After I click on Sign-in, it's very slow (I have broadband) and finally a "Page cannot be displayed" error comes. The first time I logged in, I got a "Your browser settings do not allow to be automatically redirected to the new URL. Click here to continue". When I clicked on continue, I got the "Page cannot be displayed" error page. Now, it directly goes to this error page on clicking Sign-in.
But I am able to log in to other Yahoo mail accounts on this system. Also I am able to log in to this account from a different system. So I am not able to understand what the problem is. Please help.
---------------------
Logfile of HijackThis v1.97.7 Scan saved at 10:59:01 AM, on 6/21/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Ezula requires more finesse to remove, and you've also now picked up another nasty little hitchhiker...Huntbar (aka Wintools). In my opinion it is about three times as hard to get all evidence of Huntbar off a PC as Ezula. But we'll do our best. I have special procedures for this situation. Please follow the steps closely and print out this page before beginning your repair.
First...try looking in Control Panel/Add Remove Programs and see if a TopText entry (Ezula) exists. I'm not a big fan of uninstall routines by the folks who wrote the offending software, but in this case it could be helpful. If you see TopText run the Remove routine.
Next...regardless of whether you found anything there or not...
Reboot to Safe Mode.
Hit Control-Shift-Escape keys at the same time and in Task Manager if you see these files running stop the processes for Huntbar and any you see that might appear for Ezula: Huntbar will have these running files:
WToolsA.exe WSup.exe
Also stop this hostile process if present: usbdivv.exe
Comments: very tricky little name...and it has a Registry name value that also sounds equally convincing: [hpsysconf1]. But it's a baddie.
Exit Task Manager.
Run Hijackthis while still in Safe Mode, scan and check the box left of these numbered line items:
If you know of other hostile files like you mentioned as being in System32 folder...seek out and destroy.
Exit Explorer and immediately empty the Recycle Bin.
Still in Safe Mode....Run Adaware, get today's updated definitions, and then run with the custom scanning options: (won't work well unless you do this): Print out this setup guide and follow it to the letter:
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)
1) In the Add/Remove programs, I did not find TopText but I found a new entry, Win-Tools Easy Installer 2.1. I am not sure whether I should remove it since you had not mentioned it, so I thought I'd check with you first before trying to uninstall it.
2) On rebooting to Safe Mode and checking in Task Manager, I see only the following processes running.. taskmgr.exe explorer.exe svchost.exe svchost.exe lsass.exe services.exe winlogon.exe csrss.exe smss.exe System System Idle Process
But in the Normal mode, all the Huntbar files that you mentioned are running. The task manager shows the following processes....
The suspect exe files in the system32 folder are (as usual):- mamma-ez-ss.exe edow.exe mamma-ibis-ss.exe ezStub061704.exe usbdivv.exe ezsys.exe ibissys.exe
Before I proceed with your instructions, please tell me 1) whether I should uninstall Wintools in Add/Remove programs 2) whether I should stop the hostile processes running in normal mode and proceed further in Safe mode.
I recently found that my spouse had put the security level in IE to low and forgot to turn it back to medium.....that explains all these problems.
>1) whether I should uninstall Wintools in Add/Remove programs
They are the dregs of humanity in my opinion...I detest the Huntbar infectors and creators. I doubt it will work. You can try it, but it is dubious. I cleaned one yesterday at work manually by deleting all folders, then in the Registry looking for all wintools and btein entries and deleted scores of values and keys. It is a pig.
>2) whether I should stop the hostile processes running in normal mode and proceed further in Safe mode.
Ten-four. Proceed and terminate and destroy all without prejudice.
Texruss
3.4K Posts
0
June 15th, 2004 01:00
Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Sign off and stay off the internet until the entire procedure is complete.
Open VX2Finder and click on the *click to find VX2.BetterInternet* button.
Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)
Next...Run Hijackthis, scan and check the box left of these numbered line items if present:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [qF3T3pW] ftslegih.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://downloads.aaa1screensavers.com/download/screload-mamma.exe
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Reboot to SAFE MODE and Show HIDDEN FILES and folders (VERY IMPORTANT!)
FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders: (some may not be present)
Folders and/or folder contents:
C:\Program Files\AWS
C:\Program Files\TV Media
Files:
C:\WINDOWS\System32\li01f948.dll
C:\WINDOWS\System32\iel2cde8.dll
C:\Windows\System32\ftslegih.exe
Exit Explorer and reboot to normal mode. Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this.The problem is not serious and should not deter people from using Spybot.
I also like to run Windows Disk Cleaner after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).
Run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleaner completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
Reboot and browse a bit and post a new Hijackthis log.
Special comments:
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
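The entries Texruss asks to fix above are all HijackThis lines keyed by their section prefix (O1 hosts file, O2 BHOs, O4 autostarts, O16 ActiveX downloads). As an added example, not code from the forum, the helper or HijackThis itself, the following Python parser reads such lines and attaches a triage reason to each using only the indicators this thread relies on: hosts-file redirects, hooks and BHOs with no name and no file, rundll32-loaded DLLs with generated names, bare file names run from the search path, binaries named in the thread, and ActiveX downloads from hosts outside a constructed allow-list. The sample lines are copied from the thread's logs plus one constructed hosts-file block; the allow-list and the bad-binary set are assumptions drawn from this thread, not general signatures.

```python
"""Triage HijackThis v1.97 log entries on the indicators this thread relies on.
Added example for this thread; not code from the forum, the helper or HijackThis."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Entry lines read "<section> - <body>": R0-R3 browser settings, O1 hosts file, O2 BHOs, O4 autostarts, O16 ActiveX downloads.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*\S)\s*$")
HOSTS_BODY = re.compile(r"^Hosts:\s*(?P<ip>[\d.]+)\s+(?P<host>\S+)")
O4_BODY = re.compile(r"^.*?:\s*\[[^\]]*\]\s*(?P<cmd>.*)$")
RUNDLL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\w+)", re.I)
PATH_TOKEN = re.compile(r'[^"\s][^"]*?\.(?:exe|dll)\b', re.I)
URL = re.compile(r"https?://\S+")
# Generated-looking stems such as li01f948 / iel2cde8: 6-10 alphanumerics mixing letters and digits.
GENERATED_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,10}$")
# A hosts entry pointing a name at loopback blocks it (ashak's block for the lzio.com hosts); a public IP redirects it.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}
# Binaries the replies in this thread ask to be removed; an assumption from the thread, not a general signature set.
THREAD_BAD_BINARIES = {"usbdivv.exe", "ftslegih.exe", "li01f948.dll",
                       "iel2cde8.dll", "tvm.exe", "weather.exe"}
# Constructed allow-list of ActiveX download hosts; adjust to your own estate.
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "v4.windowsupdate.microsoft.com",
                     "security.symantec.com", "bin.mcafee.com"}

@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def basename(path: str) -> str:
    """Last component of a Windows path, quotes stripped, lower-cased."""
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1].lower()

def check_autostart(entry: Entry) -> None:
    m = O4_BODY.match(entry.body)
    if not m:  # Startup-folder .lnk lines carry no [value name]; skip them
        return
    cmd = m.group("cmd")
    dll = RUNDLL.search(cmd)
    if dll:  # rundll32 <dll>,<export>: the payload is the DLL, not rundll32
        binary = dll.group("dll")
        entry.reasons.append(f"rundll32 loads {basename(binary)} via {dll.group('export')}")
    else:
        tok = PATH_TOKEN.search(cmd)
        binary = tok.group(0) if tok else ""
    if not binary:
        return
    name = basename(binary)
    if name in THREAD_BAD_BINARIES:
        entry.reasons.append(f"{name} is named as hostile in this thread")
    if "\\" not in binary:
        entry.reasons.append(f"{name} given without a directory (resolved via PATH)")
    if GENERATED_NAME.match(name.rsplit(".", 1)[0]):
        entry.reasons.append(f"{name} looks like a generated file name")

def check_entry(entry: Entry) -> Entry:
    s, b = entry.section, entry.body
    if s == "O1":
        m = HOSTS_BODY.match(b)
        if m and m.group("ip") not in BLACKHOLE_IPS:
            entry.reasons.append(f"hosts file redirects {m.group('host')} to {m.group('ip')}")
    elif s in ("R3", "O2") and "(no name)" in b and "(no file)" in b:
        entry.reasons.append("orphaned hook/BHO: no name and no file on disk")
    elif s == "O4":
        check_autostart(entry)
    elif s == "O16":
        u = URL.search(b)
        host = urlparse(u.group(0)).hostname if u else None
        if host and host not in TRUSTED_DPF_HOSTS:
            entry.reasons.append(f"ActiveX download from unlisted host {host}")
    return entry

def triage(log_text: str) -> list:
    """Parse every entry line of a log and attach triage reasons; other lines are skipped."""
    matches = (HJT_LINE.match(line.strip()) for line in log_text.splitlines())
    return [check_entry(Entry(m.group("section"), m.group("body"))) for m in matches if m]

# Sample: lines copied from the logs posted in this thread, plus one constructed
# O1 line for the loopback block ashak later adds for updates.lzio.com.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 127.0.0.1 updates.lzio.com
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [qF3T3pW] ftslegih.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\usbdivv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37846.7974305556
"""
```

Running `triage(SAMPLE_LOG)` flags eight of the twelve entries and leaves the Spybot BHO, the DirectCD autostart, the Windows Update control and the loopback hosts block unflagged.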
ashak
10 Posts
0
June 15th, 2004 17:00
My Personal Firewall Plus just stopped an "edow.exe" from accessing the internet. What is this new thing?????? :(:(
Thanks
ashak
10 Posts
0
June 15th, 2004 17:00
Thank you for your response. I followed all the steps suggested by you. My system looks a lot better now.
On last running of Spybot, Ad-aware and McAfee,
1) Spybot repeatedly finds and fixes DSO Exploit.
2) Ad-Aware finds nothing
3) McAfee repeatedly finds and deletes Ezula adware (c:\windows\system32\ez052404.exe)
A strange behaviour that I am noticing is that applications/windows (For example, notepad, IE) lose and gain focus often.
Add/Remove programs still shows TV Media although it doesn't show up in spybot/adaware/mcafee
*******************************************************************************************************
Here's my latest HijackThis log file:-
Logfile of HijackThis v1.97.7
Scan saved at 2:41:11 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\usbdivv.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.ne1.attbb.net;
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\usbdivv.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.te-ao.co.nz/wfplayer/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37846.7974305556
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 4.0.1) - http://download.eonreality.com/eonx/4_1_0/eonx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
Thanks in advance.
Texruss
3.4K Posts
0
June 16th, 2004 03:00
>1) Spybot repeatedly finds and fixes DSO Exploit.
Explained in previous post...flaw in 1.3 version.
>3) McAfee repeatedly finds and deletes Ezula adware (c:\windows\system32\ez052404.exe)
Look for that file in Safe Mode and delete...it isn't autoloading now.
Sorry I missed an ActiveX in first post fix:
Fix check these in Hijackthis:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
The TV Media entry in Add Remove is a harmless orphan...and would need a registry cleaning to edit out that value. I don't trust their uninstall which is why we kill it with brute force.
Looks very good now...you did a nice cleanup job. Any special issues?
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
ashak
10 Posts
0
June 16th, 2004 13:00
Thank you for your help and patience.
I deleted the Ezula exe file in Safe mode from the Systems folder but on running McAfee, it's back again in c:\windows\system32\ez052404.exe !!!
While deleting the Ezula exe file from the Systems folder , I saw some other suspicious exe files which were created recently and which were all blocked from accessing the internet by the McAfee Firewall.
Please tell me whether I should delete the following files too or I should just ignore them.
mamma-ai-ss.exe
mamma-bi-ss.exe
mamma-dmk-ss.exe
mamma-dummy.exe
mamma-ez-ss.exe
mamma-ibis-ss.exe
mamma-ikw-ss.exe
mamma-ss.exe
mamma-tvm-ss.exe
newnetbs.exe
TVM_B5.EXE
edow.exe
I am having a problem with applications losing and gaining focus. For example, I would be having only Notepad open and I would be typing something in it. The titlebar flashes and loses focus and I would have to click to get back focus. In IE, it happens often (losing and gaining focus). The cursor turns to hourglass and comes back to normal and again goes to hourglass...weird behaviour. I didn't have this problem before. What could be causing it?
On last run of Spybot/Ad-aware - nothing found.
********************************************************
Here's my latest HijackThis log....
Logfile of HijackThis v1.97.7
Scan saved at 10:17:37 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\usbdivv.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.ne1.attbb.net;
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\usbdivv.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.te-ao.co.nz/wfplayer/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37846.7974305556
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 4.0.1) - http://download.eonreality.com/eonx/4_1_0/eonx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
Thanks.
Texruss
3.4K Posts
0
June 17th, 2004 01:00
Yes...trojans all...delete them in Safe Mode and immediately empty the Recycle Bin. Also see if you have an Ezula folder in C:\Program Files\Ezula. If so delete it.
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
ashak
10 Posts
0
June 17th, 2004 02:00
I don't have an Ezula folder under C:\Program Files. However, in the system32 folder, there are 2 files which on mouseover say "Description: Ezula" and "Description: exe in dll mode" respectively:
KVIF_11.exe
KVIF_11.DLL
Should I delete these too?
Thanks.
Texruss
3.4K Posts
0
June 17th, 2004 02:00
Not legitimate Windows files...purge them and empty Recycle Bin immediately.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
ashak
10 Posts
0
June 21st, 2004 14:00
Pls help with this persistent Ezula problem. I am not able to get rid of it at all. Ad-aware/Spybot/McAfee all find and delete it but I don't think a clean removal is done because it keeps coming back again. I have shift-deleted the following ezula files many times from the System32 folder in Safe mode:-
edow.exe
ezStub061704
ezsys
ibissys
mamma-ez-ss
mamma-ibis-ss
After removal and after reboot, Ad-aware/Spybot/McAfee, find nothing. But whenever I open IE, the title bar keeps flashing and when I look into the History sidebar, I find the following sites listed:-
newupdates.lzio.com (shows ezsys.exe in URL)
updates.lzio.com (shows ibissys.exe in URL)
And the same Ezula files are back in the System32 folder. My guess is that I have Ezula TopText running in my IE and it keeps downloading the Ezula exe files. I do not have TopText listed in my Add/Remove programs, so I cannot uninstall it. Also, I do not have the Ezula folder in Program Files, so I cannot delete it. How do I at least block these 2 sites from auto-downloading these files? It's so frustrating.
------------------------------------------------------
Another problem that I am facing now is that I am not able to login to my yahoo mail account. While trying to remove ezula/toptext, I had done various things like
1)changing browser security settings
2)Installing spyblaster, spyguard
3) adding newupdates.lzio.com, updates.lzio.com to the list of blocked entries in the hosts file and the Restricted Sites list in IE
I have undone everything I could remember but am not sure and don't know if I've messed up any settings/entries
After I click on Sign-in, it's very slow (I have broadband) and finally a "Page cannot be displayed" error comes. The first time I logged in, I got a "Your browser settings do not allow to be automatically redirected to the new URL. Click here to continue". When I clicked on continue, I got the "Page cannot be displayed" error page. Now, it directly goes to this error page on clicking Sign-in.
But I am able to login to other Yahoo mail accounts on this system. Also I am able to login to this account from a different system. So I am not able to understand what the problem is.
Pls help.
---------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:59:01 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\usbdivv.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.ne1.attbb.net;
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\usbdivv.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.te-ao.co.nz/wfplayer/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37846.7974305556
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 4.0.1) - http://download.eonreality.com/eonx/4_1_0/eonx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
Thanks.
Texruss
3.4K Posts
0
June 21st, 2004 19:00
Ezula requires more finesse to remove, and you've also now picked up another nasty little hitchhiker...Huntbar (aka Wintools). In my opinion it is about three times as hard to get all evidence of Huntbar off a PC as Ezula. But we'll do our best. I have special procedures for this situation. Please follow the steps closely and print out this page before beginning your repair.
First...try looking in Control Panel/Add Remove Programs and see if a TopText entry (Ezula) exists. I'm not a big fan of uninstall routines by the folks who wrote the offending software, but in this case it could be helpful. If you see TopText run the Remove routine.
Next...regardless of whether you found anything there or not...
Reboot to Safe Mode.
Hit the Control-Shift-Escape keys at the same time, and in Task Manager, if you see these files running, stop the processes for Huntbar and any you see that might appear for Ezula. Huntbar will have these running files:

WToolsA.exe
WSup.exe
Also stop this hostile process if present: usbdivv.exe
Comments: (very tricky little name...and has a Registry name value that also sounds equally convincing: [hpsysconf1]) But it's a baddie.
Exit Task Manager.
Run Hijackthis while still in Safe Mode, scan and check the box left of these numbered line items:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\usbdivv.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders: (some may not be present): (Make sure Hidden Files option is enabled in Windows).
C:\WINDOWS\System32\usbdivv.exe file
C:\Program Files\Common files\WinTools folder
If you know of other hostile files like you mentioned as being in System32 folder...seek out and destroy.
Exit Explorer and immediately empty the Recycle Bin.
Still in Safe Mode....Run Adaware, get today's updated definitions, and then run with the custom scanning options: (won't work well unless you do this): Print out this setup guide and follow it to the letter:
http://www.cjwd.demon.co.uk/spybot-adaware.html
After running Adaware and fixing everything it finds, exit Adaware.
Next run Spybot...no new definitions out, but it's worth 10 minutes to see if it pegs something.
Still in Safe Mode...run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleanup completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)
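An added example, not part of the thread or of HijackThis itself: a small Python parser for the HijackThis v1.97 log format quoted in this thread that pulls out the entries Texruss tells the poster to fix (the missing URLSearchHook and the two O4 Run entries). The hostile value names and image names are the ones named in the thread; the sample log is constructed from the log posted above.

```python
import ntpath
import re

# A HijackThis finding line: section code (R0-R3, O1-O23), " - ", details.
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<detail>.*)$")
# Details of an O4 registry autostart: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading executable of a command line, quoted or an unquoted path with spaces.
EXE_RE = re.compile(r'^"?(?P<img>[^"]*?\.(?:exe|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)
# Hostile Run value names and image names called out by the responder above.
HOSTILE_NAMES = {"hpsysconf1", "wintools"}
HOSTILE_IMAGES = {"usbdivv.exe", "wtoolsa.exe", "wsup.exe"}

def image_path(cmd):
    """Executable path at the start of a Run command line (switches dropped)."""
    m = EXE_RE.match(cmd.strip())
    return m["img"] if m else cmd.strip().split(" ", 1)[0]

def parse_log(text):
    """Finding lines of a HijackThis log as dicts (code, detail and, for O4
    registry entries, Run value name and image); header and process list skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = {"code": m["code"], "detail": m["detail"], "name": "", "image": ""}
        o4 = O4_RE.match(e["detail"]) if e["code"] == "O4" else None
        if o4:
            e["name"], e["image"] = o4["name"], image_path(o4["cmd"])
        entries.append(e)
    return entries

def entries_to_fix(entries):
    """Entries matching what the responder told the poster to fix."""
    return [e for e in entries
            if (e["code"] == "R3" and "missing" in e["detail"])  # no URLSearchHook
            or (e["code"] == "O4" and (e["name"].lower() in HOSTILE_NAMES
                or ntpath.basename(e["image"]).lower() in HOSTILE_IMAGES))]

# Constructed sample: a few lines taken from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\usbdivv.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\usbdivv.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""
```

Unquoted Run values whose path contains spaces (the WinTools line) are a real quirk of these logs, so the image is taken up to the executable extension rather than the first space.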
ashak
10 Posts
0
June 22nd, 2004 20:00
1) In the Add/Remove programs, I did not find TopText but I found a new entry..Win-Tools Easy Installer 2.1. I am not sure whether I should remove it since you had not mentioned it, so I thought I'll check with you first before trying to uninstall it.
2) On rebooting to Safe Mode and checking in Task Manager, I see only the following processes running..
taskmgr.exe
explorer.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process
But in the Normal mode, all the Huntbar files that you mentioned are running. The task manager shows the following processes....
explorer.exe
wuauclt.exe
taskmgr.exe
OSA.EXE
FINDFAST.EXE
HOTSYNC.EXE
wcescomm.exe
WToolsA.exe
usbdivv.exe
wo.exe
MpfTray.exe
McVSEscn.exe
mcagent.exe
mcvsshld.exe
Directcd.exe
hkcmd.exe
wanmpsvc.exe
svchost.exe
spoolsv.exe
MpfService.exe
svchost.exe
svchost.exe
acsd.exe
mcvsrte.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
WSup.exe
McShield.exe
MpfAgent.exe
System
System Idle Process
Program files has the following Wintools folders:-
C:\Program Files\Web Offer
(Folder shows many files including 2 exe files...apev.exe and wo.exe and 2 dll files..sepng.dll and eapbh.dll)
C:\Program Files\Common Files\WinTools
I ran a search for all files created within the last 2 weeks and came up with the following suspected files....
C:\windows\woinstall.exe
C:\WINDOWS\System32\wpa.dll
C:\WINDOWS\Prefetch\EDOW.EXE-1797B8AC.pf
C:\WINDOWS\Prefetch\EZSTUB061704.EXE-0D19824
C:\WINDOWS\Prefetch\EZSYS.EXE-09873D23.pf
C:\WINDOWS\Prefetch\IBISSYS.EXE-20DCC2FDD.pf
C:\WINDOWS\Prefetch\MAMMA-EZ-SS.EXE-108D9DA.pf
C:\WINDOWS\Prefetch\MAMMA-IBIS-SS.EXE-07E916.pf
C:\WINDOWS\Prefetch\USBDIVV.EXE-00B69F89.pf
C:\WINDOWS\Prefetch\WSUP.EXE-25F50497.pf
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D4498B2.pf
C:\WINDOWS\Prefetch\WTOOLSA.EXE-193FCC46.pf
C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
The suspect exe files in the system32 folder are (as usual):-
mamma-ez-ss.exe
edow.exe
mamma-ibis-ss.exe
ezStub061704.exe
usbdivv.exe
ezsys.exe
ibissys.exe
Before I proceed with your instructions, pls tell me
1)whether I should uninstall Wintools in Add/Remove programs
2)whether I should stop the hostile processes running in normal mode and proceed further in Safe mode.
I recently found that my spouse had put the security level in IE to low and forgot to turn it back to medium.....that explains all these problems.
Thanks a lot for your patience.
Texruss
3.4K Posts
0
June 23rd, 2004 01:00
>1)whether I should uninstall Wintools in Add/Remove programs
They are the dregs of humanity in my opinion...I detest the Huntbar infectors and creators. I doubt it will work. You can try it, but it is dubious. I cleaned one yesterday at work manually by deleting all folders, then in the Registry looking for all wintools and btein entries and deleted scores of values and keys. It is a pig.
>2)whether I should stop the hostile processes running in normal mode and proceed further in Safe mode.
Ten-four. Proceed and terminate and destroy all without prejudice.
Texruss