1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

i need help with this trojan/spyware hack

Discussion in 'Virus & Other Malware Removal' started by thumbprint, Aug 9, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    My browser has been hijacked and my homepage is stuck at: res://edelk.dll/index.html#37049

    I've used current updated versions of both Spybot and Adaware to remove the stuff, plus Norton's to remove a trojan that it classifies as unknown. Everytime I remove the bad stuff, it just comes right back...immediately... even if I'm not connected to the internet. I cannot change the homepage back... it just keeps changing it to the above.

    I also have TCActive running, and it picks up some changes in the registry from time to time.

    IE ver 6.0.2800.1106.xpsp2.030422-1633


    =====================================================

    Here is my hijack this log:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:38:44 PM, on 8/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\Program Files\hijackthis\HiJackThis_Last.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\msoo.exe
    C:\WINDOWS\system32\sysko.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\macromed\flash\GetFlash.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edelk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {11111111-1111-1111-1111-115179419929} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

    =================================================


    1. So what have I got and how do I get rid of it?

    2. How do I keep from getting it again?

    Thanks!!!!!!!!!!!!!!!!!!!!
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Hi thumbprint

    Welcome to TSG! :)

    Download the attached zip file and unzip it to your desktop. Doubleclick to run it. It will get a list of active services. Please post the list that is generated.

    Also a new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.
     

    Attached Files:

  3. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    Wow! That was a quick reply :)

    Quick question first... is there any chance this is a keylogger? If so, I'm gonna change my password for this forum (using another computer on another net connection) immediately after I post my findings from the two programs you mentioned.
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    No it's not a keylogger.
     
  5. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    The VB Script you had me download triggered Norton... it says it's a malicious script...

    No offense intended, but I'm new to this forum and don't trust anyone at this point. Again, no offense intended... I'm not trying to be a troll. But I was just hoping you could offer an explanation as to Norton AV detecting it as a malicious script.

    I'm going to have my programmers review the vbscript before I run it.

    Thanks :)
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    It's not a malicious script. Norton gives you the option to Allow or Block the script. You need to allow it to run. After all you are the one running it. It's not like it is a unkown script being run by an unknown entity! ;)

    I have to go to bed now. We will have to continue this in the AM.
     
  7. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    Ok, thanks :)

    I just need to make sure I'm safe... I'm sure you can understand :)

    Call me super-paranoid haha!
     
  8. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    Ok, they've verified it's safe :)

    I'll run it and post everything here.

    Thanks!
     
  9. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    By the way, one of the symptoms I'm experiencing is that a window keeps popping up, claiming to be installing Microsoft Office or Office components.

    Anyway, I will not get to working on this problem again until later today, but I'll post everything as soon as I do.
     
  10. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    ok here is the log from the vbscript...




    ==========================================

    These are the Current Active Services:

    WINDOWS AUDIO: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COMPUTER BROWSER: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    CRYPTOGRAPHIC SERVICES: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP CLIENT: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    ERROR REPORTING SERVICE: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ EVENT SYSTEM: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    HELP AND SUPPORT: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SERVER: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WORKSTATION: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    MESSENGER: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK CONNECTIONS: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK LOCATION AWARENESS (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    REMOTE ACCESS CONNECTION MANAGER: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TASK SCHEDULER: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SECONDARY LOGON: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM EVENT NOTIFICATION: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    SHELL HARDWARE DETECTION: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TELEPHONY: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TERMINAL SERVICES: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    THEMES: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DISTRIBUTED LINK TRACKING CLIENT: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    UPLOAD MANAGER: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS TIME: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    AUTOMATIC UPDATES: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    WIRELESS ZERO CONFIGURATION: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYMANTEC EVENT MANAGER: ccEvtMgr
    "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    SYMANTEC SETTINGS MANAGER: ccSetMgr
    "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

    DNS CLIENT: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    EVENT LOG: Eventlog
    C:\WINDOWS\system32\services.exe

