Author Topic: Coolwwwsearch & EffectiveBandToolbar (Read 1688 times)

Ikakun · « **on:** May 06, 2005, 10:00:57 PM »

Hello, could you help me? Ive searched on google and found someone with the same problem but didnt understand quite well the solution. My comp can not create a reestore point as well.
This is the hijack log, i already used spybot search & destroy, he finds the two registries infected but doesnt remove it. hijack doesnt work as find it too, ad aware also useless.
As you should know my desktop is bugged, i have no control of it.
Plz help me if you can
btw, how the hell do I start my comp on safe mode with windows ME?
tks

Logfile of HijackThis v1.97.7
Scan saved at 23:54:18, on 6/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9348B8AB-5206-41E5-B267-C3396D275B90} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB

guestolo · « **Reply #1 on:** May 06, 2005, 11:41:56 PM »

Have you already tried fixes with Hijackthis???
If you have can you open Hijackthis>>Config>>Backups
and restore all backups

Or if you have entries disabled on startup with Msconfig, can you enable all startup entries
Don't restart the computer when prompted

Instead, I need you to do this
Open Hijackthis>>Config>>Open Misc tools
Check for updates Online
Download the latest version of Hijackthis

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Guest · « **Reply #2 on:** May 07, 2005, 08:53:17 AM »

ok done all that, but some backups could not be reestored, dont know why, displyed message that files could not be found
here is the logfile with the latest version

Logfile of HijackThis v1.99.1
Scan saved at 10:54:27, on 7/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SVCHOST.SCR
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128
O2 - BHO: (no name) - {E42775E1-9073-412F-9A04-C7D5115D9A79} - C:\WINDOWS\SYSTEM\LFAP.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\ARQUIVOS DE PROGRAMAS\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\ARQUIVOS DE PROGRAMAS\CXTPLS\CXTPLS.DLL (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL (file missing)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {011933AF-03ED-42D0-B14B-645FD4E0525B} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [WinampAgent] "C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [c4AA86ihR] C:\WINDOWS\SJJEOPJ.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\SHOP1004.EXE run
O4 - HKLM\..\Run: [ot4U36T] JSPCONFG.EXE
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [MOSearch] C:\ARQUIV~1\ARQUIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ZAv8RWfmR] IUC0_QC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKCU\..\RunServices: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\RunServices: [ZAv8RWfmR] IUC0_QC.EXE
O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunServices: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServices: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\RunServices: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {329D10B1-1C70-11D6-B49A-0040C7A63343} (ChatWebX Control) - http://servers.centraldejogos.com.br/chatweb/ChatWeb.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activ...ALStreaming.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (CActiveInstaller Object) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/183c74a4f6b91f...RdxIE601_it.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYes.../bridge-c18.cab
O18 - Filter: text/html - {4B5F3CEC-D20D-4C9B-83B4-F52E041866A8} - C:\WINDOWS\SYSTEM\LFAP.DLL
O18 - Filter: text/plain - {4B5F3CEC-D20D-4C9B-83B4-F52E041866A8} - C:\WINDOWS\SYSTEM\LFAP.DLL

guestolo · « **Reply #3 on:** May 07, 2005, 12:55:33 PM »

Can you do the following please

==Download and save to Desktop
SpSeHjfix109.zip
From that link
Unzip the contents, so you now have SpSeHjfix109.exe on your desktop

Restart your computer into Safe Mode
You can do this by tapping the F8 key as the system is restarting, right after the single post beep
Select safe mode

==Run SpSeHjfix109.exe by clicking the Start Disinfection
It should reboot your computer
If not Reboot anyways back to Normal mode
Back in Windows>>The tool would of created a log, could you copy and paste that log to a location such as MyDocuments, just so we don't overwrite it when we run the tool again

Run
SpSeHjfix109.exe again

Access your Add/Remove programs and remove if found
Security iGuard and ShopAtHome Select
Restart your computer if uninstalled

Afterwards,
Download and save too Desktop
FixAprop.exe
by Symantec's

Run the tool and let it scan your drive and fix what it finds
Restart your computer afterwards

Back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process
If you can't run Ad-Aware in Normal mode, can you restart into safe mode and run it
after you have checked for updates

Back in Windows

Run another scan with Hijackthis and post a fresh log
Could you also post the logs from
SpSeHjfix109.exe

We'll still have some work to do, but that should be a good start

Ikakun · « **Reply #4 on:** May 07, 2005, 05:03:54 PM »

ok a few problems
as I said my comp doesnt start on safe mode, f8 does nothing I know it sounds weird but it doesnt work (win ME)

second, i ran SpSeHjfix109.exe two times, rebooted the two times, here is the log of the last one:
(5/7/05 18:53:05) SPSeHjFix started v1.09
(5/7/05 18:53:05) OS: WinME (4.90.73010104)
(5/7/05 18:53:05) Language: português
(5/7/05 18:53:37) Disinfect started
(5/7/05 18:53:37) Bad-Dll(IEP): (not found)
(5/7/05 18:53:37) Bad-Dll(IEP) in BHO: (not found)
(5/7/05 18:53:37) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\LFAP.DLL
(5/7/05 18:53:37) Searchassistant Uninstaller - Keys Deleted
(5/7/05 18:53:37) UBF: 6
(5/7/05 18:53:37) UBB: 6
(5/7/05 18:53:37) FilterKey: HKCR\text/html (deleted)
(5/7/05 18:53:37) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/7/05 18:53:37) FilterKey: HKCR\CLSID\{E859D392-B9BD-4757-A654-D987C90D6FE7} (deleted)
(5/7/05 18:53:37) FilterKey: HKCR\text/plain (deleted)
(5/7/05 18:53:37) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/7/05 18:53:37) FilterKey: HKCR\CLSID\{E859D392-B9BD-4757-A654-D987C90D6FE7} (error while deleting)
(5/7/05 18:53:37) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70A37112-0FF7-40FF-8B4A-90BA3E373ED9} (deleted)
(5/7/05 18:53:37) BHO-Key: HKCR\CLSID\{70A37112-0FF7-40FF-8B4A-90BA3E373ED9} (deleted)
(5/7/05 18:53:37) UBR: 32
(5/7/05 18:53:37) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(5/7/05 18:53:37) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/7/05 18:53:37) Stealth-String not found:
(5/7/05 18:53:37) File added to delete: c:\windows\system\lfap.dll
(5/7/05 18:53:37) File added to delete: c:\windows\system\lfap.dll
(5/7/05 18:53:37) File added to delete: c:\windows\temp\se.dll
(5/7/05 18:53:37) Reboot
(5/7/05 18:54:26) SPSeHjFix 2nd Step
(5/7/05 18:54:26) RunServicesOnce-Key: (edited)
(5/7/05 18:54:31) Cleaned

