Log File help - can't fix O15

BigEv · 03-20-2005, 08:38 PM

I was definetely hijacked in IE. Start page went to about-blank and unwanted popups happened. I have fixed a number of items via HijackThis but I can't get rid of *.frame.crazywinnings.com in the trusted zone (O15). I tried to delete this URL in the IE6 tools menu and via HijackThis with no success. CWS items were also found and deleted by Ad-Aware and CounterSpy Among other problems ADDHB.EXE and SYSBH.EXE were found and deleted. In addition, R0, R1 and R3 itmes initially showed on the HijackThis log. Normally I use Netscapte 7.2 but sometimes IE6 is necessary for compatibilaty reasons. My system(Win98SE) is working OK right now but I am afraid to use IE6 again until I am entirely clean.

I have done the following steps:

-Ad-aware in in safe mode
-Spybot S&D (Tea Timer is now inactive)
-TrendMicro Online Scan
- Symantic antivirus (corporate version)
- CounterSpy (active protection is now disabled is now disabled)
- Removed MS Java VM
- CWSchredder

Than for considering this problem,

BigEv

Here is the log using KRC HijackThis Analyzer.
H====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 8:21:47 PM, on 3/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\evan\prefs.js)
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab

End of KRC HijackThis Analyzer Log.
====================================================================

greyknight17 · 03-20-2005, 09:01 PM

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O15 - Trusted Zone: *.frame.crazywinnings.com

Restart. You should be ok now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.

Any problems now? If not, you should be set to go.

BigEv · 03-23-2005, 08:15 PM

Thanks,

I believe that fixed it.

Regards,

BigEv

03-20-2005, 08:38 PM	#1 (permalink)
BigEv Registered User Join Date: Mar 2005 Posts: 2 OS: Win98	Log File help - can't fix O15 I was definetely hijacked in IE. Start page went to about-blank and unwanted popups happened. I have fixed a number of items via HijackThis but I can't get rid of .frame.crazywinnings.com in the trusted zone (O15). I tried to delete this URL in the IE6 tools menu and via HijackThis with no success. CWS items were also found and deleted by Ad-Aware and CounterSpy Among other problems ADDHB.EXE and SYSBH.EXE were found and deleted. In addition, R0, R1 and R3 itmes initially showed on the HijackThis log. Normally I use Netscapte 7.2 but sometimes IE6 is necessary for compatibilaty reasons. My system(Win98SE) is working OK right now but I am afraid to use IE6 again until I am entirely clean. I have done the following steps: -Ad-aware in in safe mode -Spybot S&D (Tea Timer is now inactive) -TrendMicro Online Scan - Symantic antivirus (corporate version) - CounterSpy (active protection is now disabled is now disabled) - Removed MS Java VM - CWSchredder Than for considering this problem, BigEv Here is the log using KRC HijackThis Analyzer. H==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs Security Programs Detected* C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.98.2 Scan saved at 8:21:47 PM, on 3/20/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE C:\WINDOWS\SYSTEM\MSCONFIG.EXE N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\evan\prefs.js) O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O15 - Trusted Zone: *.frame.crazywinnings.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab End of KRC HijackThis Analyzer Log. ====================================================================

03-20-2005, 09:01 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Welcome to TSF. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): *O15 - Trusted Zone: .frame.crazywinnings.com** Restart. You should be ok now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided. Any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-23-2005, 08:15 PM	#3 (permalink)
BigEv Registered User Join Date: Mar 2005 Posts: 2 OS: Win98	OK Now Thanks, I believe that fixed it. Regards, BigEv