

aboutbuster redownloaded today

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\apicg32.exe
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\agzvm.dat
Removed! : C:\WINDOWS\dfppw.dat
Removed! : C:\WINDOWS\cabvn.dll
Removed! : C:\WINDOWS\apicg32.exe.bak
Removed! : C:\WINDOWS\System32\yttad.dat
Removed! : C:\WINDOWS\System32\ipyp.exe
Removed! : C:\WINDOWS\System32\wingp32.exe
Removed! : C:\WINDOWS\System32\ipue32.exe
Removed! : C:\WINDOWS\System32\addzy32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!




-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

programs removed- ? Sidefind & SLotchbar

turned off system restore




no items to stop in run box, no items to delete

delete C: files, did not find C:\Program Files\WindowsSA\omniscient.exe, but do have C:\Program Files\WindowsSA\update,

deleted WindowsSA

no reboot, in safe mode - Aboutbuster scan

-- Scan 1 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 9:39:07 PM, on 7/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll



I do not know what hzqazr.exe or oeta.exe is.

Thanks
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
29-Jul-2004, 12:33 AM #7
Hi, Well there is a bit more to do:

Run HJT and fix these items:

O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

you do still have "Show all Files" enabled, correct?
And, unchecked "Hide file extensions for known file types" correct?
Those settings are in the Windows Explorer top tab of any WinExplorer window...Tools>Folder Options>View Put a mark into "Show hidden files" and uncheck the other, "hide file extensions..." and apply button.


Then, without rebooting, run About Buster, save the logs etc.

NEXT: Try and find these files:
C:\WINDOWS\msopt.dll
C:\WINDOWS\System32\hzqaxr.exe
C:\WINDOWS\system32\sysfe.dll
C:\Program Files\ISTbar\istbar.dll
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\javagx.exe
C:\Documents and Settings\Watkins\Application Data\oeta.exe
C:\WINDOWS\System32\hzqaxr.exe

And delete any you find. Quickly empty your Recycle Bin. Next:
Run Disk Cleanup> Start>All Programs> Accessories>System Tools>Disk Cleanup and put checks into: Recycle Bin, Temp, Temp Internet Files and dump all those....Cookies are good to do, but you have to know your user IDs or passwords and you will have to sign in manually the first time that you go back to sites like TSG where you have a password and username...

Open Windows Explorer and navigate to C: click to expand the folder...there you see Documents and Settings expand that you see All Users...go down a ways past All Users...if there is a Default user, open that, go down to Local Settings....then to Temp and highlight temp>>and up at the top select EDIT and then click "Select All" from the drop down menu and then click on EDIT again...this time, click Delete
It might take a few tries...should go easily since we did this not very long ago...

You have to do this for ALL the named users....they all have their own temp and temporary Internet Files...that are not removed by Disk Cleanup.
Now for TIFs, there will be one or two files that cannot be deleted, index.dat and perhaps desktop.ini and that is normal.
Close Windows Explorer>>> and empty the Recycle Bin again...
Now, reboot --and post the new HJT logfile and About Buster logs into a Reply.
I think a run with AdAware 6.0 fully updated will pull out the remains but need to see one more log...
Last edited by Byteman : 29-Jul-2004 01:49 AM.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
29-Jul-2004, 09:29 AM #8
Logfile of HijackThis v1.98.0
Scan saved at 5:29:26 AM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cabvn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cabvn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cabvn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cabvn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cabvn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cabvn.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [sdkos.exe] C:\WINDOWS\sdkos.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKLM\..\RunOnce: [netvr32.exe] C:\WINDOWS\netvr32.exe
O4 - HKLM\..\RunOnce: [sdkho.exe] C:\WINDOWS\system32\sdkho.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

enabled already - "show all folders"
unchecked already - hide file extensions for known files

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\agzvm.dat
Removed! : C:\WINDOWS\dfppw.dat
Removed! : C:\WINDOWS\cabvn.dll
Removed! : C:\WINDOWS\netvr32.exe
Removed! : C:\WINDOWS\sdkos.exe
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\System32\yttad.dat
Removed! : C:\WINDOWS\System32\sdkho.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

found and deleted hzqaxr.exe, istbar.dll,
emptied all temp folders for all users and default user
reboot

Logfile of HijackThis v1.98.0
Scan saved at 5:47:48 AM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

-- Scan 1 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
29-Jul-2004, 03:20 PM #9
NOTE to flrman1--If you take a look at this thread: It appears that at 5:29am today she scanned with HJT and the log shows a lot of about:blank items that we removed just last nite...the log was almost clean! Then after she apparently ran AboutBuster and followed the steps again, she ran HJT and the new log is from 5:47am, I guess that was quick thinking on their part, as it does show us something...seems it is coming back on it's own or I missed something to have her do.
Tks flrman1> Byteman

