Trying to clean up after the trojans



sarah
06-18-2004, 06:24 PM
I came across the discussion forum when I was searching for help on the bridge.dll problem. Using your advice to other posters, that particular problem seems to have gone. That leaves me with one less than I had, which seems to be loads!
A whole rash of problems (trojans and horses etc.) appeared when my partner went searching for free mp3 downloads. I have spent the week trying to clean it up, but I am not at all sure what the problem is any more. (Known) symptoms:

1. My browser has been taken over by res://vvpbz.dll/index.html#96676
2. Almost every time I try and do something Windows Installer starts up
3. An advert was put on my desktop, an html file called desktop.html which I cannot get rid of.
4. I am getting loads of adverts

I am a bit out of my depth but the postings so far have helped clear up loads of things. Apart from my own anti virus software I have run Spybot, Adaware, Stinger, Trend Micro.

Following the advice of several of your other postings I have run HJT and here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 22:16:33, on 18/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\apiwu32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winus32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE
C:\WINDOWS\System32\gxftjf.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\johnny\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvpbz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vvpbz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vvpbz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvpbz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vvpbz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vvpbz.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.club-vaio.sony-europe.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C086A50D-7FBB-97FD-CFF2-05B844A747E5} - C:\WINDOWS\javaxk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [mifcrga] C:\WINDOWS\System32\gxftjf.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [winus32.exe] C:\WINDOWS\winus32.exe
O4 - HKLM\..\RunOnce: [atlsm.exe] C:\WINDOWS\atlsm.exe
O4 - HKLM\..\RunOnce: [apphq32.exe] C:\WINDOWS\system32\apphq32.exe
O4 - HKLM\..\RunOnce: [addou.exe] C:\WINDOWS\addou.exe
O4 - HKLM\..\RunOnce: [addlv32.exe] C:\WINDOWS\system32\addlv32.exe
O4 - HKLM\..\RunOnce: [ntyo32.exe] C:\WINDOWS\system32\ntyo32.exe
O4 - HKLM\..\RunOnce: [sdkas.exe] C:\WINDOWS\system32\sdkas.exe
O4 - HKLM\..\RunOnce: [cral.exe] C:\WINDOWS\system32\cral.exe
O4 - HKLM\..\RunOnce: [d3ed.exe] C:\WINDOWS\d3ed.exe
O4 - HKLM\..\RunOnce: [sdkrq.exe] C:\WINDOWS\sdkrq.exe
O4 - HKLM\..\RunOnce: [winja32.exe] C:\WINDOWS\winja32.exe
O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe
O4 - HKLM\..\RunOnce: [iemm32.exe] C:\WINDOWS\system32\iemm32.exe
O4 - HKLM\..\RunOnce: [apitd.exe] C:\WINDOWS\apitd.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O9 - Extra button: DownloadMP3 (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Can you help? How does this work?

PrntRhd
06-18-2004, 10:56 PM
First of all, you should run HJT from a fixed folder, not the desktop; otherwise it will not give you the backups needed to restore items if deleted in error.
Wait for one of the experts to comment before fixing.

classicsoftware
06-19-2004, 12:25 AM
Install HJT into a permanent folder and then fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvpbz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vvpbz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vvpbz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvpbz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vvpbz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vvpbz.dll/sp.html#96676
O2 - BHO: (no name) - {C086A50D-7FBB-97FD-CFF2-05B844A747E5} - C:\WINDOWS\javaxk.dll
O4 - HKLM\..\Run: [mifcrga] C:\WINDOWS\System32\gxftjf.exe
O4 - HKLM\..\Run: [winus32.exe] C:\WINDOWS\winus32.exe
O4 - HKLM\..\RunOnce: [atlsm.exe] C:\WINDOWS\atlsm.exe
O4 - HKLM\..\RunOnce: [apphq32.exe] C:\WINDOWS\system32\apphq32.exe
O4 - HKLM\..\RunOnce: [addou.exe] C:\WINDOWS\addou.exe
O4 - HKLM\..\RunOnce: [addlv32.exe] C:\WINDOWS\system32\addlv32.exe
O4 - HKLM\..\RunOnce: [ntyo32.exe] C:\WINDOWS\system32\ntyo32.exe
O4 - HKLM\..\RunOnce: [sdkas.exe] C:\WINDOWS\system32\sdkas.exe
O4 - HKLM\..\RunOnce: [cral.exe] C:\WINDOWS\system32\cral.exe
O4 - HKLM\..\RunOnce: [d3ed.exe] C:\WINDOWS\d3ed.exe
O4 - HKLM\..\RunOnce: [sdkrq.exe] C:\WINDOWS\sdkrq.exe
O4 - HKLM\..\RunOnce: [winja32.exe] C:\WINDOWS\winja32.exe
O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe
O4 - HKLM\..\RunOnce: [iemm32.exe] C:\WINDOWS\system32\iemm32.exe
O4 - HKLM\..\RunOnce: [apitd.exe] C:\WINDOWS\apitd.exe

Re-boot into safe mode and delete the following files:
C:\WINDOWS\javaxk.dll
C:\WINDOWS\System32\gxftjf.exe
C:\WINDOWS\winus32.exe
C:\WINDOWS\atlsm.exe
C:\WINDOWS\system32\apphq32.exe
C:\WINDOWS\addou.exe
C:\WINDOWS\system32\addlv32.exe
C:\WINDOWS\system32\ntyo32.exe
C:\WINDOWS\system32\sdkas.exe
C:\WINDOWS\system32\cral.exe
C:\WINDOWS\d3ed.exe
C:\WINDOWS\sdkrq.exe
C:\WINDOWS\winja32.exe
C:\WINDOWS\system32\javakl32.exe
C:\WINDOWS\system32\iemm32.exe
C:\WINDOWS\apitd.exe

Re-run HJT and post a new log.

sarah
06-19-2004, 07:06 AM
I have followed your advice, thank you so much. I could not find javaxk.dll and there are still lots of misbehaviours. Here's the log:
Logfile of HijackThis v1.97.7
Scan saved at 10:57:48, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\apiwu32.exe
C:\WINDOWS\ntvj32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Sarah P\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fecok.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fecok.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fecok.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fecok.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fecok.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fecok.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {655FEBD8-A207-53DF-F9DA-DFBED81D4B04} - C:\WINDOWS\ntvj32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [ntvj32.exe] C:\WINDOWS\ntvj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DownloadMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadMP3:t
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
O4 - HKLM\..\RunOnce: [d3ro32.exe] C:\WINDOWS\system32\d3ro32.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MP3download (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Steve
06-19-2004, 10:19 AM
Hi sarah,

You have one of the new CoolWebSearch variants and the usual HJT fixes aren't going to work on it. I have worked up a fix by putting your particular info into a "canned fix" that is being made available by the anti-spyware folks. I offer no guarantees but think it's worth a try.

First back up all your important data. I can't emphasize this enough. Then create a new restore point. Then put HijackThis.exe into a permanent folder. Right click on your desktop, choose "new" then "folder" and create a new folder. Name it HJT and extract HijackThis.exe to that folder.

Look it over and see if it's something you want to try. I'll be around most of the day if you need help. We have a few other folks who can also help out with this.

The fix

1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".

2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "" & "". If you find the files, click on them, and then click End Process => Exit the Task Manager.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.

4. Scroll down and find the service called "Network Security Service".

5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fecok.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fecok.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fecok.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fecok.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fecok.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fecok.dll/sp.html#96676
O2 - BHO: (no name) - {655FEBD8-A207-53DF-F9DA-DFBED81D4B04} - C:\WINDOWS\ntvj32.dll
O4 - HKLM\..\Run: [ntvj32.exe] C:\WINDOWS\ntvj32.exe
O4 - HKLM\..\RunOnce: [d3ro32.exe] C:\WINDOWS\system32\d3ro32.exe

7. Reboot into Safe Mode and delete the following files:

C:\WINDOWS\system32\fecok.dll/sp.html#96676
C:\WINDOWS\ntvj32.dll
C:\WINDOWS\ntvj32.exe
C:\WINDOWS\system32\d3ro32.exe

8. Go to Start => Run and type in "regedit" (without quotes) and press "Enter".

9. Once the registry opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If __NS_Service_3 exists , right click on it and choose delete from the menu.

10. Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

11. Exit regedit and reboot in Normal Mode.

12. Two files (Possibly three) were also deleted from your computer and need to be replaced.
* control.exe - Go to Merijn Files (control) (www.spywareinfo.com/~merijn/winfiles.html#control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
* Download the Hoster from here (members.aol.com/toadbee/hoster.zip) . Press "Restore Original Hosts" and press "OK". Exit Program.
* If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) (www.spywareinfo.com/~merijn/winfiles.html#sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

13. Run HiJackThis again and post a new log in this thread.

sarah
06-19-2004, 05:15 PM
Hi Steve, I have run through all the points. I have a question. If one of the steps cannot be completed, should I carry on to the end of the list? A couple of things.
From your point on HJT, I cannot right click on the desktop to create new folders, because of the html file sitting on it.
From your point 2 - no "&" files found
From your point 7 - I found no ntvj32.dll file, but did find an ntvj32.exe.bak which I did not delete, should I have?

Point 10, I found LEGACY_NS_Service_3 but it would not allow me to delete it.

Point 12 - re downloading the hoster, where should I download it to? I downloaded it to a folder on the desktop. When I extracted it, it gave me a 'you do not appear to have a host file' message.

My HJT log is
Logfile of HijackThis v1.97.7
Scan saved at 21:14:19, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINDOWS\system32\d3wr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\crxf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah P\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://utgbr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\utgbr.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appxe32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [d3wr.exe] C:\WINDOWS\system32\d3wr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DownloadMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadMP3:t
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [crxf.exe] C:\WINDOWS\system32\crxf.exe
O4 - HKLM\..\RunOnce: [ntpg32.exe] C:\WINDOWS\ntpg32.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MP3download (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I appreciate your help

Steve
06-19-2004, 06:08 PM
Hi sarah,

If you can't create a new folder on the desktop, maybe you can create one in Windows Explorer. Open Windows Explorer and follow the same process. You can even drag and drop the hijackthis.exe to the new folder this way. This is just so that the backup files that HJT makes will be safe and easily accessible.

"&"...that was my mistake. Sorry. It should have read your executable files. In your case:

C:\WINDOWS\ntvj32.exe
C:\WINDOWS\system32\d3ro32.exe

Stopping those processes is important.

Point 7: This seems to be where things are going wrong. Are you sure you have "show hidden files and folders" enabled? And yes, you have to delete the files found.

Point 10: You still need to be in safe mode at this point. Deleting the above files should help with deleting those registry entries. If the files are still active, you won't be able to delete the registry entry.

Point 12: That's OK. Not everyone uses a Hosts file.

And sure. If you can't complete one step, give the rest a try. You probably don't have much to lose. With this kind of spyware infection, your browser probably isn't working that well anyway.

Ya know. I've never recommended it here, but sometimes, if you have little data to save or if you have already backed everything up, a format and reinstall isn't out of the question. You can get a fresh start and by using an alternative browser, avoid this whole situation.

classicsoftware
06-19-2004, 11:21 PM
Steve:

Where can I read up on this?

Steve
06-20-2004, 08:56 AM
There's pretty good info over at TC's Classroom. PGPhantom and grinler both posted canned fixes yesterday. The one I'm using here is PGPhantom's. He says he's used it more than thirty times successfully so I'm hoping it works for Sarah.

SpywareInfo was down all day yesterday so I haven't checked over there yet but I'm sure there's good info in the Bootcamp.

:)

sarah
06-20-2004, 04:07 PM
Hi Steve, I have run through the instructions several times. Neither of the exe files were listed as running, and I can find none of the files listed for deletion in the C: drive - so still cannot delete the LEGACY_NS_Service_3 folder.
Should it make any difference which account I log in with? I logged in with Administrator and my own account in Safe Mode and it didn't make a difference.
I am anticipating a reformat suggestion but here's the log file anyway, and thanks again

Logfile of HijackThis v1.97.7
Scan saved at 19:55:15, on 20/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ntpg32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINDOWS\system32\d3wr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Sarah P\Desktop\hjt\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appxe32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K 2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [d3wr.exe] C:\WINDOWS\system32\d3wr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DownloadMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadMP3:t
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [javaed.exe] C:\WINDOWS\javaed.exe
O4 - HKLM\..\RunOnce: [javara32.exe] C:\WINDOWS\javara32.exe
O4 - HKLM\..\RunOnce: [syswn.exe] C:\WINDOWS\syswn.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MP3download (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Steve
06-20-2004, 05:12 PM
One of the problems with this kind of spyware is that the .exe files change name on each reboot. If you're up for one more try, and haven't rebooted since you posted this last log, I might be able to walk you through it in real time if we post back and forth.

Want to try it?

:)

sarah
06-20-2004, 05:15 PM
yep, kids are asleep, I'm game, sarah

Steve
06-20-2004, 05:30 PM
OK. I'm here. Have you rebooted since the last log?

Well, I can see that you're logged in. Any time you want to get started, just post back with the answer. ;)

sarah
06-20-2004, 05:46 PM
Hi Steve no I haven't rebooted since the last post, and I am ready to go. How does this work, do I stay in the thread and hit refresh every so often?
Sarah

Steve
06-20-2004, 05:49 PM
Yep. Give me about 5 mins. to write the first post. If you have any problems or when you complete the tasks post back.

Steve
06-20-2004, 05:56 PM
Open a Windows Explorer window and
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select "Show hidden files and folders".
- UNcheck the "Hide protected operating system files (recommended)" option.
- UNcheck "Hide file extensions for known file types"
- Click Yes to confirm.
- Click Apply > OK.

Then using the Task Manager (Ctrl+Alt+Delete) > Processes tab > end the task on the following processes:

ntpg32.exe
d3wr.exe
javaed.exe
javara32.exe
syswn.exe

sarah
06-20-2004, 06:05 PM
Done Windows Explorer bit.

But only ntpg32.exe and d3wr.exe listed as processes in the task manager.

Steve
06-20-2004, 06:12 PM
OK. Using the search function (start > search) run a search for each of the files that did not appear in task manager. If you find them, right click and try to delete them.

sarah
06-20-2004, 06:15 PM
Do I delete the prefetch file aswell?

Steve
06-20-2004, 06:18 PM
If it is associated with the files mentioned, yes.

I should have been saying "end process" instead of end task on the first step. Did you end process on them?

sarah
06-20-2004, 06:18 PM
Other files now deleted but not the prefetch ones

sarah
06-20-2004, 06:21 PM
Yes, I ended the process and all files and .pf files are deleted

Steve
06-20-2004, 06:26 PM
Next, go to Start > Run > type Services.msc enter
Scroll down and find the service called "Network Security Service".
When you find it, double-click on it.
In the next window that opens, click the Stop button, then change the Startup Type to Disabled.
Now hit Apply and then OK and close any open windows.

Be sure to close all browser and explorer windows before continuing.

Run HJT again and fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appxe32.dll

O4 - HKLM\..\Run: [d3wr.exe] C:\WINDOWS\system32\d3wr.exe

O4 - HKLM\..\RunOnce: [javaed.exe] C:\WINDOWS\javaed.exe

O4 - HKLM\..\RunOnce: [javara32.exe] C:\WINDOWS\javara32.exe

O4 - HKLM\..\RunOnce: [syswn.exe] C:\WINDOWS\syswn.exe

sarah
06-20-2004, 06:27 PM
Should/can I keep the browser open while I do this?

sarah
06-20-2004, 06:28 PM
sorry, forget that message I have just read what you wrote

sarah
06-20-2004, 06:32 PM
ok, thats all done

Steve
06-20-2004, 06:38 PM
Go to Start > Run > type regedit hit enter.

Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
Highlight __NS_Service_3 > right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
Highlight LEGACY___NS_Service_3 then right click on it and choose delete from the menu

Exit regedit, reboot and post back.

sarah
06-20-2004, 06:43 PM
It's still not letting me delete the LEGACY folder :(

Steve
06-20-2004, 06:51 PM
OK. Reboot into safe mode and using the search function see if you can find any of these files.

ntpg32.exe
d3wr.exe
javaed.exe
javara32.exe
syswn.exe

If you find any, delete them. Then navigate to that registry entry again (while still in safe mode) and try to delete it again.

sarah
06-20-2004, 07:10 PM
Again all files deleted where found but still can't do the LEGACY folder

Steve
06-20-2004, 07:16 PM
What is keeping you from deleting it? An error message? Access denied? Running process?

Please be exact on this...:)

sarah
06-20-2004, 07:22 PM
Message says 'Cannot delete LEGACY_NS_SERVICE_3: Error while deleting key.'

I am not sure what this registry entry refers to but before I came to the discussion forum I was running various cleanups. Norton found a trojan horse on a file called MsTasks3, which it quarantined but could not fix. Any connection?

Steve
06-20-2004, 07:28 PM
Yes. Actually I think it's crippled at this point and that is causing the problem. That might not be a bad thing. :)

Chances are two files were also deleted from your computer and need to be replaced.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Reboot and post a fresh HJT log.

sarah
06-20-2004, 07:38 PM
This is the log after the reboot :)

sarah
06-20-2004, 07:40 PM
:o
Logfile of HijackThis v1.97.7
Scan saved at 23:38:15, on 20/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Documents and Settings\Sarah P\Desktop\hjt\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://utgbr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\utgbr.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DownloadMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadMP3:t
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MP3download (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Steve
06-20-2004, 07:52 PM
Well, we failed to kill it. You still have it. :(

Those R1 and R0 entries show it loud and clear. I'm sorry but that's pretty much all I can do. Maybe a format and reinstall is going to be the solution for you.

Most of these malware programs come to your computer through the Internet Explorer browser. If you do end up reinstalling please consider using an alternate browser such as Mozilla, Firefox, Opera, etc.

I'm not sure what went wrong. Probably not being able to delete that last registry entry. The procedure has been working on other computers. Maybe the extent of your original trojan problem contributed to the lack of success.

Sorry I couldn't have been of more help.

:)
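A defender-side triage helper, added here as an example and not code from the thread or from HijackThis itself: it applies the three patterns Steve acted on in these posts (R0/R1 start and search pages redirected into a res:// DLL resource, an O2 BHO with no name, and O4 Run/RunOnce entries launching a bare executable out of the Windows directory under its own name) to a constructed sample of log lines modelled on the logs above. The sample lines and the small allowlist are assumptions of the example, not values from any live machine.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input modelled on the thread's HijackThis logs: the
# res://utgbr.dll redirects, the unnamed BHO, two of the bare autoruns
# Steve had fixed, and a few legitimate entries that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.labourstart.org/
O2 - BHO: (no name) - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appxe32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [d3wr.exe] C:\WINDOWS\system32\d3wr.exe
O4 - HKLM\..\RunOnce: [javaed.exe] C:\WINDOWS\javaed.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


@dataclass
class Finding:
    section: str  # HJT section tag: "R0", "R1", "O2", "O4"
    reason: str   # why the line deserves a second look
    line: str     # the log line, unchanged


# Windows-directory executables that legitimately autorun under their own
# name.  Constructed allowlist for this example; real triage uses a vetted one.
KNOWN_GOOD_AUTORUNS = {"ctfmon.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# R0/R1 value pointing into a DLL resource, e.g. res://C:\WINDOWS\x.dll/sp.html
RES_DLL_RE = re.compile(r"=\s*res://(\S+?\.dll)/", re.IGNORECASE)
# O2 BHO that registers no display name at all
UNNAMED_BHO_RE = re.compile(
    r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (.+)$", re.IGNORECASE)
# O4 autorun: hive, Run/RunOnce, [entry name], command line
AUTORUN_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.+)$")
# first token of the command line, quoted or not, ending in .exe
EXE_PATH_RE = re.compile(r'^"?([^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return the HJT lines matching the three hijack patterns seen in the thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("R0", "R1"):
            m = RES_DLL_RE.search(line)
            if m:
                dll = m.group(1).rsplit("\\", 1)[-1]
                findings.append(Finding(
                    section, f"IE start/search page redirected into DLL resource {dll}", line))
        elif section == "O2":
            m = UNNAMED_BHO_RE.match(line)
            if m:
                findings.append(Finding(
                    section, f"unnamed Browser Helper Object loading {m.group(1)}", line))
        elif section == "O4":
            m = AUTORUN_RE.match(line)
            if not m:
                continue
            hive, key, entry, command = m.groups()
            exe = EXE_PATH_RE.match(command)
            if not exe:
                continue
            path = PureWindowsPath(exe.group(1))
            in_windows_dir = str(path.parent).lower() in WINDOWS_DIRS
            named_after_itself = path.name.lower() == entry.lower()
            if (in_windows_dir and named_after_itself
                    and path.name.lower() not in KNOWN_GOOD_AUTORUNS):
                findings.append(Finding(
                    section, f"{hive} {key} launches bare {path.name} from {path.parent}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run stand-alone it prints the five flagged lines; the labourstart.org start page, the Norton BHO, ccApp and ctfmon pass through unflagged.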

sarah
06-20-2004, 07:56 PM
Well, I have to say thank you so much anyway for all your help, I have learnt such a lot! What a great thing you do, and I've learnt such a lot from the site too, I will be recommending this,

Thanks again,

sarah :)

Steve
06-20-2004, 08:00 PM
There's actually one more thing we can try. Fix those R1 and R0 entries with HJT and then download and run CWShredder (http://www.net-integration.net/tools/hijackthis.html) letting it fix all it finds.

Scroll down the page to find the shredder.

That last log shows only a partial infection. Give it a try.

classicsoftware
06-20-2004, 11:34 PM
I know it's a long shot. But I would download and install Eraser 5.7 (http://www.heidi.ie/eraser/download.php). Set it to erase your TEMP and TIF folders without removing the folder themselves.
Re-run HJT and apply the fixes for the R1 and R0 entries. They could be hiding in these folders and re-installing themselves.
Shutdown and then see if they are still there.
It's easier than a format & re-install.

Then boot into safe mode and try the registry fix again. Then load HJT and fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://utgbr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utgbr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://utgbr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\utgbr.dll/sp.html#96676

O4 - HKCU\..\Run: [DownloadMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadMP3:t

O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
O9 - Extra button: MP3download (HKLM)

The O4 entries seem to have appeared after the first log

sarah
06-21-2004, 05:38 PM
Hi, I don't know if you're around tonight (is it tonight with you?) but I tried both suggestions.

I had already run CWshredder and it found nothing to fix.

However I ran through the advice about Eraser and although I still could not delete the LEGACY folder things seem to have calmed down. The browser is not getting taken over, no more popups although I won't speak too soon, and Installer is no longer trying to load Office.

The only problem left seems to be the html file that is sitting on the desktop.

I am posting the HJT log just in case you can bear another one

Logfile of HijackThis v1.97.7
Scan saved at 21:30:18, on 21/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Documents and Settings\Sarah P\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.labourstart.org/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MP3download (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

:)

Steve
06-21-2004, 07:01 PM
Hi sarah,

Things are looking better, but there's an item I'm not sure about.

Do you know what this is?

C:\WINDOWS\system32\UStorSrv.exe

If not could you find the file, right click on it and check the properties to see if there is any info?

Also, could you right click on that desktop file and check the properties on it too?

:)

ErnieK
06-21-2004, 07:17 PM
If I am poking my nose in at the wrong time please accept my apologies.

Sarah
The html file on your desktop.
Try renaming it to something like 123.doc (or txt or whatever file type you want except html or htm) then see if you can delete it. First check the properties of it to make sure it is not read only.

Once again, sorry if I am butting in wrongly.

Steve
06-21-2004, 08:07 PM
No problem, Ernie and CS! Any suggestions that might help are certainly welcome by me and I'm sure by Sarah.

;)

classicsoftware
06-21-2004, 08:28 PM
Steve:

This is two different people who have been hijacked that could not be fixed until the TEMP and TIF folders have been erased. I know it's anecdotal, but I think I am going to start recommending everyone do this before using HJT fix things.

What do you think????

Budfred
06-21-2004, 08:38 PM
classicsoftware,

It certainly is unlikely to hurt anything and it will help in a number of situations, so it is worthwhile to recommend... PGPhantom on SWI recommends that for everyone as a final cleanup on a fix....

Steve
06-21-2004, 08:56 PM
I think it just might help. I have two computers here with the same problem as Sarah. One of them cleaned up perfectly with PGPhantoms fix. The other one, no matter what I try, keeps reinfecting even though it's not connected to the internet. I'm searching and studying this computer to try and find what keeps the infection going but I can't seem to find a difference in the two.

I must admit the idea (and time) of overwriting 35 times seems like tremendous overkill. But I've used Eraser for ultra cleaning whole drives containing things that need to just go away completely. So maybe it would help in these odd cases.

BTW, CS, you should get yourself a copy of the "Killbox". A great little tool. It will even delete running processes.

OOOPS..Sorry. Here's the link.

http://www.downloads.subratam.org/KillBox.zip

sarah
06-22-2004, 06:16 AM
Hi Steve

Do you know what this is?

C:\WINDOWS\system32\UStorSrv.exe

I don't know what it is
Properties:
Description: OTi Content Service
Size: 136 kb
Created: 24.5.04
Copyright 2004



Also, could you right click on that desktop file and check the properties on it too?

General: n/a
Protocol: File Protocol
Type: HTML document
Connection: Not encrypted
Address: file://c:\WINDOWS\web\desktop.html
Size: n/a
Created: n/a
Modified: n/a


:)

sarah
06-22-2004, 06:22 AM
Ernie,


Originally posted by ErnieK
If I am poking my nose in at the wrong time please accept my apologies.


The html file on your desktop.
Try renaming it to something like 123.doc (or txt or whatever file type you want except html or htm) then see if you can delete it. First check the properties of it to make sure it is not read only.

Once again, sorry if I am butting in wrongly.

I cannot rename simply by right clicking. Can I do anything else to rename it? I only get options like view source, encoding etc. with a right click. I have tried messing with the html in the source code but that doesn't seem to make a difference. Originally it had a lot of images on it. These were stored locally and I found and deleted them. Now it is a blank white page.
Sarah

malcore
06-22-2004, 06:29 AM
Hi,

If you wish to delete this file, try this bit of software. It's called GiPo@MoveOnBoot. Using this software you can select a file or files you wish to delete completely, and it will be removed upon your next boot.

You can get it here (http://www.gibinsoft.net/gipoutils/) . Scroll to the bottom to the Program List. Select File Utilities. On the next page, scroll to the bottom and download the old version (freeware) of
GiPo@MoveOnBoot 1.9.5 (English), EXE-setup (644 Kb). Handy utility, easy to use.

It will create a new entry in the right click context menu of any and all files. Simply right click the file you wish to delete, and select "delete file(s) on the next boot."

http://img78.photobucket.com/albums/v294/melcore/ScreenShot007.png

Steve
06-22-2004, 07:18 AM
Hi Sarah,

I'd suggest finding and deleting UStorSrv.exe. Try it in normal mode first and if you can't delete it, try in safe mode.

Then give Malcore's advice a try to remove that desktop file.

I'm heading off to work. I'll be back later in the day.

:)

sarah
06-22-2004, 05:20 PM
Hi there, here's an update. I have deleted the UStorSrv.exe file in Safe Mode.

I have also downloaded the software Malcore suggested. My problem with whatever it is that is sitting on the desktop is that I can't find it to delete it.

Still almost everything else seems fine, esp the browser. Still getting popups but the only evidence of the problem is the desktop :)

Steve
06-22-2004, 05:58 PM
Well, I guess this is going to go one little step at a time. ;) What a stubborn hijack.

What do you mean by "I can't find it to delete it." Doesn't the file address c:\WINDOWS\web\desktop.html work?

sarah
06-22-2004, 06:48 PM
Using search I can find desktop.html, in my Local Settings folder. Deleting it makes no difference. There is no file listed in C:\windows\web.
If you right click on the desktop and open the source code, the file name is C__WINDOWS_Web_desktop[1]. I have found and deleted these with no effect.
When I reboot, my original wallpaper appears right through the boot until the last minute when the html file appears.

Steve
06-22-2004, 07:19 PM
That seems to suggest that the file is in your temp. internet files (the [1]). How about deleting all temp. and .tif files. You can do it with "disk cleanup". Start > All programs > Accessories > System Tools > Disk Cleanup. If it won't go in normal mode, try safe mode.

We'll get it sooner or later...;)

classicsoftware
06-22-2004, 11:54 PM
When you run eraser, did it say it couldn't erase a certain file?
Please advise. The only file you should not be able to delete is index.dat. If there are more, we may have to kill a running process before Eraser. It works better than the built in Windows version of erasing TIF.

sarah
06-23-2004, 05:18 PM
Hi classicsoftware, I didn't have a problem deleting any files with Eraser. The thing I couldn't do was delete a folder in the registry - LEGACY_NS_SERVICE_3

Steve, I have run clean up and then checked through all the temp and tif folders and cleaned them out. This has not killed the desktop file. What does seem to have vanished is the Network Security Service from the list of services?



:) sarah

Steve
06-23-2004, 06:36 PM
What does seem to have vanished is the Network Security Service from the list of services?
That's a very good thing. That was a bogus service installed by the hijacker. At this point I think we have defeated the hijack. But...

That .html file is starting to make me mad. ;)

The Eraser program should have a drag and drop feature that you might be able to use to delete it. If you can find the file in Windows Explorer you should be able to use that eraser feature.

I'll download Eraser to this computer in case you have a problem figuring it out. One of us here can walk you through it. Make sure you check in task manager to see if the file is there as a running process. If it is "end process" on it before you try to delete it.

I hope this does it for you. You have been very patient through this whole thing.

:)

Donn
06-23-2004, 11:20 PM
Hi Sara, also sorry to interrupt here, but scratch an itch for an old guy....I know Steve told you to set a new restore point, but did you re-enable your system restore afterwards, or is it still disabled?

sarah
06-24-2004, 05:01 AM
Hi Donn I haven't re-enabled the system restore.

and it is driving me mad that I cannot find the file. Can I post the html code for the file and see if I am missing something? The file is called C_WINDOWS_web_desktop[1].txt. I have of course looked in that folder and there is no file listed.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY
style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
bottomMargin=0 bgColor=#0000ff leftMargin=0 background="" topMargin=0
rightMargin=0>
<DIV
style="LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 0px; HEIGHT: 768px"><IMG
style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
src="file:///C:/Documents%20and%20Settings/Sarah%20P/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
</DIV><IFRAME id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 1px; HEIGHT: 733px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\Web\desktop.html" resizeable=""> </IFRAME>&nbsp;
</BODY></HTML>

Let me know when you are fed up with this problem you have all been very patient!! thanks sara

Steve
06-24-2004, 07:19 AM
I'd say, make sure you have your system set to show hidden files and folders. We did it earlier but you should just make sure. Windows Explorer > Tools > Folder Options > View. Make sure "Hide extensions for known file types" is unchecked. Then use the search function to see if you can find it. Maybe even use the *.txt wildcard as a search term and see if you can find anything that might be that file.

Setting a new restore point turns that function on, not off. I had you set a restore point because, at that time, I wasn't familiar with the canned fix and wanted you to be able to return to a known point if necessary.

It would probably be a good idea now to go and turn the restore function off, until we know your system is clean.

classicsoftware
06-25-2004, 08:00 PM
Humor us old guys for a second and try this:

Create a new user:

logon as a new user and see if the item appears on your desktop.

If it does not, you should be able to delete:

c:\documents and settings\user name goes here\desktop\C_WINDOWS_web_desktop[1].txt

Steve
06-26-2004, 03:49 PM
Sarah,

If you're still lurking, here is some info I just found. It might help you find that file.

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here:

http://www.davehigham.zen.co.uk/downloads/xphidden.zip

to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

I hope it helps...:)

sarah
06-28-2004, 04:24 PM
Hi guys, I'm afraid I got a bit browned off when I found that the thing taking over the browser was still active in the other account I have. I cannot find the desktop file anywhere and I just got a virus report from Norton saying it had found a trojan on the MsTasks2.exe file.

When I open the source txt file and make changes, then close without saving it the save message says I have made changes to C:\Documents and Settings\Sarah P\Local Settings\TIF\Content.IE5\TCOFL9KS\C_Windows_web_desktop[1].txt

Needless to say I scurried off and deleted the whole folder from my settings and both other accounts on the system. This is not the first time I have deleted the files - see previous advice from you guys.

I then did a bit of a hunt about what the IE5 folder was and apparently it should not be deleted.

Thanks, Steve and classicsoftware, for your last postings. I did both things and still no joy.

I am poised to reformat!!

Can I post a HJT log in case anything looks glaring?

Logfile of HijackThis v1.97.7
Scan saved at 20:24:06, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah P\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.labourstart.org/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MP3download (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam1.east-ayrshire.gov.uk/activex/AxisCamControl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

:) Sarah
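The log above is in the line format HijackThis prints (a section code such as R0, O2, O4 or O16, then the entry). The following triage helper is an added example and is not code from the thread or from HijackThis: it parses a constructed sample made of a few of the O4 and O16 lines Sarah posted and flags the entries a reviewer would look at first: Run entries given as a bare file name rather than a full path (like ICO.EXE), Global Startup shortcuts whose target resolved to "?", and ActiveX (DPF) downloads from hosts that are not on an allow list. The allow list here (only download.macromedia.com) is an assumption for the example; a flag means "check this", not "this is malware".

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted above, verbatim.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.labourstart.org/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: PowerPanel.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allow list for ActiveX download hosts; an analyst maintains this.
TRUSTED_DPF_HOSTS = ("download.macromedia.com",)

SECTION_RE = re.compile(r"^(?P<section>[RFO]\d+) - ")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.+?)\) - (?P<url>\S+)$")


def command_executable(cmd):
    """Return the executable part of a Run command line.

    Quoted paths end at the closing quote; unquoted ones are joined token by
    token until a token ends in .exe/.com, which copes with spaces in
    unquoted paths such as C:\\Program Files\\Eraser\\eraser.exe -hide.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith((".exe", ".com")):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def is_absolute_path(path):
    """True for a drive-letter path like C:\\...; False for a bare name like ICO.EXE."""
    return bool(re.match(r"^[A-Za-z]:\\", path))


def section_counts(log_text):
    """Count entries per HijackThis section code (R0, O2, O4, ...)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            counts[m.group("section")] += 1
    return counts


def triage(log_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return a list of entries worth a closer look, each with section, name, detail, reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            exe = command_executable(m.group("cmd"))
            if not is_absolute_path(exe):
                findings.append({"section": "O4", "name": m.group("name"), "detail": exe,
                                 "reason": "bare executable name, not a full path; "
                                           "confirm which file on disk actually runs"})
            continue
        m = STARTUP_RE.match(line)
        if m and m.group("target") == "?":
            findings.append({"section": "O4", "name": m.group("name"), "detail": "?",
                             "reason": "startup shortcut target could not be resolved"})
            continue
        m = DPF_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append({"section": "O16", "name": m.group("name"), "detail": host,
                                 "reason": "ActiveX control downloaded from a host not on the allow list"})
    return findings


if __name__ == "__main__":
    print("entries per section:", dict(section_counts(SAMPLE_LOG)))
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['name']}: {f['detail']} -> {f['reason']}")
```

Run as a script it prints the per-section counts and four flagged entries from the sample: the ICO.EXE Run entry, the unresolved PowerPanel.lnk shortcut, and the two DPF downloads not hosted on download.macromedia.com. The HouseCall control is flagged only because its Akamai host is not on the assumed allow list, which is exactly the kind of entry an analyst clears by hand; the point of the helper is to shrink a long log to the lines that need a decision.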

classicsoftware
06-28-2004, 04:43 PM
Originally posted by sarah
When I open the source txt file and make changes, then close without saving it, the save message says I have made changes to C:\Documents and Settings\Sarah P\Local Settings\TIF\Content.IE5\TCOFL9KS\C_Windows_web_desktop[1].txt

This means you did not erase the correct folder.

Set eraser to erase
C:\Documents and Settings\Sarah P\Local Settings\TIF
set it to erase sub folders
and set it to erase only subfolders.

This will erase the contents of the content.ie5 folder and this may finally solve your problem. You must delete this folder. I do it all of the time.

Steve
06-28-2004, 08:11 PM
Sarah, this is the first time, here in the forums, that I've suggested reformatting because of spyware. I've done it a few times in the shop when a customer was overwhelmed with viruses, trojans and spyware. I've recommended it to friends when I knew there was not much of anything to save on the computer. You had over a dozen trojans running when you first got here, if I remember correctly, plus the hijack and maybe some viruses.

If there is one good thing about spyware it's that it doesn't infect your data files. It infects the browser. If you don't have a lot of data files, or if you do but have them backed up, go ahead, format and reinstall. You'll have a brand new computer. The problems will be gone. You can then concentrate on making sure it doesn't happen again. You have been taken advantage of by these jerks and it just ain't right. We can show you how to avoid the whole situation. (well...almost the whole situation)

That is (hehe)...unless you are of the geeky sort, like a lot of us here, and enjoy this stuff, finding it challenging and interesting. If so, CS has suggested the next step...:)

classicsoftware
06-28-2004, 11:00 PM
Steve:

I just hate to let the bastards get the best of me. If I was charging a client for this mess, I would probably re-format also. Since I give myself away for free, I would like to keep going and snuff this crap out. It's up to Sarah of course...

sarah
06-29-2004, 02:01 PM
OK, I ran another full system search last night after various bits of file hunting and cleaning and it found trojans on 6 files!!

I feel slightly under siege now and will definitely reformat - although you are right, I have been enjoying trojan hunting more than I would admit to my friends!

Rather than run the risk of reformatting and getting the whole lot back, is there preventative/protective stuff I should do? I have not looked at Opera, but all the advice points that way; anything else I should know?

thanks for all your help guys, sarah :) :)

Steve
06-29-2004, 07:26 PM
Hi Sarah,

You asked for suggestions about protection and I'm sure you're going to get plenty. ;)

Browser and E-mail:

First, you need to decide on an alternative browser and e-mail program. Internet Explorer and Outlook Express just have too many security problems and are targeted more than any other browser and e-mail client.

Mozilla is a complete suite. It includes browser, email program, irc chat client, etc. You can also get the stand alone programs from Mozilla, Firefox for browser and Thunderbird for e-mail. That is the combo that I use. There is also Opera which is highly recommended. I haven't used it in a couple of years but had a favorable impression of it when I used it. The free version has an ad banner that I found annoying but the paid version is ad free.

Antivirus:

Next you need to decide which virus protection program you will use. I use AVG and like it. It's free. :) Norton is also good but costs. In my experience AVG identifies more trojans than Norton.

Firewall:

After that, you need to decide on a software firewall. I use and recommend Zone Alarm. It's free, easy to setup and does a good job. The firewall monitors and controls which programs can access the internet and warns of any that try to access your computer from the internet. A must have.

Security Programs:

Then download some more security programs. I recommend Spybot Search & Destroy, AdAware, and Spyware Blaster.

Once you have decided which programs you will use and before you format and reinstall, download the programs and put them on CD-R. That way you can install them before you ever expose your new install to the internet.

You're going to still have IE on your computer so once everything is loaded, the first thing you do when you connect to the internet for the first time, is go straight to the Windows Update site and install ALL service packs and updates. This is very important because it closes many of the security holes in Windows. A must do, IMHO. After that, the only time you use IE is to check for updates. Other than that forget it exists.

Then, once a week, update and run your A/V program, Spybot and AdAware. Once a week update Spyware Blaster. You don't have to deliberately run it as it runs in the background.

That's the setup that I use on my main computer and I can't get infected or hijacked even when I try. But don't try. Practice good surfing habits and you'll be fine.

Well, that's my take on it. I included only the programs I have used and like. Others will have more suggestions, I'm sure.

Let us know if you have any questions...:)

classicsoftware
06-30-2004, 12:33 AM
Right now, I really like Avast (http://www.avast.com/eng/products/free_software/avast_4_home/free_antivirus_softw.html). It's really excellent. The only drawback to the free version is you cannot schedule a scan. It auto-updates and tells you when program updates are available.

As for a firewall, I have Zone Alarm on some of my systems, but I really like Sygate (http://smb.sygate.com/products/spf_standard.htm).

For e-mail, your best bet is the one Steve suggested.