Author Topic: Another Victim of clicksearchclick (Read 3138 times)

Victim999 · « **on:** June 10, 2005, 06:36:38 PM »

My XP Home system has been hijacked by Clicksearchclick. Problems started with spysheriff / clicksearchclick involuntary install. Couldn't make a HJT log; got this error:

"HJT has encountered a problem & needs to close. We are sorry for the inconvenience. If your were in the middle of something, the information your were working on may be lost."

This error looks suspiciously unfamiliar and started getting it frequently after the clicksearchclick problems started. In any case, I studied a recommend approach by Questolo #3825 and used a combination of Hijackthis and Killbox and was able to remove some of the offending .exe’s but upon restart a few continued to re-appear.

I was able to make a HJT log in safe mode only:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:11 AM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\temp\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\winadvt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
O4 - HKLM\..\Run: [nzalhf] c:\windows\system32\karubkg.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

guestolo · « **Reply #1 on:** June 12, 2005, 12:35:14 PM »

you have a couple nasty infections....
And your way behind on windows updates, your system is open for reinfection
Is this a legit version of Windows, it's possible by the looks of your log it isn't

Let's try the following
Symantec's has a write up on one of your infections
But Miekiemos(A hard working Spyware Fighter from another forum) has made a batch file to help combat one of the infections in your log
Download and Save FixO.exe
from this link
http://users.pandora.be/bluepatchy/FixO.exe

Double click on FixO.exe and choose a folder to extract to by using the browse button
and then click the INSTALL button

EDIT>>Open Hijackthis>Open misc tools section>>Open Process manager
Left click to highlight then kill these processes if you can
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE

Navigate to the folder you extracted called FixO
Open the folder and double click on
FixO.bat

Let it run, which won't take long>>follow the prompt to select any key to continue
It will produce a log >>Save this log to a convienent location
I'll want to see it

Restart back to Normal mode

Run another scan with Hijackthis and post a fresh log
Post the log from FixO.bat also

Could you also
Download and UNZIP to a folder or desktop
Search.zip, so you now have Search.bat extracted
Double click on Search.bat and a notepad file will open
Could you post the whole contents of this text file too

NOTE: I need you too redownload hijackthis from my signature below and save it too a permanent folder, don't save it to your temp folder
Then run it from the new location

Victim999 · « **Reply #2 on:** June 12, 2005, 01:44:34 PM »

Thanks for the help.
The OS is a legit version. I upgraded from 98 a long time ago.

I was unable to kill these processes:
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE

I tried using Killbox and got the same spyware error message. I proceeded as you said "..if you can".
I later learned that running HJT from the HJT folder rather then the temp folder allowed me to get to the hijackthis process manager.

Here's the first result of fix0.bat:

running from ---
C:\temp\fixO\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------
SMSSU.EXE present
Tmntsrv32.EXE present
explorer32dbg.exe present
iexplore_dbg.exe present
xmllib.dll present
XMLLIBUI.exe present
winadvt.dll present
C:\WINDOWS\hosts present
xmllibw.dll present

existing important bad keys:
-----------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\explorer32dbg.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\iexplore_dbg.exe"

Merging Registry----------

Deleting Files-------------

Searching for files not deleted:
-----------------------------------------------------

Searching for keys not deleted:
-----------------------------------------------------

Here's the subsequent Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:36 PM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
C:\windows\system32\iupdate.exe
c:\windows\system32\xtlmmb.exe
C:\WINDOWS\explorer.exe
C:\temp\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [hbgziyg] c:\windows\system32\xtlmmb.exe r
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

...and another fix0.bat log:

running from ---
C:\temp\fixO\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------

existing important bad keys:
-----------------------------------------------------

Merging Registry----------

Deleting Files-------------

Searching for files not deleted:
-----------------------------------------------------

Searching for keys not deleted:
-----------------------------------------------------

... and here's the result of Search.bat:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WindowsUpdate"="C:\\WINDOWS\\System\\svchost.exe /s"
"Service Host"="C:\\WINDOWS\\System32\\Services\\{913AA2B7-9C7C-4200-9964-F019B42DC291}\\SVCHOST.EXE"
"PSGuard"="C:\\Program Files\\PSGuard\\PSGuard.exe"
"Disk Keeper"="C:\\WINDOWS\\System32\\Services\\{BA24EAB8-C35A-4384-AD19-D544845F4255}\\SECURITY.EXE"
"hbgziyg"="c:\\windows\\system32\\xtlmmb.exe r"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"UsbD"="c:\\windows\\system32\\iupdate.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"Wallpaper"="c:\\wp.bmp"
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

