nsdhouston
Malware - can't find originating source
Pop-ups -
Have executables running in the processes window. Remove one and another returns in its place.
- Zlou4r.exe
- Llq0.exe
- Kxino.exe
- Nnu5Dv7.exe
- LixY2.exe
- QfkM07.exe
I have shown hidden files and extensions and searched for these. Results are 0. If I search for all *.exe files, I can see all the others, just not these.
I cannot remove them because I can't find them or the root that is generating them.
I have already run Spybot, Ad-Aware, Trojan Remover, and HijackThis and they find nothing. Shows system clean.
HijackThis did find 2 others Wvs4.exe and Tpws.exe. When I remove one the other returns.
I also found a suspicious executable in WINNT
- crazykatie.exe
Please advise on the next step. Have you seen any of these processes? I have searched various search engines for all of the above processes and found nothing.
Please Help - Thank You
ASKER
Logfile of HijackThis v1.97.7
Scan saved at 4:22:45 PM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\System32\Zlou4R.exe
C:\WINNT\System32\Zlou4R.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nsd.LEANDER\Desktop\Spyware Kit\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [3FRY64C568#SJF] C:\WINNT\system32\Tpws.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\STMS.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38169.3600347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
>> O4 - HKLM\..\Run: [3FRY64C568#SJF] C:\WINNT\system32\Tpws.exe
You have a Peper trojan, so download this fix and run it in Safe Mode >> http://downloads.subratam.org/PeperFix.exe
Also...
Peper Trojan removal instructions:
http://www.kephyr.com/spywarescanner/library/pepertrojan/index.phtml
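The diagnosis above rests on two things visible in the posted log: a Run value with a random-looking name (`[3FRY64C568#SJF]`) pointing at an unknown executable in System32, and a System32 process (`Zlou4R.exe`, running twice) whose file the asker could not find with Explorer search. Both patterns can be checked mechanically instead of by eye. The script below is an added example written for this page, not code from the thread, from HijackThis or from the PeperFix tool; it parses a HijackThis-style log and flags those patterns. The log text inside it is a constructed, abridged sample modelled on the posted logs, and the baseline set of "known" System32 binaries is an assumption for illustration (a real triage compares against a clean reference install, not a hand-typed list).

```python
"""Heuristic triage of a HijackThis-style log (added example, not from the thread)."""
import re
from collections import Counter

# ASSUMED baseline: core Windows 2000 binaries expected under System32.
# Illustrative only; compare against a clean reference install in practice.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "stisvc.exe", "winmgmt.exe",
    "mspmspsv.exe", "cisvc.exe", "cidaemon.exe", "mobsync.exe",
}

# CONSTRUCTED sample, abridged from the shape of the logs posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Zlou4R.exe
C:\WINNT\System32\Zlou4R.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [3FRY64C568#SJF] C:\WINNT\system32\Tpws.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

SYSTEM32_EXE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\system32\\([^\\]+\.exe)$", re.I)
ENTRY_LINE = re.compile(r"^[A-Z]\d{1,2} - ")          # an O2/O4/O16... line ends the process list
O4_RUN = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SUSPICIOUS_RUN_NAME = re.compile(r"^[A-Z0-9#$%&@!]{8,}$")  # e.g. 3FRY64C568#SJF


def executable_from_command(cmd: str) -> str:
    """Return the executable part of a Run value's command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def looks_generated(basename: str) -> bool:
    """Short stems mixing letters and digits (Zlou4R, Nnu5Dv7, QfkM07) are typical
    of droppers that pick a fresh random file name on every respawn."""
    stem = basename.rsplit(".", 1)[0]
    return (any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
            and len(stem) <= 8)


def parse_sections(log_text: str):
    """Split a HijackThis log into (running process paths, O4 Run entries)."""
    processes, run_entries = [], []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if ENTRY_LINE.match(line):
            in_procs = False
        if in_procs:
            processes.append(line)
            continue
        m = O4_RUN.match(line)      # Global Startup .lnk lines carry no [name]; skipped here
        if m:
            run_entries.append((m.group("where"), m.group("name"), m.group("cmd")))
    return processes, run_entries


def triage(log_text: str):
    """Return [(item, [reasons])] for processes and Run values worth a closer look."""
    processes, run_entries = parse_sections(log_text)
    findings = []
    # Processes: only System32 residents are judged; duplicates are counted because
    # a pair of identical unknown processes often means one is respawning the other.
    for path, n in Counter(p.lower() for p in processes).items():
        m = SYSTEM32_EXE.match(path)
        if not m:
            continue
        base = m.group(1)
        reasons = []
        if base not in KNOWN_SYSTEM32:
            reasons.append("System32 executable not in baseline")
            if looks_generated(base):
                reasons.append("generated-looking file name")
            if n > 1:
                reasons.append(f"{n} instances running (watchdog pair?)")
        if reasons:
            findings.append((path, reasons))
    # Run values: a random value name, or a target that is an unknown System32 binary.
    for where, name, cmd in run_entries:
        exe = executable_from_command(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if SUSPICIOUS_RUN_NAME.match(name):
            reasons.append("random-looking Run value name")
        if SYSTEM32_EXE.match(exe) and base not in KNOWN_SYSTEM32:
            reasons.append("Run target is an unknown System32 executable")
        if reasons:
            findings.append((f"{where} [{name}] -> {exe}", reasons))
    return findings


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG):
        print(item)
        for r in reasons:
            print("   -", r)
```

Run it directly to print the findings for the sample, or pass a saved log with `triage(open(path).read())`. The name heuristics are deliberately loose and will also flag legitimate binaries that live in System32 with digits in their names (`HPZipm12.exe` in the thread's log is one), so treat a hit as a lead for an on-disk and signature check, not as a verdict. Note too that the process list shows a full path (`C:\WINNT\System32\Zlou4R.exe`) even though Explorer search found nothing, which is why a process-to-disk cross-check on the live system is the next step after triaging the log.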
ASKER
Thanks - I'll give it a try.
ASKER
O.K. - That did seem to find some things, but now there are new ones that I haven't seen yet. Here's my log.
Logfile of HijackThis v1.97.7
Scan saved at 4:43:22 PM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nsd.LEANDER\Desktop\Spyware Kit\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\STMS.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38169.3600347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
No, your log is perfectly OK now: no junk items or processes, all are legit and known processes :)
Are you facing any type of problem?
ASKER
Haven't experienced any pop-ups yet. When I opened HijackThis after running the Peper fix and rebooting, Tpws.exe had started again. I removed it and it did not regenerate. I was just curious whether it is going to start again at the next boot-up.
ASKER CERTIFIED SOLUTION
ASKER
Yes. Just rebooted. Everything looks good now. Nothing returned.
Thanks for your help. This one really had me stumped.
Great :)
Download HijackThis v1.98.2, run it, save the log file and post it here:
http://tools.radiosplace.com/HijackThis.exe