Home Page hijacked by About:Blank
Post by steved99 » August 2nd, 2005, 4:44 pm

I'm trying to sort out a neighbours computer whose homepage has been hijacked by About:Blank. I had a similar problem recently. I've run FxAgentB.exe and CWShredder (nothing found on either). Then I ran Ad-Aware-SE which found 195 critical objects (all now quarantined). Finally, I've re-run Hijackthis but not sure what to delete (log attached below).

Computer has to be run in Safe Mode as on normal startup it takes ages to load and finally locks up. It's only a 733 MHz CPU with 64 MB RAM and I think there are too many programs being started for it to cope with. There’s 40% free disk space and I ran scandisk and defrag a couple of days ago. 4 Questions:-
1) Task manager shows multiple iexplorer sessions opened – could this be related to the About:Blank problem?

2) If not, how do I reduce the number of programs loaded on startup?

3) Are the steps I've taken above to remove About:Blank valid if only running in Safe Mode? If not, how do I get round the problem?

4) What do I delete from Hijackthis log please?

Any help greatly appreciated. Hijackthis log details now below:-

Logfile of HijackThis v1.99.1
Scan saved at 7:57:00 PM, on 8/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\STEVE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O2 - BHO: Class - {3C4FB260-BBD6-49C3-2E0D-3398A55D8E8A} - C:\WINDOWS\SYSTEM\NETUA32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ADDDH32.EXE] C:\WINDOWS\SYSTEM\ADDDH32.EXE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\RunServices: [APIUC.EXE] C:\WINDOWS\SYSTEM\APIUC.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MSXE32.EXE] C:\WINDOWS\SYSTEM\MSXE32.EXE /s
O4 - HKLM\..\RunServices: [WINQA.EXE] C:\WINDOWS\SYSTEM\WINQA.EXE /s
O4 - HKLM\..\RunServices: [MFCQJ32.EXE] C:\WINDOWS\MFCQJ32.EXE /s
O4 - HKLM\..\RunServices: [ADDIH32.EXE] C:\WINDOWS\ADDIH32.EXE /s
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Startup: Lanceur Pointsoft.lnk = C:\pointsoft\lanceur.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\My Documents\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\My Documents\programs\dad9.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Post by LDTate » August 3rd, 2005, 7:46 pm

removed
Last edited by LDTate on August 3rd, 2005, 7:48 pm, edited 1 time in total.
LDTate
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Post by Elrond » August 3rd, 2005, 7:47 pm

Hi steved99
Welcome to Malware Removal Forums.
I'm looking over your log file and will get back to you either tonight or tomorrow morning.

Elrond
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Post by Elrond » August 4th, 2005, 12:16 am

Hi steved99

You have a nasty infection that will need some special treatment. However, it is extremely difficult to fix it if you cannot run in normal mode.

Perhaps this will reduce the running programs to the level so that you can get a log in normal mode and download some programs that we need.


In safe mode run HijackThis and checkmark the following lines:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe


CLOSE ALL PROGRAMS and BROWSERS that are running, except HijackThis and then click the "fix" button.

Now delete the following files:
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe

Try to reboot in normal mode.
If you succeed please run HijackThis and post the log and we will continue with the rest of the cleanup which is not simple.
If you cannot run in normal mode we will have to think it through again.

If you get the computer to run in normal mode please do the following:

Step#1:Make Sure Hidden Files Are Visible
  • Please make sure you can view all Hidden Files by choosing the instructions for your Windows OS.


Step#2:Download and Update CWShredder
  • Download CWShredder. Do Not Use It Yet.
  • Save CWShredder.exe to a convenient location.
  • Make sure it is up to date.


Step#3:Download DllCompare


Step#4:Download Killbox
  • Download the Killbox. Do Not Use It Yet.
  • Unzip the contents of KillBox.zip to a convenient location.

Step#5:Download About Buster
  • Please download About:Buster from here: Do Not Use It Yet
  • About Buster.
  • Extract it to c:\aboutbuster.
  • Update it to the latest definitions.



E :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
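An added triage script, not code from this thread or from the HijackThis project: it parses a constructed log fragment in the format shown above, flags the kinds of entries Elrond picked out (res:// search hijacks into a local DLL, the 127.0.0.1 proxy, the generic BHO, path-less autostarts hiding behind system-sounding names, autostarts named after their own file) and then checks which flagged executables are still in the running-process list. The allow-list of path-less system entries and the flagging rules are assumptions for review by a human, not HijackThis's own logic.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 logs posted in this thread
# (a handful of representative lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\LSSAS.EXE
C:\STEVE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3C4FB260-BBD6-49C3-2E0D-3398A55D8E8A} - C:\WINDOWS\SYSTEM\NETUA32.DLL
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [WINQA.EXE] C:\WINDOWS\SYSTEM\WINQA.EXE /s
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Assumed allow-list: path-less autostart values that are normal on Win9x/ME and appear in
# the thread's own log, so the "path-less autostart" rule does not flag them.
KNOWN_BARE_NAMES = {"systray.exe", "mstask.exe", "rundll32.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<value>.+)$")


def parse_log(text):
    """Split a HijackThis log into its running-process list and its lettered entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def autostart_target(value):
    """Return the executable part of an O4 value, handling quoted paths and trailing switches."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split()[0]


def triage(entries):
    """Return (reason, line) pairs for entries matching the hijack patterns seen in the thread.
    about:blank as Default_Page_URL is deliberately not flagged on its own: it only means
    that no start page is set."""
    findings = []
    for kind, body, line in entries:
        if kind in ("R0", "R1") and "= res://" in body and ".dll/" in body.lower():
            findings.append(("search/start page redirected into a local DLL resource", line))
        elif kind == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append(("browser traffic forced through a local proxy listener", line))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(("default URLSearchHook removed", line))
        elif kind == "O2" and body.startswith("BHO: Class -"):
            findings.append(("browser helper object with only a generic class name", line))
        elif kind == "O4":
            m = O4_RE.match(body)
            if not m:  # Startup-folder entries and anything else not modelled here
                continue
            target = autostart_target(m.group("value"))
            base = target.rsplit("\\", 1)[-1].lower()
            if "\\" not in target and base not in KNOWN_BARE_NAMES:
                findings.append(("path-less autostart hiding behind a system-sounding name", line))
            elif m.group("name").lower() == base:
                findings.append(("autostart entry named after its own executable", line))
    return findings


def flagged_still_running(processes, findings):
    """Executables from flagged O4 lines that are still in the running-process list; this is
    how a later log reveals a dropped file that outlived the removal of its Run entry."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    hits = set()
    for _, line in findings:
        m = O4_RE.match(line[len("O4 - "):]) if line.startswith("O4 - ") else None
        if m:
            base = autostart_target(m.group("value")).rsplit("\\", 1)[-1].lower()
            if base in running:
                hits.add(base)
    return sorted(hits)
```

Run `triage(parse_log(open("hijackthis.log").read())[1])` on a saved log to get the review list; the sample flags six of ten entries and reports lssas.exe as still running.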

Post by steved99 » August 4th, 2005, 2:33 am

Thanks, much appreciated. Will get back to you later today.
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Updated HJT file

Post by steved99 » August 4th, 2005, 3:24 am

Good news. I can now start up in normal mode. I'll download the other stuff ready for your next instructions. In the meantime, here's the latest HJT log. Many thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:15:34 AM, on 8/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\APIUC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WINQA.EXE
C:\WINDOWS\MFCQJ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\ADDDH32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MFCQJ32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\WINDOWS\SYSTEM\APIUC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\POINTSOFT\LANCEUR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\PROGRAMS\ALARM.EXE
C:\MY DOCUMENTS\PROGRAMS\DAD9.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.1.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\MFCQJ32.EXE
C:\STEVE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O2 - BHO: Class - {3C4FB260-BBD6-49C3-2E0D-3398A55D8E8A} - C:\WINDOWS\SYSTEM\NETUA32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ADDDH32.EXE] C:\WINDOWS\SYSTEM\ADDDH32.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\RunServices: [APIUC.EXE] C:\WINDOWS\SYSTEM\APIUC.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MSXE32.EXE] C:\WINDOWS\SYSTEM\MSXE32.EXE /s
O4 - HKLM\..\RunServices: [WINQA.EXE] C:\WINDOWS\SYSTEM\WINQA.EXE /s
O4 - HKLM\..\RunServices: [MFCQJ32.EXE] C:\WINDOWS\MFCQJ32.EXE /s
O4 - HKLM\..\RunServices: [ADDIH32.EXE] C:\WINDOWS\ADDIH32.EXE /s
O4 - Startup: Lanceur Pointsoft.lnk = C:\pointsoft\lanceur.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\My Documents\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\My Documents\programs\dad9.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Re. downloads

Post by steved99 » August 4th, 2005, 4:50 pm

Hi Elrond,
I forgot to mention that C:\WINDOWS\Issas.exe was not found in My Computer, so couldn't delete it. Deleted all the others though.

Also, the infected computer is not online at present so I'm trying to download the various software on another computer and then copy to CD before copying to the infected computer.

1) Which file(s) do I need to copy after checking for updates to ensure I have the latest versions?

2) Do I copy the zip files/folders and then unzip after copying to the infected computer, or do I have to do the unzip before copying (and if so how do I do this?).

Thanks
steved99
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Post by Elrond » August 4th, 2005, 6:26 pm

Hi Steve

Wonderful news.

Will do my best to help you to get around the problem that you have no internet connection from the infected computer at the moment. Perhaps it is a blessing in disguise, as the infection updates itself from the net.


Step 1: Show hidden files:

Click My Computer > Tools menu (at top of page) > Folder Options > View tab
Under "Hidden files and folders" select Show hidden files and folders
Uncheck Hide protected operating system files (recommended).
Uncheck Hide file extensions for known file types.
Click [OK].


Step 2: CWShredder: Download it from http://www.intermute.com/spysubtract/cw ... nload.html and copy CWShredder.exe onto the infected computer. You should get the latest version. No need to update.


Step 3: Download DLLCompare from http://downloads.subratam.org/DllCompare.exe. Copy DLLCompare.exe to the infected computer. It should be the latest version and does not need to be updated.


Step 4: Download Killbox from http://www.downloads.subratam.org/KillBox.zip . Unzip it and copy Killbox.exe to the infected computer.

How to unzip a downloaded zip file.
Place the zip file in the folder where you want the unzipped program to be.
If you are running Windows XP you simply right click the zip file and select extract here.
For the other versions of Windows you will need a program like 7-Zip. Open 7-Zip. Navigate to the downloaded zip file and highlight it. Right click and select "Extract Here".


Step 5: Please download About:Buster from here: http://www.malwarebytes.biz/AboutBuster5.zip Do Not Use It Yet.
Unzip it to c:\aboutbuster. Update About Buster. Copy the folder About Buster to the infected computer. It is now updated.

Except for the changes necessary because you cannot get to the internet, please follow the instructions in the fix exactly as given.



The Fix -

(the reason Wordpad was chosen is that Notepad is often deleted by this variant)

Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available. You must disconnect from the internet totally, as staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening them will reinstall the infection. Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Close Outlook Express and Internet Explorer for the duration of this fix

Please continue with the next steps and if you run into any problems with the current one, just keep going through the list step by step. Just be sure to let us know what the problem was when you finally reply.



Step#1:Make Sure Hidden Files Are Visible
  • Please make sure you can view all Hidden Files by choosing the instructions for your Windows OS.


Step#2:Download and Update CWShredder
  • Download CWShredder. Do Not Use It Yet.
  • Save CWShredder.exe to a convenient location.
  • Make sure it is up to date.


Step#3:Download DllCompare


Step#4:Download Killbox
  • Download the Killbox. Do Not Use It Yet.
  • Unzip the contents of KillBox.zip to a convenient location.

Step#5:Download About Buster
  • Please download About:Buster from here: Do Not Use It Yet
  • About Buster.
  • Extract it to c:\aboutbuster.
  • Update it to the latest definitions.



Please disconnect from the Internet and unplug your modem for the duration of this fix



Step#6:Reboot To Safe Mode

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE



Step#7: Use CWShredder
  • Open CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
  • REBOOT back into Safe Mode by tapping F8 while booting up.



Step#8:Use DllCompare
  • Open DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
    Files in the upper window have now been verified to "exist", Files in the lower window were not able to be accessed. Very few files should be listed in the lower window when the Compare scan is complete.
  • Once it has finished comparing click " Make a Log of what was found".
  • Click on each of the listed entries in the lower section to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then it will be removed from the list (to reduce the number of identified files).
  • Click "Yes" at the ‘View Log file’ prompt to view the log.
  • Copy and paste the entire log into your next reply after completing all steps.(saved as log.txt in the DllCompare folder)
  • Click "Exit".


Step#9:Delete Running Processes
  • In Safe Mode delete the Running Processes that have been Identified as being part of the infection. If unable to delete them, see below to use Killbox.
    C:\WINDOWS\SYSTEM\APIUC.EXE
    C:\WINDOWS\SYSTEM\WINQA.EXE
    C:\WINDOWS\MFCQJ32.EXE
    C:\WINDOWS\SYSTEM\ADDDH32.EXE
    C:\WINDOWS\MFCQJ32.EXE
    C:\WINDOWS\SYSTEM\APIUC.EXE
    C:\WINDOWS\MFCQJ32.EXE



Step#10:Delete Infected Files

    Please boot into Safe Mode and delete the following files:
    C:\WINDOWS\ADDIH32.EXE
    C:\WINDOWS\MFCQJ32.EXE
    C:\WINDOWS\SYSTEM\ADDDH32.EXE
    C:\WINDOWS\SYSTEM\APIUC.EXE
    C:\WINDOWS\SYSTEM\MSXE32.EXE /s
    C:\WINDOWS\SYSTEM\NETUA32.DLL
    C:\WINDOWS\system\vuzfy.dll
    C:\WINDOWS\SYSTEM\WINQA.EXE



Step#11:Use Killbox(may not be necessary)
    If unable to delete files above in safe mode please use KillBox that you downloaded earlier:
  • Open KillBox
  • Highlight the list of names to delete, then CTRL-C to copy and then paste all files into the box "Full Path of File to Delete".
    C:\WINDOWS\ADDIH32.EXE
    C:\WINDOWS\MFCQJ32.EXE
    C:\WINDOWS\SYSTEM\ADDDH32.EXE
    C:\WINDOWS\SYSTEM\APIUC.EXE
    C:\WINDOWS\SYSTEM\MSXE32.EXE /s
    C:\WINDOWS\SYSTEM\NETUA32.DLL
    C:\WINDOWS\system\vuzfy.dll
    C:\WINDOWS\SYSTEM\WINQA.EXE
  • Choose Delete on Reboot.
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Delete on Reboot prompt.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.



Step#12:Use HijackThis

    Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vuzfy.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {3C4FB260-BBD6-49C3-2E0D-3398A55D8E8A} - C:\WINDOWS\SYSTEM\NETUA32.DLL
    O4 - HKLM\..\Run: [ADDDH32.EXE] C:\WINDOWS\SYSTEM\ADDDH32.EXE
    O4 - HKLM\..\RunServices: [APIUC.EXE] C:\WINDOWS\SYSTEM\APIUC.EXE /s
    O4 - HKLM\..\RunServices: [MSXE32.EXE] C:\WINDOWS\SYSTEM\MSXE32.EXE /s
    O4 - HKLM\..\RunServices: [WINQA.EXE] C:\WINDOWS\SYSTEM\WINQA.EXE /s
    O4 - HKLM\..\RunServices: [MFCQJ32.EXE] C:\WINDOWS\MFCQJ32.EXE /s
    O4 - HKLM\..\RunServices: [ADDIH32.EXE] C:\WINDOWS\ADDIH32.EXE /s




Step#13:Use About Buster


This is the step where we will use About:Buster that you had downloaded previously.
  • Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe
  • When the tool is open press the OK button,
  • then the Start button, then the OK button, and then finally the Yes button.
  • It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply




Step#14:Use Registry File
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

  • Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.



Reboot your computer back to normal mode



Reconnect To The Internet




Step#15:Use HijackThis and Post To Thread In Forum

1. Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.

2. Post your logs from About Buster, DllCompare and your HijackThis log here in this thread with any questions or problems that you have run into. There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

Good Luck!



E :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Log files

Post by steved99 » August 6th, 2005, 4:05 am

Hi Elrond,
Thanks for the clear instructions. No major issues but a few uncertainties listed below, but first a side issue. I’m posting this on a different computer and twice when I’ve been typing my reply it has just turned itself off and restarted losing my input. Is it possible this computer is also infected and detecting that I’m using a website which will remove the infection? Have you heard of this before? If so, I’ll open a new post.

Re. the uncertainties I had:-
Step 2:
Page not found. I’m uncertain if I’ve got the latest version of CWShredder but no messages displayed.

Step 8:
No files were listed in the lower window.

Step 9:
Wasn’t sure how to delete processes using Windows ME so tried to use Killbox (see below).

Step 10:
3 of the listed entries were not found :-
C:\WINDOWS\ADDIH32.EXE
C:\WINDOWS\SYSTEM\MSX32.EXE /s
C:\WINDOWS\SYSTEM\VUZFY.DLL

Step 11:
No entries found so unable to delete anything.

Step 12:
7 entries already gone. One of those I did delete had “(file missing)”
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Post by Elrond » August 6th, 2005, 9:28 pm

Good, Steve.

Everything seems to have worked as it should.


We are ready for the next part. It is not simple either. :( This is among the worst infections to get rid of on a Windows ME computer.
:twisted:

If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32

Step#1:Check For Deleted Files

Now we need to see if we need to restore some deleted files:
    Please check for the following files using the Windows Search Engine:

    • control.exe

    • rundll32.exe
    • wmplayer.exe
    • msconfig.exe
    • notepad.exe
    • shell.dll
    • SDHelper.dll
    If any are missing or not working properly then you can download new copies from
    Merijn's Files and following the instructions at that site to have them where they belong for your OS.


    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
    • This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one in Windows (WINNT) and one in Windows\System32. It does not delete the one in Windows\System so it does not affect Win9x/ME. If you find it missing, please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .
    • The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and it is the correct size. If not, please check for the existence of this file by going to Merijn's Files (sdhelper) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to the information at this website. The control.exe is more often deleted in Win9x/ME.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.



    Step#2:Use Cleanmgr
    • go to Start > All Programs > Accessories > Cleanmgr
    • Select each Hard Drive in order and Click OK
    • Let it calculate the amount of space that it can clean
    • Make sure Temporary Internet Files, Temporary Files and Recycle Bin are selected
    • Click OK and allow it to Clean



Step#3:Scan With Online AV Scanner

Run an online antivirus scan at:

Trend Micro Online AV

Reboot


Step#4:Scan With HijackThis and Post In Forum

1. Scan again with HijackThis

2. POST your log file to see if there is anything left to fix


E :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Latest update

Post by steved99 » August 8th, 2005, 5:42 pm

Hi Elrond,
I've completed steps 1 and 2. Although the computer appears to have connected to the internet OK, unfortunately, the antivirus web site gave "page could not be displayed" error message initially. Subsequent attempts to access this and other sites resulted in a windows style error box saying the Internet Explorer could not connect to the internet. The title bar of IE also changed from the home page title to "about:blank" rather ominously.

I've replaced the missing control.exe and Notepad now works OK. The computer can also run other programs in normal mode OK, which it couldn't before, so a lot of progress has been achieved.

Please can you advise how to get round the internet issue?

Many thanks.

Steve
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Unread postby Elrond » August 8th, 2005, 6:16 pm

Can you post a new HijackThis log?
That the title bar says that it goes to About Blank does not necessarily mean trouble. I have it on my computer. All it means is that you have no startup page set.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Hijackthis log

Unread postby steved99 » August 10th, 2005, 1:38 am

Log below :-

Logfile of HijackThis v1.99.1
Scan saved at 9:10:57 PM, on 8/8/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\LSSAS.EXE
C:\POINTSOFT\LANCEUR.EXE
C:\MY DOCUMENTS\PROGRAMS\ALARM.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.1.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\STEVE\HIJACKTHIS.EXE

F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Startup: Lanceur Pointsoft.lnk = C:\pointsoft\lanceur.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\My Documents\programs\alarm.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/

Look forward to hearing from you.
Steve
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm

Unread postby Elrond » August 10th, 2005, 8:18 am

Hi Steve.

Part of the infection that we got rid of in the first round is back. Not the About Blank infection but the fast search one.


  1. Open HiJackThis, click "Open the Misc Tools Section", and click "Open process manager". Highlight C:\WINDOWS\lssas.exe if it is there and click "kill Process". Do not kill any other process


  2. Open HijackThis and click "Do a System Scan Only" or "Scan". Put a check mark by the items that are listed below.
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe


    This is optional, but you could also have HijackThis fix these entries, as they are not needed and they can slow down your PC when starting up:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    This program places an icon in the system tray for quick access to Apple QuickTime. It is not necessary since QuickTime may be run manually even without the tray icon. If you choose to remove it, you will also have to disable it from within QuickTime, in the following manner:

      1) Run QuickTime from the Start -> Programs menu
      2) Click on the Edit menu, then Preferences
      3) Select QuickTime Preferences from the right-hand side menu
      4) Uncheck the box next to "QuickTime System Tray Icon", and click OK.


    Close all open windows except HijackThis and then click the "Fix checked" button.


  3. Download Pocket Killbox http://www.bleepingcomputer.com/files/killbox.php and unzip it; save it to your Desktop.

    Run it, and click the radio button that says Delete a file on reboot. For each of the following files, copy the path

    C:\WINDOWS\iau.exe
    C:\WINDOWS\stisvsq.exe
    C:\WINDOWS\svshost.exe
    C:\WINDOWS\msqdevl.exe
    C:\WINDOWS\lssas.exe
    C:\WINDOWS\mservice.exe


    and paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.

    The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

    Let the system reboot.


  4. Run a new HijackThis scan and post the log.




E :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
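Applying Elrond's reasoning above mechanically, here is an added Python checker (not from this thread and not part of HijackThis) that parses the registry O4 lines of a HijackThis log and flags a Run value when its filename is a near-miss of a Windows system binary, as lssas.exe and svshost.exe are, or when a bare filename has been planted under both HKLM and HKCU. The sample lines are taken from the log posted above; the list of system binary names is an assumption.

```python
import re

# O4 lines copied from the HijackThis log posted above, as constructed sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Genuine Windows binaries that malware imitates with a letter or two changed (assumed list).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "services.exe", "csrss.exe"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss filenames like lssas.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_o4(text):
    """Map value name -> reasons, for registry Run entries worth a closer look."""
    entries = [m.groups() for m in map(O4_RE.match, text.splitlines()) if m]
    hives = {}                              # value name -> hives it appears in
    for hive, _key, name, _cmd in entries:
        hives.setdefault(name, set()).add(hive)
    findings = {}
    for _hive, _key, name, cmd in entries:
        # First token of the command, with surrounding quotes removed.
        path = re.match(r'"([^"]+)"|(\S+)', cmd).group(0).strip('"')
        exe, has_path = path.rsplit("\\", 1)[-1].lower(), "\\" in path
        reasons = []
        if exe not in SYSTEM_NAMES and min(edit_distance(exe, s) for s in SYSTEM_NAMES) <= 2:
            reasons.append("lookalike of a Windows system binary")
        # A bare filename is found via the search path, and a value planted under
        # both hives comes straight back if only one copy is removed.
        if not has_path and hives[name] == {"HKLM", "HKCU"}:
            reasons.append("bare filename installed under both HKLM and HKCU")
        if reasons:
            findings.setdefault(name, reasons)
    return findings
```

Running `suspicious_o4(SAMPLE_LOG)` reports exactly the three value names Elrond had fixed and leaves ScanRegistry and SystemTray alone.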

Updated HJT file

Unread postby steved99 » August 12th, 2005, 5:25 pm

Hi Elrond,
I followed the instructions. At step 3 only one of the files was found (lssas.exe) and I've deleted that.

I haven't been able to run the online AV scanner from your previous note as it still can't display internet pages. E-mails are being received OK, but whatever site I try to get onto produces a Windows error message "Internet Explorer could not open the search page".

New HJT log below.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:39 PM, on 8/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\POINTSOFT\LANCEUR.EXE
C:\MY DOCUMENTS\PROGRAMS\ALARM.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.1.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\STEVE\HIJACKTHIS.EXE

F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - Startup: Lanceur Pointsoft.lnk = C:\pointsoft\lanceur.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\My Documents\programs\alarm.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/

Look forward to hearing from you.

Steve
steved99
Regular Member
 
Posts: 21
Joined: August 2nd, 2005, 4:28 pm