TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Maracucho on April 02, 2005, 07:57:41 PM
-
HI, I need help. My browser has been hijacked and my startup page was changed to http://rl.webtracer.cc/-/?bayzm. I downloaded the latest Hijackthis, here is the log file.... Thanks in advance for the help
-
Create a new folder on your desktop
Right click an empty spot on the desktop
Select NEW>>FOLDER
Name the new folder Locate
Download and save to desktop Locate.zip (http://www.atribune.org/downloads/locate.zip)
UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat
Could you also
download Startdreck.zip (http://www.niksoft.at/php/dl.php?f=startdreck.zip)
UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers", put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.
Copy and Paste the contents of that log back here
-
This is the log from Startdreck, hope it helps. Thanks
-
It doesn't look like the full log from Startdreck
You must post it all back
Also I need you to download Locate.zip and post the info I asked from Locate.bat
Go back and read what I asked from you
Thanks
EDIT>>I guess I forgot to ask for the log from Locate.bat>>Sorry
But could you supply it please along with the full log from Startdreck
-
Sorry about the mistake, thanks for the help
This is the locate report
And this is the full Startdreck log.
-
That's better, let's try some cleaning
I'll have to do some of this off the Hijackthis log you first posted
Some things may have changed, but try the following
Download CWShredder.exe from my signature below and save to desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Find and delete this file if found
C:\WINDOWS\SYSTEM32\DRIVERS\DCCAMG.SYS <-file
C:\WINDOWS\stsheets.dat <-file
c:\info6_s.cab <-file
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {510E6A69-F6E3-0E22-E504-88142D649AEC} - C:\WINDOWS\system32\HPRTIcno.exe (file missing)
O1 - Hosts: 1159680172 auto.search.msn.com
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Do a Disk Cleanup
Go to START>>RUN>>type in
cleanmgr
Hit OK
Give it time to compress files
Ensure Temp and Temp internet files are checked
Afterwards
With only CWShredder open click the FIX button
Let it fix whatever it finds
Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows
Post back a fresh Hijackthis log
-
Everything is working great, thanks for the help
This is the new Hijackthis log
-
Do you recognize this domain
May be part of the network you're on or your ISP
I suspect it's bogus, but I want to make sure
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C8DF4E-3191-4045-B1D6-B75157E3EEB3}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5340B29-942A-4FB0-AF2B-D1E9563FC45F}: NameServer = 69.50.184.85,195.225.176.37
Here's what I can find about it
Click Here (http://www.dnsstuff.com/tools/whois.ch?ip=195.225.176.37)
I suspect that there are nasties
Open Control panel>>Network Connections
Right click your connection and select properties
Double click Internet Protocol(TCPIP)
Take note of the settings
With all other windows closed, have hijackthis fix those entries
Restart your computer
If you have trouble connecting back to the Internet
With all browsers closed
Enter your Control panel>>Network Connections
Double click Internet Protocol(TCPIP)
Set to Automatically obtain IP address
Restart your computer
Post back a fresh Hijackthis log afterwards
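As an added illustration (not code posted in this thread), here is a small Python triage script that applies the same checks the helper is making by hand across the two fix lists: decoding the hosts-file redirect, spotting the O16 ActiveX package loaded from a local file, and comparing each O17 NameServer against the resolvers noted in the TCP/IP properties. The sample log lines are constructed from the entries quoted above, and the expected-resolver set (192.168.1.1) is an assumed value standing in for whatever the user's TCP/IP settings show.

```python
import ipaddress
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread
# (not the poster's actual log; the 192.168.1.1 resolver is made up).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O1 - Hosts: 1159680172 auto.search.msn.com
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88FE6CC4-5EE1-42D7-B879-8623503EC608}: NameServer = 69.50.184.85 195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5340B29-942A-4FB0-AF2B-D1E9563FC45F}: NameServer = 192.168.1.1
"""


def decode_ip(token):
    """A hosts entry may carry the IP as one decimal number; normalise to dotted quad."""
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))
    return str(ipaddress.ip_address(token))


def triage(log_text, expected_dns):
    """Return (section, reason, line) for entries a helper would have the user fix.

    expected_dns: resolvers seen in the TCP/IP properties, assumed known-good.
    """
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            url = line.rsplit("=", 1)[1].strip()
            if not url.lower().startswith("about:"):   # pointed at an external site
                findings.append((section, "browser default URL set to " + url, line))
        elif section == "O1":
            ip, host = line.split("Hosts:", 1)[1].split()
            findings.append((section, f"hosts file sends {host} to {decode_ip(ip)}", line))
        elif section == "O16" and "file://" in line.lower():
            findings.append((section, "ActiveX package registered from a local file", line))
        elif section == "O17":
            servers = re.split(r"[,\s]+", line.rsplit("=", 1)[1].strip())
            rogue = [s for s in servers
                     if s not in expected_dns and not ipaddress.ip_address(s).is_private]
            if rogue:
                findings.append((section, "unexpected DNS servers " + ", ".join(rogue), line))
    return findings


if __name__ == "__main__":
    for section, reason, _ in triage(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"{section}: {reason}")
```

The O17 rule is the one the helper is applying here: any resolver that is neither private nor one the user recognises from the TCP/IP settings deserves a whois lookup before it is trusted.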
-
Done, here's the latest log
-
We still have that entry to rid you of
More info from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/trojan.flush.a.html
Do the following
Disconnect from the Internet
With all other Windows closed, including this one
Go to START>>RUN>>type in
cmd
Hit OK
At the prompt type in
ipconfig /flushdns
Hit Enter on the keyboard
Do another scan with Hijackthis and fix checked this entry
O17 - HKLM\System\CCS\Services\Tcpip\..\{88FE6CC4-5EE1-42D7-B879-8623503EC608}: NameServer = 69.50.184.85 195.225.176.37
Restart your computer and post back a fresh Hijackthis log
-
Done, here's the fresh log
-
Your log is looking good
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Stay safe
-
One note: You are running Kodak's software updater
Many consider backweb as spyware, you can disable the updater if you wish
Check out this link
http://faqs.kodak.com/EasyShare_Software_English/FAQ_13_841.shtm
-
Thank you very much, you've been very helpful. I'll probably disable the Kodak updater also. Thanks again for everything
-
Good job Maracucho, I'll lock this topic as your problems are resolved
If you need it reopened, please PM a Mod or the site Admin and supply a link to this thread
Take Care