Question: What is up with Internet Explorer being in the RUN section...there was one or two there before and I had her fix them... is that the right place for it to be, I looked at other XP NT logs and they did not show but IE was in correct location of Program Files.....what is this bug we have here??
Hi Daisyflower: have asked for help/support with this! Obviously something happened...the infection was back in full force this morning, so hang on until one or more of the experts stop in. Know you have put in a lot of time with this, and we will still help! Have to figure things out so that it does not return every day. Have you been able to run Windows Update and get anything to cooperate there? Were there any downloads installed successfully or were you hijacked immediately?
Perhaps the computer was A> left connected to cable\ Internet all night and things were bad when it started up? Or, after a reboot last nite? Need to find out when things went bad, and what you did then.


It sure looks to me that you have some things turned off somehow> have you used any startup managers to keep anything from loading when Windows does? I looked up Tech in a Box- do you really need that and did it come with the computer? Have you changed anything with that program?
Have you or anyone been doing what is known as tweaking> trying to improve performance by turning off services to Disable instead of Manual or Automatic> ? Try to answer all the questions, no need to rush, just so any others have some clues to give you good help.
have you by any chance used the Run box command typing msconfig in there....the HJT entry shows repeatedly a <msonfg> entry which I have had you fix with HJT and delete a few times, but comes back with all the other stuff...I am wondering if something like a trojan is loose on there, keeping us from "seeing" everything, or not allowing access to kill it...
Any complaints when you start any programs? Any other popup error messages at startup...any at all legitimate or fake...any blue screens or reboots??
Last edited by Byteman : 29-Jul-2004 04:29 PM.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
29-Jul-2004, 05:19 PM #10
ok...here's how it started...about two weeks ago....the computer crashed...and wouldn't start windows back up....everytime it started to roll into windows, it would reboot. So I restored the whole computer. I have also recently got cable acess instead of dial-up. Now when the installer came...he showed me where my e-mail was through Outlook (which I do not use) and I believe that when he opened it...it released a bunch of virus's and worms. I have gone to the microsoft webpage and have downloaded all the critical updates...and do not recall having any problems. I have downloaded my installation for my Lexmark x73 printer from Lexmark, and I have downloaded yahoo messanger and hotmail messanger, and RealPlayer. And have reinstalled certain hardware, cams, ect. all from disks. Other than those...I have not downloaded any other programs from restore time, except Panda virus scan.

I have been avoiding using the computer for the most part. Since placing my inital post...I have run several virus scans, and have downloaded the full version of Panda...it caught several viruses. I do not have the log now...nor do I know if it is still on the computer. But do know it had several trojan viruses and like 8 or 9 when I ran Panda. I will run windows update tonight and post back with an update. The downloads appear to be working successfully, but have noticed the problems from the beginning of restore.

After following instructions last night. I rebooted, posted, and checked my email. I believe I didn't disconnect the cable to the net, but did turn of the connection. This morning, I checked this post, went to safe mode and followed instructions, and then went to post again. I could not get connected to the net again. I was physically connected, but pages would not open. So I posted it at work. In the past I have had errors occuring, (lsass, java/log) but since posting...have not had any, except one last night- called Java.log...something...I'll post it correctly when I get home. Now while checking post this morning before following new instructions, Panda alerted me to a Trojan it disinfected.


I have not altered any start up managers since restore. Tech in a Box is a factory installed program, and have never used it..but have not removed it. Have never tweaked. When I was preparing to have cable installed...I was instructed to find out what my address was, and I believe the instructions were to open the run box, and type in a form on conf, but don't believe it was msconf. No blue screens, no reboots other than the lsass error shutdown in 60 sec (but have not had this recently).

agghh
Last edited by daisy flower : 29-Jul-2004 05:40 PM.
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
29-Jul-2004, 06:52 PM #11
Sorry you had to buy Panda. It cannot deal with what is running on your computer, but as well certainly cannot hurt much.
Thanks for the detailed info, it is going to help us.
When you post a log that has what you have, we are using About Buster...plus a manual fix of things in HijackThis, plus perhaps stopping a process or two if needed, plus deleting files manually...

