1
   

Another Searchweb2 victim needs help

Forums: Computers
Email this Topic Print this Page
 
 
Trzbme
 
Reply Sun 27 Mar, 2005 05:47 pm
As it says above this thing has whooped me. Below is the information that other people seemed to supply. Hope it helps. Thanks in advance for ending the madness.


*********************************************

"Silent Runners.vbs", revision 33, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RealFirst" = "C:\DOCUME~1\Richard\APPLIC~1\PLATFO~1\Oozeitch.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"Shim Flag Drive Second" = "C:\Documents and Settings\All Users\Application Data\skip browse shim flag\army plus.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]
{D2FD395D-060A-2560-19B7-9D02DB164EAD}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\KEEP AUDIO.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{2F860D81-AF3C-11D4-BDB3-00E0987D8540}" = "UltimateZip Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ULTIMA~1\uzshlex.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Officexp\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Officexp\Office10\msohev.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Richard\Desktop\world.bmp"


Startup items in "Richard" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]
"Microsoft Office" -> shortcut to: "F:\Officexp\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"Uninstall Expiration Reminder" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /u /n:1" [MS]
"A4AAC6189181406C" -> launches: "c:\docume~1\richard\applic~1\platfo~1\win poll fork.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Virtual NIC Service, PackethSvc, "C:\WINDOWS\System32\PackethSvc.exe" ["America Online, Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

**********************************************





**********************************************
Logfile of HijackThis v1.99.1
Scan saved at 3:41:16 PM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\ULTIMA~1\uzip.exe
C:\DOCUME~1\RICHARD\LOCALS~1\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D2FD395D-060A-2560-19B7-9D02DB164EAD} - C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\KEEP AUDIO.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [RealFirst] C:\DOCUME~1\Richard\APPLIC~1\PLATFO~1\Oozeitch.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Officexp\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Officexp\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0341517a6331bb129b23/netzip/RdxIE6.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://photocenter.bestbuy.com/downloads/Uploader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab28578.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab28578.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_11_0.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 701 • Replies: 5
No top replies

 
timberlandko
 
  1  
Reply Sun 27 Mar, 2005 06:01 pm
I might be able to help ya out if you'll do a few things: first, fully update your Windows and Internet Explorer, then place HijackThis into a folder of its own on your root drive and run it from there. Please take a look at this topic: Please perform the following prior to posting a HJT log
0 Replies
 
Trzbme
 
  1  
Reply Mon 28 Mar, 2005 03:46 pm
OK all done ready for CPR
OK ran all the programs on and ended up only deleting 3 files with the Anti-Virus check. Other than that all clear. Here is the HJT log. And thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 1:43:18 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shbbuauhrdisywcolksqn.com/XBfEYRy2J/42sX32MPYpZtQQiPY6EeaCR_bxI2GUhPqWpazZu4kB60P/j48nC4i7.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vgavipnligpkuzptgpl.uk/XBfEYRy2J/4QK1YawX8AjzI7a7clO1iXCTCvL7ySsdU.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {893ECCFB-9BD4-2138-4F8E-86E41FC3D661} - C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\KEEP AUDIO.exe
O2 - BHO: (no name) - {D2FD395D-060A-2560-19B7-9D02DB164EAD} - C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\junk army.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Shim Flag Drive Second] C:\Documents and Settings\All Users\Application Data\skip browse shim flag\BROWSEBIN.exe
O4 - HKLM\..\Run: [Manager ace grey eq] C:\Documents and Settings\All Users\Application Data\COMP LOAD MANAGER ACE\Bleh logo.exe
O4 - HKCU\..\Run: [RealFirst] C:\DOCUME~1\Richard\APPLIC~1\PLATFO~1\Oozeitch.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Officexp\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Officexp\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0341517a6331bb129b23/netzip/RdxIE6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112035934926
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://photocenter.bestbuy.com/downloads/Uploader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab28578.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab28578.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_11_0.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
0 Replies
 
timberlandko
 
  1  
Reply Mon 28 Mar, 2005 08:32 pm
You should copy and print out these instructions before beginnin'. Also, get all downloads before startin' the fix procedure.

Make sure your Windows is operatin' properly apart from your browser issues, then Disable System Restore. This will remove your previous restore points and prevent reinfection from that avenue. Do not re-enable System Restore untill the entire fix procedure has been completed (there may - likely will - be steps beyond this run-through) and we're sure your system is OK.

