browser hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stansnet, Dec 26, 2004.

  1. stansnet

    stansnet Private E-2

    Spent most of the day running scans from the sticky thread.
    Trend - 2 NarratorA & 2 Small.CB deleted
    Symantec - Backdoor.Dister (haven't deleted)
    Avert - clean
    Adaware - 300+ removed (got a close window message on Run32.dlll window while running)
    Spybot - 43 removed
    Cw - clean
    kill2me - ok
    Avast - Win32.Adware-007 Trj (system\mqexdlm.srg) can't remove

    I keep getting new entries added to the startup menu (which I uncheck) every time I web search.

    Suggestions on what to remove and how, and if you want an HJT log.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!
     
  3. stansnet

    stansnet Private E-2

    I am using MS 98 and Firefox as my browser, since I have experienced so many problems with IE. Here is the HJT log. I have done all the scans in the sticky thread. Thanks for the help.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, your HijackThis log is a mess. BEFORE removing anything with HijackThis, please close all applications, including all web browsers.

    Run HijackThis and have it remove all the following entries:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
    R3 - Default URLSearchHook is missing

    If you do not want reminders from your HP Deskjet to clean the cartridges from time to time, you can remove the F1 line. Otherwise leave it (Added by chaslang)
    F1 - win.ini: run=hpfsched
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: CBho404 Object - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
    O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
    O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\IESEARCHTOOLBAR.DLL (file missing)
    O4 - HKLM\..\Run: [XEEHOR] C:\WINDOWS\XEEHOR.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [yawpgqno] C:\WINDOWS\SYSTEM\owfwsbwh.exe
    O4 - HKLM\..\Run: [Zq] C:\WINDOWS\TEMP\ZQ.EXE
    O4 - HKLM\..\Run: [pvyewcfe] C:\WINDOWS\xcdth.exe
    O4 - HKLM\..\Run: [3A2RF6#4B5NYN#] C:\WINDOWS\SYSTEM\Kxa2Xd2c.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
    O4 - HKLM\..\Run: [q34P36V] DECTWH16.EXE
    O4 - HKLM\..\Run: [enklyfmn] C:\WINDOWS\enklyfmn.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\ogqyvi.exe
    O4 - HKCU\..\Run: [b0vFRWZmQ] KSUITK16.EXE
    O4 - Startup: pifyku.exe
    O4 - Startup: BackWeb.lnk = C:\CPQS\BackWeb\Program\backweb.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.topconverting.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)


    NOTE: For the entry below you will need LSP FIX.
    Just open this tool; the file will most likely be ready to be removed, so just click Finish. If not, select "I know what I'm doing" and select THIS FILE ONLY!!! DO NOT REMOVE ANY OTHER FILE; if you do, it could cause your LSP chain to be broken. Select the file aklsp.dll, move it to the right, and click Finish.

    O10 - Broken Internet access because of LSP provider 'c:\windows\system\aklsp.dll' missing
     
    Last edited by a moderator: Dec 26, 2004
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you do the steps in my previous post I would like for you to install and run Spy Sweeper just to make sure you're clean. Follow these steps to do this.

    1) Download Spy Sweeper 3.5

    2) Run Spy Sweeper. After the program comes up you may get some alerts; just ignore them for now.

    3) Click Options, Update Definitions

    4) After you update your definitions, click on "Sweep Now"

    5) Click START

    6) After the scan is complete, click NEXT

    7) Select all objects found and remove all


    After you do this scan and remove objects from HijackThis, please post a fresh HijackThis log as an attachment. Thanks!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    There is nothing wrong with the following items:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...&s=search&i=enu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...&s=search&i=enu
    F1 - win.ini: run=hpfsched
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [Essdc] essdc.exe
    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

    If Stansnet fixes those items he is going to run into problems with Windows Media Player, his ATI video card, his sound card, and his software for Dictionary and Encyclopedia. He will also lose his start and search page settings.

    While this F1 - win.ini: run=hpfsched is certainly not required, you should ask the user their preference. HPFSCHED is a small TSR that will remind you to clean the cartridges in your DeskJet from time to time in order to keep print quality high. It can be removed from the run line in win.ini if you do not want that feature.

    You also need to complete the cleanup procedure by removing all the baddies from the computer.

    I'm going to edit your message to prevent the user from having problems. Your original message will remain here in the quoted box.

     
    Last edited: Dec 26, 2004
  7. stansnet

    stansnet Private E-2

    Unfortunately, I had already deleted those items suggested in the first thread.
    After I ran Spy Sweeper, I had problems getting online (Firefox would not load, and Explorer would open, but then close).
    I restored the deleted files from Sweeper, ran new Adaware and Spybot scans, and have a new HJT log if you want it.
    I still have many strange entries in the Startup list and suspect I still have Backdoor.dister, since I have not removed it (the Symantec scan didn't delete it).
    Should I restore the files from HJT you suggested?
    (You were right, my monitor didn't start on boot (ATI commands?).)
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Restore all fixed items with HJT. Now remove the entries below:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
    R3 - Default URLSearchHook is missing
    If you do not want reminders from your HP Deskjet to clean the cartridges from time to time, you can remove the F1 line. Otherwise leave it (Added by chaslang)
    F1 - win.ini: run=hpfsched
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: CBho404 Object - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
    O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
    O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\IESEARCHTOOLBAR.DLL (file missing)
    O4 - HKLM\..\Run: [XEEHOR] C:\WINDOWS\XEEHOR.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [yawpgqno] C:\WINDOWS\SYSTEM\owfwsbwh.exe
    O4 - HKLM\..\Run: [Zq] C:\WINDOWS\TEMP\ZQ.EXE
    O4 - HKLM\..\Run: [pvyewcfe] C:\WINDOWS\xcdth.exe
    O4 - HKLM\..\Run: [3A2RF6#4B5NYN#] C:\WINDOWS\SYSTEM\Kxa2Xd2c.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
    O4 - HKLM\..\Run: [q34P36V] DECTWH16.EXE
    O4 - HKLM\..\Run: [enklyfmn] C:\WINDOWS\enklyfmn.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\ogqyvi.exe
    O4 - HKCU\..\Run: [b0vFRWZmQ] KSUITK16.EXE
    O4 - Startup: pifyku.exe
    O4 - Startup: BackWeb.lnk = C:\CPQS\BackWeb\Program\backweb.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.topconverting.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)


    NOTE: For the entry below you will need LSP FIX.
    Just open this tool; the file will most likely be ready to be removed, so just click Finish. If not, select "I know what I'm doing" and select THIS FILE ONLY!!! DO NOT REMOVE ANY OTHER FILE; if you do, it could cause your LSP chain to be broken. Select the file aklsp.dll, move it to the right, and click Finish.

    O10 - Broken Internet access because of LSP provider 'c:\windows\system\aklsp.dll' missing


    I do apologize for any inconvenience this may have caused.

    Can you post me a log from SpySweeper?
     
  9. stansnet

    stansnet Private E-2

    Restored HJT and removed the list in your last post.
    LSP was cleared yesterday and is clean.
    Spybot is clean.
    Avast was clean.
    Spy Sweeper startup shield listed these 2 (narrator and pifyku.exe).
    Log is attached.
    I didn't delete these, because of yesterday's browser failure (could this be picking up quarantined files from other scans?).
    Thanks for the help.
     
  10. stansnet

    stansnet Private E-2

    Just realized the file didn't attach; here it is.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Spy Sweeper doesn't find any quarantined files from anything other than what it detects and you remove.

    I noticed from your Spy Sweeper log that you have a good bit of spyware & trojan horse infections. Did you remove these infections from Spy Sweeper? If not, run a full scan and remove all found traces. Doing this should not affect your internet; this will remove your bad infections. After you do this, run TrojanHunter, click C: and do a full scan. Reboot and post me a new HJT log. Thanks!

    Download TrojanHunter

    Note: During installation of TrojanHunter it will prompt you to update. Update definitions.
     
  12. stansnet

    stansnet Private E-2

    Ran both scans and removed listings.
    Browsers still working (yes!).
    Still have repetitive links (that were removed in past scans) in HJT.
    The only thing I can think of is the Backdoor.dister that Symantec found in the
    windows\wavplay.exe file (this has not been removed through any scan).
    I think we're close, much is gone and no redirects lately in the browser, but still many unknown files in the startup folder.

    Here is the HJT log.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, remove these items from HJT. Before fixing anything, close all browsers, including this one.

    O4 - HKLM\..\Run: [Zq] C:\WINDOWS\TEMP\ZQ.EXE
    O4 - HKCU\..\Run: [Floppy Master] C:\WINDOWS\wavplay.exe
    O4 - HKCU\..\RunServices: [Floppy Master] C:\WINDOWS\wavplay.exe
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: topconverting.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: slotchbar.com
    O15 - Trusted IP range: ysbweb.com
    O15 - Trusted IP range: crazywinnings.com
    O15 - Trusted IP range: skoobidoo.com
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O15 - Trusted IP range: topconverting.com (HKLM)
    O15 - Trusted IP range: clickspring.net (HKLM)
    O15 - Trusted IP range: mt-download.com (HKLM)
    O15 - Trusted IP range: flingstone.com (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: slotchbar.com (HKLM)
    O15 - Trusted IP range: ysbweb.com (HKLM)
    O15 - Trusted IP range: crazywinnings.com (HKLM)
    O15 - Trusted IP range: skoobidoo.com (HKLM)
    O15 - Trusted IP range: searchmiracle.com (HKLM)
    O15 - Trusted IP range: windupdates.com (HKLM)


    After removal of these entries, reset web settings, default all settings and reboot. Post a new log. Thanks!

    Did TrojanHunter find anything?

    If the wavplay.exe is still there we will delete it via Killbox. I will look at new log to determine.
     
  14. stansnet

    stansnet Private E-2

    TrojanHunter found and deleted:
    HKey_localmachine\software\wildarcade
    180search in system\lycos.dlllsb7.xe
    sidefind in angelex.exe
    sidefind in windows\zeta.exe
    Found but not deleted, possible trojan:
    system\twink64.exe

    Followed the steps in your post.
    Trusted zones keep returning.
    Could it be the twink64?

    Computer's running much better, I think we're close.
    Here's HJT.
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, the twink64.exe is a Trojan.Downloader.

    Go into the System directory and delete the file manually. This should take care of that file.

    The HJT log looks OK except for the entries below; remove those again.
    Before you remove these entries, go into Internet Properties and default all your settings.

    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: topconverting.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: slotchbar.com
    O15 - Trusted IP range: ysbweb.com
    O15 - Trusted IP range: crazywinnings.com
    O15 - Trusted IP range: skoobidoo.com
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O15 - Trusted IP range: topconverting.com (HKLM)
    O15 - Trusted IP range: clickspring.net (HKLM)
    O15 - Trusted IP range: mt-download.com (HKLM)
    O15 - Trusted IP range: flingstone.com (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: slotchbar.com (HKLM)
    O15 - Trusted IP range: ysbweb.com (HKLM)
    O15 - Trusted IP range: crazywinnings.com (HKLM)
    O15 - Trusted IP range: skoobidoo.com (HKLM)
    O15 - Trusted IP range: searchmiracle.com (HKLM)
    O15 - Trusted IP range: windupdates.com (HKLM)


    Also, did the wavplay.exe delete? It seems to be gone per the log.
     
  16. stansnet

    stansnet Private E-2

    Removed twink64.
    wavplay still exists as a Windows file; should I delete it through Find Files?
    Restored all defaults (moved from high to medium) security and privacy.
    Removed all the trusted zone entries in HJT.
     
  17. stansnet

    stansnet Private E-2

    Trusted IP range entries reappear after removing with HJT.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There is a wavplay.exe that's a system file. That's most likely what that is. You can scan it online by going to this website and selecting browse, upload the file and it will detect whether it's infected or not. Did the HJT trusted zones return?
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have Kazaa or P2P networking installed on this machine?

    Also, do a search for twink64.exe and delete any files found.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    NOTE: Before modifying the registry please do a backup.

    Navigate to the following key:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

    If these entries appear, delete and reboot!

    Windows = "%System%\windows\services.exe"

    ControlPanel = "%System%\twink64.exe internat.dll,LoadKeyboardProfile"

    IST Service = "%Program Files%\ISTsvc\istsvc.exe"

    Internet Optimizer = "%Program Files%\Internet Optimizer\optimize.exe"

    Windows SyncroAd = "%Program Files%\Windows SyncroAd\SyncroAd.exe"

    (RANDOM)qdlctojxybe = "%System%\kxkqbbdn.exe"

    msbb = "c:\temp\msbb.exe"

    "%Windows%\xmdsl.exe"
     
  21. stansnet

    stansnet Private E-2

    twink64 is gone.
    I don't have P2P or Kazaa.
    Registry was clear.
    Trusted site list is back in HJT.
    wavplay.exe was infected with malware (UPX) according to your site scan; I ran TrojanHunter on that one file and it was OK.
    I also came across two strange files I scanned on your online site:
    wrapperOuter.exe (said might be infected malware)
    system_angelex.exe.tcf (infected with malware UPX); I think this was renamed by TrojanHunter and supposedly deleted.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    wrapperOuter.exe is part of VirtualBouncer; this should be deleted.

    system_angelex.exe.tcf is an infected file renamed by TrojanHunter.

    There still seems to be spyware on this machine. Make sure you're running definitions 437 on Spy Sweeper. Do another scan with Spy Sweeper and post me a new Spy Sweeper log. These entries should be detected.

    Go into Internet options>security
    Make sure "Internet" is set to "medium" and "Local intranet" is set to "medium-low"

    If TrojanHunter said it was clean then it probably is.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes simple fixes of the trusted zones do not work.

    Copy the contents of the bold print in the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to merge, say yes.
    Now run HJT and fix all the O15 - Trusted Zone: items that are listed.

    Then reboot your computer and get a new HJT log to post here.
     
  24. stansnet

    stansnet Private E-2

    Followed your directions and attached the HJT log.
    I deleted two traces of wrapperOuter.exe.
    Spy Sweeper log was clean.
    TrojanHunter scan was clean.

    Trusted zone entries are still there.
    Any ideas?
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get any error messages after clicking on move.reg? Did you say yes to confirm the merge into the registry? Did it appear to work?

    Also, I missed one you can add to that file:

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com]
    "*"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com]
    "*"=dword:00000004



    Try it again after booting into safe mode (DO NOT RUN ANYTHING ELSE) but before double clicking on the move.reg file, bring up Task Manager by clicking CTRL-ALT-DEL and make sure that,
    THGUARD
    FIREFOX

    are not running. If they are, kill them. Then do the merge. After doing that and while still in safe mode. Run Internet Explorer and click on Tools, Internet Options, Security, Trusted Sites. Then click the Sites button. Tell me if anything appears in the list! If they do, click on each one and select Remove (one at a time). Tell me what happens during all of this.

    By the way, are you running SpywareBlaster or SpyBot S&D?
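    The move.reg technique chaslang describes in the two posts above (delete each ZoneMap\Domains key HijackThis reports as an O15 Trusted Zone entry, then re-create it with "*"=dword:00000004 so the domain lands in the Restricted zone) can be generated straight from the O15 lines rather than typed by hand. This is an added example, not part of the thread or of HijackThis; the sample log lines are constructed from the entries quoted earlier in the thread, and it handles the HKLM variant as well as the HKCU one.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the O15 lines HijackThis reported in this thread.
HJT_O15_LINES = """\
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
"""

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
TRUSTED_ZONE = 2     # IE "Trusted sites" zone id (what the hijacker set)
RESTRICTED_ZONE = 4  # IE "Restricted sites" zone id (where move.reg puts them)

# HJT prints "(HKLM)" for machine-wide entries; everything else is HKCU.
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (\S+)(?: \((HKLM)\))?\s*$")


def parse_o15(text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, kind, target) for each O15 line; kind is 'domain' or 'iprange'."""
    entries = []
    for line in text.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue
        kind = "domain" if m.group(1) == "Zone" else "iprange"
        target = m.group(2)
        if kind == "domain" and target.startswith("*."):
            target = target[2:]  # HJT shows ZoneMap\Domains\<name> as *.<name>
        entries.append((m.group(3) or "HKCU", kind, target))
    return entries


def build_move_reg(text: str) -> str:
    """Emit a .reg script: delete each trusted-zone domain key, then re-create it
    in the Restricted zone, exactly the pattern of the hand-written move.reg."""
    out = ["REGEDIT4", ""]  # REGEDIT4 header is accepted by Win9x and NT-family regedit
    seen = set()
    for hive, kind, target in parse_o15(text):
        if (hive, kind, target) in seen:
            continue  # HJT often lists the same entry twice
        seen.add((hive, kind, target))
        root = f"{HIVES[hive]}\\{ZONEMAP}"
        if kind == "domain":
            key = f"{root}\\Domains\\{target}"
            out += [f"[-{key}]", "", f"[{key}]", f'"*"=dword:{RESTRICTED_ZONE:08x}', ""]
        else:
            # IP ranges live under ZoneMap\Ranges\Range<N>; <N> is not in the HJT
            # log, so flag the value for manual review instead of guessing a key name.
            out += [f'; review {root}\\Ranges\\Range* keys whose ":Range" value is {target}', ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_move_reg(HJT_O15_LINES))
```

    Merge the output with regedit (or double-click it as the thread describes); a domain that is still listed under ZoneMap\Domains with dword:00000002 afterwards means something re-wrote the key, which is the "something is blocking registry changes" case chaslang raises later.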
     
  26. stansnet

    stansnet Private E-2

    The move.reg seemed to go fine.
    The sites listed as trusted in the HJT log were listed under Sites in the Trusted Zone tab in Properties (by the way, the defaults took this down to low; should it be raised?). I removed them one at a time.
    I then booted out of safe mode and ran a new HJT log.

    I am running:
    Avast
    TrojanHunter Guard
    Spybot is on Immunize
    Just downloaded ZoneAlarm (which seems to be stopping access with several alerts).
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay try using this set of commands. Overwrite the old file.

     
  28. stansnet

    stansnet Private E-2

    In safe mode, added the move.reg.
    Removed the O15 list.
    Rebooted in safe mode, ran the scan and saved the log, attached.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something has to be blocking registry changes!
    Temporarily uninstall Spybot S&D and then reboot to safe mode.

    In safe mode, run Task Manager (CTRL-ALT-DEL and select Processes) and do the following:
    - end all processes related to Avast
    - end processes related to TrojanHunter Guard

    Then merge in the new move.reg file. Now look at a HijackThis log right now in safe mode.
    Are those O15 lines gone?
    Reboot normal mode? What's the status now?
     
  30. stansnet

    stansnet Private E-2

    Removed Spybot.
    Merged move.reg in safe mode.
    Removed the O15 list.
    Rebooted (they're still there).

    Are these elements harmful where they are? The computer appears to be running well.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they are harmful and we need to find out what is locking them in place. Sounds like another VX2 type problem. Download all the following tools:

    Generic Detection Tool
    http://www.downloads.subratam.org/DllCompare.exe
    http://www.downloads.subratam.org/VX2Finder.exe
    http://www.downloads.subratam.org/KillBox.zip

    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.
     
  32. stansnet

    stansnet Private E-2

    Can these scans be done while online? Do I do all 4 scans (in any order)? If I need to shut down after the Generic Detection scan for some reason, can it harm my computer?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say do all 4. I only said to download all of them and to run findit.bat from the Generic Detection Tool.

    Shutting down can cause any VX2 problems that you may have to mutate (change filenames, change infected registry locations etc). It has nothing to do with the scanning itself. They will not break your PC. If you shut down you could just be wasting your time and my time because the log you post may no longer be valid and neither will the fixes I suggest.

    Can you run them while online? Sometimes but I would say at a minimum exit all programs before running any of them. If you really want to be more thorough, physically disconnect (unplug cables), before running them.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you logged in with Administrator privileges?
     
  35. stansnet

    stansnet Private E-2

    Here is the text file from find.bat.
    How do I know if I am logged on as administrator?
     

    Attached Files:

  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1) Go into Control Panel

    2) Go to User Accounts

    3) If the account you're logged in under has "Computer Administrator" under the name then you have Administrator privileges; if it says "Limited Account" under the name then you have Limited privileges.

    NOTE: If you're on a limited account, please log on to an account with Administrator privileges.
     
  37. stansnet

    stansnet Private E-2

    There are no user accounts set up (am I logged on as all users?).
    To create a user account requires a restart.

    Since I ran the find.bat scan, when I double-click a desktop icon, I get Properties 'General':
    type: all of type
    location: various folders
    instead of opening.
    When I single-click and click Open it will pull up other programs like Firefox or Word, etc.
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize, as I thought you were running WinXP. The instructions I gave were for WinXP.

    As far as findit.bat, I will wait for chaslang to return because I'm not familiar with findit.bat and this new tool. He will return shortly to finish helping you with your problem.
     
  39. stansnet

    stansnet Private E-2

    When I double-click any desktop icon, I get the Compaq "System Properties" window.

    When I right-click any icon on the desktop and choose Open, it opens MS Works, the Recycle Bin, and My Computer all at once.

    I have to log on to the internet from Programs\Firefox.
     
  40. stansnet

    stansnet Private E-2

    bjgarrick said chaslang needs to look at the find.bat file I attached at 11:00; any suggestions would be appreciated.
     
  41. stansnet

    stansnet Private E-2

    All desktop icons are working fine after reboot; will post a new find.bat file when convenient for you.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I forgot you had Win98! findit.bat is really only going to work on WinNT, 2K, and XP systems (the same is true for DLLCompare and VX2Finder). There is another tool for Win98 called AgentRansack

    http://www.mythicsoft.com/agentransack/download.aspx

    but I have never used it and am not sure at this point how to configure it to find what we are looking for. Basically we are trying to find files marked as hidden, system, or hidden and system that are located in your c:\windows folder and in c:\windows\system folder. Take a look at the AgentRansack program and see if you can do that. I'll have to see if I can get it onto a Win98 system to check it out. DO NOT FIX/DELETE ANYTHING with it. Just because files are hidden, system, or hidden and system does not mean they are bad.
     
  43. PhilliePhan

    PhilliePhan Guest

    Hey guys,

    Configure Agent Ransack in this manner:

    1) Select the BROWSE button and where it says look in, navigate to C:\WINDOWS\System (for NT systems - C:\Windows\system32 )

    2) Uncheck the box to look in sub folders

    3) In the containing text box, type Umonitor

    4) Click Start Search

    After the search is finished, select File > Save Results

    Uncheck the File Contents Box

    Then, Check the box for file ---> [x]file

    Please save the file as a text file, exit Agent Ransack, then attach the saved file.

    PP :)
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks PP! I did not have time to check it out yet.
     
  45. stansnet

    stansnet Private E-2

    Ran Ransack for c:\WINDOWS\System
    containing text = Umonitor
    IT RAN THROUGH 800+ FILES
    It found no files, so I didn't attach a text file.
     
