Internet Explorer Fails After Registry Removal

Reply
1 2

Join Date: Aug 2003
Posts: 9,798
Reputation: caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold 
Solved Threads: 512
Team Colleague
caperjack's Avatar
caperjack caperjack is offline Offline
Posting Prodigy

Re: Internet Explorer Fails After Registry Removal

 
0
  #11
May 6th, 2004
Close all browser windows and fix these .

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

reboot to safe mode and delete

C:\WINDOWS\alchem.exe>>>> delete file


C:\Program Files\Common files\updater>>> Delete folder


Reboot and run hijackthis and post new log .thanks


Do you know what this is ,its suspisous because its running from a temp folder ???
O4 - HKLM\..\Run: [5Pd] C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe
Win7 whats it all about .
http://www.microsoft.com/canada/windows/windows-7/
Going with the Flow ,but the water is low and the rocks are big
Reply With Quote Quick reply to this message  
Join Date: Jun 2004
Posts: 14
Reputation: nic_m_moon is an unknown quantity at this point 
Solved Threads: 1
nic_m_moon's Avatar
nic_m_moon nic_m_moon is offline Offline
Newbie Poster

Re: Internet Explorer Fails After Registry Removal

 
0
  #12
Jun 1st, 2004
Originally Posted by Pseudonym
Sure thing. Here's the log.

Logfile of HijackThis v1.97.7
Scan saved at 6:45:51 PM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Penn Bullock\Local Settings\Temporary Internet Files\Content.IE5\OHA78PIJ\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bbcnews.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe
O4 - HKCU\..\Run: [sysmon] C:\WINDOWS\System32\sysmon\sysmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tri...tyleSigned.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35

Maybe there's something rotten hiding in there. The "alchem" file always seemed a bit suspicious to me, but it's all a bunch of jumble to me anyway. Glad you can help me out!
:cheesy:

P.S. After I got the infected with the spyware (OK, it's not a virus - sorry ), I uninstalled my Google toolbar. When I tried to reinstall it, no matter what I did I couldn't get it to appear on my browser. It's a really trivial issue and it doesn't matter, but I wanted to mention it because maybe it has something to do with the virus.


Once again, THANKS!
The System32 file C:\WINDOWS\system32\lsass.exe indicates that you have the sasser worm i recommend you take this hyperlink, http://securityresponse.symantec.com...alinstructions, download the saaser removal tool, close all windows and run it. :p this should clear up your system from now on I recommened having an anti-virus program running when online, and especially when downloading files. If this doesn't work check on any other sasser worm types a-e.Hope you won't have any more problems.
Reply With Quote Quick reply to this message  
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 362
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Internet Explorer Fails After Registry Removal

 
0
  #13
Jun 1st, 2004
Originally Posted by caperjack
Do you know what this is ,its suspisous because its running from a temp folder ???
O4 - HKLM\..\Run: [5Pd] C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe
Whack it.

A) It isn't a legit Windows program AFAICT.
B) It is running from a temp folder, which in of of itself should raise an eyebrow or two.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote Quick reply to this message  
Join Date: May 2004
Posts: 6
Reputation: Pseudonym is an unknown quantity at this point 
Solved Threads: 0
Pseudonym Pseudonym is offline Offline
Newbie Poster

Re: Internet Explorer Fails After Registry Removal

 
0
  #14
Jun 17th, 2004
Hello again. It's been a long time since my last reply. I've done a lot of de-weeding over the past few weeks. I bought a new spyware program, which exposed a burgeoning nest of bugs that I had no idea existed. Since my first post, however, the condition of my internet has worsened. Not only does it work on and off, but not it seems to have contracted a new, more malicious infection.

The only way to describe this new spyware is that it rotates. It consists of only one (visible) file. Everytime I delete one particular version of the ******* with HijackThis, another one pops out of the woodwork to take its place - withing minutes or hours. When it does, an error message usually arrives informing me that "internet explorer has encountered a problem and must be shut down" etc. etc. Then all my windows close.

