Author Topic: clicksearchclick.com invasion!!!! (Read 2543 times)

griffinsgirl13 · « **on:** August 11, 2005, 03:20:05 PM »

Hello,
I am new to these boards and a newbie to computer virus problems and how to fix them. My computer has been invaded with this clicksearchclick.com link. It takes over my homepage nd won't allow me to download important things, it takes me to a link that searches for the word I clicked on. Please help!!! I have posted a hijack log as per other threads concerning this matter......any help is appreciated.

Thank you

Logfile of HijackThis v1.99.1
Scan saved at 12:50:43 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Services\{BE5D499D-8397-4997-B886-8E4C56FF5A12}\SVCHOST.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\My Documents\download\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dynajm.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dynajm.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rampagegaming.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{BE5D499D-8397-4997-B886-8E4C56FF5A12}\SVCHOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BE5D499D-8397-4997-B886-8E4C56FF5A12}\SECURITY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E055C159-AAEA-4D16-8CB2-52A67DB035FD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E055C159-AAEA-4D16-8CB2-52A67DB035FD} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123780325859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

guestolo · « **Reply #1 on:** August 11, 2005, 11:14:56 PM »

Welcome griffinsgirl13
Can you download the following tools please

==Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

==Download and save to your desktop
WinsockXPFix.exe
It's important you don't run this from a floppy or cd
Keep it on your desktop
We may not need it but we have it just in case

==Download and Install Ad-Aware SE Personal 1.06
Ensure you have the latest version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When installing ad-aware may update, allow it but Don't run a scan yet

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Give it time to load
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dynajm.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dynajm.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{BE5D499D-8397-4997-B886-8E4C56FF5A12}\SVCHOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{BE5D499D-8397-4997-B886-8E4C56FF5A12}\SECURITY.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {E055C159-AAEA-4D16-8CB2-52A67DB035FD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E055C159-AAEA-4D16-8CB2-52A67DB035FD} - (no file) (HKCU)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process
Please restart your machine back into Safe mode

Back in Safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
This could take some time as it will scan your drive
Once the Scan is Complete
1. Reboot back to Normal mode
2. Go to the WinPFind folder
3. Locate WinPFind.txt in the WinPfind folder

Post the results of the WindPFind.txt

Run another scan with Hijackthis and post a fresh log and please post the report from Ewidos

NOTE: If you do happen to lose your Internet connection after performing the above fixes, simply open WinsockXPFix.exe and run the FIX with all other windows closed
Follow the prompts and restart your computer afterwards

griffinsgirl13 · « **Reply #2 on:** August 12, 2005, 03:04:48 PM »

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' /> You are awesome!!!!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' /> Thank you for your reply......here are the follow ups you requested.

The WinPFind.txt

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 5/25/2005 2:35:58 PM 15007983 C:\WINDOWS\LPT$VPN.641
qoologic 5/25/2005 2:35:58 PM 15007983 C:\WINDOWS\LPT$VPN.641
SAHAgent 5/25/2005 2:35:58 PM 15007983 C:\WINDOWS\LPT$VPN.641
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
PECompact2 5/25/2005 2:35:58 PM 15007983 C:\WINDOWS\VPTNFILE.641
qoologic 5/25/2005 2:35:58 PM 15007983 C:\WINDOWS\VPTNFILE.641
SAHAgent 5/25/2005 2:35:58 PM 15007983 C:\WINDOWS\VPTNFILE.641
UPX! 5/25/2005 2:35:58 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 5/25/2005 2:35:58 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 3/31/2003 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 3/31/2003 6:00:00 AM 133120 C:\WINDOWS\SYSTEM32\mmutodbc.exe
Umonitor 3/31/2003 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 8/12/2005 11:42:38 AM 47616 C:\WINDOWS\SYSTEM32\__delete_on_reboot__flsmngr.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/12/2005 1:51:32 PM 2048 C:\WINDOWS\bootstat.dat
H 8/10/2005 10:11:10 AM 54156 C:\WINDOWS\QTFont.qfn
H 8/12/2005 1:51:26 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/12/2005 1:51:44 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/12/2005 1:51:34 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/12/2005 1:52:46 PM 65536 C:\WINDOWS\system32\config\software.LOG
H 8/12/2005 1:51:34 PM 733184 C:\WINDOWS\system32\config\system.LOG
SH 8/8/2005 5:36:16 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5bf9f523-14fb-4ffd-9fc6-52af25d516d1
SH 8/8/2005 5:36:16 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/12/2005 1:50:50 PM 6 C:\WINDOWS\Tasks\SA.DAT
SH 8/9/2005 10:50:42 AM 6656 C:\WINDOWS\Web\printers\images\Thumbs.db
SH 8/9/2005 10:48:28 AM 77312 C:\WINDOWS\Web\Wallpaper\Thumbs.db

Checking for CPL files...
Microsoft Corporation 3/31/2003 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 8/15/2003 1:37:10 AM 10435072 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 3/31/2003 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2/22/2004 11:44:42 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    = C:\Program Files\WS_FTP Pro\wsftpsi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    = C:\Program Files\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
   Yahoo! Companion BHO = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
   &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx
   {327C2873-E90D-4c37-AA9D-10AC9BABA46C}    = Easy-WebPrint   : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88}    = &Yahoo! Companion   : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
   ButtonText    = Messenger   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
   ButtonText    = Research   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
   Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
   &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion   : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray     {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/12/2005 1:57:32 PM

THE Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 2:03:08 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\My Documents\download\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rampagegaming.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123780325859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Let me know what you think.....

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' />
Sorry for the late reply I don't get to work until 10:00 am mountain standard time.....thank you

griffinsgirl13 · « **Reply #3 on:** August 12, 2005, 03:15:30 PM »

Oh and one more thing, sorry about this, but my desktop has been covered up by a html document. The html document used to read "DANGER - all of your actions are recorded onto this computer, and can be tracked by anyone and seen by......" blah blah blah....
So I found where the file was stored and deleted it and it "recovered itself" so I deleted it again and now it is just a white html document that still covers my desktop. Can this be fixed?

Thanks again....you are great!!!

guestolo · « **Reply #4 on:** August 13, 2005, 08:24:01 PM »

Sorry for the delay,
We're not done yet
I was hoping to see the report from Ewidos also
If you saved it can you please post it, thanks
If you didn't save it can you open Ewido and check for updates
Return to safe mode and run another scan with it with the previous instructions

Save the report
Reboot back to Normal mode

Post the report from Ewidos
Could you also let me know what other folders and files you see in this folder
C:\WINDOWS\System32\Services

Could you also try the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Also, Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as Export.bat

Save this file on the desktop

Code: [Select]

regedit /e Export.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

Double click on Export.bat, a text file will be placed on your desktop called Export.txt
Open it and post the whole contents please

griffinsgirl13 · « **Reply #5 on:** August 14, 2005, 03:30:27 PM »

I apologize.....here is the ewido report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         1:08:22 PM, 8/12/2005
+ Report-Checksum:      7DBFAA46

+ Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
   [444] C:\WINDOWS\System32\flsmngr.dll -> Spyware.Searcher : Cleaned with backup
   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
   C:\WINDOWS\sys1522.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys1523.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys2140.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys2141.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys2142.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys410.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys49.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5130.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5131.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5132.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5617.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5619.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5620.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5811.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5814.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\sys5815.exe -> Trojan.Crypt.c : Cleaned with backup
   C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os : Cleaned with backup
   C:\WINDOWS\system32\cssrs.exe -> TrojanSpy.PdPinch : Cleaned with backup
   C:\WINDOWS\system32\dnruvpqi.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\dnvcxaaa.exe -> TrojanDropper.Agent.ii : Cleaned with backup
   C:\WINDOWS\system32\flsmngr.dll -> Spyware.Searcher : Cleaned with backup
   C:\WINDOWS\system32\gpukraaa.exe -> Trojan.LowZones.bm : Cleaned with backup
   C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
   C:\WINDOWS\system32\jkjbaaaa.exe -> TrojanDropper.Small.wv : Cleaned with backup
   C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.i : Cleaned with backup
   C:\WINDOWS\system32\percxaaa.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
   C:\WINDOWS\system32\spoolsrv32.exe -> Spyware.FindSpy : Cleaned with backup
   C:\WINDOWS\system32\srpcsrv32.dll -> TrojanDownloader.Adload.g : Cleaned with backup
   C:\WINDOWS\system32\thun32.dll -> TrojanProxy.Small.bk : Cleaned with backup
   C:\WINDOWS\system32\txfdb32.dll -> TrojanDownloader.Adload.g : Cleaned with backup
   C:\WINDOWS\system32\usrdtea.exe -> TrojanDownloader.Agent.am : Cleaned with backup
   C:\WINDOWS\system32\win32.exe -> Trojan.Crypt.i : Cleaned with backup
   C:\WINDOWS\system32\wldr.dll -> TrojanProxy.Small.bo : Cleaned with backup
   C:\WINDOWS\system32\z.exe -> Trojan.WebSearch.j : Cleaned with backup
   C:\WINDOWS\vr_sys.dll -> TrojanSpy.LdPinch.os : Cleaned with backup
   C:\WINDOWS\xirepbj.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   E:\Apps\Diablo II\Cd Key Changer\showcdkey.zip/showcdkey.exe -> TrojanSpy.Lucyfer : Error during cleaning

::Report End

I manually searched for the C:\WINDOWS\System32\Services folder and came up with nothing there is not a services folder in the System32 folder. I searched via the search option and got these files

services.exe C:\WINDOWS\System32 99KB Application

services.msc C:\WINDOWS\System32 33KB Microsoft Common Console Doc.

services C:\WINDOWS\System32\drivers\etc 7KB File

and here are the contents of the Export.txt file

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

I can see my desktop picture now...
What is next???
Thanks again

guestolo · « **Reply #6 on:** August 14, 2005, 05:26:08 PM »

Good work, there still may be leftovers to take care of

I see you have no Anti-Virus running, if you don't have your own to install
Please follow the below link
http://free.grisoft.com/doc/2/lng/us/tpl/v5

In that link scroll down to the following
AVG Free Edition installation files
File Version
avg70free_338a597.exe <-this link or similiar
Save the installer to desktop
Double click to run
After installation ensure AVG is right up to date but don't run a scan yet

Afterwards
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Reboot back to Safe mode
Find and delete these files if found
C:\WINDOWS\SYSTEM32\mmutodbc.exe
C:\WINDOWS\SYSTEM32\__delete_on_reboot__flsmngr.dll
C:\WINDOWS\RMAgentOutput.dll

Run a Full System Scan with AVG

Reboot back to Normal mode

Manually look for that folder one more time, just as a double check, and let me know it's contents if found
C:\WINDOWS\System32\Services <-folder

In normal mode, run another scan with Hijackthis and post a fresh log
Let me know how everything's on your end

griffinsgirl13 · « **Reply #7 on:** August 16, 2005, 01:04:18 PM »

I found and deleted these two of the three files, the other was not present.

C:\WINDOWS\SYSTEM32\mmutodbc.exe
C:\WINDOWS\SYSTEM32\__delete_on_reboot__flsmngr.dll

Here is a new Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 11:52:25 AM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\66RTDFH7\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rampagegaming.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123780325859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

After I ran the AVG Program it found 1 infected file. Here is that name
Trojan Horse BackDoor Generic.EWC and AVG deleted it.

I still cannot locate the System32\Services folder. Is this a bad thing? Is it something that can be fixed or restored? Is that folder something the computer needs?

Thank you for all your help, it is much appreciated. Let me know what I need to do next.

Thanks

guestolo · « **Reply #8 on:** August 17, 2005, 12:07:46 AM »

Don't worry about not being able to find the Services folder
We can do without it

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
One last request
Open Hijackthis>>Open Misc tools section>>Open "Delete a file on Reboot"
In the File name field, copy and paste the below in bold and then hit OK
C:\WINDOWS\RMAgentOutput.dll

Don't allow the computer to restart yet

Instead
If everything is running better, please do the following
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"

Now would be a good time to update to Service Pack 2
This is important in keeping your system secure also
Please see these links
http://www.microsoft.com/windowsxp/sp2/topten.mspx
http://www.microsoft.com/windowsxp/sp2/default.mspx

griffinsgirl13 · « **Reply #9 on:** August 18, 2005, 01:38:14 PM »

Okay

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' /> Thank you so much!!!! My computer is running a lot better now.

Is there anything else that I need to do?? Or are we finished???

Thanks Again!!!!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #10 on:** August 21, 2005, 10:08:44 AM »

Glad to help
I'll lock this topic as your problems appear resolved
If you need it reopened, please PM myself or the site admin and supply a link to this thread

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: clicksearchclick.com invasion!!!! (Read 2543 times)

griffinsgirl13

clicksearchclick.com invasion!!!!

guestolo

clicksearchclick.com invasion!!!!

griffinsgirl13

clicksearchclick.com invasion!!!!

griffinsgirl13

clicksearchclick.com invasion!!!!

guestolo

clicksearchclick.com invasion!!!!

griffinsgirl13

clicksearchclick.com invasion!!!!

guestolo

clicksearchclick.com invasion!!!!

griffinsgirl13

clicksearchclick.com invasion!!!!

guestolo

clicksearchclick.com invasion!!!!

griffinsgirl13

clicksearchclick.com invasion!!!!

guestolo

clicksearchclick.com invasion!!!!