Author Topic: Nasty veryeasysearch Bug  (Read 967 times)

Offline RuinerXL

  • Newbie
  • Posts: 3
  • Karma: +0/-0
Nasty veryeasysearch Bug
« on: April 27, 2005, 12:02:36 AM »
Hello, everyone. I just got the veryeasysearch spyware on my computer (the one that makes Internet Explorer always open with the about:blank page and generates popup ads) and I've been trying desperately to get it off by every means I know (Norton, AdAware, HijackThis, etc.). Nothing so far has been successful, so I would be incredibly thankful to anyone that can lend me a helping hand. My HijackThis logfile is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:27 PM, on 4/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\msyh.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\crom32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A509347C-461D-D47A-686D-852C0B1D26EE} - C:\WINDOWS\mfchl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkhg.exe] C:\WINDOWS\system32\sdkhg.exe
O4 - HKLM\..\Run: [netni.exe] C:\WINDOWS\system32\netni.exe
O4 - HKLM\..\Run: [ielo32.exe] C:\WINDOWS\system32\ielo32.exe
O4 - HKLM\..\Run: [mfczx.exe] C:\WINDOWS\system32\mfczx.exe
O4 - HKLM\..\Run: [crom32.exe] C:\WINDOWS\system32\crom32.exe
O4 - HKLM\..\RunOnce: [msyh.exe] C:\WINDOWS\system32\msyh.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171/activex/AxisCamControl.ocx
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkjp.exe (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe" /Service (file missing)
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
« Last Edit: April 27, 2005, 12:10:33 AM by RuinerXL »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Nasty veryeasysearch Bug
« Reply #1 on: April 27, 2005, 03:12:18 PM »
You have a couple of different infections on your computer. We'll need a few tools to help get you clean; most won't take that long to run, just the Ewido trojan scanner may take a bit of time. Please run everything I have supplied.

Can you do the following please

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
We'll need it later

==Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

====Download and Install this small program
to help clean your temp folders, cookies, etc.
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

==Download and UNZIP to desktop Cwsserviceremove.zip
So you have cwsserviceremove.reg on the desktop
Cwserviceremove.zip
We'll need this later

==Download Removal.zip and UNZIP the contents to desktop
So you now have removal.bat on your desktop
We'll need this later

==From my signature below, download and save to Desktop CWShredder.exe
Don't run it yet

===Could you next
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

==Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

==Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service

Double click on it--- STOP the service-- If running
In the drop down menu, change the startup type to Disabled

Do the same for this service name
System Startup Service

==Double click on removal.bat
A dos window will open and close quickly, this is normal

==Using Windows Explorer, navigate to these files and delete them if found and if you can; carry on if you can't find or remove them
C:\WINDOWS\system32\sdkhg.exe <-file
C:\WINDOWS\system32\netni.exe
C:\WINDOWS\system32\ielo32.exe
C:\WINDOWS\system32\mfczx.exe
C:\WINDOWS\system32\crom32.exe
C:\WINDOWS\system32\msyh.exe
C:\WINDOWS\sdkjp.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\mfchl32.dll

==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

==Double click on cwsserviceremove.reg and allow it to merge to the registry

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

==Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, but fix what appears

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {A509347C-461D-D47A-686D-852C0B1D26EE} - C:\WINDOWS\mfchl32.dll

O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkhg.exe] C:\WINDOWS\system32\sdkhg.exe
O4 - HKLM\..\Run: [netni.exe] C:\WINDOWS\system32\netni.exe
O4 - HKLM\..\Run: [ielo32.exe] C:\WINDOWS\system32\ielo32.exe
O4 - HKLM\..\Run: [mfczx.exe] C:\WINDOWS\system32\mfczx.exe
O4 - HKLM\..\Run: [crom32.exe] C:\WINDOWS\system32\crom32.exe
O4 - HKLM\..\RunOnce: [msyh.exe] C:\WINDOWS\system32\msyh.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkjp.exe (file missing)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Run CWShredder.exe, click the FIX button and let it fix what it finds

===RESTART the computer back to Normal mode
Back in Windows

===Look for a file called shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
 Under the  Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

I'm going to ask that you post back a number of logs
Try and supply them all, thanks

Post back with a fresh Hijackthis log
Also, post the logs from About:Buster
Include the report from Ewido's trojan scanner

I want to check to see if your hosts file was edited
Could you do the following
==Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of this notepad file too

Finally, Please download Find_Its.zip from the link below
http://forums.net-integration.net/index.ph...=post&id=142443
UNZIP the contents to desktop
Open the FindIt's folder and double click on the FindIt's.bat

Wait for the log and post it back here


Also, let me know if you have Spybot 1.3 installed, I'm just checking
« Last Edit: April 27, 2005, 03:13:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
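As an added example (not code from this thread, from HijackThis or from any tool named above), the following Python script applies the signals guestolo's fix list relies on to a HijackThis log: IE start/search pages pointing at a res:// DLL resource, a missing URLSearchHook, a nameless BHO, autoruns launched from the browser cache or named after their own exe in system32, and "Unknown owner" services in the Windows root. The rules, the `Finding` type and the function names are my assumptions; the embedded sample is an excerpt of the log posted at the top of this thread.

```python
import re
from dataclasses import dataclass

# Sample input: an excerpt of the HijackThis log posted in this thread, with a few
# benign lines (Adobe BHO, Sygate firewall) kept in so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A509347C-461D-D47A-686D-852C0B1D26EE} - C:\WINDOWS\mfchl32.dll
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [sdkhg.exe] C:\WINDOWS\system32\sdkhg.exe
O4 - HKLM\..\RunOnce: [msyh.exe] C:\WINDOWS\system32\msyh.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkjp.exe (file missing)
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class Finding:
    line: str    # the HijackThis entry, as posted
    reason: str  # why the heuristic considers it worth fixing


# "= res://<something>.dll/..." means IE's page/search settings resolve into a DLL resource.
RES_DLL = re.compile(r"=\s*res://.*\.dll/", re.IGNORECASE)
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_ENTRY = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner> - <path>
O23_ENTRY = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def target_basename(cmd):
    """Return the lower-cased exe file name launched by an O4 command line, or None."""
    m = re.match(r'"?(?P<path>[^"]+?\.exe)"?', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group("path").rsplit("\\", 1)[-1].lower()


def classify(line):
    """Return a reason string if the entry matches one of the hijack signals, else None."""
    line = line.strip()
    if not line:
        return None
    prefix = line.split(" - ", 1)[0]
    if prefix in ("R0", "R1"):
        if RES_DLL.search(line):
            return "IE start/search page redirected into a DLL resource (res://...dll)"
        if "Default_Page_URL" in line and line.endswith("= about:blank"):
            return "machine-wide default page forced to about:blank"
        return None
    if prefix == "R3" and "URLSearchHook is missing" in line:
        return "default URLSearchHook has been removed"
    if prefix == "O2" and "BHO: (no name)" in line:
        return "Browser Helper Object registered without a name"
    if prefix == "O4":
        m = O4_ENTRY.match(line)
        if not m:
            return None
        name, cmd = m.group("name"), m.group("cmd")
        if "temporary internet files" in cmd.lower():
            return "autorun launched straight from the browser cache"
        base = target_basename(cmd)
        if base and name.lower() == base and "\\windows\\system32\\" in cmd.lower():
            return "autorun whose value name is just its own exe name, living in system32"
        return None
    if prefix == "O23":
        m = O23_ENTRY.match(line)
        if m and m.group("owner") == "Unknown owner":
            # Services from C:\WINDOWS\<name>.exe rather than a vendor directory.
            if re.match(r"(?i)^c:\\windows\\[^\\]+\.exe\b", m.group("path")):
                return "service with unknown owner running from the Windows root"
    return None


def triage(log_text):
    """Run classify() over every line of a HijackThis log and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Entries such as ViewMgr, TkBellExe and the QuickTime task that guestolo also ticked are ordinary bloat rather than hijack indicators, so this filter deliberately leaves them alone.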


Guest

  • Guest
Nasty veryeasysearch Bug
« Reply #2 on: April 28, 2005, 12:36:25 AM »
First of all, thank you SO MUCH for helping me out. There's no way I would've been able to do this on my own. Now, here's all the information you asked for:

----------

Logfile of HijackThis v1.99.1
Scan saved at 12:13:27 AM, on 4/28/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171/activex/AxisCamControl.ocx
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe" /Service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

----------

Scanned at: 9:56:06 PM   on: 4/27/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\System32\clijj.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

----------

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:01:03 AM, 4/28/2005
 + Report-Checksum:      E84FD2C7

 + Date of database:      4/28/2005
 + Version of scan engine:   v3.0

 + Duration:            91 min
 + Scanned Files:         77587
 + Speed:            14.19 Files/Second
 + Infected files:         57
 + Removed files:         57
 + Files put in quarantine:      57
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\WINDOWS\system32\rtneg.dll -> Spyware.HotSearchBar.d -> Cleaned with backup
   C:\WINDOWS\system32\epedach.exe -> Trojan.Agent.cp -> Cleaned with backup
   C:\WINDOWS\system32\pfwjg.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\elugw.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\msyh.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\d3qd32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\crye.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\mspl.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\sdkqi.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\sysms32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\crom32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\flswm.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\chqwfz.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\wzgjat.dat -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\iopgzt.exe -> Spyware.BetterInternet -> Cleaned with backup
   C:\WINDOWS\dcolcv.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\msmsgrxp.exe -> TrojanDownloader.Small.ahg -> Cleaned with backup
   C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
   C:\WINDOWS\yngzrjb.exe -> Spyware.BetterInternet -> Cleaned with backup
   C:\WINDOWS\siqbqf.exe -> Spyware.BetterInternet -> Cleaned with backup
   C:\WINDOWS\utfkzaq.exe -> Spyware.BetterInternet -> Cleaned with backup
   C:\WINDOWS\vlyiwo.log -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\lmfeqe.dat -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\coanzb.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\mdpxmy.dat -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\eeicgi.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\dazyvd.log -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\whbbxr.txt -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\oitgrb.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\zadxde.txt -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\okdgta.txt -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\atlxg.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\Documents and Settings\User1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4f7a6e50-446f20e3.class -> Trojan.ClassLoader.Dummy.d -> Cleaned with backup
   C:\Documents and Settings\User1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-3213fa52.class -> TrojanDownloader.Small.WV -> Cleaned with backup
   C:\Documents and Settings\User1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-28c909f1-20215239.class -> Trojan.Nocheat -> Cleaned with backup
   C:\Documents and Settings\User1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ok.class-377e0ae3-39577079.class -> Trojan.Nocheat -> Cleaned with backup
   C:\Documents and Settings\User1\Application Data\Mercora\MercoraClient\Data\MyPictures.dat -> Spyware.Grokster -> Cleaned with backup
   C:\ntdetect.hta -> TrojanDropper.Inor.cj -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\snapshot\MFEX-1.DAT -> Spyware.HotSearchBar.d -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\snapshot\MFEX-2.DAT -> Spyware.HotSearchBar.d -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\A0363593.dll -> Spyware.HotSearchBar.d -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\A0363597.exe -> Trojan.Agent.cp -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\A0363638.exe -> Trojan.Agent.cp -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\A0363647.exe -> Trojan.Stervis.b -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP568\A0363648.DLL -> Spyware.HotSearchBar.d -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP569\snapshot\MFEX-1.DAT -> Spyware.HotSearchBar.d -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366301.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366302.exe -> Trojan.Nail -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366305.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366308.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366310.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366311.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366312.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366315.dll -> Trojan.Agent.db -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP579\A0366320.exe -> Trojan.Feat.2 -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP580\A0366352.exe -> Trojan.Stervis.b -> Cleaned with backup
   C:\System Volume Information\_restore{9DA66DEB-9002-4693-9976-C5F2190E5587}\RP580\A0366533.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup


::Report End

----------

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

----------


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 04/28/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
 
 
»»»»» lagitamate file's can/will show in this section.
 
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»» Checking Windir\svcproc.exe and nail.exe.
 
»»»»» Checking for System32\DrPMon.dll.
 
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
 
 Volume in drive C is HP_PAVILION
 Volume Serial Number is 3226-1CD8

 Directory of C:\WINDOWS\SYSTEM32

04/13/2005  10:24 PM    <DIR>          cache32_rtneg
               0 File(s)              0 bytes
               1 Dir(s)   6,712,721,408 bytes free
»»»»» Checking for SAHAgent ico files.
 Volume in drive C is HP_PAVILION
 Volume Serial Number is 3226-1CD8

 Directory of C:\WINDOWS\system32

04/14/2005  12:30 AM             4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/14/2005  12:30 AM             4,286 mp3red51aads.ico
04/14/2005  12:30 AM             3,262 bingo_big2.ico
04/14/2005  12:30 AM             3,262 popupkiller2asdf1.ico
04/14/2005  12:30 AM             3,262 kas pink1233aadsfa12.ico
               5 File(s)         18,358 bytes
               0 Dir(s)   6,712,721,408 bytes free
 
»»»»»»»»»»»»»»»»»»»»»»»».
 

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
    <NO NAME>   REG_SZ   Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
    Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
    Driver   REG_SZ   DrPMon.dll

----------

Here's to hoping that I'm all clean. Thanks again for all your help! Oh, and no, I don't have Spybot 1.3 installed. Should I?

Offline RuinerXL

  • Newbie
  • Posts: 3
  • Karma: +0/-0
Nasty veryeasysearch Bug
« Reply #3 on: April 28, 2005, 12:40:25 AM »
Just realized I didn't log in before posting, which is why I showed up as a guest. That was me, however.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Nasty veryeasysearch Bug
« Reply #4 on: April 28, 2005, 12:44:52 AM »
Hi Ruiner, We just have a bit more cleaning to do
I won't have a chance to look over your logs until tomorrow
But we'll get the rest

Try not to do too much surfing; if you do, ensure they're safe sites until we get some protection on your computer

We don't need these to come back and bite us :D



Guest_Alex_*

  • Guest
Nasty veryeasysearch Bug
« Reply #5 on: April 28, 2005, 01:47:02 PM »
I had the same problem.
Try to delete the thread (xxx.dll) or use Norton Antivirus with the new update, or any other that finds it; run HijackThis to remove the hijack,
then boot in safe mode and delete javadh32 in the system32 folder,
reboot and the PC is clean.



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Nasty veryeasysearch Bug
« Reply #6 on: April 28, 2005, 09:37:41 PM »
Download RKFiles.zip:
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder.

Download and UNZIP to desktop
Clear.zip, so you now have Clear.reg on your desktop.
(Clear.zip is attached to this post.)
We'll need this later.

Enter your control panel>>open the Java Icon>>Click the Cache tab
Delete Cache

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer back to safe mode

Find and delete these files or folders
Let me know if you found them all
C:\WINDOWS\system32\greenmovie2313asaadsasfad112341231adsfa.ico <-file
C:\WINDOWS\system32\mp3red51aads.ico
C:\WINDOWS\system32\bingo_big2.ico
C:\WINDOWS\system32\popupkiller2asdf1.ico
C:\WINDOWS\system32kas\pink1233aadsfa12.ico

Folder
C:\WINDOWS\SYSTEM32\cache32_rtneg <-this folder

Double click on clear.reg and allow to merge to the registry at the prompt

Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode

Post back a fresh Hijackthis log and the log from Rkfiles.bat
For a double check, AFTER posting the above logs, could you also run Findit.bat again
and post the log from it too? Only do this after you have posted the above 2 logs.
« Last Edit: April 29, 2005, 12:45:57 AM by guestolo »

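The entries guestolo picks out of the log above share a few recognisable traits: R0/R1 search settings redirected into a `res://` DLL resource, a BHO with no name, a Run entry launched from the browser cache, Run entries named after a random-looking executable in system32, and a service with an unknown owner whose binary is missing. The following Python script is an added example (not part of this thread, not from the HijackThis author) that applies exactly those heuristics to a log in HijackThis v1.99.1 format, so a helper can see at a glance which lines still need a look after a cleanup round. The sample log embedded in it is constructed from a handful of the entries quoted in this thread; the rules and the `still_present` comparison are my own, not a published HijackThis ruleset.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format, modelled on a few entries
# quoted in this thread (it is not the full log). The garbled service name from
# the original has been reduced to ASCII here.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\flswm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A509347C-461D-D47A-686D-852C0B1D26EE} - C:\WINDOWS\mfchl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe
O4 - HKLM\..\Run: [sdkhg.exe] C:\WINDOWS\system32\sdkhg.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: Network Security Service ( 11F) - Unknown owner - C:\WINDOWS\sdkjp.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves a look
    line: str      # the log line itself


ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# O4 body: HKLM\..\Run: [display name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
# First .exe path in a command line, with or without surrounding quotes
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)


def _run_entry_reason(body):
    """Heuristics for O4 autostart entries (hypothetical rules drawn from this thread)."""
    m = RUN_RE.match(body)
    if not m:
        return None
    name, command = m.group(1), m.group(2)
    exe = EXE_RE.search(command)
    path = (exe.group(1) if exe else command).lower()
    if "temporary internet files" in path:
        return "autostart launched from the browser cache directory"
    basename = path.rsplit("\\", 1)[-1]
    if basename == name.lower() and path.startswith(r"c:\windows\system32"):
        return "system32 executable registered under its own filename"
    return None


def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()
    reason = None
    if section.startswith("R"):
        if "res://" in low and ".dll" in low:
            reason = "IE start/search setting points into a DLL resource (about:blank hijack pattern)"
        elif "is missing" in low:
            reason = "default IE setting removed"
    elif section == "O2" and "(no name)" in low:
        reason = "BHO without a name"
    elif section == "O4":
        reason = _run_entry_reason(body)
    elif section == "O23":
        if "(file missing)" in low and "unknown owner" in low:
            reason = "service with unknown owner whose binary is missing"
        elif any(ord(c) > 127 for c in body):
            reason = "service name contains garbled characters"
    return Finding(section, reason, line) if reason else None


def triage(log_text):
    """All findings for a whole log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def still_present(before_text, after_text):
    """Findings from the 'before' log that survive into the 'after' log,
    i.e. what the next round of fixes still has to cover."""
    before = {f.line for f in triage(before_text)}
    return [f for f in triage(after_text) if f.line in before]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the post-cleanup log further down in this thread, `still_present` would report the `[MS Updates] ... mscache[1].exe` Run entry, which survived the first fix round.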


Offline RuinerXL

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Nasty veryeasysearch Bug
« Reply #7 on: April 30, 2005, 12:28:07 PM »
Firstly, I wasn't able to find C:\WINDOWS\system32kas\pink1233aadsfa12.ico. Secondly, here are the logs you asked for:

----------

Logfile of HijackThis v1.99.1
Scan saved at 12:24:29 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\OB9FUMRT\mscache[1].exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171/activex/AxisCamControl.ocx
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe" /Service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

----------

C:\Documents and Settings\User1\Desktop\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\ODBCJET.HLP: +0`3Spec2
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\MEMORY.DMP: UPX!-
C:\WINDOWS\MEMORY.DMP: UPX!-
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\MEMORY.DMP: efsg!>!#ztuf#
C:\WINDOWS\MEMORY.DMP: FSG!-
C:\WINDOWS\MEMORY.DMP: FSG!-
C:\WINDOWS\MEMORY.DMP: efsg!>!#ztuf#
Finished
bye

----------

There you go. I'll post the FindIt's log as soon as I get it.
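The rkfiles output above prints, after each path, the string fragment it matched; `UPX!` and `FSG!` are tags left in executables by two common runtime packers, which is why a hit in MEMORY.DMP is not the same thing as a packed file on disk. The Python scanner below is an added example, not part of this thread and not the rkfiles.bat script itself: it reproduces that style of marker search over a directory tree and attaches a confidence label by file type. The marker list and the confidence labels are my own assumptions, and the files it scans are constructed in a temporary directory so it runs offline.

```python
import tempfile
from pathlib import Path

# Packer tags of the kind the rkfiles log in this thread reported. This list is an
# assumption about what a marker scan would look for, not rkfiles.bat's own set.
PACKER_MARKERS = {
    b"UPX!": "UPX packer header tag",
    b"FSG!": "FSG packer tag",
}


def scan_bytes(data: bytes):
    """Return sorted (offset, marker) pairs for every marker occurrence in data."""
    hits = []
    for marker in PACKER_MARKERS:
        off = data.find(marker)
        while off != -1:
            hits.append((off, marker.decode("ascii")))
            off = data.find(marker, off + 1)
    return sorted(hits)


def confidence(path: Path) -> str:
    """Label how much a marker hit in this file type says about the disk."""
    suffix = path.suffix.lower()
    # A crash dump is a snapshot of memory, so a marker inside it does not by
    # itself identify a packed file on disk; check the executables instead.
    if suffix == ".dmp":
        return "low (memory dump; verify on-disk executables instead)"
    if suffix in (".exe", ".dll", ".ocx", ".sys"):
        return "high (packed executable; verify publisher and hash before trusting)"
    return "medium (marker in a non-executable file)"


def scan_tree(root):
    """Map each file under root that carries a marker to its hits and confidence."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hits = scan_bytes(path.read_bytes())
        if hits:
            results[path.name] = {"hits": hits, "confidence": confidence(path)}
    return results


def build_constructed_sample(root: Path):
    """Write constructed files shaped like the rkfiles findings: a dump holding
    several tags, a packed-looking executable, and a clean file (all made up)."""
    (root / "MEMORY.DMP").write_bytes(
        b"\x00" * 16 + b"UPX!-" + b"\x00" * 8 + b"FSG!-" + b"\x00" * 4)
    (root / "sample_packed.exe").write_bytes(
        b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200 + b"UPX!" + b"\x00" * 10)
    (root / "clean.txt").write_bytes(b"nothing to see here")


def demo():
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["confidence"], info["hits"])
```

The point of the confidence label is the one the rkfiles banner makes in capitals: a hit is a lead, not a verdict. For the MEMORY.DMP lines in the log above, the follow-up is to find which executables on disk carry the tag, not to delete the dump.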