Make sure you can View All Files and Folders

Go to Add/Remove programs, and if found, uninstall Wildtangent.

Download LSP-Fix. Just download it to a folder you will be able to find easily later. It may or may not be needed, but if it is necessary, you'll have it. Removal of some yuckware can prevent you from accessing the internet. In the event this happens, you will need to run LSP-Fix to repair things. If after performin' any of these repairs you can't connect, run it and follow its instructions; it should get ya back on line.

Download and install Cleanup!. Just download it, note where you put it (its own folder in your Programs file would be good), but don't run it just yet.

Download Stinger, and when the download is complete, open the program by clickin' its icon. When the application opens, check to see that your root drive (C:\), is listed under "Directories to scan", then select "Preferences", then, under "Scan these targets", place a check in the "Boot sectors" box (the "Processes" box already should be selected by default). Under "Virus detection", "Repair" should be selected by default. Under "Detection", "Scan all self extracting executables", Check files for MIME content", and "Check files for UUEncoded content", "Scan compressed files", "Scan subdirectories", and "Scan all files" should be selected by default. When everything is as it should be, click "OK", then click "Scan Now" and let the application run to completion. When it has finished, reboot.

Connect to the internet. Run Windows Security's Trojan Scan. Accept the ActiveX download, and when the applet window fully loads, select "Prompt" and be sure your entire root drive is selected for scan. If you are unsure of anything there, see the FAQ linked on that page. If anything is found, follow the instructions to remove the problem. Reboot when completed.

Connect to the internet. Open Adaware, and click the blue-green globe icon in the upper right corner and follow the onscreen prompts to update AdAware. Its a good idea to always have AdAware check for updates before running the application, BTW. AdAware can be configured to automatically check for updates whenever opened, but for a variety of reasons, I prefer to handle the chore manually.

When AdAware has been updated, click the grey-ish "Gear" icon to open AdAware's Configuration and Settings utility.

On the first tab, "General", be sure all 3 buttons in the top panel, "Safety", are green and checkmarked. Next, from the lefthand colum, select "Scanning". Be sure the 1st 2 buttons in the top panel, "Drives, folders, & files", are green and checkmarked. The 3rd button, "Skip files larger than ... ", should be red and display an "x". If any button is not as it should be, click to change its setting, then click "Proceed" to save the settings, then click the "Gear" icon to re-open the settings utility and continue setting up the application.

Under "Select drives and folders to scan", be certain AdAware is configured to scan your entire root drive (the drive on which Windows resides, usually "C".

In the bottom panel, "Memory & Registry", all buttons should be green and checked.

From the lefthand column, select "Advanced". In the first 2 panels, all buttons should be green and checked. In the bottom panel, "Alternate Data Streams", both buttons should be red and display an "x"

From the lefthand panel, select the last option, "Tweak". In the righthand panel, select the 1st option, "Scanning Engine" to open its tree. The 3rd button, "Run scan as background ... etc", should be red and display an "x", all other buttons should be green and checked.

Click "Cleaning Engine" to open its tree. The first 5 buttons should be green and checked, the last 3 should be red and display an "x".

Click "Proceed" again to save all settings. Do not run an AdAware scan yet, just close the application.

Next, go to LavaSoft and download AdAware VX2Cleaner Plugin[/i][/u]. Read, understand, and follow the directions on that page to install the plugin. Just install it, don't run it yet, but be sure you know how to.

Disconnect from the internet. Reopen AdAware, and run the VX2Cleaner Plugin, then run an AdAware scan usin' the "Custom Settings" you just configured. Let AdAware fix whatever, if anything, it finds.

Run "Cleanup". When it has finished and prompts you to do so, reboot.

