>_<
Logfile of HijackThis v1.99.1
Scan saved at 3:16:29 PM, on 4/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\atllm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.YOUR-O0KWKW9JWC\Desktop\Stephanie's Stuff\hijackthis\HijackThis.exe
C:\WINDOWS\mfcwv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {84B24A78-E175-AED1-512C-CFF226F9C0DB} - C:\WINDOWS\system32\ntwz.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B7222E7-0B3D-4C74-9077-E29A2AE10141}: NameServer = 205.188.146.145
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Remote Procedure Call (RPC) Helper (? 6Q??'????8) - Unknown owner - C:\WINDOWS\atllm.exe" /s (file missing)
Please!! Someone!! Help!!
Started By St3vien1x, Apr 08 2005 07:24 PM
1 reply to this topic
#1
Posted 08 April 2005 - 07:24 PM
#2
Posted 08 April 2005 - 10:13 PM
Print these instructions so you will have them to refer to. Most of what you will be doing is going to be in Safe Mode.
Before we begin the fixes, download AboutBuster from here:
http://www.malwareby...AboutBuster.zip
Unzip it to your desktop, but don't run it yet; we'll do that later on.
Now to begin.....
First:
If running, kill the following processes in Task Manager:
desktop.exe
edmond.exe
ffisearch.exe
Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop
CODE
REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]
[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]
[-HKEY_CLASSES_ROOT\mfiltis]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
Third:
Execute the following commands:
Start -> Run -> regsvr32 /u C:\Windows\isrvs\mfiltis.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\msdbhk.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\sysupd.dll
Fourth:
Reboot your computer into Safe Mode* (stay in Safe Mode until directed otherwise)
Delete the following files/folders (if present) in C:\Windows\ or C:\Windows\System32\
delprot.ini
delprot.log
desktop.exe
isrvs (delete the entire folder)
Fifth:
Delete the following file:
C:\windows\system32\drivers\delprot.sys
Sixth:
Delete the following files/folder (if present) in C:\Documents and Settings\\Desktop\
anal exploits.url
big dick school for 2.95.url
evidence eraser.lnk
popup blocker stops popups.lnk
spyware avenger.lnk
virus hunter security.lnk
your platinum visa.lnk
Seventh:
1. We need IE to remain closed throughout the process.
2. Make sure your PC is configured to show hidden files
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"
3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
4. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...001052409420406
5. Scan with Hijack This (current version is 1.99.1) and put checks next to all the following, then click "Fix Checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {84B24A78-E175-AED1-512C-CFF226F9C0DB} - C:\WINDOWS\system32\ntwz.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper (? 6Q??'????8) - Unknown owner - C:\WINDOWS\atllm.exe" /s (file missing)
Delete the following files/folders:
C:\WINDOWS\atllm.exe
C:\WINDOWS\system32\vkqkl.dll
C:\WINDOWS\system32\ntwz.dll
C:\WINDOWS\System32\private-zone.exe
6. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.
7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
8. Reboot to normal mode, scan again with Hijack This and post a new log here.
9. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.
Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)
If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.c...n/winfiles.html and download the needed file.
For a missing Hosts file:
Download Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself
If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
10. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Quote:
ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)
11. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
Eighth:
Download DelDomains.inf from here:
www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the deldomains.inf file and select 'Install'
When it's finished your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.
Ninth:
Download and install Microsoft AntiSpyware from this link:
http://www.microsoft...re/default.mspx
Start the program
Select File -> Check for updates
Once updated press the Target icon at the top right
Select 'Scan Options'
Select 'Full system scan' and be sure 'Save these options' is also checked
Press 'Run Scan Now'
Last:
Run HiJackThis again and post a new log in this thread.
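A first-pass check on a log like the one above, as an added example that is not part of the thread and not a HijackThis feature. The Python below re-reads a subset of the posted log lines (copied from the first post; the full log works the same way) and flags entries with the same reasoning the reply applies: res:// search pages served out of a DLL, an unnamed BHO, autoruns living in the Windows directory, a site pushed into the Trusted zone, a text/html MIME filter, and a service whose binary is missing or whose name is garbled. The severity labels, and the rule that an autorun under %WINDIR% is only medium, are my assumptions; the O17 DNS entry is reported as info only, because a NameServer override can be legitimate and the address should be checked against the ISP rather than deleted on sight.

```python
"""Heuristic triage of a HijackThis 1.99.x log.

Added example for this thread, not code from HijackThis or from either poster.
SAMPLE_LOG is a subset of the log posted above; the severity rules are my own
assumptions about what a CoolWebSearch-style hijack looks like.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vkqkl.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {84B24A78-E175-AED1-512C-CFF226F9C0DB} - C:\WINDOWS\system32\ntwz.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B7222E7-0B3D-4C74-9077-E29A2AE10141}: NameServer = 205.188.146.145
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Helper (? 6Q??'????8) - Unknown owner - C:\WINDOWS\atllm.exe" /s (file missing)
"""

# Drive-letter path; stops at whitespace, a quote, or the "/sp.html" suffix of a res:// URL.
# Limitation: a path containing spaces is cut at the first space.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"/]+')


def triage_line(line):
    """Classify one log line; return (severity, reason) or None when it looks benign."""
    kind, _, rest = line.partition(" - ")
    kind, rest = kind.strip(), rest.strip()
    if kind in ("R0", "R1"):
        if "res://" in rest:
            return "high", "IE start/search page served out of a DLL via res:// (classic CWS)"
        if rest.endswith("= about:blank"):
            return "medium", "default page blanked; usually collateral from the same hijack"
    elif kind == "R3" and "missing" in rest:
        return "medium", "default URLSearchHook removed; restore it after cleanup"
    elif kind == "O2" and "(no name)" in rest:
        return "high", "anonymous Browser Helper Object loaded into every IE process"
    elif kind == "O4":
        # Target is the text after "[name]" for Run keys, or after "=" for Startup-folder links.
        m = re.search(r"\]\s*(.+)$", rest) or re.search(r"=\s*(.+)$", rest)
        target = (m.group(1) if m else rest).strip()
        # Assumption: vendor autoruns live under Program Files; a binary dropped straight
        # into %WINDIR% or System32 deserves a look, so rate it medium rather than high.
        if target.lower().startswith(r"c:\windows"):
            return "medium", "autorun binary inside the Windows directory; verify publisher"
    elif kind == "O15":
        return "high", "site added to the Trusted zone, which relaxes ActiveX policy for it"
    elif kind == "O17":
        return "info", "DNS server override; confirm the address belongs to the ISP"
    elif kind == "O18":
        return "high", "text/html MIME filter can rewrite every page IE renders"
    elif kind == "O23":
        # Extraction turns the random non-ASCII service names CWS uses into '?' characters.
        if "(file missing)" in rest or re.search(r"\([^)]*[?\x80-\uffff][^)]*\)", rest):
            return "high", "service with missing binary or garbled name"
        if "Unknown owner" in rest:
            return "info", "service without a publisher string; check the binary"
    return None


def triage(log_text):
    """Run triage_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verdict = triage_line(line)
        if verdict:
            severity, reason = verdict
            findings.append({"severity": severity, "kind": line.partition(" - ")[0].strip(),
                             "reason": reason, "line": line})
    return findings


def count_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))


def files_to_inspect(findings):
    """Distinct on-disk paths referenced by high/medium findings (case-insensitive dedupe)."""
    seen = {}
    for f in findings:
        if f["severity"] in ("high", "medium"):
            for path in WIN_PATH.findall(f["line"]):
                seen.setdefault(path.lower(), path)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']:6}] {f['kind']:3} {f['reason']}")
    print(count_by_severity(found))
    print(*files_to_inspect(found), sep="\n")
```

Run as a script it prints the findings, the severity counts, and the five on-disk files the reply tells the user to delete; the point of files_to_inspect is to pull that list out of the log mechanically so nothing is lost between the log and the instructions.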
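The reply has the user merge fixme.reg without reading it. A [-key] section deletes the whole subtree with no undo, so a dry run is worth doing first. The script below is an added example (mine, not a tool the helper used) that parses an excerpt of the posted fixme.reg in REGEDIT4 syntax and lists what each line would do, without touching any registry. It also warns about three things a careful reader can spot in the file as posted: a value line sitting directly under a [-key] header ("NoDevMgrUpdate" under the HKCU Policies\Explorer deletion), which is never written because the key has just been removed (my assumption about regedit's behaviour, marked in the code); values written under WindowsUpdate\AU right before the parent WindowsUpdate policy key is deleted, so those writes are wasted (harmless here, since the goal is to clear the policy either way); and a section header that appears twice. Only the documented .reg grammar is assumed ([-key], "name"=dword:, "name"="...", "name"=-).

```python
"""Dry-run review of a REGEDIT4-format .reg file before it is merged.

Added example for this thread, not code from the helper. SAMPLE_REG is a
short excerpt constructed from the fixme.reg posted above; the parser follows
the documented .reg syntax and never calls into the registry.
"""
import re
from collections import Counter

SAMPLE_REG = r"""REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SECTION = re.compile(r"^\[(-?)(.+)\]$")                 # [key] opens, [-key] deletes
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')     # "name"=data or @=data


def decode_value(raw):
    """Decode the right-hand side of a value line into (type, python value)."""
    if raw == "-":
        return "delete", None
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "string", raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.lower().startswith("hex"):
        return "binary", raw          # hex(...) blobs are left undecoded
    return "unknown", raw


def parse_reg(text):
    """Return (actions, warnings) describing what merging the file would do."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    actions, warnings, seen = [], [], set()
    key, deleting = None, False
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            deleting, key = bool(m.group(1)), m.group(2)
            if line.lower() in seen:
                warnings.append(f"line {n}: duplicate section {line}")
            seen.add(line.lower())
            actions.append({"op": "delete_key" if deleting else "open_key", "key": key, "line": n})
            continue
        m = VALUE.match(line)
        if not m or key is None:
            warnings.append(f"line {n}: unparsed line {line!r}")
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        vtype, value = decode_value(m.group(2))
        if deleting:
            # Assumption: regedit has no open key after a [-key] header, so this value is never written.
            warnings.append(f"line {n}: value {name!r} listed under a deleted key, never written")
            continue
        actions.append({"op": "delete_value" if vtype == "delete" else "set_value",
                        "key": key, "name": name, "type": vtype, "value": value, "line": n})
    # A value written under a key (or a sub-key) that a later section deletes is wasted work.
    for i, a in enumerate(actions):
        if a["op"] != "set_value":
            continue
        for later in actions[i + 1:]:
            if later["op"] == "delete_key" and \
                    (a["key"].lower() + "\\").startswith(later["key"].lower() + "\\"):
                warnings.append(f"line {a['line']}: {a['name']!r} is written under {a['key']} "
                                f"but line {later['line']} deletes that key")
                break
    return actions, sorted(warnings, key=lambda w: int(w.split()[1].rstrip(":")))


def count_ops(actions):
    return dict(Counter(a["op"] for a in actions))


if __name__ == "__main__":
    acts, warns = parse_reg(SAMPLE_REG)
    for a in acts:
        if a["op"] == "set_value":
            print(f"line {a['line']:3}: SET        {a['key']}\\{a['name']} = {a['type']}:{a['value']}")
        else:
            print(f"line {a['line']:3}: {a['op'].upper():10} {a['key']}")
    print(count_ops(acts))
    for w in warns:
        print("WARNING", w)
```

Before merging the real file, export the keys it deletes from regedit (File > Export) so the change can be reversed if a deletion turns out to hit something wanted; the script only tells you what will happen, it does not make it undoable.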