Tech Support Guy > Virus & Other Malware Removal
i need help with this trojan/spyware hack

thumbprint (thread starter), 09-Aug-2004, 10:45 PM, #1
My browser has been hijacked and my homepage is stuck at: res://edelk.dll/index.html#37049

I've used current updated versions of both Spybot and Ad-Aware to remove the stuff, plus Norton's to remove a trojan that it classifies as unknown. Every time I remove the bad stuff, it just comes right back... immediately... even if I'm not connected to the internet. I cannot change the homepage back... it just keeps changing it to the above.

I also have TCActive running, and it picks up some changes in the registry from time to time.

IE ver 6.0.2800.1106.xpsp2.030422-1633


=====================================================

Here is my hijack this log:

Logfile of HijackThis v1.98.0
Scan saved at 11:38:44 PM, on 8/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\hijackthis\HiJackThis_Last.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msoo.exe
C:\WINDOWS\system32\sysko.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edelk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {11111111-1111-1111-1111-115179419929} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll

=================================================


1. So what have I got and how do I get rid of it?

2. How do I keep from getting it again?

Thanks!!!!!!!!!!!!!!!!!!!!
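What the log above is actually saying can be encoded as a few triage rules. The Python below is an added example for this thread, not code from the forum, from HijackThis, or from the helper's later fix: it flags the entry patterns present in the posted log (R0/R1 start and search pages that are res:// URLs inside a DLL, a Browser Helper Object with no name, a Run value for a loose executable in System32, and O16 Downloaded Program Files with placeholder CLSIDs and an mhtml: redirect to a remote .exe), then lists the module paths named by the flagged entries so they can be copied off for analysis before anything is deleted. The O4 heuristic and the path extraction are this example's own assumptions, not HijackThis behaviour.

```python
"""Rule-based triage of a HijackThis 1.98 log.

Added example for this thread; not code from the forum, from HijackThis,
or from the helper's fix. The rules encode the entry types the helper
later singled out for "Fix checked". The O4 rule and the file-path
extraction are heuristics of this example (assumptions).
"""
import re

# Constructed sample: ten lines taken from the log posted in #1, mixing
# hijack entries with benign Adobe, Symantec and Yahoo! entries.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe
O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_VALUE = re.compile(r"\[([^\]]*)\]\s*(.*)$")
# Placeholder CLSIDs {11111111-1111-1111-1111-<12 digits>}, as on both O16 lines.
PLACEHOLDER_CLSID = re.compile(r"\{11111111-1111-1111-1111-\d{12}\}")
# A drive-letter path ending in a loadable module; used to collect samples.
WIN_FILE = re.compile(r"[A-Za-z]:\\[^\"<>|]+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# Heuristic (assumption): a Run value named after its own .exe that lives loose
# in %WINDIR% or System32 deserves a look. Expect false positives (ctfmon.exe).
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def triage_entry(line):
    """Return a reason string if the HijackThis line matches a rule, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and "res://" in body.lower():
        return "IE start/search page is a res:// URL inside a DLL (CWS-style hijack)"
    if kind == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed (side effect of the same hijack)"
    if kind == "O2" and "(no name)" in body:
        return "Browser Helper Object with no name: loads into every IE process"
    if kind == "O4":
        rv = RUN_VALUE.search(body)
        if rv:
            name, target = rv.group(1), rv.group(2).strip().strip('"')
            exe_dir, _, exe_name = target.rpartition("\\")
            if name.lower() == exe_name.lower() and exe_dir.lower() in WINDOWS_DIRS:
                return "Run value named after a loose executable in the Windows directory (heuristic)"
    if kind == "O16" and (PLACEHOLDER_CLSID.search(body) or "mhtml:file://" in body.lower()):
        return "Downloaded Program File with placeholder CLSID / mhtml: redirect to a remote .exe"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged entry, in log order."""
    findings = []
    for line in text.splitlines():
        reason = triage_entry(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


def files_to_collect(findings):
    """Module paths named by flagged entries: copy these off before deleting them."""
    paths = set()
    for line, _ in findings:
        paths.update(m.group(0) for m in WIN_FILE.finditer(line))
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for line, reason in hits:
        print(f"{reason}\n    {line}")
    print("collect:", *files_to_collect(hits), sep="\n    ")
```

On the sample, six of the ten lines are flagged and three module paths are collected (edelk.dll, appct32.dll, sysko.exe); the res://edelk.dll form without a directory is deliberately not resolved, since the log does not say where that copy lives. Treat the O4 rule as a prompt to look, not a verdict: a legitimate value such as [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe trips it too.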
Flrman1 (Mark), 09-Aug-2004, 10:47 PM, #2
Hi thumbprint

Welcome to TSG!

Download the attached zip file and unzip it to your desktop. Double-click to run it. It will get a list of active services. Please post the list that is generated.

Also, a new version of HijackThis has been released, so get rid of the old one and click here to download the new one, come back here and post the log from it.
thumbprint, 09-Aug-2004, 10:55 PM, #3
Wow! That was a quick reply

Quick question first... is there any chance this is a keylogger? If so, I'm gonna change my password for this forum (using another computer on another net connection) immediately after I post my findings from the two programs you mentioned.
Flrman1 (Mark), 09-Aug-2004, 11:03 PM, #4
No it's not a keylogger.
thumbprint, 09-Aug-2004, 11:07 PM, #5
The VBScript you had me download triggered Norton... it says it's a malicious script...

No offense intended, but I'm new to this forum and don't trust anyone at this point. Again, no offense intended... I'm not trying to be a troll. But I was just hoping you could offer an explanation as to Norton AV detecting it as a malicious script.

I'm going to have my programmers review the vbscript before I run it.

Thanks

Flrman1 (Mark), 09-Aug-2004, 11:19 PM, #6
It's not a malicious script. Norton gives you the option to Allow or Block the script. You need to allow it to run. After all, you are the one running it. It's not like it is an unknown script being run by an unknown entity!

I have to go to bed now. We will have to continue this in the AM.

thumbprint, 09-Aug-2004, 11:22 PM, #7
Ok, thanks

I just need to make sure I'm safe... I'm sure you can understand

Call me super-paranoid haha!
thumbprint, 10-Aug-2004, 08:49 AM, #8
Ok, they've verified it's safe

I'll run it and post everything here.

Thanks!
thumbprint, 10-Aug-2004, 10:27 AM, #9
By the way, one of the symptoms I'm experiencing is that a window keeps popping up, claiming to be installing Microsoft Office or Office components.

Anyway, I will not get to working on this problem again until later today, but I'll post everything as soon as I do.
thumbprint, 10-Aug-2004, 06:08 PM, #10

OK, here is the log from the VBScript...

==========================================

These are the Current Active Services:

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

MESSENGER: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

SYMANTEC SETTINGS MANAGER: ccSetMgr
"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

GEAR SECURITY SERVICE: GEARSecurity
C:\WINDOWS\System32\gearsec.exe

IPOD SERVICE: iPodService
C:\Program Files\iPod\bin\iPodService.exe

TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

MACHINE DEBUG MANAGER: MDM
"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"

WINDOWS INSTALLER: MSIServer
C:\WINDOWS\System32\msiexec.exe /V

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
"C:\Program Files\Norton AntiVirus\navapsvc.exe"

WORKSTATION NETLOGON SERVICE: O?rtȲ$
C:\WINDOWS\msoo.exe /s

IPSEC SERVICES: PolicyAgent
C:\WINDOWS\System32\lsass.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

SAVSCAN: SAVScan
C:\Program Files\Norton AntiVirus\SAVScan.exe

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

SYMANTEC CORE LC: Symantec Core LC
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


=============================================
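The listing above has one entry that does not look like the others: a service whose key name is a run of junk characters, whose display name borrows from a real Windows service, and whose image is an executable sitting loose in C:\WINDOWS rather than in System32 or Program Files. The Python below is an added example for this thread, not the helper's VBScript and not code from the forum: it parses the two-line-per-service format shown above and flags services on exactly those two properties. Both heuristics are assumptions of this example rather than anything the thread states, and the sample listing is a constructed subset of the posted one.

```python
"""Flag anomalous services in an 'active services' listing of the form above.

Added example for this thread; not the helper's VBScript and not code from
the forum. Two heuristics, both assumptions of this example:
  * the service's short (key) name contains characters outside [A-Za-z0-9_ .-]
  * the service image runs loose from the %WINDIR% root instead of System32
    or Program Files
"""
import re

# Constructed sample: six services copied from the listing in post #10.
SAMPLE_SERVICES = r"""WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

WORKSTATION NETLOGON SERVICE: O?rtȲ$
C:\WINDOWS\msoo.exe /s

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

SYMANTEC CORE LC: Symantec Core LC
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

NAME_OK = re.compile(r"[A-Za-z0-9_ .-]+")
WINDIR = "c:\\windows"


def image_path(command):
    """Executable part of a service command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def check_service(name, command):
    """Reasons a service deserves inspection; empty list if nothing stands out."""
    reasons = []
    if not NAME_OK.fullmatch(name):
        reasons.append("key name contains non-ASCII or punctuation characters: %r" % name)
    image = image_path(command)
    if image.rpartition("\\")[0].lower() == WINDIR:
        reasons.append("image runs loose from the Windows root: " + image)
    return reasons


def triage_services(text):
    """Parse 'DISPLAY NAME: KeyName' / command-line pairs and return the flagged ones."""
    flagged = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if len(lines) < 2:
            continue
        display, _, name = lines[0].partition(": ")
        name = name.strip()
        reasons = check_service(name, lines[1])
        if reasons:
            flagged.append({"display": display, "name": name,
                            "image": image_path(lines[1]), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for svc in triage_services(SAMPLE_SERVICES):
        print(f'{svc["display"]} ({svc["name"]}) -> {svc["image"]}')
        for reason in svc["reasons"]:
            print("   ", reason)
```

Only the msoo.exe service is flagged, on both counts. The '?' in its key name may itself be a substitution made when the listing was posted, which is one reason to key the rule on the character class rather than on any exact string; on the live machine the name would be read straight from HKLM\SYSTEM\CurrentControlSet\Services.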
thumbprint, 10-Aug-2004, 06:10 PM, #11

Here is the log from the latest HijackThis that you had me download:

=========================================

Logfile of HijackThis v1.98.2
Scan saved at 7:09:32 PM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\msoo.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sysko.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edelk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {11111111-1111-1111-1111-115179419929} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll

============================================
Flrman1 (Mark), 10-Aug-2004, 06:29 PM, #12
First, click here to download CWShredder. Do not run it yet. Download it to the desktop and have it ready to run later.

___________________________________________________________________________
Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg
Save as Type: All Files
****Save on the desktop but don't do anything with it yet. You will run it later in safe mode.

Quote:
REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]
______________________________________________________________________
Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"
______________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop, then click the "Update" button, then click "Check for Update" and download the updates, and then click "Exit", because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
_____________________________________________________________________

Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Restart to safe mode.

How to start your computer in safe mode


Perform the following steps in safe mode:

____________________________________________________________________

Double-click on fix.reg that you saved earlier to enter it into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edelk.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049

O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll

O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe

O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe

O16 - DPF: {11111111-1111-1111-1111-115179419929} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe

Find and delete these files:

C:\WINDOWS\msoo.exe
C:\WINDOWS\appct32.dll
C:\WINDOWS\system32\sysko.exe

Delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Owner (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next, run AboutBuster. Double-click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.



Go here and do an online virus scan.

Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit the program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
Find shell.dll and right click on it. Choose Copy from the menu.
Open System32 and right click on an empty space in the window. Choose Paste from the menu.


control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here.



When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
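The ActiveX warning near the end of those instructions can be turned into a concrete check rather than a visual inspection of the Internet Options dialog. The Python below is an added example for this thread, not code from the forum post: it parses a .reg export of the Internet zone key and reports every ActiveX action that is set looser than the Medium default. The action IDs, their labels and the Medium defaults are this example's assumptions about IE's URL-action values for Zone 3 (0 = Enable, 1 = Prompt, 3 = Disable), and the export is a constructed sample showing the "allow ALL ActiveX" state; a missing value is treated as the default here, which is also an assumption.

```python
r"""Report Internet-zone ActiveX settings looser than IE's Medium defaults.

Added example for this thread; not from the forum post. Assumptions of
this example: the action IDs and Medium defaults below (Internet zone,
Zone 3; 0 = Enable, 1 = Prompt, 3 = Disable), and that an absent value
counts as the default. On the affected machine the input comes from
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
(read the file with the encoding reg.exe wrote; regedit's 5.00 format is UTF-16).
"""
import re

LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
ACTIONS = {  # action id: (label, Medium default)
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 0),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1405": ("Script ActiveX controls marked safe for scripting", 0),
}

# Constructed sample: a Zone 3 export in which a hijacker has set every
# ActiveX action to Enable (0). Unrelated values are present to be ignored.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"Flags"=dword:00000001
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000000
"1A00"=dword:00020000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """{key path: {value name: int}} for the DWORD values in a .reg export."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            result[key][m.group("name")] = int(m.group("hex"), 16)
    return result


def weakened_activex(text, zone="3"):
    """[(action, label, current, expected)] for actions looser than the default."""
    values = {}
    for key, dwords in parse_reg_dwords(text).items():
        if key.lower().endswith("\\internet settings\\zones\\" + zone):
            values.update(dwords)
    findings = []
    for action, (label, default) in ACTIONS.items():
        current = values.get(action, default)  # absent value treated as default (assumption)
        if current < default:  # 0 Enable < 1 Prompt < 3 Disable
            findings.append((action, label, LEVEL.get(current, str(current)), LEVEL[default]))
    return findings


if __name__ == "__main__":
    for action, label, now, expected in weakened_activex(SAMPLE_EXPORT):
        print(f"{action} {label}: {now} (expected {expected})")
```

On the sample, 1001, 1004 and 1201 are reported as Enable where Prompt or Disable is expected, while 1200 and 1405 pass because Enable is their Medium default. The same parser works on an export of the HKLM copy of the key, which is worth checking too when the machine has the "Security Zones: Use only machine settings" policy applied.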
thumbprint, 10-Aug-2004, 06:50 PM, #13
Ok, thanks

Question: wouldn't it just be easier to reformat the hard drive, zeroing out the bytes, then reinstalling winXP? I don't believe there is anything of any real value saved on the computer, so no important files will be lost.

Would this work, or is there some sneaky little trick they have to get around a reformat? Also, if there were floppies or other discs inserted into this computer, could they be infected too?
Flrman1 (Mark), 10-Aug-2004, 07:08 PM, #14
This would not infect floppies or disks.

I guess it's your call, but it can be fixed if you follow my directions. A reformat etc. would take longer than this.
thumbprint, 10-Aug-2004, 09:38 PM, #15
10-Aug-2004, 09:38 PM #15
Ok, I'm not sure if I'm gonna reformat or what, but either way, thank you!

I guess my next big question is... what can I do to prevent this in the future? Is this an ActiveX thing that loads this on the computer in the first place... or what? I know there is no Kazaa or anything like that on the computer, and I'm reasonably sure this mess didn't come from an email.