After using generic solution for Shopping Assistent

gapkojh · Jan 17, 2005

I ran through the whole generic solution, but--idiot me-- I did not disable system restore before starting. So, what happened is that the system seemed clean, I had started and restarted IE, then the program crashed, so I had to close IE. Upon starting the program again, i was back to an about:blank page. Is this outcome consistent with my having left sytem restore on throughout the process?

Any help would be appreciated,

Joe Gapko

I'm attaching a clean HJT logfile after coming back out of safe mode, then the HJT logfile after problems returned

chaslang · Jan 18, 2005

Your safe mode log show me a few things:
1) you did not get all of the problem files:
O2 - BHO: (no name) - {56474FA3-EE2A-DC66-C8A6-35AC8A3C5C6C} - D:\WINDOWS\system32\addut32.dll
O4 - HKLM\..\Run: [javaft32.exe] D:\WINDOWS\system32\javaft32.exe

There could be more hidden on you disk too.

2) These should not be running when scanning with HJT:
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE

3) You did not run all the steps of the procedure as written. If you had, this would not be your start page and SearchHook:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing

4) You never ran the steps of the READ ME FIRST either.

chaslang · Jan 18, 2005

You now have a mutated version that also has an ADS infected file: D:\WINDOWS\lyeut.txtqnxp

Here are the problems from your last log, but they may be changed after reboot.

D:\WINDOWS\system32\javaft32.exe
D:\WINDOWS\lyeut.txtqnxp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\clhlq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\clhlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\clhlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\clhlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\clhlq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\clhlq.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {32A6CEC2-152D-9C47-1D16-97AAFF45661E} - D:\WINDOWS\msdb32.dll
O4 - HKLM\..\Run: [javaft32.exe] D:\WINDOWS\system32\javaft32.exe
O4 - HKLM\..\RunOnce: [oqnxp] D:\WINDOWS\lyeut.txtqnxp
O23 - Service: Workstation NetLogon Service - Unknown - D:\WINDOWS\crui32.exe (file missing)

You also have a Chainsaw Worm: D:\WINDOWS\system32\winmine.exe
http://securityresponse.symantec.com/avcenter/venc/data/w32.chainsaw.worm.html

That may have been picked up if the READ ME FIRST was run.

The below two lines should also be fixed:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/089eec73bd43e3abd622/netzip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

Log in or Sign up

After using generic solution for Shopping Assistent

gapkojh Private E-2

Attached Files:

hijackthis3.log

hijackthis6.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member