Solved

MalWare - Know what is causing this or how to get rid of it?

Posted on 2004-08-23
1,384 Views
Last Modified: 2010-04-14
A Win2K PC, all MS updates installed.  

It was infected with a lot of spyware/malware, I was able to get rid of most of it that I found.  There is one that is stubborn, but I'm not even sure what it is.  It could be a virus, too, but Norton is not picking it up either.  Have scanned with Ad-aware and Spybot to get rid of other spyware, but this one hasn't been detected.

Description:

In the HKEY_Local_machine\software\microsoft\windows\currentVersion\Run reg key there is a string that resembles this:

2J7LDZM2F9@NER     C:\WINNT\system32\<random characters>.exe

I delete the key from the registry and in about 2 seconds, a new string will appear in the RUN key.  The exe is named different things when I delete the key and run it again.

Here are some of the names that I am getting now:

-2j7ldzm2f9@NER      C:\WINNT\system32\Ezq1p5.exe
-2j7ldqm2f9@NER      C:\WINNT\system32\Kfmj8u3.exe
-2j7ldqm2f9@NER      C:\WINNT\system32\Kfmj8u3.exe
-2j7ldqm2f9@NER      C:\WINNT\system32\Ezq1p5.exe
-2j7ldqm2f9@NER      c:\WINNT\system32\Fsm6By.exe

I'm pretty sure there were some other names not listed here that were showing up before, I will post them as I see them.  They have all been showing up with the same name, "2j7ldzm2f9", but I thought that was different before too, before I started logging them.  I could be wrong about that.


Can anyone tell me what is causing this?  
Question by:tebacher

15 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Hello tebacher =)

Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe
 
LVL 9

Expert Comment

by:jdeclue
The program is running in memory and when you delete it, it puts itself back. Hit CTRL-ALT-DEL, kill explorer.exe (the process is running as an explorer hook), From task manager go to file, New Task, Run "regedit", remove the file. Then run New Task, "explorer.exe"

Check the registry and see if it is gone. If it is then run the adware again, and make sure it gets the Explorer hook, if it hasn't already.

J
 
LVL 9

Expert Comment

by:jdeclue
Oops... if it isn't gone, do the same thing and after you remove it, go to Task Run and then run Ad remover, before starting explorer.

J
 
LVL 5

Author Comment

by:tebacher
It seems to be just cycling through these 3 exe file names in no particular order:

ezq1p5.exe
kfmj8u3.exe
fsm6by.exe

(sorry, I listed them multiple times above!)
 
LVL 6

Accepted Solution

by:tanelorn (earned 350 total points)
Hi,

you'll need to start your computer in safe mode and run your updated spyware cleaner du jour..

when your computer starts, hit the F8 key when it says to.  and arrow down to safe mode.

running in safe mode will prevent the process from starting in the first place and respawning itself.

I suggest AdAware, and HijackThis and Spybot Search and Destroy..  these 3 together in safe mode will take out just about all the spyware that ails you

Tanelorn
 
LVL 5

Expert Comment

by:NashvilleGuitarPicker
You probably need to boot to safe mode (with network support, to update spyware/virus patterns) and then remove the registry keys.  While you are in safe mode, run Spybot, AdAware, and Norton again.  Make sure you update the definitions for each product before running it.  Most likely, some program is running which repopulates the registry key.  Running in safe mode should prevent it from running.  You can run MSCONFIG to see what else is starting up.

- Will
 
LVL 6

Expert Comment

by:tanelorn
Hi again.  

what are the dates on your spyware cleaner definition lists?

thanks

Tanelorn
 
LVL 5

Author Comment

by:tebacher
I am unable to get on the computer in question at the moment, I will this evening.

Ad-aware and spybot's definitions are up to date.  

I'll try your suggestions and get back to you.

Thanks for everyone's help!
 
LVL 5

Author Comment

by:tebacher
Alright, I think I have the issue taken care of.  

I started the PC in safe mode w/ networking.  Deleted the Reg key I mentioned before and deleted Virtual Bouncer that had also re-infected the system since I cleaned it.  I deleted all traces of Virtual Bouncer too, so hopefully it won't come back.  I ran Spybot S&D twice, it found some things and deleted them.

I restarted in normal mode and the strange Reg key did NOT come back.  

I ran HijackThis after that, here's the Log file (specific network info edited out in *Asterisks*).  How does it look?  I have not worked with HijackThis much and don't know what some of the stuff is (like in the 02 03 04 section towards the bottom of the log)...

Logfile of HijackThis v1.98.2
Scan saved at 8:59:24 AM, on 8/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\ppRemoteService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
*NetworkLocation*\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by *COMPANY NAME*
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F1FD28-7122-49AF-B208-38F5B66D0F05}: NameServer = *MY DNS SERVER IPS*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*

------------------------------------------------------

BTW, I'm going to be doing a point split between a few of you who have already posted and whoever helps me with the log file.  I appreciate all the help already!

Thanks!
 
LVL 6

Assisted Solution

by:tanelorn (earned 350 total points)
hi,

I'd get rid of these lines

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

other than those,  it looks ok,

Tanelorn
 
LVL 5

Author Comment

by:tebacher
I'm not at the PC in question, but can access it through shared directories over my LAN right now, can I just delete the files that you listed that way?  Or does HijackThis remove more than just the files?


Also, could you explain what these are from my log?  Not what the files are, I know that, but why these things are listed here?  What's the significance of the 02 03 04 016 017 etc.... Are these categories?  Just so I know for future reference.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by *COMPANY NAME*
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F1FD28-7122-49AF-B208-38F5B66D0F05}: NameServer = *MY DNS SERVER IPS*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*



Thanks for your help!
 
LVL 5

Author Comment

by:tebacher
Increasing point value
 
LVL 9

Assisted Solution

by:jdeclue (earned 150 total points)
OK... All of the numbers are GUIDs. These are specific numbers that are granted to developers which ID their applications. The OS uses the GUID usually, as opposed to a name that might be attached to 20 different versions. You do not need to delete the actual file, typically you should remove the registry entry. The safest thing to do is go to FILE in regedit and export the key, and then delete the registry entries. If there are issues you can import the file back.

I will leave the rest for others.... ;)

J
 
LVL 5

Author Comment

by:tebacher
Ok, so really I should just wait until I can get back to the affected PC, run hijackThis again and have it remove these:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

It will remove the reg entries for me, I'm assuming.  I'll do that, & I believe this issue is closed.  I'll hand out points soon.

Thanks to everyone who helped!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
O2 - BHO: (no name) - SOFTWARE - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
===============================================

Well u have to Put a check mark against these lines in HijackThis, and have to click on Fix Checked !!!!

DONT REMOVE this LINE >> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

ITS A VALID FILE !!!!
And Its better if u fix them with HijackThis instead of manually removing !!!!
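As an added illustration of the section codes asked about above (O2, O3, O4, O9, O16, O17), here is a small Python triage script for the HijackThis log format; it is not code from the thread or from HijackThis itself. It splits each entry into its section code and body, attaches a short description of what that section covers (my own paraphrase, an assumption), and flags the entries a defender would look at first: ones whose target file is missing, and O4 autostart entries whose value name or executable looks machine-generated, like the 2j7ldzm2f9@NER / Ezq1p5.exe pair from the question. The `looks_random` heuristic is mine, and the O4 sample line is constructed from the question's description rather than taken from the posted log.

```python
import re

# HijackThis section codes seen in this thread; descriptions are my own paraphrase (assumption).
SECTIONS = {
    "R1": "IE registry value (start page, search page, window title)",
    "O2": "Browser Helper Object: a DLL loaded into Internet Explorer",
    "O3": "Internet Explorer toolbar",
    "O4": "autostart entry (Run keys, Startup folders)",
    "O9": "extra IE button or Tools menu item",
    "O16": "Downloaded Program File (ActiveX control) and its source URL",
    "O17": "TCP/IP settings: DNS domain and name servers",
}
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_RE = re.compile(r"\[([^\]]+)\]\s+(\S+)")  # [value name] + first token of the command

def looks_random(name):
    """Heuristic: no whitespace and letters/digits swap class >= 2 times (e.g. Ezq1p5)."""
    if not name or any(c.isspace() for c in name):
        return False
    classes = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b) >= 2

def parse_hjt(log_text):
    """(section code, body) for each entry line; headers and the process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def flag_entry(code, body):
    """Reasons a defender would look twice at this entry (empty list = clean)."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: the file it points at is missing")
    if code == "O4" and (m := O4_RE.search(body)):
        name, cmd = m.groups()
        stem = cmd.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name without extension
        if looks_random(name) or looks_random(stem):
            reasons.append("random-looking autostart value name or executable")
    return reasons

def triage(log_text):
    """(code, section description, body, reasons) for every entry in the log."""
    return [(code, SECTIONS.get(code, "other"), body, flag_entry(code, body))
            for code, body in parse_hjt(log_text)]
# Constructed sample: lines from the posted log plus one O4 line built from the Run value
# described in the question (that value is not in the posted log, which was taken after cleanup).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [2j7ldzm2f9@NER] C:\WINNT\system32\Ezq1p5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
"""
```

Run `triage(SAMPLE_LOG)` to get one row per entry; the &Radio toolbar and the vptray and SDHelper entries come back with no reasons, while the two orphaned entries, the MaxSpeed button and the random-named Run value are flagged.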