Just running HJT log and then running AboutBuster isnt going to work, unless you did your own HJT fixing? If not, About Buster is taking out the CWS things, and the only things not good left in your log look like this:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


You may have been originally infected AFTER the restore during the first 10 or less minutes the machine was first connected to the Net...that's how easy it is to get something downloaded before the most recent protection can be downloaded and installed...something as big as Service Pack 1 would give plenty of time for an "invasion"....if being installed as a download...
It could be any on the Internet activity just after the Restore, with your cable modem connected to the computer's NIC and on. I have seen info about this> that's the info posted to prevent the Sasser worm from coming in, just after a new install or Restore...get updates somehow onto the computer before accessing the Net...but how to do this? The ordinary person isn't going to go to a non-infected computer and build a CD with SP1, antivirus updates for his choice of AV app, and various BHO protectors, spywareblasters, etc...but we may all have to learn to do this> stay disconnected until a lot of protection is added to the computer. I am wondering about XP Service Pack 2 right now> hope the complete version will be around soon, but it too has drawbacks...for one, they may be hard to get and people will not stick with the requirements anyway...I do see lots of online places where you can get CDs like this, with SP1 and a few other things...for not much more than shipping costs as per legality, they charge for the cost of the blank cd and shipping, cannot for Microsoft stuff...Service Pack 2 for XP will probably involve mandatory installation for SP2 according to things being written at sites now. [With win2000 of course you (daisyflower) would use the updates for that operating system.]

The process whatever it is is starting from the Registry and is probably some worm that loads IEXPLORE.EXE itself and loads it from the Registry services...and is probably tied with msopt.dll. Somehow we are not stopping msopt.dll from doing it's deeds in time or completely...
EDIT::
OK found this:


Housecall by Trend Microvirus calls this Winshow:

see here: http://www.trendmicro.com/vinfo/viru...HOW.AF&VSect=T

They have it right down to the about:blank items...

Daisy if you want to try> try at the Housecall online scan site
http://housecall.trendmicro.com/

Excerpt from a thread at another forum:

"""My HJT will not delete the msopt.dll file. Is this file important? I can't even find the file in the WINDOWS folder (the path HJT shows it is in). """
Right away it is pretty well hidden> Regedit geniuses, help us!!!!

My reaction= use the Search the registry tool, or at least locate the basic file in Windows....but, how do we simplify the process for Daisyflower?
That's where we need help.


Whether or not it completely cures it depends on what you do after the whole scan and how well that functions> only a complete scan will work and a finished one too....if the files are found to be uncleanable which often they are, next best is quarantine or vault whatever option they give to lock up those files, I am not sure how your computer will react to this, though...if they lock up Internet Explorer's executable file you may not be able to go online on THIS computer...but that might be fixable, too I cannot say.
Any posting ((if you lost access)) would of course have to be from another computer and that can be done.
Any comments welcome! Anyone tried with homepage hijacker and msopt.dll infection at Housecall?
Panda either isnt detecting it, or when you scan it is somehow hidden> maybe a genius can unhide it just before a scan, and you can immediately hit scan and catch the thing...seems that the process can be stopped, but it is pretty tricky! By the time you are online and scanning, the files are "in use" and cannot be stopped there to work on...so they may be able to lock them up, I am not sure...This is what it says about msopt.dll
""However, during testing, this file is not available. "" Meaning I think, when you are running antivirus program that is installed directly on your computer, not meaning the online scan...
MAYBE> a runthough of HJT and AboutBuster, and Unhiding the file by either reanaming it in Safe Mode, changing it's attributes somehow would allow deletion?
Last edited by Byteman : 29-Jul-2004 11:56 PM.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
29-Jul-2004, 07:51 PM #12
while reading post, Panda disinfected w32/Korgo.U.worm

ran Panda - no infections

ran Housecall - Housecall has found and cleared malware.Troj_/miserv.c
virus: worm RBOT.ER, noncleanable, C:\Windows\System32\dialin.exe
virus: TROJ DELF.RA, noncleanable, C:\WINDOWS\2_0_1browserhelper2.dll
virus: TROJ DLOADER.F, noncleanabe, D"\Documents and Settings\Watkins\Application Data\oeta.exe

while running Housecall: Panda found and disinfected w32/Korgo.AH.worm found in C:/windows/system32/ftpupd.exe

only other error that still occurs is Java/lang/object
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
29-Jul-2004, 08:00 PM #13
Rather than all my stuff above: Here is a good thread about what Daisyflower has to run through to get rid of this:

With ONE exception> Daisyflower's system is XP, the apparently solved thread at Computer Cops is using win2000, but that should not matter...
ahem I think!
It is extremely interesting & a must read for those of us helping with AboutBuster, the newer CWS hijacks, homepagesearch, etc....and the Winshow trojan. Much like some other forums I have been reading at in the last few weeks> these guys went to school!!

