Changing HomePage

Discussion in 'adware, spyware & hijack cleaning' started by AndyBinDuffield, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    My computer has begun changing my home to a site called "start:page Trusted Site". This site has no address in the web page bar but only says "start:page". I have run the most up to date versions of Spybot S & D, Ad-Aware 6 and AVG 6.0 (all free versions) but none can find a problem. However, although when i run the AVG test mannually, it finds no problem, it is producing pop-ups from thr resident shield saying that I have the trojan Downloader.Small.6.I in the following Files

    C:WINDOWS\system32\xdldr24.exe and
    C:\xdldr17.exe

    I have tried removing these (having backed them up first!) and they instantly reappear. Can you Help? Here is my HJT log


    Logfile of HijackThis v1.97.7
    Scan saved at 12:24:25 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZMPBIX6V\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.tiscali.co.uk/products/startup_code.html?PopSelected=0845-08456630221
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi AndyBinDuffield

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 213.159.117.235 auto.search.msn.com

    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe

    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe

    O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe

    Then reboot into safe mode and delete:
    C:WINDOWS\system32\xdldr24.exe
    C:\xdldr17.exe

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

    Also do an online virusscan, you will find several listed here: http://www.wilders.org/free_services.htm

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    Thanks for your help and for such a speedy reply, much appreciated!!

    I carried out all the tasks that you suggested and ran the on-line virus scan housecall. This did not find any virus. Whilist deleting the files xdldr24 and xdldr17 i also deleted a file called xcopy that was created at the same time and date as the other files. The AVG resident shield is no longer saying that my pc is infected with downloader.Samll.6.I. Thanks!

    However my homepage is still changing automatically from what i set it to (www.tiscali.com) to the same start:page as before.

    Here is the latest HJT scan.

    Thanks again

    AndyBinDuffied

    Logfile of HijackThis v1.97.7
    Scan saved at 1:50:08 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.tiscali.co.uk/products/startup_code.html?PopSelected=0845-08456630221
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    There is obviously something else going on.

    That Russian IP in your hosts file came back as well.

    In this post: https://www.wilderssecurity.com/showthread.php?t=12516 please download HijackThis 1.98.0
    It has a few bugs, but I would like to see a log made with that please.

    Regards,

    Pieter
     
  5. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    Pieter,

    As requested, here is the log made with V1.98.0

    Regards

    Andy

    Logfile of HijackThis v1.98.0
    Scan saved at 1:57:58 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\HijackThis\HijackThis.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Documents and Settings\HijackThis\HijackThis 1980\HijackThis1980.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/products/startup_code.html?PopSelected=0845-08456630221
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32AAAAAAAA.dll
    O18 - Filter: text/html - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32AAAAAAAA.dll
    O18 - Filter: text/plain - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32AAAAAAAA.dll
     
  6. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    I am not sure if this would help but Ad-Aware is picking up 15 items that are infected. WOuld a log file from this help in anyway?

    Regards

    Andy
     
  7. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    sorry to keep bombarding you with posts before you reply but the AVG shield is now detecting the same Downloader.Small.6.I as before in the following files

    C;\WINDOWS\System32\xdldr24.exe
    C:\xdldr17
    C:\Recycler\S-1-5-21-515967899-1326574676-839522115-1003\DC49.exe

    I donlt know if the two problems are related so thought this may help?

    Regards

    Andy
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi AndyBinDuffield,

    This looks like we may get somthing out of it.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 213.159.117.235 auto.search.msn.com

    O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32AAAAAAAA.dll
    O18 - Filter: text/html - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32AAAAAAAA.dll
    O18 - Filter: text/plain - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32AAAAAAAA.dll

    Then check if one of these files exist:
    C:\WINDOWS\System32AAAAAAAA.dll
    C:\WINDOWS\System32\AAAAAAAA.dll

    Let me know which one please.

    Then reboot, run AdAware again. Save the log in case this does not solve it.