thought i couldnt use on safe mode, i left only Explorer oppened, closing on the manager (ctrl alt del)

now im running FixAprop.exe and will continue
on add/remove programs, i didnt find the ShopAtHome, but is almost sure I have it here
the iguard security i could remove
for now just these probs, no safe mode and no ShopAtHome found

guestolo · « **Reply #5 on:** May 07, 2005, 05:44:54 PM »

Just for future reference
This is another way to start in SAFE MODE
We may still have to do that, the tool is better run that way

Ikakun · « **Reply #6 on:** May 07, 2005, 08:16:42 PM »

ok tks a lot for that one, ran again the spsehijfix on safe mode and i made to remove shopathome
i also ran ad aware se, found aroun 300 infected objects, removed and quarinted most of them or them all
also ran the fixaprop and found some entries and fixed it too

here is the new log for hijack
Logfile of HijackThis v1.99.1
Scan saved at 22:15:55, on 7/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\ARQUIVOS DE PROGRAMAS\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SVCHOST.SCR
C:\WINDOWS\SYSTEM\SVCHOST.SCR
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\IUC0_QC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (disabled by BHODemon)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {C91703D2-FAFB-41B8-821A-7FFC70203755} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [WinampAgent] "C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [c4AA86ihR] C:\WINDOWS\SJJEOPJ.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [Security iGuard] C:\ARQUIVOS DE PROGRAMAS\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [KAVPersonal50] C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [projselector] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [MOSearch] C:\ARQUIV~1\ARQUIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [kavsvc] C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ZAv8RWfmR] IUC0_QC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {329D10B1-1C70-11D6-B49A-0040C7A63343} (ChatWebX Control) - http://servers.centraldejogos.com.br/chatweb/ChatWeb.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activ...ALStreaming.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (CActiveInstaller Object) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/183c74a4f6b91f...RdxIE601_it.cab
O18 - Filter: text/html - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL
O18 - Filter: text/plain - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL

but i guess the main problem is still not solved, I still have no control over my desktop and the pop ups and home of my IE.

guestolo · « **Reply #7 on:** May 08, 2005, 04:30:50 PM »

Still some work to do
Can you do the following please
have your computer set up to be ready to start into safe mode, but don't restart yet

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido

Print the rest of this out or save too a notepad file for reference

Set Windows to show hidden files
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128

O2 - BHO: (no name) - {C91703D2-FAFB-41B8-821A-7FFC70203755} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe

O4 - HKLM\..\Run: [c4AA86ihR] C:\WINDOWS\SJJEOPJ.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [Security iGuard] C:\ARQUIVOS DE PROGRAMAS\SECURITY IGUARD\SECURITY IGUARD.EXE

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKLM\..\RunServices: [MOSearch] C:\ARQUIV~1\ARQUIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKCU\..\Run: [ZAv8RWfmR] IUC0_QC.EXE

O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/183c74a4f6b91f...RdxIE601_it.cab
O18 - Filter: text/html - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL
O18 - Filter: text/plain - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer into safe mode

Find and delete these files or folders if found
C:\WINDOWS\SYSTEM\SVCHOST.SCR <-file
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\SYSTEM\IUC0_QC.EXE
C:\WP.EXE
C:\wp.bmp
C:\bsw.exe
C:\bsw.bmp
C:\Windows\System\wldr.dll

In Safe mode
==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Run SpSeHjfix109.exe again in SAFE MODE
Let it restart your computer or restart anyways

Back in Windows
Post back a fresh Hijackthis log and the Report from Ewidos
Also post the lates log from SpSeHjfix109

Ikakun · « **Reply #8 on:** May 08, 2005, 06:07:17 PM »

this program is only for windows 2k and XP, mine is ME..

guestolo · « **Reply #9 on:** May 08, 2005, 06:28:21 PM »

Can you carry on with the rest of the instructions
Sorry about that

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />

TheTechGuide Forum

News:

Author Topic: Coolwwwsearch & EffectiveBandToolbar (Read 1688 times)

Ikakun

Coolwwwsearch & EffectiveBandToolbar

guestolo

Coolwwwsearch & EffectiveBandToolbar

Guest

Coolwwwsearch & EffectiveBandToolbar

guestolo

Coolwwwsearch & EffectiveBandToolbar

Ikakun

Coolwwwsearch & EffectiveBandToolbar

guestolo

Coolwwwsearch & EffectiveBandToolbar

Ikakun

Coolwwwsearch & EffectiveBandToolbar

guestolo

Coolwwwsearch & EffectiveBandToolbar

Ikakun

Coolwwwsearch & EffectiveBandToolbar

guestolo

Coolwwwsearch & EffectiveBandToolbar