    PLUG AND PLAY: PlugPlay
    C:\WINDOWS\system32\services.exe

    GEAR SECURITY SERVICE: GEARSecurity
    C:\WINDOWS\System32\gearsec.exe

    IPOD SERVICE: iPodService
    C:\Program Files\iPod\bin\iPodService.exe

    TCP/IP NETBIOS HELPER: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP DISCOVERY SERVICE: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WEBCLIENT: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    MACHINE DEBUG MANAGER: MDM
    "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"

    WINDOWS INSTALLER: MSIServer
    C:\WINDOWS\System32\msiexec.exe /V

    NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
    "C:\Program Files\Norton AntiVirus\navapsvc.exe"

    WORKSTATION NETLOGON SERVICE: O?’ŽrtñåȲ$Ó
    C:\WINDOWS\msoo.exe /s

    IPSEC SERVICES: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    PROTECTED STORAGE: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    SECURITY ACCOUNTS MANAGER: SamSs
    C:\WINDOWS\system32\lsass.exe

    REMOTE PROCEDURE CALL (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    SAVSCAN: SAVScan
    C:\Program Files\Norton AntiVirus\SAVScan.exe

    PRINT SPOOLER: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    WINDOWS IMAGE ACQUISITION (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc

    SYMANTEC CORE LC: Symantec Core LC
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    =============================================
     
  11. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    here is the log from the latest hijack this that you had me download:



    =========================================

    Logfile of HijackThis v1.98.2
    Scan saved at 7:09:32 PM, on 8/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\msoo.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\sysko.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\hijackthis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edelk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {11111111-1111-1111-1111-115179419929} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

    ============================================
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    First Click here to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

    ___________________________________________________________________________
    Copy the contents of the Quote Box to Notepad.

    Name the file as fix.reg
    Save as Type: All Files
    ****Save on the desktop but don't do anything with it yet. You will run it later in safe mode.

    ______________________________________________________________________
    Now go ahead and set your computer to show hidden files like so:

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"
    ______________________________________________________________________

    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
    _____________________________________________________________________

    Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Restart to safe mode.

    How to start your computer in safe mode


    Perform the following steps in safe mode:

    ____________________________________________________________________

    Double click on fix.reg that you saved earlier to enter into the registry. Answer yes when asked to have it's contents added to the registry.
    ____________________________________________________________________

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    Put a check by these entries in Hijack This and click the "Fix Checked" button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edelk.dll/index.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edelk.dll/sp.html#37049

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edelk.dll/index.html#37049

    O2 - BHO: (no name) - {DD7A2326-1F54-E57F-D5FC-759AD0FB0647} - C:\WINDOWS\appct32.dll

    O4 - HKLM\..\Run: [sysko.exe] C:\WINDOWS\system32\sysko.exe

    O16 - DPF: {11111111-1111-1111-1111-114309210546} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe

    O16 - DPF: {11111111-1111-1111-1111-115179419929} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe

    Find and delete these files:

    C:\WINDOWS\msoo.exe
    C:\WINDOWS\appct32.dll
    C:\WINDOWS\system32\sysko.exe

    Delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Owner (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    ________________________________________________________________________

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
    _______________________________________________________________________

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.
    _______________________________________________________________________

    Boot back into Windows now.


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.



    Go here and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go here, and download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.



    When you are sure you are clean turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
     
  13. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    Ok, thanks :)

    Question: wouldn't it just be easier to reformat the hard drive, zeroing out the bytes, then reinstalling winXP? I don't believe there is anything of any real value saved on the computer, so no important files will be lost.

    Would this work, or is there some sneaky little trick they have to get around a reformat? Also, if there were floppies or other discs inserted into this computer, could they be infected too?
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    This would not infect floppies or disks.

    I guess it's your call, but it can be fixed if you follow my directions. A reformat etc.. would take longer than this.
     
  15. thumbprint

    thumbprint Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    11
    Ok, I'm not sure if I'm gonna reformat or what, but either way, thank you!

    I guess my next big question is... what can I do to prevent this in the future? Is this an active x thing that loads this on the computer in the first place... or what? I know there is no kazaa or anything like that on the computer, and I'm reasonably sure this mess didn't come from an email.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/260179