Unable to remove from safe zones hijacker (http://*.63.219.181.7)

Discussion in 'news, general information and FAQs' started by dvk01, Nov 27, 2004.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This pest normally only shows this entry in a HJT log, but causes pop-ups and browser diverts, and only affects W2K or XP as far as we know:

    O15 - Trusted Zone: http://*.63.219.181.7

    This is the standard script for dealing with it.
    This is a new one that we are still working out a complete automatic fix for, so at the moment each fix is specially crafted for each individual hijack. Because of that we need some information about your computer, which needs a special file run to get the info.

    Because it is a delicate process and needs an expert interpretation to prevent problems, please don't try this yourself unless you are absolutely sure you know what you are doing.

    Please download & unzip Ms4Hd_look to a folder, double-click on the runme.bat, and it should produce a look.log file.

    Post the look.log file back here, together with the other log files it makes, including the err.log, so we know what we are dealing with.

    http://www.thespykiller.co.uk/files/ms4hd.zip

    CURE:

    Download Pocket Killbox from http://download.broadbandmedic.com/KillBox.exe & put it on the desktop where you can find it easily.

    Download this reg file please and save it to the desktop. Do not run it yet.

    http://www.thespykiller.co.uk/files/Removems4hd.reg

    Run Killbox and paste each of these lines into the box, select "delete on reboot", then press the red X button. When it says "reboot now", say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

    There will be a set of files listed in the look.log. It will normally be either the version 1 or the version 2 set listed below, but there is a 3rd version that we have heard about and will add to this list when we come across it. Not all the files actually exist despite the reg listing, but killbox everything listed regardless, and KillBox will tell you if it doesn't exist. In each set one of the dll's is a rootkit that masks the actual infection: in V2 it's syspack.dll, in V1 it's hdr.dll, and one of the other .exes holds it in place.

    (version 2)
    C:\WINDOWS\system32\taskrun.exe
    C:\WINDOWS\system32\trayinfo.exe
    C:\WINDOWS\system32\subsys.exe
    C:\WINDOWS\system32\spoolsvc.exe
    C:\WINDOWS\system32\smlogvcc.exe
    C:\WINDOWS\system32\sessngr.exe
    C:\WINDOWS\system32\smlogvcc.exe
    C:\WINDOWS\system32\rsvxp.exe
    C:\WINDOWS\system32\rsn.exe
    C:\WINDOWS\system32\rexecs.exe
    C:\WINDOWS\system32\resrvc32.exe
    C:\WINDOWS\system32\rcip.exe
    C:\WINDOWS\system32\proxyconf.exe
    C:\WINDOWS\system32\powerconf.exe
    C:\WINDOWS\system32\pingnet.exe
    C:\WINDOWS\system32\dnsping.exe
    C:\WINDOWS\system32\odcfg.exe
    C:\WINDOWS\system32\netstart.exe
    C:\WINDOWS\system32\netdns.exe
    C:\WINDOWS\system32\getdns.exe
    C:\WINDOWS\system32\msswchxp.exe
    C:\WINDOWS\system32\msng.exe
    C:\WINDOWS\system32\msinfo.exe
    C:\WINDOWS\system32\netssl.exe
    C:\WINDOWS\system32\netdetect.exe
    C:\WINDOWS\system32\sfcver.exe
    C:\WINDOWS\system32\clfmon.exe
    C:\WINDOWS\system32\netssh.exe
    C:\WINDOWS\system32\syspack.dll
    C:\WINDOWS\system32\netcfg.dll
    C:\WINDOWS\system32\odbcfg32.dll
    C:\WINDOWS\system32\p2pserv.dll

    (version 1)
    C:\WINDOWS\system32\service.exe
    C:\WINDOWS\system32\ie4unit.exe
    C:\WINDOWS\system32\ipxroutex.exe
    C:\WINDOWS\system32\rdshost32.exe
    C:\WINDOWS\system32\rshe.exe
    C:\WINDOWS\system32\net2.exe
    C:\WINDOWS\system32\mqsvch.exe
    C:\WINDOWS\system32\dllhostxp.exe
    C:\WINDOWS\system32\extrac16.exe
    C:\WINDOWS\system32\mqbckup.exe
    C:\WINDOWS\system32\pxhping.exe
    C:\WINDOWS\system32\rdpnr.exe
    C:\WINDOWS\system32\slservc.exe
    C:\WINDOWS\system32\clfmon.exe
    C:\WINDOWS\system32\hdr.dll
    C:\WINDOWS\system32\msacmx.dll
    C:\WINDOWS\system32\d3dxov.dll
    C:\WINDOWS\system32\winsrv32.dll

    When it has rebooted:

    Now please run the reg file you downloaded earlier. Make sure IE and OE and all other windows are closed before running it.

    It will remove some reg values and keys that are causing the problem.
    Run it by double-clicking it.

    You should get a warning that it will merge into the registry, or similar; say yes to the prompt.
    You should then get a message saying the file was successfully merged with the registry. Did you?

    Then check your Favorites folder, as this pest puts a lot of unwanted links in there as well, and they need manually deleting.

    Once it reboots, post a fresh HJT log, then run the Ms4Hd_look file you first downloaded and post a new log from that, please.


    After the files have been deleted you should see the O4 run entries in a HJT log; fix them as usual.
    Version 2 has a BHO with the name of one of the DLL files; this also won't normally show until you have removed the rootkit dll.

    If it's all clear then the look.log should look like this:

    An Ms4Hd_look by IMM (v0.001)
    ----------------------------------------
    Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
    Return code was 0XC0000034

    ----------------------------------------
    Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
    Return code was 0XC0000034

    ----------------------------------------
    Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
    Return code was 0XC0000034

    ----------------------------------------
    Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
    Return code was 0XC0000034

    ----------------------------------------
    Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
    Return code was 0XC0000034


    Examples of logs:

    http://forums.techguy.org/t301056.html
    http://forums.techguy.org/t300627.html
    http://forums.techguy.org/t301402.html
    http://forums.techguy.org/t300988.html

    If or when you run the Ms4Hd_look tool for finding the files and it gives a list of other files that aren't listed above, please substitute those files accordingly and send copies of the files to me, zipped, at the email address in my signature.

    Special credit to IMM & noahdfear for their work in finding the cure for this one.
    Last edited: Nov 28, 2004
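    The indicators in the post above (the O15 Trusted Zone entry pointing at a wildcarded numeric IP, the version 1 and version 2 file names that surface as O4 run entries or a BHO once the rootkit dll is gone, and the "all clear" shape of the look.log) lend themselves to a small triage script. The following is an added example, not part of dvk01's post nor one of the tools linked in it: it scans HijackThis-style log lines for those indicators, guesses which version set is present, and checks whether a look.log matches the clean pattern shown in the post. The HijackThis line formats and the sample log are constructed for illustration; the CLSID in the sample is a placeholder.

```python
import re
from pathlib import PureWindowsPath

# File names copied from the version 2 and version 1 lists in the post.
V2_FILES = frozenset("""
taskrun.exe trayinfo.exe subsys.exe spoolsvc.exe smlogvcc.exe sessngr.exe
rsvxp.exe rsn.exe rexecs.exe resrvc32.exe rcip.exe proxyconf.exe powerconf.exe
pingnet.exe dnsping.exe odcfg.exe netstart.exe netdns.exe getdns.exe
msswchxp.exe msng.exe msinfo.exe netssl.exe netdetect.exe sfcver.exe clfmon.exe
netssh.exe syspack.dll netcfg.dll odbcfg32.dll p2pserv.dll
""".split())
V1_FILES = frozenset("""
service.exe ie4unit.exe ipxroutex.exe rdshost32.exe rshe.exe net2.exe
mqsvch.exe dllhostxp.exe extrac16.exe mqbckup.exe pxhping.exe rdpnr.exe
slservc.exe clfmon.exe hdr.dll msacmx.dll d3dxov.dll winsrv32.dll
""".split())
# The post names these as the rootkit component of each version.
ROOTKIT_DLLS = {"syspack.dll": "2", "hdr.dll": "1"}

TRUSTED_ZONE_RE = re.compile(r"^O15 - Trusted Zone:\s*(?P<site>\S+)", re.I)
# A wildcarded dotted-quad IP in a Trusted Zone entry (e.g. http://*.63.219.181.7).
WILDCARD_IP_RE = re.compile(r"^(https?://)?\*\.(\d{1,3}\.){3}\d{1,3}/?$", re.I)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.(?:exe|dll)\b", re.I)


def guess_version(names):
    """Pick version 1 or 2 from the file names seen; a rootkit DLL decides outright."""
    for n in names:
        if n in ROOTKIT_DLLS:
            return ROOTKIT_DLLS[n]
    only2 = sum(1 for n in names if n in V2_FILES and n not in V1_FILES)
    only1 = sum(1 for n in names if n in V1_FILES and n not in V2_FILES)
    if only2 == only1 == 0:          # e.g. only clfmon.exe, which is in both lists
        return None
    return "2" if only2 >= only1 else "1"


def scan_hjt(lines):
    """Return suspicious O15 entries, matching O2/O4 file names, and a version guess."""
    findings = {"trusted_zone": [], "files": {}}
    for raw in lines:
        line = raw.strip()
        m = TRUSTED_ZONE_RE.match(line)
        if m and WILDCARD_IP_RE.match(m.group("site")):
            findings["trusted_zone"].append(m.group("site"))
        if line.startswith(("O2 ", "O4 ")):      # BHO and Run entries
            for path in WIN_PATH_RE.findall(line):
                name = PureWindowsPath(path).name.lower()
                if name in V1_FILES or name in V2_FILES:
                    findings["files"][name] = line
    findings["rootkit"] = sorted(n for n in findings["files"] if n in ROOTKIT_DLLS)
    findings["version"] = guess_version(findings["files"])
    return findings


# look.log check: the post's clean output reports every Ms4Hd key as unopenable
# with return code 0XC0000034 (NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND).
MS4HD_KEYS = ("Ms4Hd", "Ms4Hd\\Files", "Ms4Hd\\Processes",
              "Ms4Hd\\RegKeys", "Ms4Hd\\RegValues")
NOT_FOUND = "0XC0000034"
LOOK_ERR_RE = re.compile(
    r"Error: Couldn't open HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(\S+)"
    r"\s+Return code was (\S+)")


def look_log_is_clean(text):
    """True only if every key the tool probes is reported as not found."""
    codes = {key: code.upper() for key, code in LOOK_ERR_RE.findall(text)}
    return all(codes.get(k) == NOT_FOUND for k in MS4HD_KEYS)


# Constructed sample HJT lines (not from a real log); the CLSID is a placeholder.
SAMPLE_HJT = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\syspack.dll
O4 - HKLM\..\Run: [taskrun] C:\WINDOWS\system32\taskrun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.windowsupdate.com
""".strip().splitlines()

# Clean look.log rebuilt from the expected output quoted in the post.
CLEAN_LOOK_LOG = "An Ms4Hd_look by IMM (v0.001)\n" + "".join(
    "-" * 40 + f"\nError: Couldn't open HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{k}\n"
    "Return code was 0XC0000034\n\n" for k in MS4HD_KEYS)

if __name__ == "__main__":
    print(scan_hjt(SAMPLE_HJT))
    print("look.log clean:", look_log_is_clean(CLEAN_LOOK_LOG))
```

    The version guess deliberately lets the rootkit dll override the file-name count, since the post identifies syspack.dll and hdr.dll as the one file that distinguishes the two sets, while clfmon.exe appears in both and on its own says nothing. The look.log check is strict in the other direction: any probed key that is missing from the log, or reported with a different return code, is treated as not clean.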
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It seems that this hijacker has mutated and the above fix will no longer work.

    The Ms4Hd_look isn't finding the registry keys, as they have either moved to a different, as yet unknown, location or a different rootkit is hiding them very well.
    We will keep you informed when we know more.
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK