junkyardking
11-17-2003, 10:38 PM
Somewhere along the line I have downloaded some particularly nasty spyware which tries to connect to 216.127.94.107 (Everyones Internet, Inc) <_<. It's particularly hard to track down as it uses Windows files (Windows Explorer and "Run DLL as an App") to connect. I have currently blocked it using Kerio firewall but would like to remove it. I have run both Ad-Aware Pro and Spybot with the latest updates but to no avail. :(
I have tracked down at least one file in C:\Documents and Settings\GuessWho\Local Settings\Temp, the file name being "osfhiqf", which I can't seem to delete as it has hooked itself to Windows Explorer.
Now how do I delete this file?
I have also used a program called StartupList to list files in use, if that's any help.
Here's the list:
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GuessWho\LOCALS~1\Temp\Rar$EX00.897\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\WINDOWS\System32\qttask.exe" -atboottime
CloneCDTray = "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
osfhiqf = rundll32 C:\WINDOWS\System32:osfhiqf.dll,Init 1
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*osfhiqf = rundll32 C:\WINDOWS\System32:osfhiqf.dll,Init 1
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProxyCap = C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
Steam = C:\Program Files\Steam\Steam.exe -silent
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\iDonate.dll - {397D7D63-816E-4ECF-8761-775C932C5CF1}
(no name) - C:\Program Files\NetLeech\IEExt.dll - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2}
--------------------------------------------------
Enumerating Download Program Files:
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7863.7639467593 (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.7639467593)
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab)
--------------------------------------------------
Enumerating Winsock LSP files:
Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #2: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #3: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #4: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #5: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #6: w2pxdrv.dll (file MISSING)
Protocol #7: w2pxdrv.dll (file MISSING)
Protocol #8: w2pxdrv.dll (file MISSING)
Protocol #9: w2pxdrv.dll (file MISSING)
Protocol #10: w2pxdrv.dll (file MISSING)
Protocol #16: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #36: w2pxdrv.dll (file MISSING)
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 5,630 bytes
Report generated in 0.090 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
:swear: :swear: :angry: :( :(
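The detail that explains why the file cannot be found or deleted is in the Run and RunOnce entries: `C:\WINDOWS\System32:osfhiqf.dll` has a second colon after the drive letter, which is NTFS alternate data stream syntax, so the DLL is stored as a hidden stream attached to the System32 directory rather than as a normal file, and rundll32 is loading it from there. The `*` in front of the RunOnce value name means that entry also fires in Safe Mode, and the `w2pxdrv.dll (file MISSING)` lines show a Winsock LSP chain that still points at a DLL that is gone. The following script is an added example, not something from this thread or from StartupList itself: it parses a constructed excerpt of the report above and flags exactly those three conditions. The section parser, the `ADS_RE` heuristic and the `Finding`/`analyze`/`find_ads_reference` names are my own; the sample text is built from the entries quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt in the StartupList report format, built from
# the entries quoted in the post above (not the full report).
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
CloneCDTray = "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
osfhiqf = rundll32 C:\WINDOWS\System32:osfhiqf.dll,Init 1
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*osfhiqf = rundll32 C:\WINDOWS\System32:osfhiqf.dll,Init 1
--------------------------------------------------
Enumerating Winsock LSP files:
Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #6: w2pxdrv.dll (file MISSING)
"""

# A Windows path with a second ':' after the drive letter's colon is an NTFS
# alternate data stream reference: <host file or directory>:<stream name>.
# The host part may contain spaces; the stream name may not contain '\' or '/'.
ADS_RE = re.compile(r'\b([a-z]:\\[^,"]*?):([^\s,\\/"]+)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # registry key or report section the entry came from
    entry: str     # the report line as written
    reason: str    # why it was flagged


def find_ads_reference(command):
    """Return (host, stream) if the command loads from an alternate data stream, else None."""
    m = ADS_RE.search(command)
    return (m.group(1), m.group(2)) if m else None


def parse_sections(report):
    """Split StartupList output into (header, body_lines) pairs on its separator lines."""
    sections, header, body = [], None, []
    for raw in report.splitlines():
        line = raw.rstrip()
        if line.startswith("----") or line.startswith("===="):
            if header is not None:
                sections.append((header, body))
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    if header is not None:
        sections.append((header, body))
    return sections


def analyze(report):
    """Flag autorun and LSP entries that warrant a closer look."""
    findings = []
    for header, body in parse_sections(report):
        if header.startswith("Autorun entries") and body:
            key, entries = body[0], body[1:]          # first body line is the registry key
            for entry in entries:
                name, _, command = entry.partition(" = ")
                ads = find_ads_reference(command)
                if ads:
                    findings.append(Finding(key, entry,
                        f"loads '{ads[1]}' from an alternate data stream attached to '{ads[0]}'; "
                        "it will not show up in Explorer or a plain 'dir' listing"))
                if key.endswith("RunOnce") and name.startswith("*"):
                    findings.append(Finding(key, entry,
                        "RunOnce value name starts with '*', so it also runs in Safe Mode"))
        elif header.startswith("Enumerating Winsock LSP") and body:
            for entry in body:
                if "(file MISSING)" in entry:
                    findings.append(Finding(header, entry,
                        "Winsock catalog still references a DLL that is gone; repair the "
                        "catalog rather than leaving the dangling entry"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"[{f.section}]\n  {f.entry}\n  -> {f.reason}")
```

Run against the sample it reports four findings: the stream-hosted DLL in both Run and RunOnce, the Safe-Mode RunOnce entry, and the missing LSP file. The practical consequence for cleanup is that the Temp file the poster found is at most a copy; the loader lives in the stream on System32, so the registry values and the stream itself have to go (with nothing holding the DLL loaded), and the LSP catalog should be repaired rather than left pointing at a missing file. Because the regex only looks for the `path:stream` shape, it will not notice a stream that is referenced through a quoted path containing a comma, which is an accepted limitation of this heuristic.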