Hi,

I'm quickly turning into the goto guy for all my friends and relatives. They don't seem to realize that this is the goto forum for dealing with this stuff.

Anyway, this guy had CWS and some other stuff on his machine. I booted into safe mode and ran AdAware and Spybot S&D.

Here's the HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 8:24:43 PM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnwsq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnwsq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnwsq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnwsq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnwsq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnwsq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {84836567-AEF5-EB34-615B-CC16A2E0316D} - C:\WINDOWS\system32\mfczn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [addwo32.exe] C:\WINDOWS\system32\addwo32.exe
O4 - HKLM\..\RunOnce: [apiok32.exe] C:\WINDOWS\system32\apiok32.exe
O4 - HKLM\..\RunOnce: [atldr.exe] C:\WINDOWS\system32\atldr.exe
O4 - HKLM\..\RunOnce: [sysla32.exe] C:\WINDOWS\sysla32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Some of this stuff looks suspicious, but I really can't tell what is what. Can you guys help me out again?

Thanks,
Phil

There is more than "suspicious" stuff there. One of the HJT expert will be along to help.

One of the difficult variants of CWS accompanied by multiple spyware/adware infections. Let us first remove the easier ones. Tick the boxes next to all of the following entries, close all other windows, preferably have only HijackThis running, then click Fix Checked.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

Boot into safe mode by tapping the f8 key as your computer boots. You should do this before you see the Windows splash screen.

Also, make sure you can see hidden files; Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Setting, choose Show Hidden Files and Folders, then click on OK and close My Computer.

Delete the following files and folders:

C:\Windows\System32\wsaupdater.exe <--- file
C:\Program Files\WindowsSA <----- folder
C:\Program Files\BullsEye Network <----folder

Boot into normal mode, run msconfig, select normal startup in the general tab. Run HijackThis and post a fresh log.

Do not reboot till you get instructions on your fresh HijackThis log.

Hi,

Thanks for the quick response. Sounds like my friend got himself into quite a mess with some spyware.


Here's what I did:

Fixed the items in HJT, rebooted into safe mode.

Deleted the file and two folders, ran AdAware.

AdAware found 11 CWS and "possible hijack" items which I had AdAware fix.

Rebooted into Normal Mode, ran HJT.

Here's the new log:

Logfile of HijackThis v1.98.2
Scan saved at 11:24:30 PM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javade32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\addwo32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\javade32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B62AAF5F-81D0-B02D-AC71-0F194E11C969} - C:\WINDOWS\ipvi.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addwo32.exe] C:\WINDOWS\system32\addwo32.exe
O4 - HKLM\..\RunOnce: [apiok32.exe] C:\WINDOWS\system32\apiok32.exe
O4 - HKLM\..\RunOnce: [javade32.exe] C:\WINDOWS\system32\javade32.exe
O4 - HKLM\..\RunOnce: [csrbr] C:\WINDOWS\sdkyr.exe:csrbr
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


Phil

Good. :) The difficult part follows: :)

Please don't run Adaware or any other tool in between unless requested.

Now, please download About:Buster (http://downloads.subratam.org/AboutBuster.zip) and unzip it to your desktop. Don't run it yet.

Ensure that you have Adaware SE 1.03 installed. Otherwise, download Adaware SE 1.03 (http://lavasoft.element5.com/support/download/#free) and install it.

Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

1. Go to Start > Run > services.msc which will open the Services manager. Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

2. Boot into safe mode by tapping the f8 key as your computer boots. You should do this before you see the Windows splash screen.

3. Also, make sure you can see hidden files; Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Setting, choose Show Hidden Files and Folders, then click on OK and close My Computer.

4. Tick the boxes next to all of the following entries, close all other windows, preferably have only HijackThis running, then click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fulpg.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B62AAF5F-81D0-B02D-AC71-0F194E11C969} - C:\WINDOWS\ipvi.dll
O4 - HKLM\..\Run: [addwo32.exe] C:\WINDOWS\system32\addwo32.exe
O4 - HKLM\..\RunOnce: [apiok32.exe] C:\WINDOWS\system32\apiok32.exe
O4 - HKLM\..\RunOnce: [javade32.exe] C:\WINDOWS\system32\javade32.exe
O4 - HKLM\..\RunOnce: [csrbr] C:\WINDOWS\sdkyr.exe:csrbr

Delete the following files in Windows explorer if present:

C:\WINDOWS\sdkyr.exe
C:\WINDOWS\fulpg.dll
C:\WINDOWS\ipvi.dll
C:\WINDOWS\system32\addwo32.exe
C:\WINDOWS\system32\apiok32.exe
C:\WINDOWS\system32\javade32.exe

5. Double click aboutbuster.exe on your desktop. Click OK, click Start, then click OK. Save the report as a .txt file and post a copy here once you are done with all the steps.

6.Configure the Adaware for performing a full scan following instrutions below:

Double click on the Adaware icon on the desktop to open the program.
Click 'Check for updates now'
If you use a proxy to connect, Click 'Configure' otherwise Click 'Connect' and download the updated definitions file if available.
Click 'Start' to choose a scan mode.
Select 'Perform Full System scan'
Click 'Next' to start the scan
After the scan is complete, it will list malware files and registry keys, Click 'Next'
Under the critical objects tab, right click in the list, choose Select All, then 'Next'
Choose OK when it asks for verification of checked items
Close Adaware

7. Clean out temporary and TIF files. The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\Your Profile\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\Your Profile\Local Settings\Temp\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temp\
* Empty your "Recycle Bin".

