Author Topic: recurring spyware nightmare  (Read 4552 times)

Offline djkwik

recurring spyware nightmare
« on: March 03, 2005, 10:54:56 AM »
Yesterday (Wednesday morning) I spent about 3 hours running AdAware, Spybot Seek & Destroy, HouseCall Anti Virus, and EZ Trust Antivirus. None of them could locate this really persistent virus. I was getting a pop-up window stating that Windows Firewall has detected spyware activity on my computer, then Explorer would open and go to some anti-spyware page that refused to close no matter what I did. Then I'd notice 10 new entries in my favorites list; also my homepage kept being set to about:blank... then I realized it was a CWS and ran my CWS Shredder, found the hidden dll. Thought that was the end of it... but of course not!

'Puter ran fine the rest of the day, yet now again this morning I get two alerts from my EZ Anti Virus regarding mxbckup.exe and truettf.exe. I got those two yesterday, did a search, and deleted them. Today however, search didn't find them, yet when I run the EZ AV program and open windows\System 32, they are both right there. EZ deleted them... ok and fine... I think.

While in the EZ window, I also notice that the Recycler file (which still boggles my brain) has two entries in it despite the fact that I continually empty my recycle bin... and I had read on some forum or another that if you empty your recycle bin, the recycler folder should be empty. So I am wondering why there are still two things sitting in the recycler folder. And what is up with EZ showing all these folders that you cannot find anywhere but on their tree????? I'm not the savviest computer user, but I know when my system is under attack and have usually been able to get rid of the problem, but it seems this one has gotten me beat! Any suggestions??? :angry:
« Last Edit: March 03, 2005, 10:58:01 AM by djkwik »

Offline guestolo

recurring spyware nightmare
« Reply #1 on: March 03, 2005, 05:43:04 PM »
Can you download HijackThis 1.99.1?
A small utility to help identify whether any hijackers, malware, spyware, etc. reside on your computer.

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download HijackThis from one of the two links in the original post
Save it to that new folder

Do a SCAN and save a log file. Save the log, then copy and paste the WHOLE contents of the log here. Don't try and fix anything yet; it is all important.

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline djkwik

recurring spyware nightmare
« Reply #2 on: March 03, 2005, 06:50:39 PM »
Well, I turned my computer off after starting this thread. Remember that I had just run my EZ Antivirus program and it found the files "mxbkup.exe" and "truettf.exe" and deleted them. Well, the very moment I started my computer to come to this site and see if you responded yet, right after startup, I got EZ alerts about those same damn two files. I am still thinking it is those two sitting in the recycler that I can't find, and EZ won't let me delete them from their tree that actually shows the recycler file. I downloaded the HJT and below are the results:

Logfile of HijackThis v1.99.1
Scan saved at 5:43:29 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\dxconf.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9490C321-0534-2324-4502-13C8C4B64772} - runload32.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecustom32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SysEntry] prgsys0984.exe
O4 - HKLM\..\Run: [___] WhatsNewBot.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WhatsNewBot] xxtoolbar.exe
O4 - HKCU\..\Run: [sound64] PrcIdle.exe
O4 - HKCU\..\Run: [RtlFindVal] browsebar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.176.196,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

Guest

recurring spyware nightmare
« Reply #3 on: March 03, 2005, 07:01:32 PM »
PS, right after sending you the above message with the HJT log, an Explorer window tried to open again (but I put my LAN/cable modem on standby), so this page starts to try to load... http\\www.sex-and-poker.com and those same 10 porno sites have been added to my favorites list AGAIN! I'm running the EZ to delete those two .exe files. Also, I didn't see those two files on the HJT log anywhere? Why is EZ finding them instantly and why won't they stay deleted???? These are the two files that are sitting in my recycler folder:

C:\RECYCLER\S-1-5-21-360472731-572273255-329551234-1005
C:\RECYCLER\S-1-5-21-515967899-1647877149-1801674531-1003

Ok, will leave you alone for now... I know you are helping a LOT of people. HACKERS SUCK!

Offline djkwik

recurring spyware nightmare
« Reply #4 on: March 03, 2005, 07:21:42 PM »
Another PS: two actually. Forgot to log in last time, that's why it shows my first PS as from guest, but it was me. Second: going through temp internet files, I clicked on view objects and it shows downloaded programs. The very first one is an ActiveX control and is damaged, and when I go further, there are 3 files dependent on it. Below is the actual file I am referring to:

   {9F1C11AA-197B-4942-BA54-47A8489BB47F}   4KB  

I have been seeing that ActiveX controls can also cause a lot of problems and was just wondering if this is something I should be concerned with.

thanks again.

Offline guestolo

recurring spyware nightmare
« Reply #5 on: March 04, 2005, 01:23:53 AM »
Download and save to desktop the standalone version of CWShredder.exe
Don't run this yet

Next: Please download Remv3.zip (attached to the original post) and UNZIP the folder inside to the Desktop
Ensure you unzip the contents; this won't work if left within the zipped archive

Please print this out or save to a Notepad file on the desktop

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

RESTART your Computer in SAFE MODE

Look for and delete these files or folders if found,
C:\WINDOWS\system32\connmie.exe <--file, exact name
C:\WINDOWS\system32\dxconf.exe <--file
C:\WINDOWS\system32\iecustom32.dll <--file

Search for these next ones and delete them if found
prgsys0984.exe
WhatsNewBot.exe
xxtoolbar.exe
PrcIdle.exe
browsebar.exe


C:\Program Files\WareOut <--this folder

Stay in safe mode and do a Disk Cleanup
START>>RUN>>type in cleanmgr
Hit OK
Ensure Temp and Temp Internet files are selected

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R3 - URLSearchHook: (no name) - {9490C321-0534-2324-4502-13C8C4B64772} - runload32.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecustom32.dll

O4 - HKLM\..\Run: [SysEntry] prgsys0984.exe
O4 - HKLM\..\Run: [___] WhatsNewBot.exe

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WhatsNewBot] xxtoolbar.exe
O4 - HKCU\..\Run: [sound64] PrcIdle.exe
O4 - HKCU\..\Run: [RtlFindVal] browsebar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.176.196,195.225.176.37


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open the Remv3  folder you unzipped earlier and Double click on Remv3.bat
Let it finish, it will produce a log, we'll need this later

Stay in safe mode and open just CWShredder and click Only the FIX button
Let it fix what it finds

Restart back to Normal Mode

Post back a Fresh Hijackthis log afterwards
Remv3 would have produced a log; can you also post this log please:
C:\log.txt

If you find you cannot connect to the Internet later
Close all other windows
Access your Control Panel
If you're in Category View, switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably  Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically' is selected. OK your way out.

Restart your computer again and come back here and post a fresh hijackthis log
and log.txt



Offline djkwik

recurring spyware nightmare
« Reply #6 on: March 05, 2005, 03:48:48 AM »
Man, I couldn't get into your site all day today, had me worried. Ok, I did what you listed and the two logs are below. I want to know about those two items sitting in the recycler file though... also... these are the three things that my EZantivirus keeps popping up every time I connect to the net: mxbkup.exe, truettf.exe, iecustme.exe. EZ deletes them, but they just keep coming back. I guess I will see what happens after this most recent HJT cleanup and the next step after you see the remv3 log. Thanks again for all your help.


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:41:41 AM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe




remv3 log:


Files Found.................
----------------------------------------
run_dos.dll
sprmover.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdyue.dll
msi.dll
Finished
« Last Edit: March 05, 2005, 03:53:56 AM by djkwik »
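Reading the two HijackThis logs above side by side, the entries guestolo picked out share a few patterns a practitioner looks for: autostart (O4) targets that are a bare filename with no path (prgsys0984.exe, WhatsNewBot.exe, PrcIdle.exe), components registered in the browser but missing from disk, a toolbar DLL living in system32, search URLs rewritten to about:blank or to an unknown host, and an O17 entry hard-coding two DNS servers. The Python below is an added example written for this thread; it is not HijackThis code and did not come from any of the posts. It parses HJT 1.99.1 entries, flags those patterns, and diffs two scans so that anything that comes back after a fix stands out. The sample log text is trimmed from the two logs posted above; TRUSTED_HOSTS and EXPECTED_DNS are constructed assumptions that you would fill with your own start pages and your ISP's resolvers.

```python
"""Triage HijackThis 1.99.1 logs: flag suspicious entries and diff two runs.
Added example for this thread, not HijackThis code.  LOG_BEFORE/LOG_AFTER are
trimmed from the two logs posted above; TRUSTED_HOSTS and EXPECTED_DNS are
constructed assumptions (your own start pages, your ISP's resolvers)."""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

TRUSTED_HOSTS: Set[str] = {"msn.com", "www.emachines.com"}  # assumption
EXPECTED_DNS: Set[str] = set()  # assumption: ISP unknown, so flag every hard-coded server

LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {9490C321-0534-2324-4502-13C8C4B64772} - runload32.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecustom32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SysEntry] prgsys0984.exe
O4 - HKLM\..\Run: [___] WhatsNewBot.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [sound64] PrcIdle.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.176.196,195.225.176.37
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - ")


def parse_log(text: str) -> Dict[str, str]:
    """Map each 'Xn - ...' line of a log to its section code ('O4', 'R1', ...)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries[raw.strip()] = m.group(1)
    return entries


def is_bare_filename(target: str) -> bool:
    """'prgsys0984.exe' carries no drive, directory or %var%: Windows resolves it
    through the search PATH, so the log never says where the file really lives."""
    parts = target.strip().strip('"').split()
    first = parts[0] if parts else ""
    return bool(first) and "\\" not in first and ":" not in first and not first.startswith("%")


def flag_entry(entry: str, section: str) -> List[str]:
    """Heuristic reasons an entry deserves a look; an empty list means it looks normal."""
    reasons: List[str] = []
    body = entry.split(" - ", 1)[1]
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("registered component has no file on disk")
    if section in ("O2", "O3") and re.search(r"\\windows\\system32\\", body, re.I):
        reasons.append("browser add-on loaded from the system directory")
    if section == "O4" and "] " in body and is_bare_filename(body.split("] ", 1)[1]):
        reasons.append("autostart target has no path")
    if section in ("R0", "R1"):
        m = re.search(r"=\s*(\S+)\s*$", body)
        url = m.group(1) if m else ""
        host = urlsplit(url).hostname
        if url == "about:blank":
            reasons.append("search/start page nulled to about:blank")
        elif host and host not in TRUSTED_HOSTS:
            reasons.append("browser URL points at untrusted host " + host)
    if section == "O17":
        m = re.search(r"NameServer\s*=\s*([\d.,]+)", body)
        rogue = [ip for ip in (m.group(1).split(",") if m else []) if ip not in EXPECTED_DNS]
        if rogue:
            reasons.append("hard-coded DNS servers outside expected set: " + ", ".join(rogue))
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Every flagged entry mapped to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for entry, section in parse_log(text).items():
        reasons = flag_entry(entry, section)
        if reasons:
            flagged[entry] = reasons
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(entries that vanished, entries that appeared) between two scans.
    Anything that appears again after a fix is being re-created by something
    that survived, which is the first thing to hunt for."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, reasons in triage(LOG_BEFORE).items():
        print(entry + "\n    -> " + "; ".join(reasons))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries gone after the fix, {len(added)} new")
```

On the trimmed first log this flags nine entries and leaves the Java updater, the Microsoft Money BHO, the dumprep entries and the quoted WareOut path alone; the diff against the second log shows ten entries gone and nothing new. Feed a later scan in as LOG_AFTER and the `added` list is where re-dropped persistence shows up, which is the question the rest of this thread is chasing. The heuristics are deliberately coarse: vendor software does sometimes register components from odd places, so treat a flag as a reason to look, not a verdict.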

Offline djkwik

recurring spyware nightmare
« Reply #7 on: March 05, 2005, 11:26:38 AM »
Well, I went to bed after sending the last post with the latest HJT log and the remv3 log. When I got up today and went online, the very first thing to happen was that EZantivirus detected two of those trojans AGAIN, and then those 10 sites were listed in my favorites file AGAIN, so I turned off the modem and started running the various scans AGAIN. While running AdAware (just for the sake of seeing if IT can find the ones that EZ keeps finding over and over and over again), IE windows kept trying to open to various sites AGAIN! :angry:
NOTHING has changed so far. Oh, except that EZantivirus always states that mxbkup.exe is a win32.netmesser.F trojan, yet today I used the EZ tree to see if it was in the system32 folder; sure enough it was there, but this time not detected as that trojan!!! This is making NO SENSE! And as I am typing this, some damn gambling thing just started to download!!! Some Carnival Casino thing!!! If anything, my computer has gotten worse! HELP!!!!!!!! I also need to know why it is that when I open up the Windows System32 folder via My Computer, these things never list, even when I have unchecked the hide file extensions, etc, etc, etc, etc, etc!!!!! Yet they all list for the EZ antivirus program. I go into Windows System32 via that and there are 20 times more files listed! And regarding the RECYCLER folder, those same two entries are still there. I was able to go into the recycler folder and one of them would delete, but the other one says it cannot be deleted because it is being used by another person or program! Then the second one always shows up again later! THIS IS BEGINNING TO PISS ME OFF SO BAD I'M ABOUT READY TO TAKE A SLEDGEHAMMER TO THIS COMPUTER! :wacko:

Offline guestolo

recurring spyware nightmare
« Reply #8 on: March 05, 2005, 03:32:00 PM »
Let's try this
Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet
With just these instructions open

Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\System32\hdyue.dll

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select YES.

Please allow it to reboot, but reboot to safe mode

Find and delete any files found bad by EZTrust again

Stay in safe mode and run Remv3.bat again
Ensure you're set to show hidden files and folders

Stay in safe mode and recheck to make sure that
Obtain DNS server address automatically is still selected

Restart back to Normal mode

Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane---  Use "CTRL  C" on your Keyboard to copy all found in the lower pane  and paste it in your next reply.

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Post back a fresh hijackthis log afterwards too
along with the new C:\log.txt

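The Killbox step above works around a file that cannot be deleted while Windows is running by asking Windows itself to remove it during the next boot, before any user-mode process has started. The Python below is an added example written for this thread; it is not Pocket Killbox's code, and it assumes (as is the case for this class of tool generally) that "Replace on Reboot" is built on the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which stores the job as source/destination pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations for Session Manager to apply at boot. The file path is the one named in the reply; the dummy path is an assumption.

```python
"""Delete-or-replace-on-reboot, the mechanism behind "Replace on Reboot" tools.
Added example for this thread; not Pocket Killbox's own code.  Assumes the tool
uses MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which queues the job in
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
(a REG_MULTI_SZ of source/destination pairs) for Session Manager to apply early
in the next boot, before the process holding the file open can start again."""
import sys
from typing import List, Optional, Tuple

MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def nt_path(win_path: str) -> str:
    """Win32 path -> the NT object-manager form stored in the registry value."""
    return "\\??\\" + win_path


def delete_pair(target: str) -> List[str]:
    """Pair that deletes `target` at boot: the destination is an empty string."""
    return [nt_path(target), ""]


def replace_pair(target: str, dummy: str) -> List[str]:
    """Pair that overwrites `target` with `dummy` at boot (Killbox's "Use Dummy").
    A leading '!' on the destination encodes MOVEFILE_REPLACE_EXISTING."""
    return [nt_path(dummy), "!" + nt_path(target)]


def parse_pending(multi_sz: List[str]) -> List[Tuple[str, Optional[str], bool]]:
    """Decode an existing PendingFileRenameOperations value into
    (source, destination or None for delete, replace_existing) triples.
    Worth reading before you reboot: a dropper can queue its own renames here."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold string pairs")
    ops: List[Tuple[str, Optional[str], bool]] = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        dst = dst.lstrip("!")
        ops.append((src.replace("\\??\\", "", 1),
                    dst.replace("\\??\\", "", 1) if dst else None,
                    replace))
    return ops


def queue_at_reboot(target: str, dummy: Optional[str] = None) -> None:
    """Ask Windows to delete `target` (or replace it with `dummy`) on next boot.
    Needs administrative rights; raises on non-Windows hosts."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if dummy is None:
        ok = k32.MoveFileExW(target, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    else:
        ok = k32.MoveFileExW(dummy, target,
                             MOVEFILE_DELAY_UNTIL_REBOOT | MOVEFILE_REPLACE_EXISTING)
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    target = r"C:\WINDOWS\System32\hdyue.dll"   # file named in the reply above
    print("delete  :", delete_pair(target))
    print("replace :", replace_pair(target, r"C:\dummy.txt"))  # dummy path assumed
```

The boot-time rename only helps if nothing re-creates the file afterwards, which is why the reply pairs it with a safe-mode pass and a fresh log. `parse_pending` is the check to run on a machine like this one before rebooting: the same registry value is available to anything running as administrator, so an attacker's queued rename would execute with the same early-boot privilege as yours.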


Offline djkwik

recurring spyware nightmare
« Reply #9 on: March 05, 2005, 09:53:50 PM »
Ok man, I give up! I did EXACTLY what you told me to do. First, EZ couldn't find anything at all while in safe mode. I did the remv3 and this time those files didn't list. I used the Killbox and it told me that the file I copy/pasted into it was erased by an outside source! Then when I come back online to download the Mwav.exe thing, EZ THEN starts going crazy the moment I went online, finding those same recurring trojans! Then I went offline and ran the Mwav! It finds 24... count them, 24 viruses! BUT I go to copy and paste the list in the lower box just like you said and the damn thing won't let me! So I go to view the log itself, and what do I find? A trillion-line log that I start to painstakingly go through to try to find all 24 that say "no action taken" so I can copy and paste them here... only I start getting inundated with pop-up windows again, DESPITE NOT BEING ONLINE!!! And while trying to close them all down, I wound up closing the log file I was working with! NOW I CAN'T RETRIEVE IT! I gave up and went to eat some dinner. I come back, run the EZ again, it deletes the truettf.exe win32.bloon.c trojan, and the iecustme.exe win32.startpage.NW trojan. I ran the remv3 again and this time it finds only one file... I tried to run it 3 times in a row and each time it finds different files altogether! So how the hell am I supposed to use KillBox to get rid of them when they keep changing on me! I am now running another Mwav, and this time it's only finding the Java-based viruses; last time there were 4 of them, now there are 8! And I will bet anyone a million dollars that as soon as I am done, I will get all those pop-ups again, the ten porn entries on my favorites list for the 20th time, and when I go to do all of this again it will all be different YET AGAIN!

SO, I am thinking of just salvaging what I can to CD-ROM from files I know have never shown up as being infected (personal stuff... all the viruses seem to be in program or system files, esp. system32), just save what I can, dump the core and just reload my Windows XP from my start-up disc. Do you think THAT would finally get rid of this S--T?!

Oh, incidentally... as I am typing this right now, I am getting slammed with frikken pop-ups AGAIN! Oh, and now the MWav has stalled out entirely! Do you have any other ideas, or do you think I would just save myself a lot of time and all this irritation by dumping the core and starting over again like I just bought this computer!? :angry:
« Last Edit: March 05, 2005, 09:57:46 PM by djkwik »

Offline guestolo

recurring spyware nightmare
« Reply #10 on: March 05, 2005, 10:23:56 PM »
Can you reboot in Safe mode and run the MWav scan

Save the log to a Notepad file
Remember you have to Highlight the results and use the Ctrl + C keys on the keyboard to copy the results

Run RemV3.bat in safe mode also

Back in Normal mode
Return here with a fresh hijackthis log
Post the C:\Log.txt
and the results from eScan Mwav scan
« Last Edit: March 05, 2005, 10:25:26 PM by guestolo »



Offline djkwik

recurring spyware nightmare
« Reply #11 on: March 06, 2005, 01:05:19 AM »
:blink: WHEW. Ok, here are the log entries you requested. You didn't specify whether to do the final HijackThis scan in safe or normal mode, so I did both and they are both here. Running the mwav in safe mode found all those trojans. The java trojans I mentioned in my last post... I wrote them all down and deleted them manually (have had to do those before... get a lot of those java trojans and Ad-Aware usually finds them). Anyways... here ya go... hope you can do something for me... I still think it would take a lot less time to dump the core and reload Windows and all my programs from scratch.

HJT log (safe mode):

Logfile of HijackThis v1.99.1
Scan saved at 11:45:39 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe




HJT log (normal mode):

Logfile of HijackThis v1.99.1
Scan saved at 11:54:36 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe




Mwav log (safe mode):

File C:\WINDOWS\system32\mslcy.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hdmoo.dll infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sprmover.exe infected by "Trojan-Downloader.Win32.Small.agg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hdmoo.dll infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sprmover.exe infected by "Trojan-Downloader.Win32.Small.agg" Virus. Action Taken: No Action Taken.

REMV3 Log (safe mode):


Files Found.................
----------------------------------------
run_dos.dll
connmie.exe
dxconf.exe
mxbkup.exe
sprmover.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdmoo.dll
msi.dll
« Last Edit: March 06, 2005, 01:34:59 AM by guestolo »

Offline tablante

recurring spyware nightmare
« Reply #12 on: March 06, 2005, 01:19:43 AM »
LOG REMOVED
Can you please start your own post
Tablante, thanks
~guestolo~
« Last Edit: March 06, 2005, 01:27:18 AM by guestolo »

Offline guestolo

recurring spyware nightmare
« Reply #13 on: March 06, 2005, 01:31:05 AM »
djkwik

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad, not including the word Quote
In Notepad click FILE>>SAVE AS

Name the file as Rootkit.bat

Save this file on the desktop

 
Quote
regedit /e Rootkit.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd"
Double click on Rootkit.bat and a new reg file may be placed on your desktop called
Rootkit.reg
Right click on Rootkit.reg and select EDIT
Post the contents back here

One more thing too please
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad, not including the word Quote
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop

Quote
@echo off
cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit


Double click to run it
Notepad will open with a long list in it
Can you copy and paste the whole contents please back here

I'll edit out what we don't need later
« Last Edit: March 06, 2005, 02:09:57 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline djkwik

recurring spyware nightmare
« Reply #14 on: March 06, 2005, 10:02:32 AM »
When I ran the Rootkit.bat, a small DOS window opened for a second, then closed, but no file named Rootkit.reg showed up.  I ran a search but nothing came up.  Here are the Export.bat results as requested.  Oh, when I came online to do this, I got slammed with the iecustme.exe and the truettf.exe (StartPage.NW trojan & Bloon.c trojan) again and that Carnival Casino started to download yet again.  I am going to run EZ Antivirus to get rid of the trojans again and go in and manually delete the downloading program for Carnival Casino yet again (about the 5th time now).  Let me know what to do next.  I'm pushing about 30 hours' worth of time on this endeavor so far.





 Volume in drive C has no label.
 Volume Serial Number is FC93-C619

 Directory of C:\WINDOWS\system32

03/05/2005  08:06 PM             8,192 Thumbs.db
03/02/2005  06:14 PM            52,968 perfc009.dat
03/02/2005  06:14 PM           380,680 perfh009.dat
03/02/2005  06:14 PM           439,376 PerfStringBackup.INI
03/02/2005  04:39 PM             9,216 wosys32.dll
03/02/2005  04:39 PM           648,357 woinst.exe
03/02/2005  01:37 AM                20 date.dat
03/02/2005  01:37 AM             5,555 menu.txt
02/11/2005  05:08 PM           176,167 rmoc3260.dll
02/11/2005  05:08 PM             5,632 pndx5032.dll
02/11/2005  05:08 PM             6,656 pndx5016.dll
02/11/2005  05:08 PM           278,528 pncrt.dll
« Last Edit: March 06, 2005, 01:02:28 PM by guestolo »

Offline guestolo

recurring spyware nightmare
« Reply #15 on: March 06, 2005, 02:28:23 PM »
Take a look here at some more info from Symantec
You will want to edit the registry in safe mode
https://www-secure.symantec.com/avcenter/ve...an.flush.a.html


Open the Remv3 folder you have unzipped
Inside it you will see a text file called
ver3.txt<<Open it

Add this to the list of files

sysobj.exe
wosys32.dll
woinst.exe
hdmoo.dll
hdyue.dll

Save the change and close it out

Can you download and save to desktop IEFix.zip
Unzip the contents so you will now have IEFix.reg on the desktop
Don't run it yet, we'll need it later
[attachment=52:attachment]

With Windows set to show Hidden files and folders
Print the rest out or save to a Notepad file on the desktop


RESTART to safe mode

Navigate to Remv3.bat and run it

Look for any of these files and delete them if they exist
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe

Navigate to this folder and delete the Whole contents
C:\WINDOWS\Prefetch <--delete the whole contents

If this folder exists remove it
C:\Program Files\Casino Online<---or similar

Stay in safe mode
Go to START>>Run>>type in regedit
Hit OK
Navigate to this key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Highlight Run
On the right hand side look for this entry and delete it
sysobj.exe

Also look for the ones recommended by Symantec for removal
In the registry, you may also want to highlight MyComputer
Click EDIT>>FIND
Look for this entry, remove or let me know if found
69.50.184.84

Exit the Reg Editor

Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
You may also want to click the Advanced tab>>DNS and edit out entries related if found

Go to START>>Run>>type in cmd
At the prompt type in
ipconfig /flushdns

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll

O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Navigate to and manually delete the Whole contents of your Temp folders
or whatever you can, it's safe to delete the Whole contents
C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Access Internet Options via Control Panel
Under the General tab---Delete files + offline content

Double click on IEFix.reg you unzipped earlier to desktop and allow to merge to the registry

Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab>> Reset home page if required

You may want to run one more Online Virus scan at Housecall's
Set to Autoclean

Post back a fresh hijackthis log afterwards
and the log from Remv3.bat
« Last Edit: March 06, 2005, 02:36:07 PM by guestolo »



Offline djkwik

recurring spyware nightmare
« Reply #16 on: March 06, 2005, 02:53:43 PM »
I don't have a Symantec program, I don't think.  Isn't that Norton?  I found a file, but it only contains a shared folder...don't know how to do a live update if I don't have the program???

Offline guestolo

recurring spyware nightmare
« Reply #17 on: March 06, 2005, 03:04:14 PM »
Quote
I don't have a Symantec program, I don't think. Isn't that Norton? I found a file, but it only contains a shared folder...don't know how to do a live update if I don't have the program???

I don't know what you're talking about
I never asked you to install Norton's
I just supplied a link with additional information

I'm assuming by our past posts you're OK editing the registry
Take a look at the link I supplied from Symantec
and in safe mode remove the entries they recommend for removal



Offline djkwik

recurring spyware nightmare
« Reply #18 on: March 06, 2005, 04:39:28 PM »
OK, there were no entries in the registry that Symantec's site listed..onto other things:

I had problems with your last set of instructions:

Your instruction:

Navigate to Remv3.bat and run it

Look for any of these files and delete them if they exist
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe

I ran Remv3. Am I supposed to look for and delete these files directly on the notepad log?  Or was I supposed to use start>>search and look for them (that is what I did...I only found two of them and deleted them)

Your instruction:

Look for this entry, remove or let me know if found
69.50.184.84

I did start>>search and found one similar...it was exactly as above but followed by:  ,195.225.176.37     so I left it alone since it was not JUST the 69.50.184.84 by itself.

Your instruction:

Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
You may also want to click the Advanced tab>>DNS and edit out entries related if found


I don't have an option under the View tab that says Classic View.  I have it set up as Icons..I double clicked the "my network connections" icon, and the folder is empty.  I have a cable LAN set-up.  When I go into Internet Properties , and click on the LAN settings tab at the bottom of the Connections page, "automatically detect settings is checked.  Is this the same thing??????


Your Instruction:

Go to START>>Run>>type in cmd
At the prompt type in
ipconfig /flushdns


I got an error when I tried to do this, so I closed out the DOS window and moved on to your next instruction.  (However, once back in normal mode, I did it again so I could tell you the exact error message, but this time it worked and I got the message "successfully flushed" etc. etc.)  Did I screw something up doing it in normal mode?  And why didn't it work in safe mode?

Your Instruction:

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll

O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37

The second O17 entry above ( \CS2\ ) did not exist.  My log had a \CS1\ so I left it alone, but the others were there and I checked/fixed them.

Your Instruction:

Navigate to and manually delete the Whole contents of your Temp folders
or whatever you can, it's safe to delete the Whole contents
C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

I did this and was wondering if I was supposed to also go into the Local Service-Temp internet files and delete them as well...I tried to but got a warning about deleting one of the files, so I played it safe and left it alone.

Your Instruction:

Restart back to Normal mode

The very second Windows tried to load back in normal mode, I got the following error window:

Generic Host Process for Win32

the error signature is as follows:

BC Code:  a0        BCP1:00000101     BCP2:00000007     BCP3:F970D7A4     BCP4:00000000    OSVer: 5_1_2600   SP:0 2_0  Product: 768_1


I kept clicking "don't send"  eventually windows opened into normal mode and I was able to run the HouseCall and it immediately found a MalWare trojan in the system files and deleted it.

I then ran another HJT and Remv3 and those logs are to follow:

Logfile of HijackThis v1.99.1
Scan saved at 3:15:08 PM, on 3/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe




Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdguz.dll
msi.dll
Finished


Waiting anxiously for your next post...........

Offline guestolo

recurring spyware nightmare
« Reply #19 on: March 06, 2005, 04:56:29 PM »
Are you saying you didn't manually access your System32 folder and delete these files?
That is what I wanted you to do, there in bold
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe

DELETE those files in bold

Also, quoting you:
Quote
I did start>>search and found one similar...it was exactly as above but followed by: ,195.225.176.37 so I left it alone since it was not JUST the 69.50.184.84 by itself.

Again, I have no idea what you mean by this
Are you looking in the registry?????
Yes, as you can see by the Hijackthis log this is part of the problems
Look at the address in the Hijackthis log
that I asked you to remove
Example
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37

Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
You may also want to click the Advanced tab>>DNS and edit out entries related if found
Ummm, if you open up Control Panel
On your left hand side you will see "Switch to Classic View"

Symantec recommends that you navigate and remove some values in the registry
Did you do this?????
Did you look at the link I supplied to Symantec's carefully?

I'm sorry, I thought you were more comfortable in the registry

Also, you have a new file in the system32 folder we must remove
hdguz.dll

P.S. Yes it's fine to run ipconfig /flushdns in Normal mode

Also, as mentioned, it's safe to delete EVERYTHING in the TEMP Folders
Did you delete the whole contents of the Prefetch folder???
If you see any entries with this ip address in hijackthis log
NameServer = 69.50.184.84,195.225.176.37
It's safe to remove
« Last Edit: March 06, 2005, 05:05:05 PM by guestolo »

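Added example, not a tool from this thread or from HijackThis/MWAV: a small Python triage script that applies the reasoning guestolo used in Replies #15 and #19 to log lines of the shape posted above. It cross-references HJT entries against the files MWAV flagged (mslcy.dll, sysobj.exe), flags O4 Run entries that start a bare filename with no install path (like [sysobj.exe] sysobj.exe), and flags O17 NameServer overrides pointing at public resolvers that are not on a trusted list. The sample lines are constructed from the thread, and the trusted-DNS list is an assumption you would fill in from your ISP's settings; the script works on any HJT/MWAV log, not only these lines.

```python
"""Added example: triage HijackThis and MWAV text logs (not a tool from this thread)."""
import ipaddress
import re

# Constructed sample lines, in the shape of the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
"""

MWAV_SAMPLE = r"""
File C:\WINDOWS\system32\mslcy.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
"""

MWAV_RE = re.compile(r'^File (.+?) infected by "([^"]+)"', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
# HJT prints O17 both as "O17 - HKLM..." and "O17-HKLM..." in the pasted logs.
O17_RE = re.compile(r"^O17 ?- ?(\S+?): NameServer = ([\d.,]+)")
# Backslash is excluded from the class, so only the basename of a path matches.
FILE_RE = re.compile(r"([\w~$.-]+\.(?:dll|exe|ocx|cab))", re.IGNORECASE)


def parse_mwav(text):
    """Map each flagged file's basename (lower-case) to the scanner's detection name."""
    hits = {}
    for line in text.splitlines():
        m = MWAV_RE.match(line.strip())
        if m:
            path, detection = m.groups()
            hits[path.replace("/", "\\").rsplit("\\", 1)[-1].lower()] = detection
    return hits


def run_executable(command):
    """Return the executable part of an O4 command line (first token, quote-aware)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_public(ip):
    """True for an address outside the private/loopback ranges (or one that does not parse)."""
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return True


def triage(hjt_text, mwav_text="", trusted_dns=frozenset()):
    """Return (kind, detail) findings for the HJT lines that deserve a closer look."""
    scanner_hits = parse_mwav(mwav_text)
    findings = []
    for line in (raw.strip() for raw in hjt_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        # 1. Any entry that loads a file the on-demand scanner already flagged
        #    (the thread's O2 mslcy.dll and O4 sysobj.exe entries).
        for fname in sorted({f.lower() for f in FILE_RE.findall(line)}):
            if fname in scanner_hits:
                findings.append(("scanner-hit", f"{section} loads {fname} ({scanner_hits[fname]})"))
        # 2. Run entries that start a bare filename: no install path, so the binary
        #    is resolved from the search path rather than a known program location.
        m = O4_RE.match(line)
        if m:
            exe = run_executable(m.group(3))
            if exe and not any(c in exe for c in "\\/%"):
                findings.append(("bare-run", f"{m.group(1)} [{m.group(2)}] starts bare filename {exe}"))
        # 3. Per-interface NameServer overrides pointing at public resolvers that are
        #    not on the trusted list; a hijacked resolver redirects every lookup.
        m = O17_RE.match(line)
        if m:
            bad = [ip for ip in m.group(2).split(",")
                   if ip and is_public(ip) and ip not in trusted_dns]
            if bad:
                findings.append(("dns", f"{m.group(1)} NameServer override to {', '.join(bad)}"))
    return findings


if __name__ == "__main__":
    # Assumption: the trusted list is whatever your ISP hands out; empty here.
    for kind, detail in triage(HJT_SAMPLE, MWAV_SAMPLE):
        print(f"{kind:12} {detail}")
```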