I hope this was done properly. Please advise.

guestolo · « **Reply #3 on:** June 12, 2005, 02:03:18 PM »

You must refrain from unzipping programs to your temp folder
I'll wait till later to see your logs until you run them from a different location

Again do the following
Here's is where you are running FixO.bat from
C:\temp\fixO\FixO
I want you to redownload it and install it too a permanent folder
Somewhere other than your temp folders
and then rerun it and post another log

Also you posted a hijackthis log from this location
C:\temp\hijackthis.exe

Please also redownload it and save it too a permanent folder and repost a fresh log
I have a link to it from my signature below

Guest_victim999_* · « **Reply #4 on:** June 12, 2005, 02:47:09 PM »

Fix0.bat, hijackthis.exe, and search.bat were all executed from C:\Fix0, C:\HJT, and C:\Search respectively.

First Fix0:

running from ---
C:\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------

existing important bad keys:
-----------------------------------------------------

Merging Registry----------

Deleting Files-------------

Searching for files not deleted:
-----------------------------------------------------

Searching for keys not deleted:
-----------------------------------------------------

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:26 PM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
C:\windows\system32\iupdate.exe
c:\windows\system32\xtlmmb.exe
C:\WINDOWS\explorer.exe
C:\temp\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [hbgziyg] c:\windows\system32\xtlmmb.exe r
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

2nd Fix0:

running from ---
C:\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------

existing important bad keys:
-----------------------------------------------------

Merging Registry----------

Deleting Files-------------

Searching for files not deleted:
-----------------------------------------------------

Searching for keys not deleted:
-----------------------------------------------------

When executing Search.bat a process window remained open and had this in it:
Cannot access C:\cp.reg

Search.bat results:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WindowsUpdate"="C:\\WINDOWS\\System\\svchost.exe /s"
"Service Host"="C:\\WINDOWS\\System32\\Services\\{913AA2B7-9C7C-4200-9964-F019B42DC291}\\SVCHOST.EXE"
"PSGuard"="C:\\Program Files\\PSGuard\\PSGuard.exe"
"Disk Keeper"="C:\\WINDOWS\\System32\\Services\\{BA24EAB8-C35A-4384-AD19-D544845F4255}\\SECURITY.EXE"
"hbgziyg"="c:\\windows\\system32\\xtlmmb.exe r"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"UsbD"="c:\\windows\\system32\\iupdate.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"Wallpaper"="c:\\wp.bmp"
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Thanks.

guestolo · « **Reply #5 on:** June 12, 2005, 02:54:00 PM »

Stepping out for awhile
I'll check back later

I guess I don't have to ask you what I want you to do

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
I don't need to see the entry from search.bat again nor the log from fix0.bat
as you now have ran it from a permanent folder

But take a look at where your running hijackthis from
C:\temp\hijackthis.exe

Why don't you delete all version of Hijackthis you believe you have already downloaded
Redownloaded from my signature below, and saved elsewhere than your temp folder
We'll try fixing the rest of this afterwards

Please post a fresh hijackthis log once you have it saved too a folder
EXCLUDING your temp folder

Victim999 · « **Reply #6 on:** June 12, 2005, 03:44:46 PM »

I didn't notice that it was a shortcut in C:\HJT to the executable in the temp folder. I am not using the infected computer as I does not work when connected to the internet, so I'm moving files to and from another computer so I can communicate with you. Even so, sorry I wasted your time - that was no excues.

Here's the log from C:/HJT where the executable now lives:

Logfile of HijackThis v1.99.1
Scan saved at 4:43:30 PM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
C:\windows\system32\iupdate.exe
c:\windows\system32\xtlmmb.exe
C:\WINDOWS\explorer.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [hbgziyg] c:\windows\system32\xtlmmb.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

guestolo · « **Reply #7 on:** June 12, 2005, 05:11:38 PM »

You have a bit of work ahead of you
So make sure you follow all instructions carefully

Since your transferring from one computer to another

First do the following

==Download the Nail/Aurora Spyware Fix from NoIdea.US
Unzip it to a folder of the infected computer but Don't run it yet
And do NOT unzip it to your Temp directory

==Download and UNZIP to the desktop or a folder
DelDomains.zip
So you now have Deldomains.inf extracted
We'll need this later

Download and UNZIP Fixdesktop.zip to a folder
So you have Fixdesktop.reg extracted to a folder
[attachment=261:attachment]
We'll need this later

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
Since you have no Internet access with the infected computer
Also go to this link
http://www.ewido.net/en/download/updates/
Download the FULL DATABASE
Transfer to the other computer
Don't install this until you have Ewido installed on the machine
Install Ewido to it's default location

====Download the Killbox by Option^Explicit. [color=\"red\"]*In the event you already have Killbox, this is a new version that I need you to download[/color].
* Save it to your desktop or a folder

Please Save these instructions below to a Notepad file and save it to the infected computers desktop or a folder

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard
Exit Add/Remove Programs.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the instructions and copy the file paths below to the clipboard by highlighting ALL of them and pressing
CTRL + C

[color=\"purple\"]Killbox file paths to copy to clipboard between dotted lines[/color]
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\perfcii.ini
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
c:\windows\system32\xtlmmb.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System\svchost.exe
C:\windows\system32\iupdate.exe
===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Don't worry about any file not found messages

If your computer does not restart automatically, please restart it manually.

[color=\"red\"]While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.[/color]

*Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete these folders if found
Don't do a search for them, manually look for them

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Program Files\PSGuard
C:\Windows\System32\Log Files
C:\WINDOWS\System32\Services

==Double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what appears

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.EXE
O4 - HKLM\..\Run: [hbgziyg] c:\windows\system32\xtlmmb.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

O21 - SSODL: System - {82CA83E8-568F-4F64-B983-5FFA35C50032} - vr_sys.dll (file missing)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Don't open a Browser yet
Instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Double click on Fixdesktop.reg and allow to add or merge to the registry

Restart your computer one more time

Back in Normal mode

Download and Unzip The Hoster to a folder
Open Hoster and
Press "Restore Original Hosts" and press "OK".
Then Exit

If you can connect to the internet
Please run an online virus scan at Panda's
There is a link to it in my signature below
Save the report when it's done and post it back here

Run another scan with Hijackthis and post a fresh log
along with the report from Ewidos
Could you then run Search.bat again and post the log from it too

One last request
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Name the file as Export.bat

Code: [Select]

dir C:\WINDOWS\Resources\Themes\Luna /a h > files.txt
notepad files.txt

Save this file on the desktop
Double click on Export.bat
A text file will open, copy and paste that back here too

Victim999 · « **Reply #8 on:** June 12, 2005, 07:26:09 PM »

I'm working through the instructions and found that I do not have !>>START>>programs>>Cleanup!. Should I skip that step and proceed, or stop?

guestolo · « **Reply #9 on:** June 12, 2005, 07:51:10 PM »

I forgot to link you to it

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />
Can you for now just do a disk cleanup
START>>RUN>>type in cleanmgr
Hit OK

At the step where I ask you to do the following

Quote

Don't open a Browser yet
Instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

Can you do it as this
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Victim999 · « **Reply #10 on:** June 13, 2005, 04:55:30 AM »

I went ahead with your instructions. I did not do your most recent instruction as I did not want to break anything already completed.

Ewido got to 87% and crashed (softly), so there is no file to report.

Here is Panda's report:

Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/Startpage.ME No disinfected C:\Documents and Settings\Jeanne\Desktop\m00.exe
Adware:Adware/Transponder No disinfected C:\DOCUME~1\Jeanne\LOCALS~1\Temp\DrTemp
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
Adware:Adware/IGuard No disinfected Windows Registry
Virus:Trj/Downloader.BWL Disinfected Operating system
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/Nowfind No disinfected C:\WINDOWS\System32\hst32.dll
Virus:Trj/Small.LV Disinfected Operating system
Adware:Adware/Novo No disinfected Windows Registry
Virus:Bck/Agent.VS Disinfected C:\WINDOWS\SYSTEM\svchosthook.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:Adware/Nowfind No disinfected C:\WINDOWS\SYSTEM32\wcnl32.dll
Adware:Adware/Nowfind No disinfected C:\WINDOWS\SYSTEM32\hst32.dll
Adware:Adware/Craft No disinfected C:\WINDOWS\SYSTEM32\trf32.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/Transponder No disinfected C:\WINDOWS\hgjjtbx.exe
Adware:Adware/Novo No disinfected C:\WINDOWS\inscdm\quhgaqmwel.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Virus:Bck/Agent.VS Disinfected C:\Documents and Settings\Jeanne\Local Settings\Temp\vx2.game
Adware:Adware/Craft No disinfected C:\Documents and Settings\Jeanne\Local Settings\Temp\allstar.exe
Virus:Trj/Hooker.G Disinfected C:\Documents and Settings\Jeanne\Local Settings\Temp\go.exe
Adware:Adware/XmlLib No disinfected C:\Documents and Settings\Jeanne\Desktop\m00.exe
Virus:Trj/MadCow.A Disinfected C:\Documents and Settings\Jeanne\Desktop\Desktop Stuff\Unused Desktop Shortcuts\MadCow.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-349b4d9e.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-622a8cad.zip[Beyond.class]
Adware:Adware/WinTools No disinfected C:\Recycled\Dc72\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc72\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc72\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc72\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc73\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc73\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc73\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc73\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc74\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc74\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc74\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc74\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc75\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc75\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc75\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc75\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc76\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc76\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc76\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc76\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc76\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc77\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc77\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc77\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc77\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc77\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc78\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc78\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc78\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc80\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc80\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc80\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc80\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc81\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc81\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc81\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc82\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc82\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc82\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc83\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc83\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc83\SECURITY.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc84\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc84\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc84\SECURITY.EXE
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc85.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc86.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc87.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.EXE
Adware:Adware/WinTools No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc96\{BA24EAB8-C35A-4384-AD19-D544845F4255}\SECURITY.DLL
Adware:Adware/WinTools No disinfected C:\Recycled\Dc96\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST.DLL
Adware:Adware/Startpage.XY No disinfected C:\Recycled\Dc96\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SVCHOST32.DLL
Adware:Adware/CWS.Yexe No disinfected C:\Recycled\Dc96\{913AA2B7-9C7C-4200-9964-F019B42DC291}\SECURITY.EXE
Virus:W32/Bagle.CA.worm Disinfected Personal Folders\Inbox\8.zip[1.exe]
Virus:JS/Kak.Worm Disinfected Personal Folders\eBay\TOMIS Review\MSG_HTML.TXT
Virus:JS/Kak.Worm Disinfected Personal Folders\HS\TOMIS Website\MSG_HTML.TXT
Here's hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:37:59 AM, on 6/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Here is Search.bat's results:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win Server Updt"="C:\\WINDOWS\\wupdt.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="1"
"DllName"=hex(2):25,00,00,00,53,00,00,00,79,00,00,00,73,00,00,00,74,00,00,00,\
65,00,00,00,6d,00,00,00,52,00,00,00,6f,00,00,00,6f,00,00,00,74,00,00,00,25,\
00,00,00,5c,00,00,00,72,00,00,00,65,00,00,00,73,00,00,00,6f,00,00,00,75,00,\
00,00,72,00,00,00,63,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,54,00,00,\
00,68,00,00,00,65,00,00,00,6d,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,\
6c,00,00,00,75,00,00,00,6e,00,00,00,61,00,00,00,5c,00,00,00,6c,00,00,00,75,\
00,00,00,6e,00,00,00,61,00,00,00,2e,00,00,00,6d,00,00,00,73,00,00,00,73,00,\
00,00,74,00,00,00,79,00,00,00,6c,00,00,00,65,00,00,00,73,00,00,00,00,00,00,\
00

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Here is result from Export.bat:

Volume in drive C has no label.
Volume Serial Number is 07CF-0813

Directory of C:\WINDOWS\Resources\Themes\Luna

03/07/2002 06:28 PM <DIR> .
03/07/2002 06:28 PM <DIR> ..
03/07/2002 06:28 PM <DIR> Shell
08/23/2001 12:00 PM 4,186,256 luna.msstyles
1 File(s) 4,186,256 bytes

Directory of C:\Documents and Settings\Jeanne\Desktop

I will be away from my office until Tuesday afternoon, 6/15/05, but can continue upon my return.

guestolo · « **Reply #11 on:** June 14, 2005, 01:04:53 AM »

Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, well need this later, don't run it yet

Code: [Select]