http://computercops.biz/postp242969.html

You do need to do the whole process to have the WORKSTATION NETLOGON SERVICE shut down as shown...problem is, these services that are only created by the infection can be any of about 3 maybe more named services, and you have to get them all... The link above shows a download that will list the active services, how to shut down the active service, how to find the files to delete, and how to find the correct key in the Registry to delete...
msopt.dll survives all the way to the last regedit...
The whole procedure is still dependent on the user staying off the Internet...which, on cable, means not opening any IE windows at all, and pulling the network cable out of the cable modem, ((for the less protected systems...still, it will prevent an accident!))
Following the steps should be easy enough. Print it out if possible.
Note that the key random files are loaded in C:\WINNT on the solved thread while daisyflower's would be found in C:\Windows
Last edited by Byteman : 29-Jul-2004 09:22 PM.
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
29-Jul-2004, 08:01 PM #14
I jus got you PM Bill. I need to answer a ton of emails as I just got home. Will you or Daisy post a synopsis of where you are with this one right now on this and I'll check nack after I answer a few emails.

I did catch the part about HJT not removing this entry:

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

That is because of a bug in the new HJT. To fix that one do this:

Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg
Save as Type: All Files
****Save on the desktop but don't do anything with it yet. You will run it later in safe mode.


Quote:
REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
Byteman's Avatar
Moderator with 14,939 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
29-Jul-2004, 08:50 PM #15
Right, flrman1, the link in one of my replies above has a solved thread with the .reg file, and also uses Get Active Services to find the service running (if any are.)..our user daisyflower here at TSG is running XP Home but not with NT so here paths are C:\Windows for the random files as you can see.

About Buster works fine on removing all the files, it has twice.
What I did not have her do:
--The correct steps after typing services.msc in RUN box- got confused with processes and had her looking for random FILES in services
--change the file attributes for the random file found
--Run the .reg file
--and check for instances of the same random .exe AND same filename but as a .DLL
I guess they can exist so that so might be a good idea...

The end result was a clean log...until next morning when as she posted, things were so bad she just made a new HJT log right then. The trojan downloader worked hard all nite apparently...

Then she posted another log about 15 minutes later AFTER apparently running only aboutbuster, that log was clean except for the Winshow trojan downloader msopt.dll, and I did not know how to deal with that, then. I think she may have done her own fixing with HJT then, not sure...
So, all she needs is a rerun through the steps and then perhaps the Getactiveservices checker and the .reg file and regedit to get rid of it I hope...
There are a lot of Google results today for msopt.dll showing the same thing, but also the correct fix.

You dont really need much else but a new HJT log, and to have her download the two new things. Wonder if AboutBuster has updated...I will give her the link to that below. I will PM her and have her bounce a log back for you and find out if she is going to try tonite.

Does AB have built in updating? I've never used it hands on. She did get the latest 1.32 just a day or two ago.

I was trying to keep using this XP eMachine I was working on the other day when I PMed you twice....to look over the locations of files, etc. BUT> I need to get this back to owner in the morning and I have been up way way too late all week. I got to get the firewall and some other stuff set up on here, I just have SP1 and AVG going... and I dont want these aliens invading tonite! I suppose I could lift the steps from the CC forum post and sub in her filenames but I cannot work that way...

Quote:
Originally Posted by daisy flower
while reading post, Panda disinfected w32/Korgo.U.worm

ran Panda - no infections

ran Housecall - Housecall has found and cleared malware.Troj_/miserv.c
virus: worm RBOT.ER, noncleanable, C:\Windows\System32\dialin.exe
virus: TROJ DELF.RA, noncleanable, C:\WINDOWS\2_0_1browserhelper2.dll
virus: TROJ DLOADER.F, noncleanabe, D"\Documents and Settings\Watkins\Application Data\oeta.exe

while running Housecall: Panda found and disinfected w32/Korgo.AH.worm found in C:/windows/system32/ftpupd.exe

only other error that still occurs is Java/lang/object
This will continue to happen until the msopt.dll issue is fixed!

Don't worry, help will be coming soon. You are able to get online with the infected computer now and pages in IE open?
As I posted above> it would be best if you could read posts here from a good computer at the same location> and keep the infected one off the cable! All the tools or fixing can be done with floppy disk and disconnected completely from the Internet...
Last edited by Byteman : 29-Jul-2004 10:09 PM.
Closed Thread Bookmark and Share
Page 1 of 3 1 23

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Smart Search

Find your solution!

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 02:39 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.