TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Shaggie30 on April 12, 2005, 05:07:35 PM
-
I reinstalled Windows, went on the net about 10 mins and I got nailed. Here is my logfile:
Logfile of HijackThis v1.99.1
Scan saved at 6:01:00 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\System32\dllhost.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Microsoft AntiSpyware\gcasServ.exe
J:\WINDOWS\ALCXMNTR.EXE
J:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\Downloads from web\hijackthis.exe
J:\Program Files\Internet Explorer\IEXPLORE.EXE
J:\WINDOWS\System32\Services\{E892C342-685F-47CC-9DE1-75CBB39C20A5}\SVCHOST.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=186
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - J:\WINDOWS\drexinit.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - J:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ISUSPM Startup] J:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Uag] J:\WINDOWS\Sfv.exe
O4 - HKLM\..\Run: [Service Host] J:\WINDOWS\System32\Services\{E892C342-685F-47CC-9DE1-75CBB39C20A5}\SVCHOST.EXE
O4 - HKLM\..\Run: [Nkp] J:\WINDOWS\Dbd.exe
O4 - HKLM\..\Run: [Pev] J:\WINDOWS\System32\Utl.exe
O4 - HKLM\..\Run: [Nrs] J:\WINDOWS\System32\Fdp.exe
O4 - HKLM\..\Run: [gcasServ] "J:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Uag] J:\WINDOWS\Sfv.exe
O4 - HKCU\..\Run: [Nkp] J:\WINDOWS\Dbd.exe
O4 - HKCU\..\Run: [Pev] J:\WINDOWS\System32\Utl.exe
O4 - HKCU\..\Run: [Nrs] J:\WINDOWS\System32\Fdp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - J:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - J:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113162013671
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: drct16 - J:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Adobe LM Service - Unknown owner - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
-
==Download and UNZIP to a folder on your J: Drive
HSFIX.zip (http://www.atribune.org/downloads/HSFix.zip)
HSFix directory will be created
We'll need this later
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please print this out or save to a Notepad file for access
Restart your computer into safe mode
Find and delete these files or folders if found
J:\WINDOWS\Sfv.exe <-file
J:\WINDOWS\Dbd.exe <-file
J:\WINDOWS\System32\Utl.exe
J:\WINDOWS\System32\Fdp.exe
J:\WINDOWS\SYSTEM32\drct16.dll
J:\WINDOWS\drexinit.dll
J:\WINDOWS\desktop.html
J:\WINDOWS\Web\desktop.html
J:\WINDOWS\System32\Services\{E892C342-685F-47CC-9DE1-75CBB39C20A5} <-folder
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=186
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - J:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [Uag] J:\WINDOWS\Sfv.exe
O4 - HKLM\..\Run: [Service Host] J:\WINDOWS\System32\Services\{E892C342-685F-47CC-9DE1-75CBB39C20A5}\SVCHOST.EXE
O4 - HKLM\..\Run: [Nkp] J:\WINDOWS\Dbd.exe
O4 - HKLM\..\Run: [Pev] J:\WINDOWS\System32\Utl.exe
O4 - HKLM\..\Run: [Nrs] J:\WINDOWS\System32\Fdp.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Uag] J:\WINDOWS\Sfv.exe
O4 - HKCU\..\Run: [Nkp] J:\WINDOWS\Dbd.exe
O4 - HKCU\..\Run: [Pev] J:\WINDOWS\System32\Utl.exe
O4 - HKCU\..\Run: [Nrs] J:\WINDOWS\System32\Fdp.exe
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: drct16 - J:\WINDOWS\SYSTEM32\drct16.dll
After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, save it, by default it will be located here: J:\hslog.txt <--we'll need this later
Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
In the Control Panel>>Open the Display icon
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked
Post back a fresh Hijackthis log
Also the log from hsfix.bat>>J:\hslog.txt
Could you also let me know what other files or folders you see in this folder
J:\WINDOWS\System32\Services
NOTE: If Microsoft's antispyware prompts about a change, allow it or we'll have to disable the realtime protection so it won't interfere with any fixes
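As an added example (not code from this thread, from HijackThis or from either poster), a small Python triage script that parses lines in this log format and flags the kinds of entries the helper singled out above: short random-looking autorun names under the Windows folder, an svchost.exe started from outside System32, an O18 filter with no backing file, and an O20 Winlogon Notify DLL. The heuristics are this example's own assumptions, and the sample lines are copied from the log posted in the thread.

```python
import re
# Constructed sample: lines copied from the HijackThis log posted in this thread
# (J: is the poster's Windows drive), plus one legitimate O4 entry to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Uag] J:\WINDOWS\Sfv.exe
O4 - HKLM\..\Run: [Service Host] J:\WINDOWS\System32\Services\{E892C342-685F-47CC-9DE1-75CBB39C20A5}\SVCHOST.EXE
O4 - HKLM\..\Run: [gcasServ] "J:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Pev] J:\WINDOWS\System32\Utl.exe
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: drct16 - J:\WINDOWS\SYSTEM32\drct16.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)  # first drive-letter path

def parse_entry(line):
    """Split one HijackThis line into section code, body and (if present) file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m["body"])
    return {"kind": m["kind"], "body": m["body"], "path": p.group(0) if p else None}

def suspicious_reasons(entry):
    """Heuristics (this example's own assumptions, not HijackThis rules) that mirror
    the helper's reasoning in the thread. Returns an empty list for a clean entry."""
    kind, body, path = entry["kind"], entry["body"], entry["path"]
    reasons = []
    if path:
        parts = path.split("\\")
        folder = "\\".join(parts[1:-1]).lower()  # e.g. "windows\system32"
        stem = parts[-1].rsplit(".", 1)[0]
        if kind == "O4" and folder in ("windows", "windows\\system32") and len(stem) <= 3:
            reasons.append("autorun of a short random-looking name in the Windows folder")
        if parts[-1].lower() == "svchost.exe" and folder != "windows\\system32":
            reasons.append("svchost.exe launched from outside System32")
    if kind == "O18" and "(no file)" in body:
        reasons.append("text/html filter registered with no backing file")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL, review manually")
    return reasons

def triage(log_text):
    """Return (kind, path-or-body, reasons) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := suspicious_reasons(entry)):
            findings.append((entry["kind"], entry["path"] or entry["body"], reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the six sample entries and leaves the Microsoft AntiSpyware autorun alone; entries a rule cannot decide (the O20 line) are reported for manual review rather than silently passed.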