0

OK, here's the story. Today my laptop was infected with an extremely malicious strain of the CoolWebSearch spyware virus. It took me nearly two hours to remove it. The removal involved sifting through the Registry (run >> "regedit") and deleting the bugs responsible for the infection. Here's the key: I think that during that process, I accidentally deleted a file in the registry (something to do with browser helper objects) that was vital to my internet functions.

The virus was eliminated. But now, as a result, my internet is working intermittently. In other words, I'll turn on the computer and my browser will be dead; then a few restarts later it will be perfectly fine...and so on.

I'm not sure if the alterations I made in the registry have anything to do with the failure. It might be a symptom of the virus, though I'm pretty sure it's been destroyed. Here's a site that has information on the C:\searchpage.html virus ("http://www.computing.net/security/wwwboard/forum/11198.html"), in case it's useful.

I should also note that I did use HijackThis to help remove the virus; though that shouldn't be an issue since I've restored one essential file that I accidentally erased with it.

Again, in case the message got lost in all those words, here's my problem:

I deleted something in the registry and now my internet works on and off, but mostly off.

I'm wondering. Should I simply re-install Internet Explorer or is this a glitch that I can locate and fix? Is there some way that I can restore or repair deleted files without trashing the whole program? And if I do need to re-install Internet Explorer, can someone please give me instructions about how to do that?

I know I can't give much information, but I'm desperate for help.
Thanks a ton!!

4 Contributors, 16 Replies, 17 Views, 13 Years Discussion Span, Last Post by DMR
0

First of all, let's figure out if the problem might not be being caused by something malicious that didn't get removed. Could you run HijackThis again and post a copy of the log file here please? If your system is clean, we can start looking at the possibility that you did indeed delete a necessary reg key.

0

CWShredder run in safe mode would have fixed the C:\searchpage.html hijacker. Download it from my signature for the next time. Post a new HijackThis log and we'll have a look. There may be a problem that we can use LSPfix on to repair your internet.

Just for the record!! CoolWebSearch browser hijack variants are not viruses!!

0

Just for the record!! CoolWebSearch browser hijack variants are not viruses!!

Picky, picky, picky....

:mrgreen:

0

First of all, let's figure out if the problem might not be being caused by something malicious that didn't get removed. Could you run HijackThis again and post a copy of the log file here please? If your system is clean, we can start looking at the possibility that you did indeed delete a necessary reg key.

Sure thing. Here's the log.

Logfile of HijackThis v1.97.7
Scan saved at 6:45:51 PM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Penn Bullock\Local Settings\Temporary Internet Files\Content.IE5\OHA78PIJ\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bbcnews.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe
O4 - HKCU\..\Run: [sysmon] C:\WINDOWS\System32\sysmon\sysmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesLifestyleSigned.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35

Maybe there's something rotten hiding in there. The "alchem" file always seemed a bit suspicious to me, but it's all a bunch of jumble to me anyway. Glad you can help me out!
:cheesy:

P.S. After I got infected with the spyware (OK, it's not a virus - sorry ;) ), I uninstalled my Google toolbar. When I tried to reinstall it, no matter what I did I couldn't get it to appear on my browser. It's a really trivial issue and it doesn't matter, but I wanted to mention it because maybe it has something to do with the virus.


Once again, THANKS!

0

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

0

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


O3 Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)

O4 - HKLM\..\Run: [winmain] winmain.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe

O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe

This one is a resource hog and a suggested fix.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tr...styleSigned.cab

O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab

Now reboot into safe mode and delete the following files or folders if found.

winmain.exe>>>>>>>> delete file

C:\Program Files\Common files\updater>>>delete folder

C:\documents and settings\penn bullock\local settings\temp\5Pd.exe>>>>>Delete file

C:\WINDOWS\g30xdnnm4i.exe >>>>>>>delete file

To delete the above files and folder you will need to do the following:
go to Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

Reboot the computer and post a new log.

0

Hey! I can't tell you how much I appreciate your help.
I'm following the procedure right now. I'll update you about how it worked out.

Thanks again!!
:cheesy:

0

OK, I followed all your instructions and unfortunately it hasn't worked. In fact, there's a new problem. Today, while I was on the internet, the start menu, my desktop items, and all my browsers suddenly disappeared, as if the computer was about to shut down. When they came back, the browser windows were gone and the internet connection was bust. The same thing happened just a few minutes ago, only this time it caused the connection to be revived. My suspicion is that this is the work of some lingering spyware bug. But I doubt it can be weeded out by HijackThis. When I was first infected, neither Ad-Aware nor HijackThis nor Spybot did the trick; so I was forced to delve into the registry.

Oh, and here's the new log you asked for. There may be some new things in there, since I've installed several new toolbars and search programs (all of them are safe).


Logfile of HijackThis v1.97.7
Scan saved at 12:28:33 AM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\GGSearchTool\ggsearch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bbcnews.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.5\lexbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.5\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Groowe - {1F326B8F-CE7F-4C98-96A1-AC7A2B61D742} - C:\WINDOWS\System32\GrooweToolbar.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysmon] C:\WINDOWS\System32\sysmon\sysmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Girafa (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35

0

Close all browser windows and fix these.

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

Reboot to safe mode and delete

C:\WINDOWS\alchem.exe>>>> delete file


C:\Program Files\Common files\updater>>> Delete folder


Reboot and run HijackThis and post a new log. Thanks.


Do you know what this is? It's suspicious because it's running from a temp folder.
O4 - HKLM\..\Run: [5Pd] C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe

0

The System32 file C:\WINDOWS\system32\lsass.exe indicates that you have the Sasser worm :sad: I recommend you take this hyperlink, http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.f.worm.html#removalinstructions, download the Sasser removal tool, close all windows and run it. :p This should clear up your system. From now on I recommend having an anti-virus program running when online, and especially when downloading files. If this doesn't work, check on any other Sasser worm types A-E. Hope you won't have any more problems.

0

Do you know what this is? It's suspicious because it's running from a temp folder.
O4 - HKLM\..\Run: [5Pd] C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe

Whack it.

A) It isn't a legit Windows program AFAICT.
B) It is running from a temp folder, which in and of itself should raise an eyebrow or two.
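The checks the helpers apply by hand above (an autorun launched from a temp folder, a toolbar whose file is missing, an unnamed BHO loaded straight from the Windows folder, an O16 ActiveX download served from a bare IP, an O17 DNS override) can be run over the HijackThis log format as a first-pass triage. This is an added example, not code from the thread or from HijackThis; the sample lines are excerpted from the logs posted in this thread, and the heuristics are my assumptions drawn from the entries the helpers chose to fix.

```python
"""First-pass triage of a HijackThis v1.97 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Sample input: lines excerpted from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {538EEB8F-48F3-4823-CA19-09ED9EFBD83E} - C:\WINDOWS\ieaj.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35
"""


@dataclass
class Finding:
    section: str  # HijackThis section id, e.g. "O4"
    reason: str
    line: str


# Heuristics (assumptions modelled on what the helpers in this thread flagged).
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")  # file directly in C:\WINDOWS
TEMP_RE = re.compile(r"\\(temp|temporary internet files)\\")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def run_command_path(command: str) -> str:
    """Pull the executable path out of an O4 command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage(log_text: str) -> list:
    """Return the entries a helper would look at first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and running-process lines are not entries
        section, body = m.group(1), m.group(2)
        low = body.lower()
        if section == "O4":
            # "[name] command" for Run keys, "file.lnk = path" for Global Startup
            cmd = re.split(r"\] | = ", body, maxsplit=1)[-1]
            path = run_command_path(cmd).lower()
            if TEMP_RE.search(path):
                findings.append(Finding(section, "autorun launched from a temp folder", line))
            elif WINDOWS_ROOT_RE.match(path):
                findings.append(Finding(section, "autorun executable sits directly in the Windows folder", line))
        elif section == "O2":
            path = body.rsplit(" - ", 1)[-1].lower()
            if "(no name)" in low and WINDOWS_ROOT_RE.match(path):
                findings.append(Finding(section, "unnamed BHO loaded directly from the Windows folder", line))
        elif section == "O3" and low.endswith("(file missing)"):
            findings.append(Finding(section, "toolbar registration points at a missing file", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if IP_HOST_RE.match(url):
                findings.append(Finding(section, "ActiveX download served from a bare IP address", line))
        elif section == "O17":
            findings.append(Finding(section, "DNS override present; confirm these are your ISP's servers", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Entries the heuristics leave alone (the Google BHO, the QuickTime autorun, the Macromedia download) still need a human look; the point is to surface the same items the helpers picked out, not to replace them.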

0

Hello again. It's been a long time since my last reply. I've done a lot of de-weeding over the past few weeks. I bought a new spyware program, which exposed a burgeoning nest of bugs that I had no idea existed. Since my first post, however, the condition of my internet has worsened. Not only does it work on and off, but now it seems to have contracted a new, more malicious infection.

The only way to describe this new spyware is that it rotates. It consists of only one (visible) file. Every time I delete one particular version of the bastard with HijackThis, another one pops out of the woodwork to take its place - within minutes or hours. When it does, an error message usually arrives informing me that "internet explorer has encountered a problem and must be shut down" etc. etc. Then all my windows close.

Here's an ever-growing list of the files I've deleted so far.

msjr
apppt
appnj
ntuk
appql
addqp32
d3hr
ntfz
netv32
windc32
mfcpe
ieew
sdkta
sdkfg32
netvz32
netzl32
ntxv32
netwo
applf
atltf
mfcnp32

I've unleashed a full barrage of anti-spyware programs against the bastard - Ad-aware, SpyBot, HijackThis, etc. - and none of them have been successful. I've scoured the internet for similar experiences but no one seems familiar with my particular species of bug. Can you guys help me out?

Anyway, here's my logfile. The bug, you see, is a file by the name of ieaj.dll. Also, I've been struggling endlessly to delete the msyf32 one - to no avail. This spyware is maddeningly persistent!

Logfile of HijackThis v1.97.7
Scan saved at 2:10:39 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\ipla.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
C:\WINDOWS\System32\dhwbsiw.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\msyf32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {538EEB8F-48F3-4823-CA19-09ED9EFBD83E} - C:\WINDOWS\ieaj.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKLM\..\Run: [rcqzxl] C:\WINDOWS\System32\dhwbsiw.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [msyf32.exe] C:\WINDOWS\system32\msyf32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35

0

The System32 file C:\WINDOWS\system32\lsass.exe indicates that you have the Sasser worm :sad: I recommend you take this hyperlink, http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.f.worm.html#removalinstructions, download the Sasser removal tool, close all windows and run it. :p This should clear up your system. From now on I recommend having an anti-virus program running when online, and especially when downloading files. If this doesn't work, check on any other Sasser worm types A-E. Hope you won't have any more problems.

Oh my God! I was reading through the replies again and I noticed this! Well, the Sasser worm probably explains all the recent problems. However, from what I hear, Sasser causes your computer to shut down. My computer, though, has shown no Sasser-like behavior. Could this be a variation of Sasser, or perhaps the worm hasn't had any effect on my computer?

Anyway, I can't tell you how much I appreciate you notifying me of that worm!
THANKS!

0

Moving this to the Security forum, as we're definitely dealing with malware issues here.
