Show Posts

1

Tech Clinic / Another Victim of clicksearchclick

« on: June 22, 2005, 05:23:23 PM »

Did as you suggested. I choose Avast. System seems much less distracted when starting-up, using email. and IE. Made a donation. Thanks for the help.

2

Tech Clinic / Another Victim of clicksearchclick

« on: June 17, 2005, 04:27:50 PM »

All steps were performed as instructed. Created scandump.txt and Hijackthis log. Both are included below. Then I installed SP2, etc.

In regards to system performance…
The system is now FAST and QUIET; has no evidence of any interference. The only exception is when McShield.exe is hogging resources.

This is the case during startup (it takes what seems like three to five minutes for the disk I/O to cease) and when using IE (same disk I/O activity). The interference is so extreme sometimes that the system is not useful for any meaningful work. It seems that the virus software is as troublesome as the viruses and Trojans themselves.

Is there virus software that is less demanding of system resources then McAfee’s? (I know what your thinking: "a week ago I would have given anything just to get the browser to go somewhere other then to searchclicksearch, and now I'm whining about a little performance sacrifice for the sake of security".

scndump.txt:

Scan Control Dumped @ 08:41:27 16-06-05
Suspicious Filename: Dual extensions
File: c:\eicar.com.doc

Suspicious Filename: Dual extensions
File: c:\sandy's docs\ford\hr\hrbo rfq course goals (4.15.04).doc

Suspicious Filename: Dual extensions
File: c:\sandy's docs\ford\hr\hrbo rfq course goals (4.14.04).doc

Suspicious Filename: Dual extensions
File: c:\jns docs\ex.hostagree.01.dls.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\trading\schwab.222.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\lms\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\lms\termsofservice.01.dls.doc

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1067\a0074845.exe

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1067\a0074867.exe

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1067\a0074914.exe

Positive identification: Adware.BargainBuddy.y Dropper
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1068\a0075114.exe

Positive identification (DLL): Adware.ToolBar.ToolBand.a (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1068\a0075150.dll

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1068\a0075151.exe

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075193.exe

Positive identification (DLL): Adware.ToolBar.ToolBand.a (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075194.dll

Positive identification: TrojanDropper.Win32.Small.wv2
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075279.exe

Positive identification: Adware.Sahat.f1
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075296.exe

Positive identification (DLL): Adware.Sahat.ad (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075297.dll

Positive identification (DLL): Trojan.Win32.StartPage.xs (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075303.dll

Positive identification: Adware.PurityScan.ca
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075306.exe

Positive identification: TrojanDropper.Win32.Small.wd
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075308.exe

Positive identification: TrojanDownloader.Win32.Adload.a1
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075313.exe

Positive identification (embedded in file): Adware.SmartPops.d (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075321.exe

Positive identification (DLL): Adware.SurfSide.k (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075325.dll

Positive identification (DLL): Adware.SmartPops.d (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075389.dll

Suspicious Filename: Dual extensions
File: f:\jn docs\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: f:\jn docs\ex.hostagree.01.dls.doc

Suspicious Filename: Dual extensions
File: f:\jn docs\lmsagmts\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: f:\jn docs\lmsagmts\termsofservice.01.dls.doc

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:45 AM, on 6/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Regards,

3

Tech Clinic / Another Victim of clicksearchclick

« on: June 15, 2005, 09:32:18 AM »

All the steps were performed with apparent success, with the following exceptions:

I reinstalled ewido and its database. It failed again, about at the same percent complete (approx 87.6). I saved the location of the dump file if anyone wants to see it.

I am comfortable in the registry.

I went to the sopho link and didn’t know exactly what to do there so I checked out the status of my Virus (McAfee) software. The last system scan was 3/31/05, however, the last update to its virus database was almost 2 years old so I updated and scanned the entire computer and found/quarantined/deleted about 200 files. All seemed to be in a directory ‘-restore’.

I have a hardware firewall.

Here’s the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:14 AM, on 6/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

4

Tech Clinic / Another Victim of clicksearchclick

« on: June 13, 2005, 04:55:30 AM »

I went ahead with your instructions. I did not do your most recent instruction as I did not want to break anything already completed.

Ewido got to 87% and crashed (softly), so there is no file to report.

Here is Panda's report:

Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/Startpage.ME No disinfected C:\Documents and Settings\Jeanne\Desktop\m00.exe
Adware:Adware/Transponder No disinfected C:\DOCUME~1\Jeanne\LOCALS~1\Temp\DrTemp
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
Adware:Adware/IGuard No disinfected Windows Registry
Virus:Trj/Downloader.BWL Disinfected Operating system
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/Nowfind No disinfected C:\WINDOWS\System32\hst32.dll
Virus:Trj/Small.LV Disinfected Operating system
Adware:Adware/Novo No disinfected Windows Registry
Virus:Bck/Agent.VS Disinfected C:\WINDOWS\SYSTEM\svchosthook.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:Adware/Nowfind No disinfected C:\WINDOWS\SYSTEM32\wcnl32.dll
Adware:Adware/Nowfind No disinfected C:\WINDOWS\SYSTEM32\hst32.dll
Adware:Adware/Craft No disinfected C:\WINDOWS\SYSTEM32\trf32.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/Transponder No disinfected C:\WINDOWS\hgjjtbx.exe
Adware:Adware/Novo No disinfected C:\WINDOWS\inscdm\quhgaqmwel.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Virus:Bck/Agent.VS Disinfected C:\Documents and Settings\Jeanne\Local Settings\Temp\vx2.game
Adware:Adware/Craft No disinfected C:\Documents and Settings\Jeanne\Local Settings\Temp\allstar.exe
Virus:Trj/Hooker.G Disinfected C:\Documents and Settings\Jeanne\Local Settings\Temp\go.exe
Adware:Adware/XmlLib No disinfected C:\Documents and Settings\Jeanne\Desktop\m00.exe
Virus:Trj/MadCow.A Disinfected C:\Documents and Settings\Jeanne\Desktop\Desktop Stuff\Unused Desktop Shortcuts\MadCow.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[Beyond.class]
Adware:Adware/WinTools No disinfected C:\Recycled\Dc72\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc72\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc72\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc72\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc73\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc73\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc73\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc73\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc74\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc74\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc74\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc74\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc75\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc75\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc75\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc75\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc76\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc76\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc76\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc76\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc76\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc77\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc77\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc77\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc77\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc77\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc78\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc78\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc78\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc80\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc80\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc80\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc80\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc81\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc81\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc81\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc82\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc82\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc82\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc83\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc83\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc83\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc84\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc84\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc84\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc85.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc86.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc87.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc96\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc96\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc96\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SECURITY.EXE
Virus:W32/Bagle.CA.worm Disinfected Personal Folders\Inbox\8.zip[1.exe]
Virus:JS/Kak.Worm Disinfected Personal Folders\eBay\TOMIS Review\MSG_HTML.TXT
Virus:JS/Kak.Worm Disinfected Personal Folders\HS\TOMIS Website\MSG_HTML.TXT
Here's hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:37:59 AM, on 6/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Here is Search.bat's results:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win Server Updt"="C:\\WINDOWS\\wupdt.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="1"
"DllName"=hex(2):25,00,00,00,53,00,00,00,79,00,00,00,73,00,00,00,74,00,00,00,\
65,00,00,00,6d,00,00,00,52,00,00,00,6f,00,00,00,6f,00,00,00,74,00,00,00,25,\
00,00,00,5c,00,00,00,72,00,00,00,65,00,00,00,73,00,00,00,6f,00,00,00,75,00,\
00,00,72,00,00,00,63,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,54,00,00,\
00,68,00,00,00,65,00,00,00,6d,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,\
6c,00,00,00,75,00,00,00,6e,00,00,00,61,00,00,00,5c,00,00,00,6c,00,00,00,75,\
00,00,00,6e,00,00,00,61,00,00,00,2e,00,00,00,6d,00,00,00,73,00,00,00,73,00,\
00,00,74,00,00,00,79,00,00,00,6c,00,00,00,65,00,00,00,73,00,00,00,00,00,00,\
00

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Here is result from Export.bat:

Volume in drive C has no label.
Volume Serial Number is 07CF-0813

Directory of C:\WINDOWS\Resources\Themes\Luna

03/07/2002 06:28 PM <DIR> .
03/07/2002 06:28 PM <DIR> ..
03/07/2002 06:28 PM <DIR> Shell
08/23/2001 12:00 PM 4,186,256 luna.msstyles
1 File(s) 4,186,256 bytes

Directory of C:\Documents and Settings\Jeanne\Desktop

I will be away from my office until Tuesday afternoon, 6/15/05, but can continue upon my return.