Do not re-connect to the internet. Run HJT again, WITH NO OTHER BROWSERS, WINDOWS, OR APPLICATIONS RUNNING. Use Ctrl+Alt+Delete to make sure nothin' else is runnin' before you start HJT. When it has completed, place checkmarks next to the followin', if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shbbuauhrdisywcolksqn.com/XBfEYRy2J/42sX32MPYpZtQQiPY6EeaCR_bxI2GUhPqWpazZu4kB60P/j48nC4i7.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vgavipnligpkuzptgpl.uk/XBfEYRy2J/4QK1YawX8AjzI7a7clO1iXCTCvL7ySsdU.html <--- (Note: These could change to a different, long, gobbledygook URL text string - whatever, click-to-fix)
O4 - HKLM\..\Run: [Shim Flag Drive Second] C:\Documents and Settings\All Users\Application Data\skip browse shim flag\BROWSEBIN.exe
O4 - HKLM\..\Run: [Manager ace grey eq] C:\Documents and Settings\All Users\Application Data\COMP LOAD MANAGER ACE\Bleh logo.exe
O4 - HKCU\..\Run: [RealFirst] C:\DOCUME~1\Richard\APPLIC~1\PLATFO~1\Oozeitch.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0341517a6331bb129b23/netzip/RdxIE6.cab
Click "Fix". Wnen HJT has finished, run Cleanup again. This time, when it asks to reboot, click "No". Go to Start>Turn Off Computer, shut down, and leave the machine off at least one full minute.

Next reboot to safe mode (By tapping the F8 key on start up)
Click Start>Search. Select "All files and folders", then click "More advanced options", and select "Search system folders", "Search hidden files and folders" and "Search subfolders". Search-for-and-delete-if-found any files named or containin' the followin':

BROWSEBIN <--- Delete file(s) only, if found.
COMP LOAD MANAGER ACE <--- Delete file(s) only, if found.
Bleh <--- Delete file(s) only, if found.
Oozeitch <--- Delete file(s) only, if found.
wildtangent <--- Delete entire folder, if found.

Run cleanup one more time, then reboot normally, connect to the internet, and post a fresh-after-boot HJT log to this thread.
0 Replies
 
Trzbme
 
  1  
Reply Tue 29 Mar, 2005 08:24 pm
OK done
Did all the steps and there is already a big difference. Below is a new log just in case I missed anything. Thanks for the great help.

Logfile of HijackThis v1.99.1
Scan saved at 5:55:15 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vcxsqntauyqxjkqf.com/XBfEYRy2J/42sX32MPYpZtQQiPY6EeaCR_bxI2GUhPrK12xJ2ft0mkP/j48nC4i7.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {893ECCFB-9BD4-2138-4F8E-86E41FC3D661} - C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\KEEP AUDIO.exe
O2 - BHO: (no name) - {D2FD395D-060A-2560-19B7-9D02DB164EAD} - C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\junk army.exe (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Officexp\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Officexp\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112035934926
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://photocenter.bestbuy.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab28578.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab28578.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_11_0.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
0 Replies
 
timberlandko
 
  1  
Reply Tue 29 Mar, 2005 09:45 pm
We're gettin' there. Frequently, it takes a couple or more run-throughs to get it all.

These still bother me:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vcxsqntauyqxjkqf.com/XBfEYRy2J/42sX32MPYpZtQQiPY6EeaCR_bxI2GUhPrK12xJ2ft0mkP/j48nC4i7.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {D2FD395D-060A-2560-19B7-9D02DB164EAD} - C:\DOCUME~1\Richard\APPLIC~1\STARTR~1\junk army.exe (file missing)

Download and install Microsoft Windows Antispyware. Before runnin' it, click its "Advanced Options" icon, then click the "Browser Hijack Restore" icon. At the bottom of the page that will open, click "Select All", then click "Restore". Go back up to the top of the page, click "File", and click "Check for updates". When that's been done, disconnect from the internet, then click "Spyware Scan". Click "Scan options", and see to it that "Full system scan" is selected, and that all 3 boxes underneath it are checked; Scan Memory", "Scan drives/folders", and "Deep scan folders". Also check to be sure that "Scan drives/folders is configured to scan your entire root drive (click the little folder icon; your root drive - (C) - should be selected). Now, click "Run Scan Now" and let it run to completion, followin' whatever prompts or instructions - if any - it might pop up.

Before re-connectin to the internet, boot into safe mode, run another full scan with MS Antispyware, and then run a full scan with AdAware. Finally, still in safe mode, run HJT again, and click-to fix those entries listed above in bold if they show up. Run Cleanup again, then reboot normally and post a fresh-after-boot HJT log.
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » Another Searchweb2 victim needs help
Copyright © 2025 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.05 seconds on 12/27/2025 at 07:38:18