
Not exactly sure what this is!

I'm a technician for Gravitys Edge Computers, and most of my job is removing SVTs. I've run across just about every single type of Spyware you can imagine, but this one I have never seen or heard of.

When I open internet explorer, it closes immediately, and tries to download a file from whatever address is set as the homepage (I.E www,google.com is the homepage, it tries to download google.htm). I've tried Ad-Aware SE, SpyBot, HJT, CWShredder (why not), HSRemove, Kill2Me, McAfee Stinger, About:Buster, and anything else I could think of, none of them helped.

Here is my HJT Log. Almost nothing in this log is "legit", it's all spyware related. I see no suspicious files anymore, I've removed them while doing the HSA Removal Guide on this website.

NOTE: URLs have been edited so nobody clicks them :)

Logfile of HijackThis v1.98.2
Scan saved at 1:17:27 PM, on 9/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\8-16-04\HiJackThis\blah.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = h**p://www,mycrasoft.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://www,mycrasoft.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www,mycrasoft.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://www,mycrasoft.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://www,mycrasoft.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = h**p://www,your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h**p://www,mycrasoft.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www,mycrasoft.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**p://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: auto.search.msn.com 127.0.0.1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Click me !!! - {6234f700-cba3-4071-b251-47cb894244cd} - h**p://www,mycrasoft.biz/ (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Click me !!! - {6234f700-cba3-4071-b251-47cb894244cd} - h**p://www,mycrasoft.biz/ (file missing) (HKCU)
O13 - DefaultPrefix: h**p://www,worldnetsearch.org/search.php?url=
O13 - WWW Prefix: h**p://www,worldnetsearch.org/search.php?url=
O13 - Home Prefix: h**p://www,worldnetsearch.org/search.php?url=
O13 - Mosaic Prefix: h**p://www,worldnetsearch.org/search.php?url=
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)
Any help is greatly appreciated!
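A small triage script, added here as an illustration rather than taken from the thread or from HijackThis itself: it parses the R0/R1, O1, O13, O15 and O19 entry kinds that appear in the log above and flags the patterns that make it "all spyware related" (start and search settings pointing at unknown hosts, a proxy forced to localhost, a hosts-file redirect, rewritten URL prefixes, Trusted Zone additions, a missing user stylesheet). The sample lines are constructed in the same de-fanged style the poster used, and the allowlist and rules are assumptions.

```python
import re

# Constructed sample in the HijackThis v1.98 log format shown in this thread,
# with the poster's "h**p://www," de-fanging left in place; not a real capture.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www,mycrasoft.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: auto.search.msn.com 127.0.0.1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix: h**p://www,worldnetsearch.org/search.php?url=
O15 - Trusted Zone: *.blazefind.com
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)
"""

ENTRY_RE = re.compile(r"^(R[01]|O\d{1,2}) - (.+)$")
# Host part of a URL, whether de-fanged ("h**p://www,host") or plain ("http://www.host").
HOST_RE = re.compile(r"h(?:tt|\*\*)p://(?:www[.,])?([A-Za-z0-9.-]+)")
KNOWN_GOOD_HOSTS = {"google.com", "msn.com", "microsoft.com"}  # assumed allowlist

def classify(code, body):
    """Return a reason string when an entry looks like a hijack, else None (assumed rules)."""
    m = HOST_RE.search(body)
    host = m.group(1) if m else None
    if code in ("R0", "R1"):
        if "ProxyServer" in body and "127.0.0.1" in body:
            return "IE proxy forced to localhost: browser traffic can be intercepted or blocked"
        if host and host not in KNOWN_GOOD_HOSTS:
            return f"IE start/search setting points at unknown host {host}"
        return None  # e.g. about:blank backups are harmless
    if code == "O1":
        h = re.match(r"Hosts: (\S+) (\S+)", body)
        if h and h.group(2) == "127.0.0.1":
            return f"hosts file redirects {h.group(1)} to localhost"
        return None
    if code == "O13":
        return f"URL prefix rewritten so typed addresses go through {host}"
    if code == "O15":
        return "Trusted Zone entry lowers IE security for " + body.split(":", 1)[1].strip()
    if code == "O19" and "(file missing)" in body:
        return "user stylesheet set to a missing file: leftover of a CSS hijack"
    return None

def scan(log_text):
    """Yield (code, reason) for every suspicious entry in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            reason = classify(*m.groups())
            if reason:
                findings.append((m.group(1), reason))
    return findings
```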

Comments

  • SpywareShooter 127.0.0.1
    edited September 2004
    Welcome to Short Media.

    Is this a full log? I don't see any running processes.

    Before doing the following, please Set your computer to show hidden files and folders, Disable System Restore, and Reboot in Safe Mode.

    Once you have done that, Run HijackThis and have it fix the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = h**p://www,mycrasoft.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://www,mycrasoft.biz/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www,mycrasoft.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://www,mycrasoft.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://www,mycrasoft.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = h**p://www,your-search.info/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h**p://www,mycrasoft.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www,mycrasoft.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h**p://www,mycrasoft.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**p://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O1 - Hosts: auto.search.msn.com 127.0.0.1
    O9 - Extra button: Click me !!! - {6234f700-cba3-4071-b251-47cb894244cd} - h**p://www,mycrasoft.biz/ (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Click me !!! - {6234f700-cba3-4071-b251-47cb894244cd} - h**p://www,mycrasoft.biz/ (file missing) (HKCU)
    O13 - DefaultPrefix: h**p://www,worldnetsearch.org/search.php?url=
    O13 - WWW Prefix: h**p://www,worldnetsearch.org/search.php?url=
    O13 - Home Prefix: h**p://www,worldnetsearch.org/search.php?url=
    O13 - Mosaic Prefix: h**p://www,worldnetsearch.org/search.php?url=
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)

    Then find and locate the files listed above and Quarantine them.

    Once you have done that, reboot, scan with HijackThis again, and post a new log.
  • edited September 2004
    This is the full log, I will post the Running Processes again:
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    F:\8-16-04\HiJackThis\blah.exe.exe

    I have restarted in Safe Mode, and done all of the techniques for removing SVTs I listed above, and a few more. I've disabled System Restore, and all computers that I work on, I show all hidden files and folders/system files.

    After fixing the problems you listed, whether I did a hard-reboot or not, all of the entries came back.

    I am truly dumbfounded :banghead:
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Maybe this be a new one. Oy.

    Can we get a startup log from HJT?
  • edited September 2004
    This computer recently had Windows XP SP2 installed. I can't help but think that nobody did a Spyware or Virus scan -before- installing it. I'm attempting to remove it, then scan for Spyware and Viruses using the usual methods.

    I will post my results when I am finished.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited September 2004
    Try getting a trial pack of F-Prot and running it on this box. F-Prot's heuristics and def sets have saved my bacon here lots of times, and it runs on both SP2 and SP1 of XP, runs on 98 and up also. It knows one heck of a lot more trojans and spyware and javascript malwares than McAfee does, much less Stinger which is typically top 20 virals. It let me clean a Me box, among other things, just before Frances reached my coast of Florida, and its heuristics proved key to cleaning that box. In point of fact, and this is something XP has in common, the stuff it detected by heuristics included malware in the restore points. I had to wipe and let Me rebuild the restore point structure almost from scratch. Me was protecting the malware in restore points and had once restored it from them before I wiped them and left only the _restore subtree FOLDERS. XP can also rebuild from this, but removal of restore points is harder on XP than in Me (in Me, I used a 98 SE Windows Startup Disk floppy boot, wiped the files in DOS after resetting their attributes).

    With XP, you might try this from a recovery console boot, and if not able from there then use a Linux Rescue CD followed by a reboot to Recovery Console and an immediate chkdsk /R after reboot to get the journal resynced to actuality. Any chance your removals are being restored by XP itself due to registered processes or service hooks in registry??? XP can also rebuild its restore points subtree with a new start point of a restore point as it reboots if the _restore subtree directories are present but empty.... (That is why I used the Me example, both are similar and have that one property in common so it was a good illustration). Try wiping restore points (actually, you could COPY the whole subtree then empty old original tree directories if you want a backup, but in this case I think I would trash them and start over with a new restore point set once things were killed) and then killing as admin in safe mode, see if things stay gone then.
  • edited September 2004
    I'm starting to think that there is a lot more wrong with this computer than just Spyware and Viruses. Trying to reach the Display applet, via Right-Clicking the Desktop, and going to Properties, brings up only the initial Tab, and none of the others show up.

    I cannot view the Users applet from the Control Panel, it does nothing when Double-Clicked. Internet Explorer tries to download google.htm when I attempt to run it, yet Mozilla FireFox works perfectly fine (Not Surprising).

    I think my attempts at fixing this system's issues have been in vain. Unless someone here has any clue on what might be wrong, I'm going to contact the customer tomorrow and suggest a Format and Reinstallation of Windows.

    Thanks for all of your help!