5

Tech Clinic / Another Victim of clicksearchclick

« on: June 12, 2005, 07:26:09 PM »

I'm working through the instructions and found that I do not have !>>START>>programs>>Cleanup!. Should I skip that step and proceed, or stop?

6

Tech Clinic / Another Victim of clicksearchclick

« on: June 12, 2005, 03:44:46 PM »

I didn't notice that it was a shortcut in C:\HJT to the executable in the temp folder. I am not using the infected computer as I does not work when connected to the internet, so I'm moving files to and from another computer so I can communicate with you. Even so, sorry I wasted your time - that was no excues.

Here's the log from C:/HJT where the executable now lives:

Logfile of HijackThis v1.99.1
Scan saved at 4:43:30 PM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
C:\windows\system32\iupdate.exe
c:\windows\system32\xtlmmb.exe
C:\WINDOWS\explorer.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [hbgziyg] c:\windows\system32\xtlmmb.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

7

Tech Clinic / Another Victim of clicksearchclick

« on: June 12, 2005, 01:44:34 PM »

Thanks for the help.
The OS is a legit version. I upgraded from 98 a long time ago.

I was unable to kill these processes:
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE

I tried using Killbox and got the same spyware error message. I proceeded as you said "..if you can".
I later learned that running HJT from the HJT folder rather then the temp folder allowed me to get to the hijackthis process manager.

Here's the first result of fix0.bat:

running from ---
C:\temp\fixO\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------
SMSSU.EXE present
Tmntsrv32.EXE present
explorer32dbg.exe present
iexplore_dbg.exe present
xmllib.dll present
XMLLIBUI.exe present
winadvt.dll present
C:\WINDOWS\hosts present
xmllibw.dll present

existing important bad keys:
-----------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\explorer32dbg.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\iexplore_dbg.exe"

Merging Registry----------

Deleting Files-------------

Searching for files not deleted:
-----------------------------------------------------

Searching for keys not deleted:
-----------------------------------------------------

Here's the subsequent Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:36 PM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
C:\windows\system32\iupdate.exe
c:\windows\system32\xtlmmb.exe
C:\WINDOWS\explorer.exe
C:\temp\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [hbgziyg] c:\windows\system32\xtlmmb.exe r
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

...and another fix0.bat log:

running from ---
C:\temp\fixO\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------

existing important bad keys:
-----------------------------------------------------

Merging Registry----------

Deleting Files-------------

Searching for files not deleted:
-----------------------------------------------------

Searching for keys not deleted:
-----------------------------------------------------

... and here's the result of Search.bat:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WindowsUpdate"="C:\\WINDOWS\\System\\svchost.exe /s"
"Service Host"="C:\\WINDOWS\\System32\\Services\\{913AA2B7-9C7C-4200-9964-F019B42DC291}\\SVCHOST.EXE"
"PSGuard"="C:\\Program Files\\PSGuard\\PSGuard.exe"
"Disk Keeper"="C:\\WINDOWS\\System32\\Services\\{BA24EAB8-C35A-4384-AD19-D544845F4255}\\SECURITY.EXE"
"hbgziyg"="c:\\windows\\system32\\xtlmmb.exe r"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"UsbD"="c:\\windows\\system32\\iupdate.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"Wallpaper"="c:\\wp.bmp"
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

I hope this was done properly. Please advise.

8

Tech Clinic / Another Victim of clicksearchclick

« on: June 10, 2005, 06:36:38 PM »

My XP Home system has been hijacked by Clicksearchclick. Problems started with spysheriff / clicksearchclick involuntary install. Couldn't make a HJT log; got this error:

"HJT has encountered a problem & needs to close. We are sorry for the inconvenience. If your were in the middle of something, the information your were working on may be lost."

This error looks suspiciously unfamiliar and started getting it frequently after the clicksearchclick problems started. In any case, I studied a recommend approach by Questolo #3825 and used a combination of Hijackthis and Killbox and was able to remove some of the offending .exe’s but upon restart a few continued to re-appear.

I was able to make a HJT log in safe mode only:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:11 AM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\temp\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\winadvt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
O4 - HKLM\..\Run: [nzalhf] c:\windows\system32\karubkg.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

TheTechGuide Forum

News:

Messages - Victim999

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick

Tech Clinic / Another Victim of clicksearchclick