8. Reboot to normal mode, do an online scan at housecall.trendmicro.com (http://housecall.trendmicro.com/) and let it remove any infected files found.

9. Scan again with HijackThis and post a new log (edit:alongwith with aboutbuster report) here.

Wow. That was a long, involved process.

When I ran HJT in safe mode, the names of the files had been changed from fulpg.dll to sdkyr.dll... I assume I was right to remove these?

AdAware full scan found 3 CWS files and 2 VX.2 files which I deleted.

The virus scanner found something like 23 infected, non-cleanable files. I deleted those.

Here's the new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 1:27:38 AM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Am I clean?

What can I do to make sure this guy's computer doesn't get infected again? I don't want to have to go through this process again for him. Should he use Mozilla instead of IE?

Phil

Well done :) Looks pretty clean.

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here (http://www.spywareinfo.com/~merijn/winfiles.html#control) and download the version of control.exe for your operating system. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here (http://members.aol.com/toadbee/hoster.zip) Press 'Restore Original Hosts' and press 'OK'
Exit Program.

As you have Spybot S&D installed you may also need to replace one file.
Go here (http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

Now that is done, Reboot 3 or 4 times, go online, surf for sometime. Scan with HijackThis again and post a fresh log to make sure that you are clean, finally.

Did you save the About:Buster log ? please post it here alongwith the HJT log.What can I do to make sure this guy's computer doesn't get infected again? I don't want to have to go through this process again for him. Should he use Mozilla instead of IE? Alternate browsers like Mozilla or Firefox will definitely help in reducing the chance of malware infection. Additionally, I strongly recommend installing two fine freeware SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) and SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) by JavaCool. SpywareBlaster will prevent installation of Active-X based spyware/adware/hijackers whereas SpywareGuard offers realtime heuristic protection from most spyware installation attempts.

Also look here for tips on avoiding malware (http://computercops.biz/postt7736.html)

Knew I forgot something. Here is the log:



Scanned at: 12:20:44 AM on: 8/18/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 2 Random Key Entries
Deleted 1 Service Keys Successfully!
Removed! : C:\WINDOWS\apiih.exe
Removed! : C:\WINDOWS\apilq.exe
Removed! : C:\WINDOWS\bcjrpf.dat
Removed! : C:\WINDOWS\crbd.exe
Removed! : C:\WINDOWS\crgp32.exe
Removed! : C:\WINDOWS\cssve.dat
Removed! : C:\WINDOWS\d3vq32.exe
Removed! : C:\WINDOWS\fmhth.dat
Removed! : C:\WINDOWS\hscjg.dat
Removed! : C:\WINDOWS\ihcnd.dat
Removed! : C:\WINDOWS\ipjt32.exe
Removed! : C:\WINDOWS\ipjt32.exe.bak
Removed! : C:\WINDOWS\ipne32.exe
Removed! : C:\WINDOWS\ipul.exe
Removed! : C:\WINDOWS\mspr32.exe
Removed! : C:\WINDOWS\netru.exe
Removed! : C:\WINDOWS\nymzt.dll
Removed! : C:\WINDOWS\uvxffr.dat
Removed! : C:\WINDOWS\yrbioi.dat
Removed! : C:\WINDOWS\System32\addag32.exe
Removed! : C:\WINDOWS\System32\addrp.exe
Removed! : C:\WINDOWS\System32\ahuaf.dat
Removed! : C:\WINDOWS\System32\apicu32.exe
Removed! : C:\WINDOWS\System32\apiym32.exe
Removed! : C:\WINDOWS\System32\atldr.exe
Removed! : C:\WINDOWS\System32\atlgg.exe
Removed! : C:\WINDOWS\System32\bhayj.dat
Removed! : C:\WINDOWS\System32\crer.exe
Removed! : C:\WINDOWS\System32\crzb.exe
Removed! : C:\WINDOWS\System32\ddypg.dat
Removed! : C:\WINDOWS\System32\msni.exe
Removed! : C:\WINDOWS\System32\ntiu.exe
Removed! : C:\WINDOWS\System32\winql32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!



I'm going to take care of the other stuff and then I'll probably post a new HJT log tonight or tomorrow.

Thanks for all the help!

Phil

Originally posted by shanmuga

Go here (http://www.spywareinfo.com/~merijn/winfiles.html#control) and download the version of control.exe for your operating system. For Windows XP, copy it to c:\windows\system32\.

Is there another site for downloading control.exe? I can't seem to access spywareinfo.com. I get a "page cannot be displayed" error.

Phil

Spywareinfo seems to be having server problems. You can get those files from this mirror,

merijn.richardthelionhearted.com (http://www.richardthelionhearted.com/~merijn/winfiles.html)

Great. I downloaded the file and replaced the existing one. I don't think I had any problems with the control panel, but better safe than sorry, right?

I installed SpywareBlaster, but haven't installed SpywareGuard yet. Does it take up a lot of system resources? This machine is a 1.8GHz Celeron with 256MB of RAM. I don't know if my friend would notice, but I wouldn't want to put something on his machine that would be a resource hog. Or does the benefit outweight the cost?

Here's the new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 10:14:52 PM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\hjt\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Still clean?

Thanks for all the time you took to help out. You guys are performing an invaluable public service.

Phil

Your log is clean of malware. Spywareguard uses about 5-7 MB of memory with nil cpu usage. It adds another layer of protection and is highly recommended. May be you should try and impress upon your friend to add some more memory. :)