dvk01
November 27th, 2004, 04:37 PM
This pest normally only shows this entry in a HJT log, but it causes pop-ups and browser diverts, and only affects W2K or XP as far as we know:
O15 - Trusted Zone: http://*.63.219.181.7
This is the standard script for dealing with it:
This is a new one that we are still working out a complete automatic fix for, so at the moment each fix is specially crafted for each individual hijack. Because of that we need some information about your computer, and that needs a special file run to get the info.
Because it is a delicate process and needs an expert interpretation to prevent problems, please don't try this yourself unless you are absolutely sure you know what you are doing.
Please download & unzip Ms4Hd_look to a folder, double click on the runme.bat, and it should produce a look.log file.
Post the look.log file back here, and the other log files it makes including the err.log, so we know what we are dealing with:
http://www.thespykiller.co.uk/files/ms4hd.zip
CURE:
Download Pocket KillBox from http://download.broadbandmedic.com/KillBox.exe & put it on the desktop where you can find it easily.
Download this reg file please and save it to the desktop. Do not run it yet:
http://www.thespykiller.co.uk/files/Removems4hd.reg
Run KillBox and paste each of these lines into the box, select "delete on reboot", then press the red X button. When it says reboot now, say no, and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.
There will be a set of files listed in the look.log. It will normally be either the version 1 or version 2 set listed below, but there is a 3rd version that we have heard about and will add to this list when we come across it. Not all the files actually exist despite the reg listing, but KillBox everything listed regardless, and KillBox will tell you if it doesn't exist. In each set one of the DLLs is a rootkit that masks the actual infection: in V2 it's syspack.dll, in V1 it's hdr.dll, and one of the other .exes holds it in place.
(version 2)
C:\WINDOWS\system32\taskrun.exe
C:\WINDOWS\system32\trayinfo.exe
C:\WINDOWS\system32\subsys.exe
C:\WINDOWS\system32\spoolsvc.exe
C:\WINDOWS\system32\smlogvcc.exe
C:\WINDOWS\system32\sessngr.exe
C:\WINDOWS\system32\smlogvcc.exe
C:\WINDOWS\system32\rsvxp.exe
C:\WINDOWS\system32\rsn.exe
C:\WINDOWS\system32\rexecs.exe
C:\WINDOWS\system32\resrvc32.exe
C:\WINDOWS\system32\rcip.exe
C:\WINDOWS\system32\proxyconf.exe
C:\WINDOWS\system32\powerconf.exe
C:\WINDOWS\system32\pingnet.exe
C:\WINDOWS\system32\dnsping.exe
C:\WINDOWS\system32\odcfg.exe
C:\WINDOWS\system32\netstart.exe
C:\WINDOWS\system32\netdns.exe
C:\WINDOWS\system32\getdns.exe
C:\WINDOWS\system32\msswchxp.exe
C:\WINDOWS\system32\msng.exe
C:\WINDOWS\system32\msinfo.exe
C:\WINDOWS\system32\netssl.exe
C:\WINDOWS\system32\netdetect.exe
C:\WINDOWS\system32\sfcver.exe
C:\WINDOWS\system32\clfmon.exe
C:\WINDOWS\system32\netssh.exe
C:\WINDOWS\system32\syspack.dll
C:\WINDOWS\system32\netcfg.dll
C:\WINDOWS\system32\odbcfg32.dll
C:\WINDOWS\system32\p2pserv.dll
(version 1)
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\ie4unit.exe
C:\WINDOWS\system32\ipxroutex.exe
C:\WINDOWS\system32\rdshost32.exe
C:\WINDOWS\system32\rshe.exe
C:\WINDOWS\system32\net2.exe
C:\WINDOWS\system32\mqsvch.exe
C:\WINDOWS\system32\dllhostxp.exe
C:\WINDOWS\system32\extrac16.exe
C:\WINDOWS\system32\mqbckup.exe
C:\WINDOWS\system32\pxhping.exe
C:\WINDOWS\system32\rdpnr.exe
C:\WINDOWS\system32\slservc.exe
C:\WINDOWS\system32\clfmon.exe
C:\WINDOWS\system32\hdr.dll
C:\WINDOWS\system32\msacmx.dll
C:\WINDOWS\system32\d3dxov.dll
C:\WINDOWS\system32\winsrv32.dll
When it has rebooted:
Now please run the reg file you downloaded earlier. Make sure IE and OE and all other windows are closed before running it.
It will remove some reg values and keys that are causing the problem.
Run it by double clicking it.
You should get a warning that it will merge to the registry or similar; say yes to the prompt.
You should then get a message saying the file was successfully merged with the registry. Did you?
Then check your Favorites folder, as this pest puts a lot of unwanted links in there as well and they need manually deleting.
Once it reboots, post a fresh HJT log, and run the Ms4Hd_look file you first downloaded and post a new log from that please.
After the files have been deleted you should see the O4 run entries in a HJT log; fix them as usual.
Version 2 has a BHO with the name of one of the DLL files. This also won't normally show until you have removed the rootkit DLL.
If it's all clear then the look.log should look like:
An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Return code was 0XC0000034
Examples of logs:
http://forums.techguy.org/t301056.html
http://forums.techguy.org/t300627.html
http://forums.techguy.org/t301402.html
http://forums.techguy.org/t300988.html
If or when you run the Ms4Hd_look tool for finding the files and it gives a list of other files that aren't listed above, please substitute those files accordingly and send copies of the files to me, zipped, at the email address in my signature.
Special credit to IMM & noahdfear for their work in finding the cure for this one.
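The checks in the post above, as an added example that is not part of dvk01's post or of the Ms4Hd_look and KillBox tools: a Python script that flags the O15, O4 and O2 HJT lines matching the listed indicators, guesses whether a set of file names is the version 1 or version 2 set, and tells a clean look.log (all five Ms4Hd keys missing, return code 0xC0000034, which is the NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND) from one that is not. The HJT lines and the BHO CLSID in it are constructed sample data; the clean look.log is the one quoted in the post.

```python
"""Triage helper for the Ms4Hd hijack described above (added example, not part of
dvk01's post, the Ms4Hd_look tool or KillBox). Flags HJT lines matching the post's
indicators, guesses which file set (v1/v2) a list of names belongs to, and checks a
look.log for the post's "all clear" state: every Ms4Hd key failed to open with
0xC0000034 (NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND), i.e. none of the keys exist."""
import re

# Lower-case basenames from the two file sets listed in the post.
V2_FILES = frozenset("""taskrun.exe trayinfo.exe subsys.exe spoolsvc.exe smlogvcc.exe
sessngr.exe rsvxp.exe rsn.exe rexecs.exe resrvc32.exe rcip.exe proxyconf.exe powerconf.exe
pingnet.exe dnsping.exe odcfg.exe netstart.exe netdns.exe getdns.exe msswchxp.exe msng.exe
msinfo.exe netssl.exe netdetect.exe sfcver.exe clfmon.exe netssh.exe syspack.dll netcfg.dll
odbcfg32.dll p2pserv.dll""".split())
V1_FILES = frozenset("""service.exe ie4unit.exe ipxroutex.exe rdshost32.exe rshe.exe net2.exe
mqsvch.exe dllhostxp.exe extrac16.exe mqbckup.exe pxhping.exe rdpnr.exe slservc.exe clfmon.exe
hdr.dll msacmx.dll d3dxov.dll winsrv32.dll""".split())
KNOWN_FILES = V1_FILES | V2_FILES
ROOTKIT_DLL = {"v1": "hdr.dll", "v2": "syspack.dll"}  # the DLL that hides the rest

TRUSTED_ZONE_IOC = "63.219.181.7"
MS4HD_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd"
MS4HD_SUBKEYS = ("", r"\Files", r"\Processes", r"\RegKeys", r"\RegValues")
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")
_ERR_RE = re.compile(r"Error: Couldn't open (\S+)\s+Return code was 0[xX]([0-9A-Fa-f]+)")


def basenames(line):
    """Lower-case file names of every drive-letter path on an HJT line."""
    return {m.group(0).rsplit("\\", 1)[-1].lower() for m in _PATH_RE.finditer(line)}


def guess_version(names):
    """'v1', 'v2', 'unknown' (tie, e.g. only clfmon.exe, which is in both sets)
    or None when nothing matches. The post's 3rd version is not modelled."""
    names = {n.lower() for n in names}
    v1, v2 = len(names & V1_FILES), len(names & V2_FILES)
    if v1 == 0 and v2 == 0:
        return None
    if v1 == v2:
        return "unknown"
    return "v1" if v1 > v2 else "v2"


def scan_hjt(log_text):
    """Group suspicious HJT lines by section. O4/O2 entries count only when the
    path's file name is in the post's lists, so the legitimate ctfmon.exe is not
    confused with the look-alike clfmon.exe."""
    hits = {"O15": [], "O4": [], "O2": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O15 - Trusted Zone:") and TRUSTED_ZONE_IOC in line:
            hits["O15"].append(line)
        elif line.startswith(("O4 ", "O2 ")) and basenames(line) & KNOWN_FILES:
            hits[line[:2]].append(line)
    return hits


def look_log_status(text):
    """(clean, codes): clean only when the root key and all four subkeys failed
    with STATUS_OBJECT_NAME_NOT_FOUND. A key that opened, or a different code
    such as access denied, means the box is not known to be clean."""
    codes = {m.group(1).lower(): int(m.group(2), 16) for m in _ERR_RE.finditer(text)}
    expected = [(MS4HD_KEY + sub).lower() for sub in MS4HD_SUBKEYS]
    return all(codes.get(k) == STATUS_OBJECT_NAME_NOT_FOUND for k in expected), codes


# Constructed sample HJT excerpt; the CLSID is a placeholder, not a real BHO id.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\netcfg.dll
O4 - HKLM\..\Run: [taskrun] C:\WINDOWS\system32\taskrun.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.63.219.181.7
"""

# The clean look.log exactly as quoted in the post.
CLEAN_LOOK_LOG = r"""An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Return code was 0XC0000034"""

if __name__ == "__main__":
    hits = scan_hjt(SAMPLE_HJT)
    seen = set().union(*(basenames(l) for sec in hits.values() for l in sec))
    ver = guess_version(seen)
    print("HJT hits:", hits)
    print("file set:", ver, "- rootkit DLL to expect:", ROOTKIT_DLL.get(ver))
    print("look.log clean:", look_log_status(CLEAN_LOOK_LOG)[0])
```

To use it on a real case, replace SAMPLE_HJT with the text of a saved HJT log and CLEAN_LOOK_LOG with the look.log the tool produced. A look.log whose keys open without error, or that returns any code other than 0xC0000034 (for example access denied), is reported as not clean rather than clean, which matches the post's rule that only the five "Couldn't open" errors mean the keys are gone.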