Here's an ever-growing list of the files I've deleted so far.

msjr
apppt
appnj
ntuk
appql
addqp32
d3hr
ntfz
netv32
windc32
mfcpe
ieew
sdkta
sdkfg32
netvz32
netzl32
ntxv32
netwo
applf
atltf
mfcnp32

I've unleashed a full barrage of anti-spyware programs against the ******* - Ad-aware, SpyBot, HijackThis, etc. - and none of them have been successful. I've scoured the internet for similar experiences but no one seems familiar with my particular species of bug. Can you guys help me out?

Anyway, here's my logfile. The bug, you see, is a file by the name of ieaj.dll. Also, I've been struggling endlessly to delete the msyf32 one - to no avail. This spyware is maddeningly persistent!

Logfile of HijackThis v1.97.7
Scan saved at 2:10:39 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\ipla.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
C:\WINDOWS\System32\dhwbsiw.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\msyf32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {538EEB8F-48F3-4823-CA19-09ED9EFBD83E} - C:\WINDOWS\ieaj.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKLM\..\Run: [rcqzxl] C:\WINDOWS\System32\dhwbsiw.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [msyf32.exe] C:\WINDOWS\system32\msyf32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35
Reply With Quote Quick reply to this message  
Join Date: May 2004
Posts: 6
Reputation: Pseudonym is an unknown quantity at this point 
Solved Threads: 0
Pseudonym Pseudonym is offline Offline
Newbie Poster

Re: Internet Explorer Fails After Registry Removal

 
0
  #15
Jun 17th, 2004
Originally Posted by nic_m_moon
The System32 file C:\WINDOWS\system32\lsass.exe indicates that you have the sasser worm i recommend you take this hyperlink, http://securityresponse.symantec.com...alinstructions, download the saaser removal tool, close all windows and run it. :p this should clear up your system from now on I recommened having an anti-virus program running when online, and especially when downloading files. If this doesn't work check on any other sasser worm types a-e.Hope you won't have any more problems.
Oh my God! I was reading through the replies again and I noticed this! Well, the Sasser worm probably explains all the recent problems. However, from what I hear, Sasser causes your computer to shut down. My computer, though, has shown no Sasser-like behavior. Could this be a variation of Sasser, or perhaps the worm hasn't had any effect on my computer?

Anyway, I can't tell you how much I appreciate you notifying me of that worm!
THANKS!
Reply With Quote Quick reply to this message  
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 362
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Internet Explorer Fails After Registry Removal

 
0
  #16
Jun 17th, 2004
Moving this to the Security forum, as we're definitely dealing with malware issues here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote Quick reply to this message  
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 362
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Internet Explorer Fails After Registry Removal

 
0
  #17
Jun 17th, 2004
Everytime I delete one particular version of the ***** with HijackThis...
HJT doesn't delete the actual files; it only removes the registry reference to the files. You need to manually delete the files/folders in question after HJT does its job.

You might want to read up on Sasser a bit:

http://securityresponse.symantec.com...oval.tool.html

There's a link to Symantec's Sasser removal tool in there as well.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote Quick reply to this message  
Reply
1 2

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Other Threads in the Viruses, Spyware and other Nasties Forum


Views: 9752 | Replies: 16
Thread Tools Search this Thread



Tag cloud for Viruses, Spyware and other Nasties
acrobat adobe adware anti-malware antivirus apple audio avg botnet botnets censorship combofix commercial commercials conficker crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email exam exploit explorer facebook fancheckvirus firefox gaming gtaiv gumblar halloween herss.exe hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft msn nazi news norton obama onlinethreats paedophile panel patch pc pdf phishing police policeprovirusmba-mblockedinternetaccess privacy pro problem redirecting reliability report research risk samhain sans scareware school search security sites software spam spyware sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update virus viruses vista volume vulnerability war warning web windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC