
Dankwsc

Browser Hijacked-please Help!


Browser has been hijacked... not sure how, when, or why. I was receiving assistance with this until the forum I was on before stopped working. Could someone please take over where we left off? Attached is my most recent HijackThis log. Unfortunately, this nasty "thing" has rendered my internet useless, therefore I will be corresponding from another computer, so I appreciate your patience. Thanks in advance!

Logfile of HijackThis v1.99.1

Scan saved at 3:01:06 PM, on 6/13/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\userinit.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\ctfmon.exe

C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

R3 - URLSearchHook: (no name) - {C6000CE3-6670-D005-3C35-F82D96F63836} - NsCplTray.dll (file missing)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

O2 - BHO: Internet Explorer Hot Fix - {D849BA66-677C-421A-9916-FCFB5D6B9A75} - C:\WINNT\system32\itunb.dll

O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn64.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [abrek] PasswdMon.exe

O4 - HKLM\..\Run: [MONITER] DTOURS.exe

O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

O4 - HKCU\..\Run: [eB7mRPfsj] aamcom.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKCU\..\Run: [setupExeDll] RtlFindVal.exe

O4 - HKCU\..\Run: [keybdll] SysEntry.exe

O4 - HKCU\..\Run: [xxtoolbar] 34763.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted IP range: 67.19.178.84

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Awlwsterkfp - Unknown owner - (no file)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS


Hi Dankwsc, I'm guessing the forum you were being helped at is Spywareinfo :). That's my home forum, so it's only fitting that I should continue. Can you tell me the name of the helper that was working on your log so I can inform him/her, so they don't take the time to respond to your log when SWI gets back online?

The HijackThis log you posted appears to have been done in Safe Mode. Please post a log from Normal Mode; it's important that I see everything that's running, and I'll be happy to help. Also, can you tell me what you mean when you say your Internet is "useless"? Is it that you can't get online at all, or that it's too messed up to do anything? I'd say we need to fix that as quickly as possible.


Thanks, insipid, for your reply. To answer your question, Dave38 on SpywareInfo was in the process of helping me. The log that I listed was in fact done in Safe Mode, as that is the only mode that I can truly operate in. When I try to run a HijackThis log in Normal Mode, SpySheriff and WareOut completely shut me down and won't let me finish running it (it freezes my computer and I am getting tons of popups). My internet will not work properly as a result of this too. That is why I am having to correspond with you from my office at work, so please be patient with me. Once you give me direction(s) I will usually have to go home at night and work on it, then I will email you back the next day with the result, until we can get the internet up and running again. My computer is barely breathing, but I am confident that help is on the way!! Thanks again!


Insipid,

-I will try to get a log in normal mode today if I can, otherwise the most recent log run in safe mode is on the original message. Thanks!


Dankwsc, since I haven't heard back, I'm going to work with this log. You have quite a mess there, so this may take a few posts to clear up.

First, download and install CleanUp!, but do not run it yet. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite

  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen

You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click update
  • Click on Start

The update will start and a progress bar will show the updates being installed.

After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Run Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

After you're done running CleanUp!, follow the instructions below:

  • Run Ewido.
  • Click on Scanner.
  • Make sure the following boxes are checked before scanning:

    • Binder
    • Crypter
    • Archives

  • Click on Start Scan.
  • Let the program scan the machine.

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

  • Click Save report
  • Save the report to your desktop

Reboot into normal mode.

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Program Files\SpySheriff <-whole folder

C:\Windows\Desktop.html

C:\winstall.exe

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

R3 - URLSearchHook: (no name) - {C6000CE3-6670-D005-3C35-F82D96F63836} - NsCplTray.dll (file missing)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

O2 - BHO: Internet Explorer Hot Fix - {D849BA66-677C-421A-9916-FCFB5D6B9A75} - C:\WINNT\system32\itunb.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn64.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [abrek] PasswdMon.exe

O4 - HKLM\..\Run: [MONITER] DTOURS.exe

O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe

O4 - HKCU\..\Run: [eB7mRPfsj] aamcom.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKCU\..\Run: [setupExeDll] RtlFindVal.exe

O4 - HKCU\..\Run: [keybdll] SysEntry.exe

O4 - HKCU\..\Run: [xxtoolbar] 34763.exe

O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted IP range: 67.19.178.84

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab

O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll

O23 - Service: Awlwsterkfp - Unknown owner - (no file)

Close HiJackThis.

Please delete these Folders and Files using Windows Explorer:

C:\WINNT\q20924938_disk.dll << This file

C:\Program Files\WareOut << This folder

C:\Program Files\WareOut\WareOut.exe << This file

* 34763.exe << This file

* SysEntry.exe << This file

* RtlFindVal.exe << This file

C:\Program Files\WareOut\WareOut.exe << This file

* aamcom.exe << This file

* winole.exe << This file

* DTOURS.exe << This file

* PasswdMon.exe << This file

C:\WINNT\system32\popcorn64.exe << This file

C:\WINNT\System\svchost.exe << This file

C:\Program Files\PSGuard << This folder

C:\WINNT\system32\perfcl.exe << This file

C:\WINNT\system32\vfxrc.dll << This file

C:\WINNT\system32\itunb.dll << This file

C:\WINNT\system32\vfxrc.dll << This file

C:\WINNT\ceres.dll << This file

* Locate via Start > Search

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download smitfraud.reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry, click YES. After the "merged successfully" prompt, please reboot your computer.

You should be able to change your desktop back to normal now.

Post the report from Ewido and a new HiJackThis log into this topic.

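A defender's triage helper for HijackThis logs like the ones in this thread, added here as an example; it is not part of the original posts and not a HijackThis feature. It encodes the checks the fix list above reflects (entries whose file is missing, autoruns by bare filename that must be located before removal, a system binary name loaded from a non-system32 folder, Trusted Zone, NameServer and Winlogon Notify changes) and runs them over lines copied from the log above; the allowlist of bare names that Windows starts legitimately is an assumption.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Assumption: names Windows legitimately starts from the Run key without a path,
# taken from the entries the helper left alone in this thread.
KNOWN_BARE_NAMES = {"ctfmon.exe", "mobsync.exe"}
# Core system binaries that should only ever load from the system32 directory.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"\\Run(?:Services)?: \[[^\]]*\] (.*)$")

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html
R3 - URLSearchHook: (no name) - {C6000CE3-6670-D005-3C35-F82D96F63836} - NsCplTray.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s
O4 - HKLM\..\Run: [abrek] PasswdMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll
O23 - Service: Awlwsterkfp - Unknown owner - (no file)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def _first_token(command: str) -> str:
    """Return the executable part of a Run-key command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_line(line: str) -> List[Finding]:
    """Apply the review checks to one HijackThis entry; [] means nothing notable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings: List[Finding] = []
    if "(file missing)" in body or "(no file)" in body:
        findings.append(("orphaned entry: registry points at a file that is gone", line))
    if section in ("R0", "R1") and re.search(r"= [A-Za-z]:\\", body):
        findings.append(("start/search page redirected to a local file", line))
    if section == "O4":
        rm = RUN_RE.search(body)
        if rm:
            exe = _first_token(rm.group(1))
            folder, _, name = exe.lower().rpartition("\\")
            if not folder and name not in KNOWN_BARE_NAMES:
                findings.append(("autorun by bare filename, no path: locate the file before removing", line))
            elif name in SYSTEM_BINARIES and not folder.endswith("system32"):
                findings.append(("system binary name loaded from a non-system32 directory", line))
    if section == "O15":
        findings.append(("trusted zone/IP range added: these sites bypass IE's zone prompts", line))
    if section == "O17":
        servers = body.split("NameServer = ", 1)[-1]
        findings.append((f"DNS servers hard-set to {servers}: confirm they are your ISP's", line))
    if section == "O20":
        findings.append(("Winlogon Notify DLL loads at every logon: verify its origin", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```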

Insipid,

-Unfortunately last night when I tried to run a log in normal mode, it would cut me off every time. I will proceed today with your instructions. Thanks!


Insipid,

-I installed both cleanup and Ewido, however when I tried to update Ewido per your instructions, I could not since my internet isn't working. I guess we need to fix the internet problem before I can go any further with the instructions above. Please advise. Thanks!


I proceeded with your instructions despite not being able to use Ewido even in Safe Mode. However, when I started to "fix all checked" in HijackThis (Normal Mode) I would get the following window and it would close the program down:

The instruction at "0x100018a6" referenced memory at "0xeb01001b". The memory could not be "written".

Very frustrated!!!


Insipid,

-Here is my last HijackThis log that I ran in Safe Mode:

Logfile of HijackThis v1.99.1

Scan saved at 8:49:18 PM, on 6/27/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [xdkbyxru] c:\winnt\system32\xdkbyxru.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Awlwsterkfp - Unknown owner - (no file)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


Dankwsc, that actually did quite a bit of good. We have more to do, though.

Please first save these directions to the desktop as a text file, because you will need to copy and paste part of them later, once we are in Safe Mode.

Click Start >> Run

Type "services.msc" (without the quotes) in the run box that pops up.

Locate Awlwsterkfp, right-click on it and select 'Properties'.

Click 'Stop'.

Set 'Startup Type' to 'Disabled'.

Exit services.msc.

1) Please download the Killbox.

Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\winnt\system32\xdkbyxru.exe

C:\WINNT\wupdt.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Rescan with HijackThis and place a checkmark next to the following entries:

O4 - HKLM\..\Run: [xdkbyxru] c:\winnt\system32\xdkbyxru.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

O23 - Service: Awlwsterkfp - Unknown owner - (no file)

Did you, an Administrator, or a program such as Spybot Search & Destroy set the following restriction? If not, fix it too.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

Reboot normally and post a fresh HJT log for review. If you still can't get one from Normal Mode, redownload HijackThis from Here.

Unzip it to the same folder you have HJT in now, allowing it to overwrite the current version. If it still doesn't work, go ahead and post a log from Safe Mode.


Insipid,

-Did all that you had instructed. However, I did not fix "O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present", as I wasn't sure what that was. Should I still delete it or leave it alone? Here is the new log:

Logfile of HijackThis v1.99.1

Scan saved at 9:20:26 PM, on 6/29/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\AIM\aim.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINNT\NCLAUNCH.EXe

C:\WINNT\system32\ctfmon.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


Well, this log is from Normal Mode, well done :). You can leave that O6 entry if you're not sure about it. The only thing I see that's left is this line:

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

WildTangent is thought to collect data regarding your surfing habits and report back to its controlling server. I suggest removing it, but the choice is yours. If you choose to remove it, fix the entry with HJT and then remove 'WildTangent' in Add/Remove Programs.

Other than that, your log is clean. How's it running?

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one. Here are a few free ones:

Kerio Personal Firewall

Zone Alarm

Sygate Personal Firewall

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.


Insipid,

-It is running much better! I will proceed with your instructions. I am still, however, having problems getting on the internet. Could it be that all this software that I have added since the beginning is blocking my connection? Should I delete HijackThis, Ewido, etc. when we are all finished?


You could uninstall Ewido; the real-time protection is only a 14-day trial, but it's good to keep around for scanning purposes, and you can still use it for that afterwards. I very much doubt it or HJT are blocking your connection.

Can you describe your connection difficulties in more detail?


Insipid,

-Solved the internet problem. Computer is running like new. Thanks for all your help. Don't know what I would have done without your help. I am installing the programs that you had recommended so that this does not happen again!
