AAngelo
Cadet
Joined: Jul 08, 2004 Posts: 6 Location: Italy
Posted: Sat Jul 10, 2004 9:14 am Post subject: IE HOME PAGE CHANGED
Hi all!
My configuration:
OS: Microsoft Windows XP Professional Version 2002, Service Pack 1
Firewall: now switched to Sygate Personal Firewall (I used ZoneAlarm previously)
Periodically scan with: Ad-Aware, SpyBot; updated every day.
Antivirus: Norton Antivirus (periodically updated).
For a few days, the home page of Internet Explorer (ver. 6.0) has been changed to:
res://ABCDE.dll/index.html#96676
where ABCDE is a 5-character variable (random, I suppose):
the first time it was:
res://ftndn.dll/index.html#96676
now, after some AdAware cleaning, it is still:
res://esrnr.dll/index.html#96676
At every PC startup, I scan with SpyBot then AdAware, but their cleaning is useless: they seem to clean everything, but the next scan I make shows similar malware again.
________
Each time I attempt to start IE, Sygate Firewall blocks it.
IE attempts to connect to www.v61.com.
This is the header of the resulting Sygate log:
File Version : 6.00.2800.1106 (xpsp1.020828-1920)
File Description : Internet Explorer (iexplore.exe)
File Path : C:\Programmi\Internet Explorer\iexplore.exe
Process ID : 0xA94 (Heximal) 2708 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 1.255.161.189
Local Port : 1106
Remote Name : www.v61.com
Remote Address : 209.66.122.49
Remote Port : 80 (HTTP - World Wide Web)
________
Attached are the scan logs of HiJackThis and AdAware.
Please suggest what I should clean: I am not able to identify all items.
THANKS!
Attachment: AD_AWARE_LOGFILE_20040710H1030.TXT (23.97 KB)
Attachment: HIJACKTHIS_startuplist_20040710H1050.txt (14.04 KB)
_________________
Antonio
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Sat Jul 10, 2004 5:37 pm
Please just post a hijackthis log. That should provide enough information to do the fix.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection
AAngelo
Cadet
Joined: Jul 08, 2004 Posts: 6 Location: Italy
Posted: Wed Jul 21, 2004 7:33 am Post subject: D3XQ.EXE
Hi!
My configuration:
OS: Microsoft Windows XP Professional Version 2002, Service Pack 1
As suggested by the site http://ralphcaddell.com/pchelp/spyware.htm, I installed the following:
- IE-SpyAd
- SpyWare Blaster
- Trojan Hunter
- Norton Antivirus
- Sygate Personal Firewall
In addition:
- The Administrator user has a non-trivial password
- The user profiles currently in use are not Administrators
Almost daily I scan deeply (and clean) with AdAware (always after an update), then with SpyBot.
At every startup I get the following warning from Sygate Firewall:
07/21/2004 08:40:25 Executable File Change
Denied Major
Outgoing TCP 38.117.144.162 00-09-44-3B-60-38 1.255.161.189 00-0C-6E-A2-7F-6E
C:\WINDOWS\d3xq.exe Pap TAKOMPUTER Normal 1 07/21/2004 08:40:25 07/21/2004 08:40:25
This is my last HijackThis log scan:
Code:
Logfile of HijackThis v1.97.7
Scan saved at 9.11.32, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\d3xq.exe
C:\Programmi\TrojanHunter 3.9\THGuard.exe
C:\Video\Common\Bin\WinCinemaMgr.exe
C:\Programmi\Acrobat Writer 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\lotus\organize\easyclip.exe
C:\PROGRA~1\OPLIMIT\ocrawr32.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://esrnr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://esrnr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://esrnr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\programmi\Acrobat Writer 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8EF1A389-7342-F785-A50A-A3C78BA42012} - C:\WINDOWS\system32\apibq32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Philips\Digital Media Manager\java\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [d3xq.exe] C:\WINDOWS\d3xq.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Programmi\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [sdkfr32.exe] C:\WINDOWS\sdkfr32.exe
O4 - HKLM\..\RunOnce: [mfcyp.exe] C:\WINDOWS\mfcyp.exe
O4 - HKLM\..\RunOnce: [netrt.exe] C:\WINDOWS\netrt.exe
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\ntww.exe
O4 - HKLM\..\RunOnce: [ntdf32.exe] C:\WINDOWS\system32\ntdf32.exe
O4 - HKLM\..\RunOnce: [ntbw32.exe] C:\WINDOWS\ntbw32.exe
O4 - HKLM\..\RunOnce: [crbn32.exe] C:\WINDOWS\system32\crbn32.exe
O4 - HKLM\..\RunOnce: [sdkpn32.exe] C:\WINDOWS\sdkpn32.exe
O4 - HKLM\..\RunOnce: [d3dl.exe] C:\WINDOWS\d3dl.exe
O4 - HKLM\..\RunOnce: [mfcod.exe] C:\WINDOWS\mfcod.exe
O4 - HKLM\..\RunOnce: [apiel.exe] C:\WINDOWS\system32\apiel.exe
O4 - HKLM\..\RunOnce: [ntxo32.exe] C:\WINDOWS\ntxo32.exe
O4 - HKLM\..\RunOnce: [atlag.exe] C:\WINDOWS\atlag.exe
O4 - HKLM\..\RunOnce: [mszo32.exe] C:\WINDOWS\system32\mszo32.exe
O4 - HKLM\..\RunOnce: [d3qk.exe] C:\WINDOWS\d3qk.exe
O4 - HKLM\..\RunOnce: [javahd32.exe] C:\WINDOWS\system32\javahd32.exe
O4 - HKLM\..\RunOnce: [appds32.exe] C:\WINDOWS\appds32.exe
O4 - HKLM\..\RunOnce: [apipp.exe] C:\WINDOWS\system32\apipp.exe
O4 - HKLM\..\RunOnce: [mfcnn.exe] C:\WINDOWS\mfcnn.exe
O4 - HKLM\..\RunOnce: [mfckl.exe] C:\WINDOWS\system32\mfckl.exe
O4 - HKLM\..\RunOnce: [netlc.exe] C:\WINDOWS\system32\netlc.exe
O4 - HKLM\..\RunOnce: [atlyi32.exe] C:\WINDOWS\system32\atlyi32.exe
O4 - HKLM\..\RunOnce: [addtm32.exe] C:\WINDOWS\system32\addtm32.exe
O4 - HKLM\..\RunOnce: [crad.exe] C:\WINDOWS\crad.exe
O4 - HKLM\..\RunOnce: [javapt.exe] C:\WINDOWS\system32\javapt.exe
O4 - HKLM\..\RunOnce: [javauu32.exe] C:\WINDOWS\javauu32.exe
O4 - HKLM\..\RunOnce: [d3yp.exe] C:\WINDOWS\system32\d3yp.exe
O4 - HKLM\..\RunOnce: [crwo32.exe] C:\WINDOWS\crwo32.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\system32\ieim32.exe
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe
O4 - HKLM\..\RunOnce: [mfcrr.exe] C:\WINDOWS\system32\mfcrr.exe
O4 - HKLM\..\RunOnce: [atlfg.exe] C:\WINDOWS\system32\atlfg.exe
O4 - HKLM\..\RunOnce: [winvr32.exe] C:\WINDOWS\winvr32.exe
O4 - HKLM\..\RunOnce: [iebp.exe] C:\WINDOWS\system32\iebp.exe
O4 - HKLM\..\RunOnce: [ipyn.exe] C:\WINDOWS\ipyn.exe
O4 - HKLM\..\RunOnce: [mspm.exe] C:\WINDOWS\mspm.exe
O4 - HKLM\..\RunOnce: [javaee.exe] C:\WINDOWS\system32\javaee.exe
O4 - HKLM\..\RunOnce: [addfm32.exe] C:\WINDOWS\addfm32.exe
O4 - HKLM\..\RunOnce: [addrs.exe] C:\WINDOWS\addrs.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\system32\crfy.exe
O4 - HKLM\..\RunOnce: [crrd.exe] C:\WINDOWS\crrd.exe
O4 - HKLM\..\RunOnce: [apptr32.exe] C:\WINDOWS\system32\apptr32.exe
O4 - HKLM\..\RunOnce: [d3wk.exe] C:\WINDOWS\d3wk.exe
O4 - HKLM\..\RunOnce: [apilk32.exe] C:\WINDOWS\apilk32.exe
O4 - HKLM\..\RunOnce: [iedm.exe] C:\WINDOWS\system32\iedm.exe
O4 - HKLM\..\RunOnce: [javagm.exe] C:\WINDOWS\system32\javagm.exe
O4 - HKLM\..\RunOnce: [ntjw32.exe] C:\WINDOWS\ntjw32.exe
O4 - HKLM\..\RunOnce: [netdo32.exe] C:\WINDOWS\netdo32.exe
O4 - HKLM\..\RunOnce: [sysuc32.exe] C:\WINDOWS\system32\sysuc32.exe
O4 - HKLM\..\RunOnce: [sdknd32.exe] C:\WINDOWS\system32\sdknd32.exe
O4 - HKLM\..\RunOnce: [addko.exe] C:\WINDOWS\addko.exe
O4 - HKLM\..\RunOnce: [mfcdh32.exe] C:\WINDOWS\system32\mfcdh32.exe
O4 - HKLM\..\RunOnce: [sdkij32.exe] C:\WINDOWS\system32\sdkij32.exe
O4 - HKLM\..\RunOnce: [msen.exe] C:\WINDOWS\system32\msen.exe
O4 - HKLM\..\RunOnce: [msug.exe] C:\WINDOWS\msug.exe
O4 - HKLM\..\RunOnce: [crkf32.exe] C:\WINDOWS\crkf32.exe
O4 - HKLM\..\RunOnce: [winqj.exe] C:\WINDOWS\system32\winqj.exe
O4 - HKLM\..\RunOnce: [sysgh32.exe] C:\WINDOWS\sysgh32.exe
O4 - HKLM\..\RunOnce: [d3ud32.exe] C:\WINDOWS\d3ud32.exe
O4 - HKLM\..\RunOnce: [netnm.exe] C:\WINDOWS\system32\netnm.exe
O4 - HKLM\..\RunOnce: [apihs32.exe] C:\WINDOWS\system32\apihs32.exe
O4 - HKLM\..\RunOnce: [addfp.exe] C:\WINDOWS\addfp.exe
O4 - HKLM\..\RunOnce: [sdkqf32.exe] C:\WINDOWS\sdkqf32.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [netae.exe] C:\WINDOWS\netae.exe
O4 - HKLM\..\RunOnce: [iewb.exe] C:\WINDOWS\system32\iewb.exe
O4 - HKLM\..\RunOnce: [addkz32.exe] C:\WINDOWS\system32\addkz32.exe
O4 - HKLM\..\RunOnce: [ipdv.exe] C:\WINDOWS\ipdv.exe
O4 - HKLM\..\RunOnce: [ntqs32.exe] C:\WINDOWS\system32\ntqs32.exe
O4 - HKLM\..\RunOnce: [winoo.exe] C:\WINDOWS\system32\winoo.exe
O4 - HKLM\..\RunOnce: [ipwi.exe] C:\WINDOWS\system32\ipwi.exe
O4 - HKLM\..\RunOnce: [atlzb.exe] C:\WINDOWS\atlzb.exe
O4 - HKLM\..\RunOnce: [sysss.exe] C:\WINDOWS\sysss.exe
O4 - HKLM\..\RunOnce: [appfh32.exe] C:\WINDOWS\appfh32.exe
O4 - HKLM\..\RunOnce: [sysyh.exe] C:\WINDOWS\sysyh.exe
O4 - HKLM\..\RunOnce: [msge.exe] C:\WINDOWS\system32\msge.exe
O4 - Startup: OCRAWARE.lnk = C:\Programmi\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\Programmi\lotus\organize\easyclip.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Video\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Acrobat Writer 5.0\Distillr\AcroTray.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1071001562234
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37963.518912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
How can I solve that? THANKS!!!
Last edited by AAngelo on Wed Jul 21, 2004 3:55 pm, edited 1 time in total
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Wed Jul 21, 2004 9:36 am
You did not attach the hijackthis log. I need to see it in order to be able to help. In addition please download the attached file. Unzip it and run it. You may have to disable script blocking in Norton Antivirus temporarily in order for the script to run. The program will generate a list of active services. Please copy and paste the contents or upload the txt file.
Attachment: get_active_services_179.zip (678 Bytes)
_________________ Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection
AAngelo
Cadet
Joined: Jul 08, 2004 Posts: 6 Location: Italy
Posted: Wed Jul 21, 2004 4:03 pm
Hello!
This is the log of your script:
Code:
These are the Current Active Services:
AVVISI: Alerter
C:\WINDOWS\System32\svchost.exe -k LocalService
HELPER NETBIOS DI TCP/IP: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
REGISTRO DI SISTEMA REMOTO: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService
SERVIZIO DI RILEVAMENTO SSDP: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
ALIAS DOCUMENTATION SERVER: aliasdocserver
"C:\Grafica\Maya 6.0\docs\Wrapper.exe" -s "C:\Grafica\Maya 6.0\docs/Wrapper.conf"
ATI HOTKEY POLLER: Ati HotKey Poller
C:\WINDOWS\System32\Ati2evxx.exe
AUDIO WINDOWS: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVIZIO TRASFERIMENTO INTELLIGENTE IN BACKGROUND: BITS
C:\WINDOWS\System32\svchost.exe -k netsvcs
BROWSER DI COMPUTER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVIZI DI CRITTOGRAFIA: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
CLIENT DHCP: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
GESTIONE DISCHI LOGICI: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVIZIO DI SEGNALAZIONE ERRORI: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
SISTEMA DI EVENTI COM+: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
COMPATIBILITÀ DI CAMBIO RAPIDO UTENTE: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
GUIDA IN LINEA E SUPPORTO TECNICO: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
MESSENGER: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs
CONNESSIONI DI RETE: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
NLA (NETWORK LOCATION AWARENESS): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
UTILITÀ DI PIANIFICAZIONE: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
ACCESSO SECONDARIO: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
NOTIFICA EVENTI DI SISTEMA: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
RILEVAMENTO HARDWARE SHELL: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVIZI TERMINAL: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
TEMI: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
MANUTENZIONE COLLEGAMENTI DISTRIBUITI CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
ORA DI WINDOWS: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
STRUMENTAZIONE GESTIONE WINDOWS: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
AGGIORNAMENTI AUTOMATICI: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
ZERO CONFIGURATION RETI SENZA FILI: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
SYMANTEC EVENT MANAGER: ccEvtMgr
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
CLIENT DNS: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
REGISTRO EVENTI: Eventlog
C:\WINDOWS\system32\services.exe
PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe
AMMINISTRAZIONE DI IIS: IISADMIN
C:\WINDOWS\System32\inetsrv\inetinfo.exe
PUBBLICAZIONE FTP: MSFtpsvc
C:\WINDOWS\System32\inetsrv\inetinfo.exe
PROTOCOLLO SMTP (SIMPLE MAIL TRANSFER PROTOCOL): SMTPSVC
C:\WINDOWS\System32\inetsrv\inetinfo.exe
PUBBLICAZIONE SUL WEB: W3SVC
C:\WINDOWS\System32\inetsrv\inetinfo.exe
SERVIZIO NORTON ANTIVIRUS AUTO-PROTECT: navapsvc
"C:\Programmi\Norton AntiVirus\navapsvc.exe"
PIXAR LICENSE SERVER: Pixar License Server
C:\Programmi\Pixar\license-1.0\lmgrd.exe
SERVIZI IPSEC: PolicyAgent
C:\WINDOWS\System32\lsass.exe
ARCHIVIAZIONE PROTETTA: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
GESTIONE ACCOUNT DI PROTEZIONE (SAM): SamSs
C:\WINDOWS\system32\lsass.exe
RPC (REMOTE PROCEDURE CALL): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
SYGATE PERSONAL FIREWALL: SmcService
C:\Programmi\Sygate\SPF\smc.exe
SOUNDMAX AGENT SERVICE: SoundMAX Agent Service (default)
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
SPOOLER DI STAMPA: Spooler
C:\WINDOWS\system32\spoolsv.exe
ACQUISIZIONE DI IMMAGINI DI WINDOWS (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
REMOTE PROCEDURE CALL (RPC) HELPER: O.#´
C:\WINDOWS\netrt.exe /s
I had a problem attaching the HijackThis log file, so I pasted it into my previous message.
Thanks!
_________________
Antonio
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Wed Jul 21, 2004 10:53 pm
Download this tool called AboutBuster: http://www.downloads.subratam.org/AboutBuster.zip Unzip it to your desktop. Do not run it yet.
**Important** Make sure you can view hidden and system files: Instructions here.
Please do not open Internet Explorer during any portion of this process.
Boot to safe mode: Instructions here.
Step 1:
Click on Start, then the Control Panel, then administrative programs, then Services. Look for a service called REMOTE PROCEDURE CALL (RPC) HELPER. Double click on that service, click Stop and then set the startup type to Disabled. Also write down the name and path of the file listed in the Path to executable field. This file must be deleted below.
Step 2:
Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:
netrt.exe
d3xq.exe
Step 3:
Run HijackThis and fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://esrnr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://esrnr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://esrnr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {8EF1A389-7342-F785-A50A-A3C78BA42012} - C:\WINDOWS\system32\apibq32.dll
O4 - HKLM\..\Run: [d3xq.exe] C:\WINDOWS\d3xq.exe
O4 - HKLM\..\RunOnce: [sdkfr32.exe] C:\WINDOWS\sdkfr32.exe
O4 - HKLM\..\RunOnce: [mfcyp.exe] C:\WINDOWS\mfcyp.exe
O4 - HKLM\..\RunOnce: [netrt.exe] C:\WINDOWS\netrt.exe
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\ntww.exe
O4 - HKLM\..\RunOnce: [ntdf32.exe] C:\WINDOWS\system32\ntdf32.exe
O4 - HKLM\..\RunOnce: [ntbw32.exe] C:\WINDOWS\ntbw32.exe
O4 - HKLM\..\RunOnce: [crbn32.exe] C:\WINDOWS\system32\crbn32.exe
O4 - HKLM\..\RunOnce: [sdkpn32.exe] C:\WINDOWS\sdkpn32.exe
O4 - HKLM\..\RunOnce: [d3dl.exe] C:\WINDOWS\d3dl.exe
O4 - HKLM\..\RunOnce: [mfcod.exe] C:\WINDOWS\mfcod.exe
O4 - HKLM\..\RunOnce: [apiel.exe] C:\WINDOWS\system32\apiel.exe
O4 - HKLM\..\RunOnce: [ntxo32.exe] C:\WINDOWS\ntxo32.exe
O4 - HKLM\..\RunOnce: [atlag.exe] C:\WINDOWS\atlag.exe
O4 - HKLM\..\RunOnce: [mszo32.exe] C:\WINDOWS\system32\mszo32.exe
O4 - HKLM\..\RunOnce: [d3qk.exe] C:\WINDOWS\d3qk.exe
O4 - HKLM\..\RunOnce: [javahd32.exe] C:\WINDOWS\system32\javahd32.exe
O4 - HKLM\..\RunOnce: [appds32.exe] C:\WINDOWS\appds32.exe
O4 - HKLM\..\RunOnce: [apipp.exe] C:\WINDOWS\system32\apipp.exe
O4 - HKLM\..\RunOnce: [mfcnn.exe] C:\WINDOWS\mfcnn.exe
O4 - HKLM\..\RunOnce: [mfckl.exe] C:\WINDOWS\system32\mfckl.exe
O4 - HKLM\..\RunOnce: [netlc.exe] C:\WINDOWS\system32\netlc.exe
O4 - HKLM\..\RunOnce: [atlyi32.exe] C:\WINDOWS\system32\atlyi32.exe
O4 - HKLM\..\RunOnce: [addtm32.exe] C:\WINDOWS\system32\addtm32.exe
O4 - HKLM\..\RunOnce: [crad.exe] C:\WINDOWS\crad.exe
O4 - HKLM\..\RunOnce: [javapt.exe] C:\WINDOWS\system32\javapt.exe
O4 - HKLM\..\RunOnce: [javauu32.exe] C:\WINDOWS\javauu32.exe
O4 - HKLM\..\RunOnce: [d3yp.exe] C:\WINDOWS\system32\d3yp.exe
O4 - HKLM\..\RunOnce: [crwo32.exe] C:\WINDOWS\crwo32.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\system32\ieim32.exe
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\sysyu.exe
O4 - HKLM\..\RunOnce: [mfcrr.exe] C:\WINDOWS\system32\mfcrr.exe
O4 - HKLM\..\RunOnce: [atlfg.exe] C:\WINDOWS\system32\atlfg.exe
O4 - HKLM\..\RunOnce: [winvr32.exe] C:\WINDOWS\winvr32.exe
O4 - HKLM\..\RunOnce: [iebp.exe] C:\WINDOWS\system32\iebp.exe
O4 - HKLM\..\RunOnce: [ipyn.exe] C:\WINDOWS\ipyn.exe
O4 - HKLM\..\RunOnce: [mspm.exe] C:\WINDOWS\mspm.exe
O4 - HKLM\..\RunOnce: [javaee.exe] C:\WINDOWS\system32\javaee.exe
O4 - HKLM\..\RunOnce: [addfm32.exe] C:\WINDOWS\addfm32.exe
O4 - HKLM\..\RunOnce: [addrs.exe] C:\WINDOWS\addrs.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\system32\crfy.exe
O4 - HKLM\..\RunOnce: [crrd.exe] C:\WINDOWS\crrd.exe
O4 - HKLM\..\RunOnce: [apptr32.exe] C:\WINDOWS\system32\apptr32.exe
O4 - HKLM\..\RunOnce: [d3wk.exe] C:\WINDOWS\d3wk.exe
O4 - HKLM\..\RunOnce: [apilk32.exe] C:\WINDOWS\apilk32.exe
O4 - HKLM\..\RunOnce: [iedm.exe] C:\WINDOWS\system32\iedm.exe
O4 - HKLM\..\RunOnce: [javagm.exe] C:\WINDOWS\system32\javagm.exe
O4 - HKLM\..\RunOnce: [ntjw32.exe] C:\WINDOWS\ntjw32.exe
O4 - HKLM\..\RunOnce: [netdo32.exe] C:\WINDOWS\netdo32.exe
O4 - HKLM\..\RunOnce: [sysuc32.exe] C:\WINDOWS\system32\sysuc32.exe
O4 - HKLM\..\RunOnce: [sdknd32.exe] C:\WINDOWS\system32\sdknd32.exe
O4 - HKLM\..\RunOnce: [addko.exe] C:\WINDOWS\addko.exe
O4 - HKLM\..\RunOnce: [mfcdh32.exe] C:\WINDOWS\system32\mfcdh32.exe
O4 - HKLM\..\RunOnce: [sdkij32.exe] C:\WINDOWS\system32\sdkij32.exe
O4 - HKLM\..\RunOnce: [msen.exe] C:\WINDOWS\system32\msen.exe
O4 - HKLM\..\RunOnce: [msug.exe] C:\WINDOWS\msug.exe
O4 - HKLM\..\RunOnce: [crkf32.exe] C:\WINDOWS\crkf32.exe
O4 - HKLM\..\RunOnce: [winqj.exe] C:\WINDOWS\system32\winqj.exe
O4 - HKLM\..\RunOnce: [sysgh32.exe] C:\WINDOWS\sysgh32.exe
O4 - HKLM\..\RunOnce: [d3ud32.exe] C:\WINDOWS\d3ud32.exe
O4 - HKLM\..\RunOnce: [netnm.exe] C:\WINDOWS\system32\netnm.exe
O4 - HKLM\..\RunOnce: [apihs32.exe] C:\WINDOWS\system32\apihs32.exe
O4 - HKLM\..\RunOnce: [addfp.exe] C:\WINDOWS\addfp.exe
O4 - HKLM\..\RunOnce: [sdkqf32.exe] C:\WINDOWS\sdkqf32.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [netae.exe] C:\WINDOWS\netae.exe
O4 - HKLM\..\RunOnce: [iewb.exe] C:\WINDOWS\system32\iewb.exe
O4 - HKLM\..\RunOnce: [addkz32.exe] C:\WINDOWS\system32\addkz32.exe
O4 - HKLM\..\RunOnce: [ipdv.exe] C:\WINDOWS\ipdv.exe
O4 - HKLM\..\RunOnce: [ntqs32.exe] C:\WINDOWS\system32\ntqs32.exe
O4 - HKLM\..\RunOnce: [winoo.exe] C:\WINDOWS\system32\winoo.exe
O4 - HKLM\..\RunOnce: [ipwi.exe] C:\WINDOWS\system32\ipwi.exe
O4 - HKLM\..\RunOnce: [atlzb.exe] C:\WINDOWS\atlzb.exe
O4 - HKLM\..\RunOnce: [sysss.exe] C:\WINDOWS\sysss.exe
O4 - HKLM\..\RunOnce: [appfh32.exe] C:\WINDOWS\appfh32.exe
O4 - HKLM\..\RunOnce: [sysyh.exe] C:\WINDOWS\sysyh.exe
O4 - HKLM\..\RunOnce: [msge.exe] C:\WINDOWS\system32\msge.exe
Step 4:
Delete the following files:
C:\WINDOWS\system32\esrnr.dll
C:\WINDOWS\system32\apibq32.dll
C:\WINDOWS\netrt.exe
C:\WINDOWS\d3xq.exe
C:\WINDOWS\sdkfr32.exe
C:\WINDOWS\mfcyp.exe
C:\WINDOWS\ntww.exe
C:\WINDOWS\system32\ntdf32.exe
C:\WINDOWS\ntbw32.exe
C:\WINDOWS\system32\crbn32.exe
C:\WINDOWS\sdkpn32.exe
C:\WINDOWS\d3dl.exe
C:\WINDOWS\mfcod.exe
C:\WINDOWS\system32\apiel.exe
C:\WINDOWS\ntxo32.exe
C:\WINDOWS\atlag.exe
C:\WINDOWS\system32\mszo32.exe
C:\WINDOWS\d3qk.exe
C:\WINDOWS\system32\javahd32.exe
C:\WINDOWS\appds32.exe
C:\WINDOWS\system32\apipp.exe
C:\WINDOWS\mfcnn.exe
C:\WINDOWS\system32\mfckl.exe
C:\WINDOWS\system32\netlc.exe
C:\WINDOWS\system32\atlyi32.exe
C:\WINDOWS\system32\addtm32.exe
C:\WINDOWS\crad.exe
C:\WINDOWS\system32\javapt.exe
C:\WINDOWS\javauu32.exe
C:\WINDOWS\system32\d3yp.exe
C:\WINDOWS\crwo32.exe
C:\WINDOWS\system32\ieim32.exe
C:\WINDOWS\sysyu.exe
C:\WINDOWS\system32\mfcrr.exe
C:\WINDOWS\system32\atlfg.exe
C:\WINDOWS\winvr32.exe
C:\WINDOWS\system32\iebp.exe
C:\WINDOWS\ipyn.exe
C:\WINDOWS\mspm.exe
C:\WINDOWS\system32\javaee.exe
C:\WINDOWS\addfm32.exe
C:\WINDOWS\addrs.exe
C:\WINDOWS\system32\crfy.exe
C:\WINDOWS\crrd.exe
C:\WINDOWS\system32\apptr32.exe
C:\WINDOWS\d3wk.exe
C:\WINDOWS\apilk32.exe
C:\WINDOWS\system32\iedm.exe
C:\WINDOWS\system32\javagm.exe
C:\WINDOWS\ntjw32.exe
C:\WINDOWS\netdo32.exe
C:\WINDOWS\system32\sysuc32.exe
C:\WINDOWS\system32\sdknd32.exe
C:\WINDOWS\addko.exe
C:\WINDOWS\system32\mfcdh32.exe
C:\WINDOWS\system32\sdkij32.exe
C:\WINDOWS\system32\msen.exe
C:\WINDOWS\msug.exe
C:\WINDOWS\crkf32.exe
C:\WINDOWS\system32\winqj.exe
C:\WINDOWS\sysgh32.exe
C:\WINDOWS\d3ud32.exe
C:\WINDOWS\system32\netnm.exe
C:\WINDOWS\system32\apihs32.exe
C:\WINDOWS\addfp.exe
C:\WINDOWS\sdkqf32.exe
C:\WINDOWS\system32\crpn32.exe
C:\WINDOWS\netae.exe
C:\WINDOWS\system32\iewb.exe
C:\WINDOWS\system32\addkz32.exe
C:\WINDOWS\ipdv.exe
C:\WINDOWS\system32\ntqs32.exe
C:\WINDOWS\system32\winoo.exe
C:\WINDOWS\system32\ipwi.exe
C:\WINDOWS\atlzb.exe
C:\WINDOWS\sysss.exe
C:\WINDOWS\appfh32.exe
C:\WINDOWS\sysyh.exe
C:\WINDOWS\system32\msge.exe
Also delete any files that have the same name as these files but end in .dll. You should see them right next to each other.
If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.
Step 5:
Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:
__NS_Service
__NS_Service_2
__NS_Service_3
If any are listed, right-click that entry in the right pane and choose Delete.
Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):
LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3
If you find it, right-click it in the right-pane and choose delete.
If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.
Step 6:
Then browse to the C:\documents and settings\Maximum Mortgage (Repeat for all user names)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.
Empty the Recycle bin.
Reboot to Normal Mode.
Step 7:
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste it into Notepad or WordPad and save it as a .txt file) and post a copy back here when you are done with all the steps.
Step 8:
Restore files deleted by this malware.
Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).
If you are having any problems opening the control panel go here, and download control.exe per the instructions at the site.
Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.
Look in your system32 folder for shell.dll
If it is not there, Go into System32\dllcache
Find shell.dll
Right click on shell.dll and choose copy from the menu.
Go back into the System32 folder and right click on an empty space in the folder. Choose Paste from the menu. This will replace the missing shell.dll for you.
Step 9:
Do an online scan using Trend Micro's Housecall. It is available here.
Step 10:
Then Disable system restore: Instructions here.
Reboot
Enable system restore.
Scan and post another hijackthis log.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection
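The triage the moderator performed by hand on the log above can be expressed as a small detection script. The following is an added example written for this page, not code from the thread, from HijackThis or from AboutBuster: it flags R0/R1 pages redirected into a res:// DLL, the unnamed BHO under system32, and Run/RunOnce executables whose names follow the prefix-plus-two-random-letters pattern seen in this log, then derives the file list to delete, pairing each .exe with its same-named .dll as step 4 describes. Two assumptions come from this thread rather than from a general signature: a bare res://name.dll is taken to live in C:\WINDOWS\system32, and the prefix list is the set observed in the posted RunOnce entries.

```python
"""Triage HijackThis log lines for the res:// hijack pattern seen in this thread.

Added example, not code from the thread, from HijackThis or from AboutBuster.
Assumptions taken from the posted log (not a general signature): a bare
res://name.dll resolves to C:\\WINDOWS\\system32, and the dropped executables
use a familiar-looking prefix plus two random letters (e.g. d3xq.exe)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.97 format: a subset of the entries posted
# above, plus benign lines (NAV Helper, ccApp, LinksFolderName) that must not fire.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\esrnr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://esrnr.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {8EF1A389-7342-F785-A50A-A3C78BA42012} - C:\WINDOWS\system32\apibq32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [d3xq.exe] C:\WINDOWS\d3xq.exe
O4 - HKLM\..\RunOnce: [sdkfr32.exe] C:\WINDOWS\sdkfr32.exe
O4 - HKLM\..\RunOnce: [ntdf32.exe] C:\WINDOWS\system32\ntdf32.exe
O4 - HKLM\..\RunOnce: [netrt.exe] C:\WINDOWS\netrt.exe
"""

SYSTEM32 = r"C:\WINDOWS\system32"
# R0/R1: an IE start, search or default page pointing into a res:// DLL.
RES_RE = re.compile(r"^R[01] - .* = res://(?P<target>[^/]+)/", re.IGNORECASE)
# O2: a Browser Helper Object with no name; its path is checked separately.
BHO_RE = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (?P<path>.+)$",
                    re.IGNORECASE)
# O4: Run/RunOnce values; the executable path may be quoted and take arguments.
RUN_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]+\] '
                    r'"?(?P<path>[A-Z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
# A file sitting directly in %WINDIR% or %WINDIR%\system32 (no deeper folder).
WINDIR_RE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\(?P<name>[^\\]+)$",
                       re.IGNORECASE)
# Prefixes observed in this log's RunOnce names: prefix + two letters + optional "32".
PREFIXES = ("sdk", "mfc", "net", "nt", "cr", "d3", "api", "atl", "ms", "java",
            "app", "add", "ie", "sys", "win", "ip")
RANDOM_NAME_RE = re.compile(r"^(?:%s)[a-z]{2}(?:32)?\.(?:exe|dll)$" % "|".join(PREFIXES),
                            re.IGNORECASE)

def resolve_res_target(target: str) -> str:
    """Full path of the DLL behind a res:// URL (assumed in system32 if bare)."""
    return target if ":" in target else SYSTEM32 + "\\" + target

def sibling_dll(exe_path: str) -> str:
    """Step 4 of the fix: every dropped .exe had a same-named .dll beside it."""
    return exe_path[:-4] + ".dll"

def classify(line: str) -> tuple[str, str] | None:
    """Return (reason, file path) when a log line matches the hijack, else None."""
    line = line.strip()
    m = RES_RE.match(line)
    if m:
        return "IE page redirected into a res:// DLL", resolve_res_target(m["target"])
    m = BHO_RE.match(line)
    if m and WINDIR_RE.match(m["path"]):
        return "unnamed BHO loaded from the Windows directory", m["path"]
    m = RUN_RE.match(line)
    if m:
        w = WINDIR_RE.match(m["path"])
        if w and RANDOM_NAME_RE.match(w["name"]):
            return "Run/RunOnce entry for a randomly named executable", m["path"]
    return None

@dataclass
class Report:
    entries_to_fix: list = field(default_factory=list)   # (log line, reason)
    files_to_delete: list = field(default_factory=list)  # unique, sorted paths

def triage(log_text: str) -> Report:
    """Classify every line; collect the HijackThis entries to fix and files to delete."""
    report = Report()
    files = set()
    for raw in log_text.splitlines():
        hit = classify(raw)
        if hit is None:
            continue
        reason, path = hit
        report.entries_to_fix.append((raw.strip(), reason))
        files.add(path)
        if path.lower().endswith(".exe"):
            files.add(sibling_dll(path))  # the .exe/.dll pair noted in step 4
    report.files_to_delete = sorted(files, key=str.lower)
    return report

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for entry, why in rep.entries_to_fix:
        print(f"FIX    {entry}\n       ({why})")
    print("DELETE " + "\nDELETE ".join(rep.files_to_delete))
```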
moparguy
Trooper
Joined: Aug 19, 2004 Posts: 11 Location: USA
Posted: Thu Aug 19, 2004 11:09 pm Post subject: crad.exe
Hi,
The above description is identical to a problem I have, and I have zeroed in on a process running as "crad.exe" as the culprit. Do you have a fix file for it, or do I need to follow the procedure listed above?
Thanks
MoparGuy
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Thu Aug 19, 2004 11:11 pm
moparguy,
Post a hijackthis log in a new topic and I will be glad to look at it. Each fix is different. After you post, send me a pm and I will look at it.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection