Help, anyone?

garbageman

I ran a scan with MAS Beta and it found an internet start
page, http://rl.webtracer.cc/-/?bayzm, which I then had
it remove. For whatever reason it didn't and can't
remove it. I even used the "hijack this" program someone
had mentioned in a post, but it still remains. Can
anyone tell me how to remove/fix this or at least point
me in the right direction? It's slowing the computer
terribly. Thanks.
 
AndyManchesta

There is another part of this running which is preventing
you deleting it.

This file will be in the Windows system32\drivers folder,
but it's going to take a few small programs to try to show
this malicious file.

Download these and post back the results.

Download Startdreck

http://andymanchesta.com/Downloads/startdreck.zip

Once Downloaded, Unzip and Extract All Files!

Now Double Click the StartDreck.exe to Open it and Select
Run!

Click Config

Click Unmark All

Place a Check By NT Kernel- and FS Driver
and
Save Account Info to log

Click OK!

It won't take long to complete!

Once Complete, Click Save and Save that log to the New
Folder and Copy & Paste the Entire Contents of the log into
the next Post!

Download Locate.bat

http://andymanchesta.com/Downloads/locate.zip

Unzip and Extract All Files.

Now go to the Locate Folder, Double Click locate.bat

Takes no time to complete; look back in the Locate folder
and double click the report.txt

Copy & Paste those results in the Next Post

Download Find.bat

http://andymanchesta.com/Downloads/find.zip

Download to a folder
Unzip! Extract All Files!

Double Click Find.bat and let it scan the PC; takes only
seconds!!
Look back in the Folder you downloaded to and locate
Report.txt

Double Click Report.txt and Copy & Paste the entire
contents in the next post

Run Hijack This and Post the log file

Regards Andy
 
garbageman1171

As requested:

StartDreck:

StartDreck (build 2.1.7 public stable) - 2005-05-29 @
13:50:57 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as The Average Schmoe at SHORTY

»Registry
»Files
»System/Drivers
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
*abp480n5 abp480n5 - disabled
*Microsoft ACPI Driver ACPI running boot
*ACPIEC ACPIEC - disabled
*adpu160m adpu160m - disabled
*Microsoft Kernel Acoustic Echo Canceller aec -
on demand
*AFD Networking Support Environment AFD running
system
*Aha154x Aha154x - disabled
*aic78u2 aic78u2 - disabled
*aic78xx aic78xx - disabled
*AliIde AliIde - disabled
*AMD K7 Processor Driver AmdK7 running system
*amsint amsint - disabled
*asc asc - disabled
*asc3350p asc3350p - disabled
*asc3550 asc3550 - disabled
*RAS Asynchronous Media Driver AsyncMac
running on demand
*Standard IDE/ESDI Hard Disk Controller atapi
running boot
*Atdisk Atdisk - disabled
*ATM ARP Client Protocol Atmarpc - on demand
*Audio Stub Driver audstub running on demand
*Beep Beep running system
*cbidf2k cbidf2k - disabled
*cd20xrnt cd20xrnt - disabled
*Cdaudio Cdaudio - system
*Cdfs Cdfs running disabled
*CD-ROM Driver Cdrom running system
*Changer Changer - system
*CmdIde CmdIde - disabled
*Cpqarray Cpqarray - disabled
*dac960nt dac960nt - disabled
*Disk Driver Disk running boot
*dmboot dmboot - disabled
*dmio dmio - disabled
*dmload dmload - disabled
*Microsoft Kernel DLS Syntheiszer DMusic -
on demand
*dpti2o dpti2o - disabled
*Microsoft Kernel DRM Audio Descrambler drmkaud -
on demand
*Fastfat Fastfat running disabled
*Floppy Disk Controller Driver Fdc running
on demand
*Fips Fips running system
*Floppy Disk Driver Flpydisk running on demand
*FltMgr FltMgr running boot
*Volume Manager Driver Ftdisk running boot
*Game Port Enumerator gameenum running on demand
*Generic Packet Classifier Gpc running on demand
*hpn hpn - disabled
*hpt3xx hpt3xx - disabled
*HTTP HTTP running on demand
*i2omgmt i2omgmt - system
*i2omp i2omp - disabled
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt
running system
*Imapi Imapi running system
*ini910u ini910u - disabled
*IntelIde IntelIde - disabled
*IPv6 Windows Firewall Driver ip6fw - on demand
*IP Traffic Filter Driver IpFilterDriver -
on demand
*IP in IP Tunnel Driver IpInIp - on demand
*IP Network Address Translator IpNat running
on demand
*IPSEC driver IPSec running system
*IR Enumerator Service IRENUM - on demand
*PnP ISA/EISA Bus Driver isapnp running boot
*Keyboard Class Driver Kbdclass running
system
*Microsoft Kernel Wave Audio Mixer kmixer running
on demand
*KSecDD KSecDD running boot
*lbrtfdc lbrtfdc - system
*mnmdd mnmdd running system
*Modem Modem running on demand
*Unimodem Streaming Filter Device MODEMCSA
running on demand
*Mouse Class Driver Mouclass running system
*Mount Point Manager MountMgr running boot
*mraid35x mraid35x - disabled
*WebDav Client Redirector MRxDAV running on demand
*MRxSmb MRxSmb running system
*Msfs Msfs running system
*Microsoft Streaming Service Proxy MSKSSRV -
on demand
*Microsoft Streaming Clock Proxy MSPCLOCK -
on demand
*Microsoft Streaming Quality Manager Proxy MSPQM -
on demand
*Microsoft System Management BIOS Driver mssmbios
running on demand
*Microsoft MPU-401 MIDI UART Driver ms_mpu401
running on demand
*Mup Mup running boot
*NDIS System Driver NDIS running boot
*Remote Access NDIS TAPI Driver NdisTapi
running on demand
*NDIS Usermode I/O Protocol Ndisuio running on demand
*Remote Access NDIS WAN Driver NdisWan running
on demand
*NDIS Proxy NDProxy running on demand
*NetBIOS Interface NetBIOS running system
*NetBios over Tcpip NetBT running system
*Npfs Npfs running system
*Ntfs Ntfs - disabled
*Null Null running system
*IPX Traffic Filter Driver NwlnkFlt -
on demand
*IPX Traffic Forwarder Driver NwlnkFwd -
on demand
*Parallel port driver Parport running on demand
*Partition Manager PartMgr running boot
*ParVdm ParVdm running auto
*PCI Bus Driver PCI running boot
*PCIDump PCIDump - system
*PCIIde PCIIde running boot
*pciidexq pciidexq running auto
*Pcmcia Pcmcia - disabled
*PDCOMP PDCOMP - on demand
*PDFRAME PDFRAME - on demand
*PDRELI PDRELI - on demand
*PDRFRAME PDRFRAME - on demand
*perc2 perc2 - disabled
*perc2hib perc2hib - disabled
*WAN Miniport (PPTP) PptpMiniport running on demand
*Processor Driver Processor - system
*QoS Packet Scheduler PSched running on demand
*Direct Parallel Link Driver Ptilink running on demand
*W2K Pctel Serial Device Driver Ptserial
running on demand
*ql1080 ql1080 - disabled
*Ql10wnt Ql10wnt - disabled
*ql12160 ql12160 - disabled
*ql1240 ql1240 - disabled
*ql1280 ql1280 - disabled
*Remote Access Auto Connection Driver RasAcd running
system
*WAN Miniport (L2TP) Rasl2tp running on demand
*Remote Access PPPOE Driver RasPppoe running
on demand
*Direct Parallel Raspti running on demand
*Rdbss Rdbss running system
*RDPCDD RDPCDD running system
*RDPWD RDPWD - on demand
*Digital CD Audio Playback Filter Driver redbook
running system
*Microsoft Legacy Modem Driver ROOTMODEM
running on demand
*Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver rtl8139 running on demand
*Secdrv Secdrv - on demand
*Serenum Filter Driver serenum running on demand
*Serial port driver Serial running system
*Sfloppy Sfloppy - system
*Simbad Simbad - disabled
*SiS300i SiS300i running on demand
*Service for AC'97 Sample Driver (WDM) SiS7018
running on demand
*SIS AGP Bus Filter sisagp running boot
*Sparrow Sparrow - disabled
*Microsoft Kernel Audio Splitter splitter -
on demand
*System Restore Filter Driver sr running boot
*Srv Srv running on demand
*Software Bus Driver swenum running on demand
*Microsoft Kernel GS Wavetable Synthesizer swmidi -
on demand
*symc810 symc810 - disabled
*symc8xx symc8xx - disabled
*sym_hi sym_hi - disabled
*sym_u3 sym_u3 - disabled
*Microsoft Kernel System Audio Device sysaudio
running on demand
*TCP/IP Protocol Driver Tcpip running system
*TDPIPE TDPIPE - on demand
*TDTCP TDTCP - on demand
*Terminal Device Driver TermDD running system
*TosIde TosIde - disabled
*Udfs Udfs - disabled
*ultra ultra - disabled
*Microcode Update Driver Update running on demand
*Microsoft USB Standard Hub Driver usbhub running
on demand
*Microsoft USB Open Host Controller Miniport Driver usbohci running on demand
*USB Mass Storage Driver USBSTOR - on demand
*VGA Display Controller. VgaSave running system
*ViaIde ViaIde - disabled
*W2k Vmodem Vmodem running boot
*VolSnap VolSnap running boot
*W2k Vpctcom Vpctcom running boot
*W2k Vvoice Vvoice running boot
*Remote Access IP ARP Driver Wanarp running on demand
*WDICA WDICA - on demand
*Microsoft WINMM WDM Audio Compatibility Driver
wdmaud running on demand
»Application specific


Locate:


C:\WINDOWS\SYSTEM32\DRIVERS\
tcpip.sys Sun Mar 13 2005 5:55:08p
A.... 359,808 351.38 K

1 item found: 1 file, 0 directories.
Total of file sizes: 359,808 bytes 351.38 K


Find:


C:\WINDOWS\SYSTEM32\DRIVERS\
atinxbxx.sys Tue Aug 3 2004
10:29:32p ..... 31,744 31.00 K
pciidexq.sys Sat Aug 18 2001 12:00:00p
A.... 31,744 31.00 K

C:\WINDOWS\SERVIC~1\I386\
atinxbxx.sys Tue Aug 3 2004
10:29:32p ..... 31,744 31.00 K
wceusbsh.sys Tue Aug 3 2004
11:08:46p ..... 31,744 31.00 K

C:\WINDOWS\SOFTWA~1\DOWNLOAD\6CA7B3~1\
wceusbsh.sys Tue Aug 3 2004 11:08:46p
A.... 31,744 31.00 K
atinxbxx.sys Tue Aug 3 2004 10:29:32p
A.... 31,744 31.00 K


HiJack This:

Logfile of HijackThis v1.99.1
Scan saved at 1:57:24 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft
AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\The Average Schmoe\My
Documents\startdreck\StartDreck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\The Average Schmoe\My
Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local
Page = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local
Page = www.hotmail.com
O1 - Hosts: 1159680172 auto.search.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{292CABE0-758E-
4EA5-8274-E322C3A00CBB}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{292CABE0-758E-
4EA5-8274-E322C3A00CBB}: NameServer = 64.136.28.120 64.136.20.120
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

I appreciate your time.
 
AndyManchesta

Now for the fix :)

Download Hoster to your desktop

http://andymanchesta.com/Downloads/hoster.zip

Download Deldomains

http://www.mvps.org/winhelp2002/DelDomains.inf

Download Ccleaner

http://download.ccleaner.com/download119bin.asp


Please Print this out or save these instructions to a
Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

You can do this by tapping the F8 key as the system is
restarting, then choosing Safe Mode from the list

Enable Hidden Files and folders :

Go to Search then press Tools on the top bar then Folder
Options and go onto the View tab

make sure that 'Show hidden files and folders' is
enabled. Also make sure that 'Display the contents of
system folders' is checked.

Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane, click on the 'More advanced options' at the
bottom. Make sure that Search system folders, Search
hidden files and folders, and Search subfolders are
checked.


in safe mode

Navigate to this Folder:

C:\WINDOWS1\SYSTEM32\DRIVERS

Locate this File:

PCIIDEXQ.SYS

Right Click the File and select Rename!

Rename the file PCIIDEXQ.SYS to PCIIDEXQ.OLD


Restart Normal!


Do another scan with Hijackthis and put a check next to
these entries:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://rl.webtracer.cc/-/?bayzm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

close all open windows except hijack this and then
press ' Fix Checked '


find and delete these files :

C:\WINDOWS\SYSTEM32\DRIVERS\PCIIDEXQ.OLD <-file
C:\WINDOWS\stsheets.dat <-file (If Found)


Run Hoster and press ' Restore Original Hosts '

Exit Hoster


Right click the deldomains file and choose Install (all
you will notice is the desktop icons flash, then that's
finished)



Reboot and make sure its gone

Let me know if you have any problems. You shouldn't need to
enable everything in Msconfig like I said in my last
post; I'm not sure it's needed now I can see the malicious
file. See how you get on and repost a new log if it's not
killed.


Good Luck


Andy Manc
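The fix post above picks out specific HijackThis entries to "Fix Checked": the R0 start-page hijacks, the O1 hosts redirect and the O19 user stylesheet, while the O17 NameServer lines are left for review. As an added example (not part of the thread, and not a tool from Andy's site), the Python below parses HijackThis-style log lines and applies that same triage automatically. The sample lines are constructed to match the shapes in the log posted in this thread; the TRUSTED_HOSTS allow-list and the severity labels are assumptions to be tuned for your own environment.

```python
import re

# Constructed sample, shaped like the HijackThis v1.99.1 log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.hotmail.com
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O17 - HKLM\System\CCS\Services\Tcpip\..\{292CABE0-758E-4EA5-8274-E322C3A00CBB}: NameServer = 64.136.28.120 64.136.20.120
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
"""

# Every HijackThis entry line starts with a section code such as R0, R1, O1, O17.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Assumption: hosts the user is known to have chosen for their browser pages.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com", "www.hotmail.com"}


def parse(log_text):
    """Return (code, body) pairs for every entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def hostname_of(value):
    """Reduce a start/search page value to its bare host name."""
    v = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.IGNORECASE)
    return v.split("/")[0].lower()


def assess(entries):
    """Apply the triage from the thread: which entries to fix, which to review."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            # Browser page settings: flag anything not on the allow-list.
            _key, _sep, value = body.partition(" = ")
            if hostname_of(value) not in TRUSTED_HOSTS:
                findings.append({"code": code, "severity": "fix", "line": body,
                                 "reason": "browser page points at untrusted host"})
        elif code == "O1":
            # 'Hosts: <address> <name>': any non-loopback mapping is a redirect.
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "::1"):
                findings.append({"code": code, "severity": "fix", "line": body,
                                 "reason": "hosts file redirects %s to %s" % (parts[1], parts[0])})
        elif code == "O17":
            # Registry-set resolvers were genuine in this thread; confirm rather than delete.
            findings.append({"code": code, "severity": "review", "line": body,
                             "reason": "NameServer set in registry; confirm these are the ISP's resolvers"})
        elif code == "O19":
            findings.append({"code": code, "severity": "fix", "line": body,
                             "reason": "user stylesheet set; normally absent on a clean system"})
    return findings


if __name__ == "__main__":
    for f in assess(parse(SAMPLE_LOG)):
        print("[%s] %s: %s" % (f["severity"].upper(), f["code"], f["reason"]))
        print("    " + f["line"])
```

Running it on the sample yields five findings: the two R0 start pages, the O1 hosts line and the O19 stylesheet marked "fix", and the O17 resolver entry marked "review", which is exactly the split the fix post makes. The O4 NetZero entry and the allow-listed search/local pages produce nothing.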
 
AndyManc

Slight mistake there, I put a 1 after windows:

I put Navigate to this Folder:

C:\WINDOWS1\SYSTEM32\DRIVERS

But the folder is called:

C:\WINDOWS\SYSTEM32\DRIVERS

Just read it and thought I'd better let you know it's a
mistake (you can copy the line, then go to Start and Run,
paste the line in and press Enter to go to the drivers
folder).



Regards Andy
 
Guest

Hey, it worked, you're the man!!! Much thanks...

I went into MSCONFIG like you told me and everything was
enabled on the startup page. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:23 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft
AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\The Average Schmoe\My
Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local
Page = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local
Page = www.hotmail.com
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program
Files\NetZero\exec.exe regrun
O17 - HKLM\System\CCS\Services\Tcpip\..\{292CABE0-758E-
4EA5-8274-E322C3A00CBB}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{292CABE0-758E-
4EA5-8274-E322C3A00CBB}: NameServer = 64.136.28.120 64.136.20.120



Hey, thanks again for the help!
MC
 
AndyManchesta

Well done, that was a tricky one to remove and you did
well to get it clean in one try. I'm glad I was able to
see the problem file as it made it a lot easier to fix
after that. The other entries are all genuine so I think
it's solved, but let me know anytime if you need any
help ;)


All the best

Andy
 