MalWare - Know what is causing this or how to get rid of it?

A Win2K PC, all MS updates installed.  

It was infected with a lot of spyware/malware, I was able to get rid of most of it that I found.  There is one that is stubborn, but I'm not even sure what it is.  It could be a virus, too, but Norton is not picking it up either.  Have scanned with Ad-aware and Spybot to get rid of other spyware, but this one hasn't been detected.

Description:

In the HKEY_Local_machine\software\microsoft\windows\currentVersion\Run reg key there is a string that resembles this:

2J7LDZM2F9@NER     C:\WINNT\system32\<random characters>.exe

I delete the key from the registry and in about 2 seconds, a new string will appear in the RUN key.  The exe is named different things when I delete the key and run it again.

Here are some of the names that I am getting now:

-2j7ldzm2f9@NER      C:\WINNT\system32\Ezq1p5.exe
-2j7ldqm2f9@NER      C:\WINNT\system32\Kfmj8u3.exe
-2j7ldqm2f9@NER      C:\WINNT\system32\Kfmj8u3.exe
-2j7ldqm2f9@NER      C:\WINNT\system32\Ezq1p5.exe
-2j7ldqm2f9@NER      c:\WINNT\system32\Fsm6By.exe

I'm pretty sure there were some other names not listed here that were showing up before, I will post them as I see them.  They have all been showing up with the same name, "2j7ldzm2f9", but I thought that was different before too, before I started logging them.  I could be wrong about that.


Can anyone tell me what is causing this?  
Asked by: tebacher
 
SheharyaarSaahilCommented:
Hello tebacher =)

Download HijackThis v1.98.2, run it, save the LOG file and post it here:
http://tools.radiosplace.com/HijackThis.exe
 
jdeclueCommented:
The program is running in memory and when you delete it, it puts itself back. Hit CTRL-ALT-DEL, kill explorer.exe (the process is running as an explorer hook). From Task Manager go to File, New Task, run "regedit", remove the file. Then run New Task, "explorer.exe".

Check the registry and see if it is gone. If it is, then run Ad-aware again, and make sure it gets the Explorer hook, if it hasn't already.

J
 
jdeclueCommented:
Oops... if it isn't gone, do the same thing, and after you remove it go to Task Run and then run Ad remover, before starting explorer.

J
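jdeclue's diagnosis above is that a resident process watches the Run key and rewrites the value as soon as it is deleted. The following is an added example, not code posted by anyone in the thread, that makes the poster's manual observation mechanical: it diffs successive snapshots of the Run key and reports every value that appears, with the reasons it deserves a look (random-looking file name, unknown binary in system32, unusual characters in the value name, a name that comes back after being deleted). The snapshots are constructed from the value names and paths listed in the question, and KNOWN_GOOD is an assumed per-site allowlist; on a live Windows machine the snapshots would be read with the winreg module instead of being hard-coded.

```python
"""Diff successive snapshots of the HKLM Run key to catch an autorun value
that is recreated under a new file name after being deleted.

Added example for this thread, not code from the original posters. The
snapshots are constructed from the value names and paths reported in the
question; on a live Windows box they would come from winreg over
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run instead.
"""
import re

# Per-site allowlist of autorun binaries (an assumption for the example).
KNOWN_GOOD = {"vptray.exe", "qttask.exe", "mobsync.exe", "promon.exe"}

# Legitimate values present in every snapshot (taken from the posted log).
BASE = {
    "vptray": r"C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    "QuickTime Task": r'"C:\Program Files\QuickTime\qttask.exe" -atboottime',
}

# Constructed snapshots, value name -> command line, taken a few seconds apart.
# Snapshots 1 and 3 are right after the poster deleted the suspicious value.
SNAPSHOTS = [
    {**BASE, "2J7LDZM2F9@NER": r"C:\WINNT\system32\Ezq1p5.exe"},
    dict(BASE),
    {**BASE, "2j7ldqm2f9@NER": r"C:\WINNT\system32\Kfmj8u3.exe"},
    dict(BASE),
    {**BASE, "2j7ldqm2f9@NER": r"C:\WINNT\system32\Fsm6By.exe"},
]


def image_path(command):
    """Return the executable part of a Run value: the quoted token or the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def alternations(stem):
    """Count letter/digit/other class changes along the stem; product names rarely exceed 1."""
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "o" for c in stem]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def looks_random(filename):
    """Heuristic: short stem with interleaved letters and digits (Ezq1p5, Kfmj8u3, Fsm6By)."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) <= 8 and alternations(stem) >= 2


def assess(name, command):
    """Return the reasons an autorun value deserves a look; an empty list means benign."""
    path = image_path(command)
    fname = path.rsplit("\\", 1)[-1]
    if fname.lower() in KNOWN_GOOD:
        return []
    reasons = []
    if looks_random(fname):
        reasons.append("random-looking file name")
    if "\\system32\\" in path.lower():
        reasons.append("unknown binary in system32")
    if not re.fullmatch(r"[\w .&()-]+", name):
        reasons.append("unusual characters in value name")
    return reasons


def respawn_report(snapshots):
    """Walk consecutive snapshots and report every value that appears, with reasons."""
    events, deleted = [], set()
    for step in range(1, len(snapshots)):
        before, after = snapshots[step - 1], snapshots[step]
        for name in before.keys() - after.keys():
            deleted.add(name.lower())           # remember what we removed by hand
        for name in sorted(after.keys() - before.keys()):
            reasons = assess(name, after[name])
            if name.lower() in deleted:
                reasons.append("value name reappeared after deletion")
            events.append({"step": step, "name": name,
                           "path": image_path(after[name]), "reasons": reasons})
    return events


if __name__ == "__main__":
    for e in respawn_report(SNAPSHOTS):
        print(f"snapshot {e['step']}: [{e['name']}] {e['path']} -> {'; '.join(e['reasons'])}")
```

Note that the poster's own list shows two spellings of the value name (2j7ldzm2f9 and 2j7ldqm2f9), so exact name matching only catches the second respawn; the file-name and path heuristics are what flag both, which is why the report carries all reasons rather than a single verdict.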
 
tebacherAuthor Commented:
It seems to be just cycling through these 3 exe file names in no particular order:

ezq1p5.exe
kfmj8u3.exe
fsm6by.exe

(sorry, I listed them multiple times above!)
 
tanelornCommented:
Hi,

You'll need to start your computer in safe mode and run your updated spyware cleaner du jour.

When your computer starts, hit the F8 key when it says to, and arrow down to Safe Mode.

Running in safe mode will prevent the process from starting in the first place and respawning itself.

I suggest Ad-Aware, HijackThis and Spybot Search & Destroy. These 3 together in safe mode will take out just about all the spyware that ails you.

Tanelorn
 
NashvilleGuitarPickerCommented:
You probably need to boot to safe mode (with network support, to update spyware/virus patterns) and then remove the registry keys.  While you are in safe mode, run Spybot, AdAware, and Norton again.  Make sure you update the definitions for each product before running it.  Most likely, some program is running which repopulates the registry key.  Running in safe mode should prevent it from running.  You can run MSCONFIG to see what else is starting up.

- Will
 
tanelornCommented:
Hi again.  

what are the dates on your spyware cleaner definition lists?

thanks

Tanelorn
 
tebacherAuthor Commented:
I am unable to get on the computer in question at the moment, I will this evening.

Ad-aware and spybot's definitions are up to date.  

I'll try your suggestions and get back to you.

Thanks for everyone's help!
 
tebacherAuthor Commented:
Alright, I think I have the issue taken care of.  

I started the PC in safe mode w/ networking.  Deleted the Reg key I mentioned before and deleted Virtual Bouncer that had also re-infected the system since I cleaned it.  I deleted all traces of Virtual Bouncer too, so hopefully it won't come back.  I ran Spybot S&D twice, it found some things and deleted them.

I restarted in normal mode and the strange Reg key did NOT come back.  

I ran HijackThis after that, here's the Log file (specific network info edited out in *asterisks*).  How does it look?  I have not worked with HijackThis much and don't know what some of the stuff is (like in the O2 O3 O4 section towards the bottom of the log)...

Logfile of HijackThis v1.98.2
Scan saved at 8:59:24 AM, on 8/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\ppRemoteService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
*NetworkLocation*\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by *COMPANY NAME*
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F1FD28-7122-49AF-B208-38F5B66D0F05}: NameServer = *MY DNS SERVER IPS*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*

------------------------------------------------------

BTW, I'm going to be doing a point split between a few of you who have already posted and whoever helps me with the log file.  I appreciate all the help already!

Thanks!
 
tanelornCommented:
hi,

I'd get rid of these lines

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

other than those,  it looks ok,

Tanelorn
 
tebacherAuthor Commented:
I'm not at the PC in question, but can access it through shared directories over my LAN right now, can I just delete the files that you listed that way?  Or does HijackThis remove more than just the files?


Also, could you explain what these are from my log?  Not what the files are, I know that, but why these things are listed here?  What's the significance of the O2 O3 O4 O16 O17 etc.... Are these categories?  Just so I know for future reference.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by *COMPANY NAME*
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F1FD28-7122-49AF-B208-38F5B66D0F05}: NameServer = *MY DNS SERVER IPS*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*



Thanks for your help!
 
tebacherAuthor Commented:
Increasing point value
 
jdeclueCommented:
OK... All of the numbers are GUIDs. These are specific numbers that are granted to developers which ID their applications. The OS uses the GUID usually, as opposed to a name that might be attached to 20 different versions. You do not need to delete the actual file, typically you should remove the registry entry. The safest thing to do is go to FILE in regedit and export the key, and then delete the registry entries. If there are issues you can import the file back.

I will leave the rest for others.... ;)

J
 
tebacherAuthor Commented:
Ok, so really I should just wait until I can get back to the affected PC, run hijackThis again and have it remove these:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

It will remove the reg entries for me, I'm assuming.  I'll do that, & I believe this issue is closed.  I'll hand out points soon.

Thanks to everyone who helped!
 
SheharyaarSaahilCommented:
O2 - BHO: (no name) - SOFTWARE - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
===============================================

Well, you have to put a check mark against these lines in HijackThis, and then click on Fix Checked!

DON'T REMOVE this LINE >> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

IT'S A VALID FILE!
And it's better if you fix them with HijackThis instead of manually removing them!
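tebacher asks above what the O2/O3/O4/O16/O17 prefixes in the log mean, and the two experts offer different lists of lines to fix. The script below is an added example, not code from HijackThis or from anyone in the thread. It parses a HijackThis log, labels each line with what its section code covers, and applies the rules an analyst reaches for first: an entry whose target is reported as "(no file)" or "(file missing)" is an orphaned registry reference and safe to fix, an O16 ActiveX download is judged by the host it came from, and O17 Domain/NameServer values are left for a manual comparison with what the network should really be using. The section legend is what HijackThis documents for those codes; SAMPLE_LOG is the browser, autostart and network part of the log posted above with the poster's masking kept and the duplicate CS1/CS2 lines dropped, and TRUSTED_ACTIVEX_HOSTS is an assumed per-site allowlist.

```python
"""Triage a HijackThis log: group entries by section code and apply the
first-pass rules (orphaned registry references, ActiveX download sources,
network settings that need a manual check).

Added example for this thread, not code from HijackThis or the posters.
SAMPLE_LOG is the log posted in the thread (masked values kept);
TRUSTED_ACTIVEX_HOSTS is an assumed per-site allowlist.
"""
import re
from collections import defaultdict

# What each HijackThis section code covers (from the tool's documentation).
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O2": "Browser Helper Object (IE extension DLL)",
    "O3": "IE toolbar",
    "O4": "autostart: Run keys and Startup folders",
    "O9": "extra IE button / Tools menu item",
    "O16": "Downloaded Program Files (ActiveX control)",
    "O17": "TCP/IP Domain and NameServer settings",
}

TRUSTED_ACTIVEX_HOSTS = {"a1540.g.akamai.net"}   # assumption: the QuickTime installer CDN

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
MISSING_RE = re.compile(r"\((no file|file missing)\)")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by *COMPANY NAME*
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1150040821/WrapperOuter.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *DOMAIN.COMPANY.COM*
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F1FD28-7122-49AF-B208-38F5B66D0F05}: NameServer = *MY DNS SERVER IPS*
"""


def parse(log):
    """Return one dict per 'Oxx - ...' line: section code, body, original line."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "line": raw.strip()})
    return entries


def triage(entry):
    """Return (verdict, reason) for one entry: fix, review, check or ok."""
    sec, body = entry["section"], entry["body"]
    if MISSING_RE.search(body):
        return "fix", "registry entry points at a file that is no longer present"
    if sec == "O16":
        m = URL_HOST_RE.search(body)
        host = m.group(1).lower() if m else ""
        if host in TRUSTED_ACTIVEX_HOSTS:
            return "ok", f"ActiveX control from trusted host {host}"
        return "review", f"ActiveX control downloaded from {host or 'unknown host'}"
    if sec == "O17":
        return "check", "compare Domain/NameServer with the values the network should have"
    return "ok", SECTIONS.get(sec, "section not in legend")


def report(log):
    """Parsed entries with verdict and reason attached."""
    return [{**e, "verdict": v, "reason": r} for e in parse(log) for v, r in [triage(e)]]


def fix_list(log):
    """Lines you would tick in HijackThis before pressing 'Fix checked'."""
    return [r["line"] for r in report(log) if r["verdict"] == "fix"]


if __name__ == "__main__":
    by_section = defaultdict(list)
    for row in report(SAMPLE_LOG):
        by_section[row["section"]].append(row)
    for sec, rows in by_section.items():
        print(f"{sec}: {SECTIONS.get(sec, '?')}")
        for row in rows:
            print(f"  [{row['verdict']:6}] {row['body']}  ({row['reason']})")
```

On the posted log the missing-file rule selects the orphaned O2 SOFTWARE entry, the nameless O3 toolbar and both O9 MaxSpeed lines; the &Radio toolbar is not selected because its msdxm.ocx is present. The two O16 controls not on the allowlist (install.spywarelabs.com and download.weatherbug.com) come back as "review" rather than "fix", since a download source is a judgement call for the site, not a broken reference.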