« previous next »
Pages: [1]

Author Topic: hiddencws on ME  (Read 645 times)

Offline iago

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
hiddencws on ME
« on: April 04, 2005, 07:35:13 PM »
Hi:

I had this same infection on my system and this site helped me get rid of it. now a friend has it on his, so I'm tryng to help out.

Here are the hjt and stardreck logs from his pc.

Thanks!

StartDreck (build 2.1.7 public stable) - 2005-04-04 @ 19:23:21 (GMT -05:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4807.2300
Logged in as default at COMPUTER

»Registry
 »Run Keys
  »Current User
   »Run
   »RunOnce
    *QRIA=
  »Default User
   »Run
   »RunOnce
    *QRIA=
  »Local Machine
   »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *Service Connection=c:\cpqs\bwtools\sccenter.exe
    *AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    *AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    *AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    *sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
   »RunOnce
   »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
   »RunServicesOnce
    **ew=rundll32 C:\WINDOWS\MODEMCFL.TXT,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
  +.htm
   *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
  +.html
   *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
  +.js
   *JSFile=C:\WINDOWS\WScript.exe "%1" %*
  +.jse
   *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
  +.vbe
   *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.wsh
   *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
  +.wsf
   *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
  *{F0031643-8593-47CE-88A8-FF96360BADA5}
   `InprocServer32=C:\WINDOWS\SYSTEM\MEB.DLL
»Files
 »Autostart Folders
  »Current User
  »Default User
  »Local Machine
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\WINDOWS\msdos.sys
  *C:\msdos.sys
  *C:\config.sys
  *C:\autoexec.bat
  *C:\WINDOWS\wininit.bak
  *C:\WINDOWS\dosstart.bat
  *C:\WINDOWS\command\cmdinit.bat
»System/Drivers
 »Running Processes
  +FFEF19AF=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFD25B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFB19B=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFFB7D7=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE7E43=C:\WINDOWS\SYSTEM\MSTASK.EXE
  +FFFE316B=C:\WINDOWS\RUNDLL32.EXE
  +FFFE6E5B=C:\WINDOWS\EXPLORER.EXE
  +FFFD76FB=C:\WINDOWS\TASKMON.EXE
  +FFFD087B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  +FFFDD1D7=C:\CPQS\BWTOOLS\SCCENTER.EXE
  +FFFD92AF=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
  +FFFC6643=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
  +FFFC12DF=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
  +FFFD1A43=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  +FFFA4D1F=C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
  +FFF92683=C:\WINDOWS\DESKTOP\STARTDRECK217\STARTDRECK.EXE
 »NT Services
»Application specific
Logfile of HijackThis v1.99.1
Scan saved at 7:22:13 PM, on 4/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {F0031643-8593-47CE-88A8-FF96360BADA5} - C:\WINDOWS\SYSTEM\MEB.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Au...VBAuthentic.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/US205_150.exe
O18 - Filter: text/html - {8961443D-4C33-4ABC-8398-73D5A96C2D07} - C:\WINDOWS\SYSTEM\MEB.DLL
O18 - Filter: text/plain - {8961443D-4C33-4ABC-8398-73D5A96C2D07} - C:\WINDOWS\SYSTEM\MEB.DLL
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hiddencws on ME
« Reply #1 on: April 04, 2005, 11:56:44 PM »
Download and UNZIP to desktop SPSeHjFix.109.zip
So you now have SPSeHjFix_Beta9.exe on your desktop
[attachment=111:attachment]

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Navigate to your temp folders and empty the Whole contents or whatever you can
C:\Windows\Temp
C:\Windows\Temporary Internet Files

With all other windows closed
Open SPSeHjFix_Beta9.exe
Click the Start Disinfection
Let it run and it should Reboot your computer

Allow to Restart back to Normal mode

Post back a fresh Hijackthis log
The log produced by Startdreck
« Last Edit: April 04, 2005, 11:57:19 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »