Re: Help w/ Sandboxer virus.
From: Lawrence Abrams (grinler-AT=bleepingcomputer.com)
Date: 07/07/04
- Next message: asp: "LSA shell (export version)"
- Previous message: AL: "LoadUserProfile question"
- In reply to: Doksa: "Re: Help w/ Sandboxer virus."
- Next in thread: Doksa: "Re: Help w/ Sandboxer virus."
- Reply: Doksa: "Re: Help w/ Sandboxer virus."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 7 Jul 2004 10:02:50 -0400
"Doksa" <Doksa@discussions.microsoft.com> wrote in message
news:B679F7D7-5F8C-4EEB-B87B-C41FAEC1FF45@microsoft.com...
> OK. I did all that and here's the log:
>
You may want to print these instructions out as I will be having you do
steps while not having internet access.
First,
You are currently using hijackthis from a temp directory. This can cause
problems. Please create a directory on your c: drive called c:\hijackthis
and download and unzip hijackthis into that directory. Run the program from
that directory from now on.
Next,
Hi, you have a Peper infection
Download the removal tool :
http://computercops.us/downloads-file-330.html
or
http://downloads.subratam.org/PeperFix.exe
! NOTE: YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass
the firewall.
!!! Please run this twice with a reboot in between.
Then,
I want you to fix some of those entries. Please do the following:
Please make sure that you can view all hidden files. Instructions on how to
do this can be found here:
How to see hidden files in Windows
http://www.bleepingcomputer.com/forums/index.php?showtutorial=62
Run Hijackthis again, click scan, and put a checkmark next to each of these.
Then click the Fix button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no
file)
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program
Files\SEP\sep.dll
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} -
C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [RealTray] C:\WINDOWS\system32\WINBOOT\turbo\brunz.bat
O4 - HKLM\..\Run: [yearofl] c:\program files\mirc.exe
O4 - HKLM\..\Run: [System Tray] SysTray32.exe
O4 - HKLM\..\Run: [Version Information] C:\WINDOWS\system\ist2.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKLM\..\Run: [Macafee] CRDZ.EXE
O4 - HKLM\..\Run: [4ndEe] C:\docume~1\dustin\locals~1\temp\4ndEe.exe
O4 - HKLM\..\Run: [GJ5] C:\docume~1\dustin\locals~1\temp\GJ5.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Ouc7j0i.exe
O4 - HKLM\..\Run: [jkinkwoezeuu] C:\WINDOWS\System32\vdfztg.exe
O4 - HKLM\..\Run: [AutoLoaderqs551JJLIKXX] "C:\WINDOWS\System32\sampack.exe"
/PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qFmf37U] sampack.exe
O4 - HKLM\..\RunServices: [System Tray] SysTray32.exe
O4 - HKCU\..\Run: [bo5pRXYFT] dnsrtp.exe
O4 - HKCU\..\RunOnce: [Macafee] CRDZ.EXE
O8 - Extra context menu item: &iSearch The Web -
res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program
Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -
C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed -
{120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} -
http://toolbar.isearch.com/general/drm.cab
Reboot your computer into Safe Mode (instructions below)
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61
and delete the following files or directories (do not be concerned if they do
not exist):
C:\WINDOWS\System32\SearchBar.htm
C:\Program Files\SEP\
C:\WINDOWS\system32\WINBOOT\
c:\windows\system32\SysTray32.exe
C:\WINDOWS\system\ist2.exe
c:\program files\mirc.exe
C:\docume~1\dustin\locals~1\temp\4ndEe.exe
C:\docume~1\dustin\locals~1\temp\GJ5.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\Ouc7j0i.exe
C:\WINDOWS\System32\vdfztg.exe
C:\WINDOWS\System32\sampack.exe
c:\Windows\Inf\Catalog\su\explore.exe
C:\WINDOWS\System32\dnsrtp.exe
c:\windows\crdz.exe or c:\windows\system32\crdz.exe
c:\windows\aim1.exe or c:\windows\system32\aim1.exe
Disable System Restore. You can find instructions on how to disable and
re-enable system restore here:
Managing Windows Millennium System Restore
http://www.bleepingcomputer.com/forums/index.php?showtutorial=63
or
Windows XP System Restore Guide
http://www.bleepingcomputer.com/forums/index.php?showtutorial=56
Re-enable system restore with instructions from the tutorial above.
Reboot your computer to go back to normal mode and post a new log.
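The log above shows two patterns a helper picks out by eye: O1 hosts-file entries that send security-vendor names to 127.0.0.x addresses, and O4 autostart entries that launch a bare filename or a program sitting in a temp directory. The script below is an added example of automating that triage; it is not part of this post or of HijackThis itself. The sample log is constructed from the entry formats shown in the post, and the two checks (loopback mapping of a non-localhost name; autostart target with no path or under a `\temp\` directory) are assumptions about what is worth reviewing, not definitions from the tool.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample input, built from the entry formats the post above lists
# (O1 hosts-file mappings and O4 autostart keys). Raw string, so the Windows
# backslashes are literal.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 192.168.1.10 printer.lan
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [System Tray] SysTray32.exe
O4 - HKLM\..\Run: [4ndEe] C:\docume~1\dustin\locals~1\temp\4ndEe.exe
O4 - HKLM\..\Run: [AutoLoaderqs551JJLIKXX] "C:\WINDOWS\System32\sampack.exe" /PC="AM.WILD" /HideUninstall
""".strip()

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\]\s*(.*)$")
# Shortest prefix ending in an executable-type extension, so an unquoted path
# that contains spaces (c:\program files\foo.exe) is not split at the space.
EXE_RE = re.compile(r'^(.*?\.(?:exe|bat|cmd|com|scr|pif))(?:\s|$|")', re.I)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def autostart_target(command: str) -> str:
    """Return the program part of an O4 command, without its arguments."""
    command = command.strip().lstrip('"')
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def audit_hijackthis_log(text: str) -> List[Dict[str, str]]:
    """Flag O1 and O4 lines matching the two review heuristics (assumed, see lead-in)."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            addr, name = m.groups()
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # malformed address, cannot be a loopback redirect
            # A hosts entry pointing an external name at loopback silently
            # blocks that site; the log above does this to anti-spyware vendors.
            if ip in LOOPBACK and name.lower() not in LOCAL_NAMES:
                findings.append({"kind": "O1", "target": name,
                                 "reason": f"hosts file redirects {name} to loopback {addr}"})
            continue
        m = O4_RE.match(line)
        if m:
            key, label, command = m.groups()
            target = autostart_target(command)
            if "\\" not in target and "/" not in target:
                # No directory: the file is found by PATH search, so its real
                # location (and legitimacy) is not visible from the log line.
                findings.append({"kind": "O4", "target": target,
                                 "reason": f"[{label}] in {key} starts a bare filename with no path"})
            elif re.search(r"\\temp\\", target, re.I):
                findings.append({"kind": "O4", "target": target,
                                 "reason": f"[{label}] in {key} starts a program from a temp directory"})
    return findings


if __name__ == "__main__":
    for f in audit_hijackthis_log(SAMPLE_LOG):
        print(f"{f['kind']}: {f['reason']}")
```

On the constructed sample this reports the two hosts redirects, the pathless `SysTray32.exe` and the temp-directory `4ndEe.exe`, and leaves the `localhost` mapping, the LAN printer and the DirectX patch entry alone. A loopback mapping on its own is not proof of infection (ad-blocking hosts files use the same trick), so the output is a review list, not a verdict.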