Full Version: Desktop Search
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
tatersalad1
I've got a user's PC that's been hit with Desktop Search (and probably some other things as well). I clear whatever I find using Ad-Aware and Spybot S & D, but this keeps coming back. Any help that you can offer would be appreciated. I'll post the HijackThis and Find.bat logs below. Thank you.


Logfile of HijackThis v1.99.0
Scan saved at 11:16:21 AM, on 2/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PCD32\client32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\SLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vrikok.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\efziabdg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {0858C36C-6C14-B051-B473-969D40BCA280} - C:\WINDOWS\System32\zaffyilu.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79F81E6A-9070-3F14-7A61-4377C3708640} - C:\WINDOWS\System32\mtomwrrh.dll
O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\davisgr\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitekpc32.exe
O4 - HKLM\..\Run: [efziabdg] C:\WINDOWS\System32\efziabdg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://hiringcenter.myflorida.com/java/smsx.cab
O16 - DPF: {2742ECD4-8666-11D5-8390-0008C7DF848D} (Enterprise Vault Web Shortcut) - http://awikvs/EnterpriseVault/ClientInstall/EVDesktop.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108397156758
O16 - DPF: {A0197873-25E0-11D4-852F-0050DA72ECA9} (HIRE.COM) - https://hiringcenter.myflorida.com/java/DP2Instal.cab
O16 - DPF: {A0197874-25E0-11D4-852F-0050DA72ECA9} (HIRE.COM) - https://hiringcenter.myflorida.com/java/TS2Instal.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Client32 - NetSupport Ltd - C:\PCD32\client32.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptLogic Service - Unknown - SLClient.exe (file missing)
O23 - Service: gnmjtfqeobub - Unknown - C:\WINDOWS\System32\duedtpkx5.exe (file missing)
O23 - Service: rjyivmjllbrq - Unknown - C:\WINDOWS\System32\duedtpkx6.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\FindIt\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D47B-40F5

Directory of C:\WINDOWS\System32

02/14/2005 11:13 AM 229,652 j84o0ih3e84.dll
02/14/2005 11:12 AM <DIR> dllcache
02/14/2005 10:57 AM 230,161 msg4541.cpy.dll
02/14/2005 09:31 AM 229,304 g6220gfoe62c0.dll
02/11/2005 03:30 PM 230,557 jtps0777e.dll
07/06/2004 07:44 AM <DIR> Microsoft
4 File(s) 919,674 bytes
2 Dir(s) 12,220,547,072 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D47B-40F5

Directory of C:\WINDOWS\System32

02/14/2005 11:12 AM <DIR> dllcache
02/11/2005 03:12 PM <DIR> vmss
07/07/2004 10:35 AM <DIR> GroupPolicy
07/06/2004 07:22 AM 488 WindowsLogon.manifest
07/06/2004 07:22 AM 488 logonui.exe.manifest
07/06/2004 07:22 AM 749 sapi.cpl.manifest
07/06/2004 07:22 AM 749 nwc.cpl.manifest
07/06/2004 07:22 AM 749 cdplayer.exe.manifest
07/06/2004 07:22 AM 749 wuaucpl.cpl.manifest
07/06/2004 07:22 AM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
3 Dir(s) 12,220,542,976 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is D47B-40F5

Directory of C:\WINDOWS\System32

02/14/2005 11:14 AM 229,304 guard.tmp
1 File(s) 229,304 bytes
0 Dir(s) 12,220,542,976 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is D47B-40F5

Directory of C:\WINDOWS\System32

02/14/2005 11:14 AM 229,304 guard.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
2 File(s) 231,881 bytes
0 Dir(s) 12,220,542,976 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5E8B780B-9556-4237-BEDF-18D29CF7BC59}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6220gfoe62c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
g6220g~1.dll Mon Feb 14 2005 9:31:50a ..S.R 229,304 223.93 K
j84o0i~1.dll Mon Feb 14 2005 11:13:14a ..S.R 229,652 224.27 K
jtps07~1.dll Fri Feb 11 2005 3:30:58p ..S.R 230,557 225.15 K
msg454~1.dll Mon Feb 14 2005 10:57:02a ..S.R 230,161 224.77 K

4 items found: 4 files, 0 directories.
Total of file sizes: 919,674 bytes 898.12 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\iboaua.dll: updates.qoologic.com
C:\WINDOWS\system32\loypzp.dll: updates.qoologic.com
C:\WINDOWS\system32\lwzqmq.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\vrikok.exe: .aspack
C:\WINDOWS\system32\wbavyv.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ktunpn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Duo System Snapshot"="C:\\PCD32\\CLBOOT32.EXE"
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"ntechin"="C:\\Documents and Settings\\davisgr\\n20050308.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"antiware"="C:\\windows\\system32\\elitekpc32.exe"
"efziabdg"="C:\\WINDOWS\\System32\\efziabdg.exe"
"Narrator"="C:\\WINDOWS\\system32\\vrikok.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



LoPhatPhuud
You say "I've got a user's PC..."

Would you mind amplifying that?

Are you being paid to repair/fix these PCs?

What is your relationship to the PC user?


This log will be held pending the information above.
tatersalad1
Well actually it is one part of my job - one of many parts. And in this case, this is a user within our agency. Most of the time, I can get the machine relatively clean using just Ad-Aware SE and/or Spybot S & D, but sometimes an infection comes along that those just won't touch. Deleting the startup entries in the Windows - Run key in HKLM doesn't solve the problem either (they just come back). I am not familiar enough with all of the tools referenced (particularly Killbox) to feel comfortable using them without causing additional damage. For that matter, if you could point me to additional documentation on the various tools, I'd rather solve the problem on my own than have to come out here. I did find a brief tutorial to HijackThis, but that's just one of the tools.
LoPhatPhuud
We have had people in the past who have been re-selling our services, thus the questions I asked. From your answer this log appears to be for a user within your organization. The problem will arise if your company repairs for fee. Then you are reselling my services without my permission.

Now, on to this one. That user has three major infections and is going to take some time to clean. The first one, the Desktop Search issue, most likely has infected explorer.

First step is to remove the Isearch/isrvc/Desktop Search exploit. Then we can remove the VX2 and QooLogic exploits and finally, cleanup the remainder. The Desktop Search infects explorer.exe in many cases so we will need to fix that too.

You may want to print these instructions for reference. Disconnect the infected computer from the internet and keep it that way until we are done.


Step 1: (replace Explorer.exe)
Search your Windows folder (and all subfolders) for all copies of explorer.exe. Most likely there will be three (one in C:\Windows\, one in C:\Windows\System32\Dllcache\ and one in C:\Windows\ServicePackFiles\i386\). All have been infected.

Download ExplorerXP here: http://www.explorerxp.com/ or x2lite here: http://zabkat.com/x2lite.htm and install it.

Download the Windows XP SP2 version of explorer.exe here: http://ralphcaddell.com/Uploads/SP2/explorer.zip and unzip it to your desktop or somewhere you can easily find it. (You can identify the Windows XP version in the hjt log and direct them to the correct download location.)

Then right click your desktop and open Task Manager. Click on the Processes tab and find explorer.exe. Highlight it and click the "End Process" button. Your desktop will disappear.

Then click on the Applications tab and then the "New Task..." button. Browse to the location of explorerxp.exe or x2Lite and open it.

Then browse to the location of the explorer.exe you downloaded. Copy it and then browse to the locations that you identified in the search such as C:\Windows, C:\WINDOWS\ServicePackFiles\i386 and replace the copy of explorer.exe located in them.

Go back to Task Manager. Then click on the Applications tab and then the "New Task..." button. Browse to C:\Windows\explorer.exe and open it.


Step 2:
First:
If running, kill the following processes in Task Manager:
desktop.exe
edmond.exe
ffisearch.exe

Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

CODE
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]



Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot your computer.

Third:
Execute the following commands:
Start -> Run -> regsvr32 /u C:\Windows\isrvs\msfiltis.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\msdbhk.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\sysupd.dll

Fourth:
Delete the following files/folders (if present) in C:\Windows\ or C:\Windows\System32\
delprot.ini
delprot.log
desktop.exe
isrvs (delete the entire folder)

Fifth:
Delete the following file:
C:\windows\system32\drivers\delprot.sys

Sixth:
Delete the following files/folder (if present) in C:\Documents and Settings\\Desktop\
anal exploits.url
big dick school for 2.95.url
evidence eraser.lnk
popup blocker stops popups.lnk
spyware avenger.lnk
virus hunter security.lnk
your platinum visa.lnk

Seventh:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. (note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O2 - BHO: (no name) - {0858C36C-6C14-B051-B473-969D40BCA280} - C:\WINDOWS\System32\zaffyilu.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79F81E6A-9070-3F14-7A61-4377C3708640} - C:\WINDOWS\System32\mtomwrrh.dll

O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\davisgr\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitekpc32.exe
O4 - HKLM\..\Run: [efziabdg] C:\WINDOWS\System32\efziabdg.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

O23 - Service: gnmjtfqeobub - Unknown - C:\WINDOWS\System32\duedtpkx5.exe (file missing)
O23 - Service: rjyivmjllbrq - Unknown - C:\WINDOWS\System32\duedtpkx6.exe

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\System32\efziabdg.exe
C:\windows\system32\elitekpc32.exe
C:\WINDOWS\System32\duedtpkx6.exe
C:\WINDOWS\System32\duedtpkx5.exe
C:\Documents and Settings\davisgr\n20050308.exe

*How to Boot into Safe mode: »service1.symantec.com/SUPPORT/tsgeninf..
**Show Hidden and System files and folders: »www.xtra.co.nz/help/0,,4155-1916458,00..

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.


Last:
If the O15 entries persist....

Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.
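The triage LoPhatPhuud did by eye on the log above, as an added example that is not part of this thread or of HijackThis: a small Python checker that parses HijackThis O1/O2/O4/O18/O23 lines and flags the indicators the fix list was built from (hosts-file redirects, anything loaded from C:\WINDOWS\isrvs\, filters and services with no file behind them). The sample lines are copied from the posted log; the rule that an .exe sitting directly in a profile root is suspicious, and the reason strings, are my own assumptions.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {0858C36C-6C14-B051-B473-969D40BCA280} - C:\WINDOWS\System32\zaffyilu.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\davisgr\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: gnmjtfqeobub - Unknown - C:\WINDOWS\System32\duedtpkx5.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Every entry the fix list in this thread removed lived under C:\WINDOWS\isrvs\.
ISRVS = "\\isrvs\\"
# Assumption: an .exe dropped straight into a profile root, not a subfolder.
PROFILE_ROOT_EXE = re.compile(r"documents and settings\\[^\\]+\\[^\\]+\.exe$")


def triage(log_text):
    """Return [(reason, line)] for each line matching an indicator from this thread."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        low = body.lower()
        reason = None
        if kind == "O1":
            # "Hosts: <ip> <name>": anything other than loopback/blackhole is a redirect.
            ip = body.split()[1]
            if ip not in ("127.0.0.1", "::1", "0.0.0.0"):
                reason = "hosts file redirects a search domain to " + ip
        elif kind == "O2":
            if "(no name)" in low or ISRVS in low:
                reason = "unnamed BHO or BHO loaded from the isrvs folder"
        elif kind == "O4":
            if ISRVS in low:
                reason = "Run entry launches from the isrvs folder"
            elif PROFILE_ROOT_EXE.search(low):
                reason = "Run entry launches an exe sitting in a profile root"
        elif kind == "O18":
            if "(no file)" in low:
                reason = "MIME filter registered with no backing file"
        elif kind == "O23":
            if "(file missing)" in low:
                reason = "service points at a missing binary"
            elif " - unknown - " in low:
                reason = "service vendor unknown (verify by hand; can be legitimate)"
        if reason:
            hits.append((reason, line))
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The vendor-unknown rule also catches OfficeScanNT Listener, which is legitimate and which the fix list above left alone, so that rule only reports "verify by hand" rather than marking an entry for removal.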
tatersalad1
Actually, after getting with my supervisor, we decided we may do just as well wiping the hard drive and reloading his PC. I was finally able to find time to do that yesterday afternoon. Generally, our folks are supposed to be saving important data to network drives, which are backed up on a regular basis, so loss of data usually isn't a major issue (or at least, it isn't supposed to be). I thank you very much for your help and your patience though.

I would be interested in learning more about how to read these logs and track down these problems, even if just for my own personal use. Do you have any suggestions for good places to go for this kind of information and training?

Once again, thank you very much.
LoPhatPhuud
Spyware Info and Tom Coyote both have programs for helping train log workers. At the least, they would point you in the correct direction.

http://www.spywareinfo.com

http://www.tomcoyote.com