    Keep us posted,

    Pieter
     
  9. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    fixed the problems you suggested in HijackThis.

    File System32AAAAAAAA.dll exsists in C:\Windows

    Below is the new HJT Log From V1.98.0 - Does this look clean now?

    Regards

    Andy

    Logfile of HijackThis v1.98.0
    Scan saved at 2:32:28 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\HijackThis\HijackThis.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Documents and Settings\HijackThis\HijackThis 1980\HijackThis1980.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/products/startup_code.html?PopSelected=0845-08456630221
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32AAAAAAAA.dll
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi AndyBinDuffield,

    The protocol-hijack seems to persist.

    Can you mail me a (preferably zipped) copy of System32AAAAAAAA.dll
    before you fix the O18 entry and then delete the file in safe mode.

    Regards,

    Pieter
     
  11. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    while deleting System32AAAAAAAA.dll in safe mode - is worth deleting

    C:\WINDOWS\System32\xdldr24.exe
    C:\xdldr17
    C:\Recycler\S-1-5-21-515967899-1326574676-839522115-1003\DC49.exe

    again as i mentioned AVG is reporting these as infected again or should i leave this till this problem is fixed?

    Also, to what address would you like the zip file sent to?

    Regards

    Andy
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Yeah, that would be handy to mention. :oops:

    pieterATwilderssecurity.org (replace AT with @)

    I am hoping AVG will be able to remove the files it finds, once we break the chain of re-infection, but feel free to do it manually.

    Regards,

    Pieter
     
  13. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    Have completed that - removed the files you suggested. I have now re-run hijackthis and the
    O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32AAAAAAAA.dll

    issus has appeared - should i now remove this and see if it comes back again?

    Regards

    Andy

    Logfile of HijackThis v1.98.0
    Scan saved at 3:08:28 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\HijackThis\HijackThis 1980\HijackThis1980.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/products/startup_code.html?PopSelected=0845-08456630221
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1629A6E8-8F9C-4F63-8344-B8316D85F54E}: NameServer = 80.225.253.50 80.225.251.58
    O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32AAAAAAAA.dll
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Yes please. If that doesn't work I'll have to take a long hard look at that file to see what makes it tick.

    Regards,

    Pieter
     
  15. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    i have re-booted a couple of time and keep opening new pages in IE and the homepage does not change :D! However the protocol is still occuring in HijackThis referring to the file i sent you but i have searched my PC and the file is no longer present.

    Is this a problem or can it just be left as it no longer appears to be effecting anything?

    Regards

    Andy
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    It bugs the cr@p out of me to leave it, but it is probably a bug in HijackThis.
    One of the reasons why it is no longer offered at the usual mirrors.

    If it is not bothering you, leave it alone.
    If I come up with a plan after looking at the file I'll certainly let you try it out. :D

    Regards,

    Pieter
     
  17. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    Your a legend - Thank you so much for all your help!

    Good to know that there are people trying to stop those bast***s that cause these problems in the first place!

    Keep up the good work

    Many thanks

    Andy
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  19. AndyBinDuffield

    AndyBinDuffield Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    16
    Thanks for the advice on the "Why did i get infected in the first Place?" article.

    However, i am unsure as to how to effectively apply the IE Hosts file that is recommended there. I downloaded the zip file and attempted to extract the HOSTS file to C:\WINDOWS\System32\Drivers\etc but there was already a HOSTS file there. I renamed the older one (just as HOSTS1) and extracted the new one. Since then I have been using the internet and have since run ad-aware 6 again which has come up with 79 redirected host file enteries of type "Host File". I am assuming this is to do with the change i made earlier?

    There appears to be no problems with IE or computer as a whole, just don't understand.

    Can you give me advice on this or should i be in a differebt forum?

    Regards

    Andy
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    If you could ask those questions here:

    https://www.wilderssecurity.com/forumdisplay.php?f=40

    I think more people could profit from that. Hardly anyone reads these threads, since they are mostly very specific for one spyware or even computer.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.