Help with what I believe to be a RapidBlaster. [Archive]

View Full Version : Help with what I believe to be a RapidBlaster.

Celiciuser

November 5th, 2003, 07:14 PM

I believe i have the rapidblaster bug. Whenever I open up my browser it directs me to my homepage through a wabu.com page and opens up a toolbar everytime. Whenever I turn my computer off my homepage is reset to some page of wabu.com. I think it has its roots in my Internet Explorer file, but I did not want to manually delete anything until I got advice from people who were more learned in the area than I.

I ran the hijackthis application and these are my results:

Logfile of HijackThis v1.97.3
Scan saved at 4:58:33 PM, on 11/5/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\TVTMD.exe
C:\Program Files\ToPicks\Bin\Idhost.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\DOCUME~1\DAMLOS~1\APPLIC~1\eauaouzg.exe
C:\Program Files\Common files\Updater\wupdater.exe
C:\WINDOWS\ystck32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\SIERRA\Planner\PLNRnote.exe
C:\Program Files\Encompass\EncMontr.exe
C:\DOCUME~1\DAMLOS~1\LOCALS~1\Temp\Fkz1.exe
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wabu.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wabu.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wabu.com/passthrough/index.html?http://msnmember.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wabu.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cool-xxx.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wabu.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Gr03.dll
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v2\scbar.dll (file missing)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - C:\Program Files\Topicks\Bin\HtCheck2.dll
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE7 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70A - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2a - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab2 - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E0189 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E01898 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9 - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {a8bbd48a-fdb9-428d-a9c2-8d6e97129bfc} - C:\DOCUME~1\DAMLOS~1\APPLIC~1\kstckcrdwz.dll
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e029 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e0291 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM32\cpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: oouzzstbprw - {9d56a1cd-ef90-4cac-b8c6-8124c0d14267} - C:\DOCUME~1\DAMLOS~1\APPLIC~1\kstckcrdwz.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Grokster\My Grokster\Virtuagirl_brianabanks_full.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Yahoo! Monitor.lnk = C:\Program Files\Encompass\EncMontr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: HP Updates.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\Planner\PLNRnote.exe
O4 - Global Startup: Update Grokster.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37601.8519675926
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thank you for any help you can provide.

Unzy

November 5th, 2003, 07:37 PM

Hi Celiciuser,

I don't immediately see any sign of a worm or viral code.

However there is quite some spy- and foistware on your PC.

May I suggest the following, so we can get you cleaned out? :

Download SpyBot S&D (http://tomcoyote.org/SPYBOT/index1.php)

Install -> do a search for updates and download as well -> do a 'check for problems' and have it fix all items in RED

or if you should prefer Adaware (http://www.lavasoftusa.com/support/download/)

Make sure you have the latest reference file.

Whichever you choose, make sure you let it scan your system and have it fix the suggested problems.

reboot after doing so and repost another log please, so we can have a look if there are still any remnants left.

Thanks for your time and effort :)

Cheers,

Celicusier

November 6th, 2003, 02:55 PM

As far as I can tell there are no remnants left of the bug.

Logfile of HijackThis v1.97.3
Scan saved at 12:53:41 PM, on 11/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common files\Updater\wupdater.exe
C:\WINDOWS\ystck32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\SIERRA\Planner\PLNRnote.exe
C:\Program Files\Encompass\EncMontr.exe
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE7 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70A - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2a - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab2 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E0189 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E01898 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9 - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e029 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e0291 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e - (no file)
O2 - BHO: (no name) - {e5c9e596-4e26-4921-b130-5516fc0328a6} - C:\DOCUME~1\DAMLOS~1\APPLIC~1\kstckcrdwc.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM32\cpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: oouzzstbprw - {e9da1ffd-88b5-410d-9ebe-9a69dc4a4ff4} - C:\DOCUME~1\DAMLOS~1\APPLIC~1\kstckcrdwc.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Grokster\My Grokster\Virtuagirl_brianabanks_full.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\ystck32.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\DOCUME~1\DAMLOS~1\LOCALS~1\Temp\IdSeUpdate\dp-b23011805.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Yahoo! Monitor.lnk = C:\Program Files\Encompass\EncMontr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: HP Updates.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\Planner\PLNRnote.exe
O4 - Global Startup: Update Grokster.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37601.8519675926
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks of many.

spy1

November 6th, 2003, 03:09 PM

You may want to keep a copy of RapidBlaster Killer on hand, too - just in case you get re-infected: http://www.wilderssecurity.net/specialinfo/rapidblaster.html . Pete

Pieter_Arntz

November 6th, 2003, 03:17 PM

Hi Celicusier,

There are some leftovers of other infections.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296D - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE7 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70 - (no file)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70A - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2a - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab2 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E0189 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E01898 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981 - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9 - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e029 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e0291 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e - (no file)
O2 - BHO: (no name) - {e5c9e596-4e26-4921-b130-5516fc0328a6} - C:\DOCUME~1\DAMLOS~1\APPLIC~1\kstckcrdwc.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM32\cpr.dll

O3 - Toolbar: oouzzstbprw - {e9da1ffd-88b5-410d-9ebe-9a69dc4a4ff4} - C:\DOCUME~1\DAMLOS~1\APPLIC~1\kstckcrdwc.dll

O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\ystck32.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\DOCUME~1\DAMLOS~1\LOCALS~1\Temp\IdSeUpdate\dp-b23011805.exe

O4 - Global Startup: HP Updates.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe

O4 - Global Startup: Update Grokster.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab

Then reboot and check if the following files/folders are present, if so, delete them:
C:\Program Files\Srng <= entire folder
C:\Program Files\Window Active <= entire folder
C:\Program Files\Common files\Updater\wupdater.exe
C:\PROGRAM FILES\INCREDIFIND <= entire folder

Regards,

Pieter