Solved

Unable to Remove adware/spyware app

Posted on 2004-04-21
7
586 Views
Last Modified: 2010-04-11
I think I have a culprit, but Ad-Aware nor Spychecker are able to detect it. I get the occasional pop ad. But I also noticed two programs running in memory (Rtu49Q5.exe, Xdj7ALq.exe) that I just can't kill. They keep coming back right after I end the task.  Here's my Hijackthis log. Any Ideas?

Logfile of HijackThis v1.97.7
Scan saved at 9:51:15 PM, on 4/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rtu49Q5.exe
C:\WINDOWS\System32\Xdj7ALq.exe
Y:\Setup Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [563XKS#4WF2RKC] C:\WINDOWS\System32\JqvGne.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.goferboy.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

0
Comment
Question by:Thirt
7 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10884884
To start with try these tools as well

Use spybot ,ad-ware ,CWshredder and post the log from Hijackthis here

After installing them, First Update them and then run

Spyware/Adware removal tools:
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.safer-networking.org/

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

Then check for virus using these and remove if you find any


http://housecall.trendmicro.com/

http://security.symantec.com/

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://www.pcpitstop.com/antivirus/default.asp

Check if those files are removed.. post back

0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10884891
Have you tried doing to windows/system32 folder and removed those 2 files ?

remove them if you have not and then  reboot the machine and check if they would come back again..

post back
0
 
LVL 12

Expert Comment

by:aindelicato
ID: 10885102
Thirt,

Try removing them from SAFEMODE.

Remove them from the registry.  If they comeback after a restart, then something is reinstalling them.

Als, this looks suspicious:

O4 - HKLM\..\Run: [563XKS#4WF2RKC] C:\WINDOWS\System32\JqvGne.exe

0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 2

Expert Comment

by:Slym
ID: 10885795
I just dealt with this today - only there were about 20 of those files.  

Use both Sunray's and aindelicato's suggestions together.  Safemode and remove the files manually.

What worked for me:
Run AdAware In safemode to clean up what it can.  Save the log before you quarentine and delete in Adaware

Remove the files manually, as AdAware did not seem to be able to get it all.  Use that log AdAware made to make sure they were really deleted.

Remove any references to these files in the registry at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Hope that helps.
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 250 total points
ID: 10887024
Hi!

Took a look at your HJT log.
The following entry probably points to a peper virus:
O4 - HKLM\..\Run: [563XKS#4WF2RKC] C:\WINDOWS\System32\JqvGne.exe
The following is a link to a tool to remove it:
http://www.mjc1.com/files/peperpage/uninst.exe
I would run it in safe mode.

Good luck!
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 10890261
This is a VERY cool tool, with it you can display all programs that start up automatically and optionally remove'em
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Regards
Peter
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10966143
Could you post back on the status of this question ? Have you checked our suggestions yet ?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now