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win Server Updt"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Alternate Download link
We'll need this later

==Check for Updates with Ewido, let's try running another scan in safe mode later

==Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Copy the file paths below to the clipboard by highlighting ALL of them and pressing
CTRL + C

[color=\"purple\"]Killbox file paths to copy to clipboard between dotted lines[/color]
===========================================
C:\WINDOWS\gator*.log
C:\Documents and Settings\Jeanne\Desktop\m00.exe
C:\DOCUME~1\Jeanne\LOCALS~1\Temp\DrTemp
C:\windows\desktop.html
C:\windows\Web\desktop.html
C:\windows\hook.dll
C:\WINDOWS\System32\vx.tll
C:\WINDOWS\System32\hst32.dll
C:\WINDOWS\SYSTEM32\wcnl32.dll
C:\WINDOWS\SYSTEM32\trf32.dll
C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\WINDOWS\System32\nthst32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
C:\WINDOWS\GatorPatch.log
C:\WINDOWS\hgjjtbx.exe
C:\WINDOWS\inscdm\quhgaqmwel.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\Documents and Settings\Jeanne\Local Settings\Temp\allstar.exe
C:\WINDOWS\wupdt.exe
===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Don't worry about any file not found messages

If your computer does not restart automatically, please restart it manually.

[color=\"red\"]While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.[/color]

In safe mode
Find and delete this folder
C:\Program Files\SurfSideKick 3 <-folder

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done.

Double click on fix.reg and allow to merge to the registry

Again, open Ewido and try running a complete full scan
Saving the log afterwards

Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, fix what you see

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Download and Install the free version of Ad-Aware SE Personal 1.06
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows

Are you comfortable in the registry
Can you check your settings from this link from Sophos please, one infection seems to be related too Troj/Bdoor-IK
http://www.sophos.com/virusinfo/analyses/trojbdoorik.html

Run another scan with Hijackthis and post a fresh log
Also post the report from Ewidos please
Are you having problems with your Anti-Virus and Firewall?

Victim999 · « **Reply #12 on:** June 15, 2005, 09:32:18 AM »

All the steps were performed with apparent success, with the following exceptions:

I reinstalled ewido and its database. It failed again, about at the same percent complete (approx 87.6). I saved the location of the dump file if anyone wants to see it.

I am comfortable in the registry.

I went to the sopho link and didn’t know exactly what to do there so I checked out the status of my Virus (McAfee) software. The last system scan was 3/31/05, however, the last update to its virus database was almost 2 years old so I updated and scanned the entire computer and found/quarantined/deleted about 200 files. All seemed to be in a directory ‘-restore’.

I have a hardware firewall.

Here’s the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:14 AM, on 6/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

guestolo · « **Reply #13 on:** June 15, 2005, 08:13:29 PM »

Quote

All seemed to be in a directory ‘-restore’

That's your System Restore folder, we'll deal with those later after your clean
There safe as long as you don't do a system restore before we're done cleaning

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Can I have you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Double click on fix.reg and allow to add or Merge to the registry

Not sure why Ewido's won't finish, but we may as well uninstall it
Can you do this now and restart your computer afterwards

Back in Windows, I would still like you to run a different trojan scanner

Can you do the following please
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and Restart your computer when and if prompted
Don't run a scan yet

When your back in Windows it's important to update the latest RADIUS database

IMPORTANT>>>

Follow this link on how to update it>> follow the instructions carefully
http://tds.diamondcs.com.au/index.php?page=update
Use the Manual update procedure
Again, don't run a scan yet

Reboot back to Safe mode
Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Give this time to finish
Detections will appear in the lower pane of tds window after the scan is finished Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

After you have removed the ones with postitive Identification

Can you do the following please
Go to START>>RUN>>Type in msconfig
Hit OK
Under the General tab Select NORMAL STARTUP
Apply it and then
Restart back to Normal mode

After you have done the above
Post back the scandump.txt from TDS-3 file and a new Hijackthis log
Let me know how everything is running

You still must visit Windows Updates and install Latest Critical updates and Service Packs
Your system is wide open for reinfection without them

Victim999 · « **Reply #14 on:** June 17, 2005, 04:27:50 PM »

All steps were performed as instructed. Created scandump.txt and Hijackthis log. Both are included below. Then I installed SP2, etc.

In regards to system performance…
The system is now FAST and QUIET; has no evidence of any interference. The only exception is when McShield.exe is hogging resources.

This is the case during startup (it takes what seems like three to five minutes for the disk I/O to cease) and when using IE (same disk I/O activity). The interference is so extreme sometimes that the system is not useful for any meaningful work. It seems that the virus software is as troublesome as the viruses and Trojans themselves.

Is there virus software that is less demanding of system resources then McAfee’s? (I know what your thinking: "a week ago I would have given anything just to get the browser to go somewhere other then to searchclicksearch, and now I'm whining about a little performance sacrifice for the sake of security".

scndump.txt:

Scan Control Dumped @ 08:41:27 16-06-05
Suspicious Filename: Dual extensions
File: c:\eicar.com.doc

Suspicious Filename: Dual extensions
File: c:\sandy's docs\ford\hr\hrbo rfq course goals (4.15.04).doc

Suspicious Filename: Dual extensions
File: c:\sandy's docs\ford\hr\hrbo rfq course goals (4.14.04).doc

Suspicious Filename: Dual extensions
File: c:\jns docs\ex.hostagree.01.dls.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\trading\schwab.222.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\lms\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: c:\jns docs\lms\termsofservice.01.dls.doc

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1067\a0074845.exe

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1067\a0074867.exe

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1067\a0074914.exe

Positive identification: Adware.BargainBuddy.y Dropper
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1068\a0075114.exe

Positive identification (DLL): Adware.ToolBar.ToolBand.a (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1068\a0075150.dll

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1068\a0075151.exe

Positive identification: Trojan.Win32.StartPage.xp
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075193.exe

Positive identification (DLL): Adware.ToolBar.ToolBand.a (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075194.dll

Positive identification: TrojanDropper.Win32.Small.wv2
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075279.exe

Positive identification: Adware.Sahat.f1
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075296.exe

Positive identification (DLL): Adware.Sahat.ad (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075297.dll

Positive identification (DLL): Trojan.Win32.StartPage.xs (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075303.dll

Positive identification: Adware.PurityScan.ca
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075306.exe

Positive identification: TrojanDropper.Win32.Small.wd
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075308.exe

Positive identification: TrojanDownloader.Win32.Adload.a1
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075313.exe

Positive identification (embedded in file): Adware.SmartPops.d (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075321.exe

Positive identification (DLL): Adware.SurfSide.k (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075325.dll

Positive identification (DLL): Adware.SmartPops.d (dll)
File: c:\system volume information\_restore{2ef95418-159c-4ef4-8d62-f4e507cdddda}\rp1069\a0075389.dll

Suspicious Filename: Dual extensions
File: f:\jn docs\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: f:\jn docs\ex.hostagree.01.dls.doc

Suspicious Filename: Dual extensions
File: f:\jn docs\lmsagmts\hostingagree.01.dls.doc

Suspicious Filename: Dual extensions
File: f:\jn docs\lmsagmts\termsofservice.01.dls.doc

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:45 AM, on 6/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://mail.tommisonline.com/crystalreport...rintControl.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Regards,

guestolo · « **Reply #15 on:** June 18, 2005, 11:58:07 PM »

Everything looks good in your log

If everything is running better
Go back and hide Hidden Files and folders

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well
I'll have to trust you installed SP2

About McAfee's
I haven't used McAfee's in many years
I do however, use a couple free programs
You can find In This Link

Remember, don't run more than one AV at one time
I would totally uninstall McAfee's before you install another AV
But make sure you download the installer first to desktop before you uninstall McAfee's

Personally, I go with AVG or Avast
You decide
I have AVG on this computer and Avast on another
If you go with Avast, it comes with 6 built in scanners
All of which you may not need running

Victim999 · « **Reply #16 on:** June 22, 2005, 05:23:23 PM »

Did as you suggested. I choose Avast. System seems much less distracted when starting-up, using email. and IE. Made a donation. Thanks for the help.

guestolo · « **Reply #17 on:** June 22, 2005, 10:09:39 PM »

Thanx for the donation Victim 999
I'm going to lock this topic
If you need it reopened
Please PM a Mod or the site admin and supply a link to this thread

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: Another Victim of clicksearchclick (Read 3138 times)

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Guest_victim999_*

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick

Victim999

Another Victim of clicksearchclick

guestolo

Another Victim of clicksearchclick