Solved

Malware - can't find originating source

Posted on 2004-08-26
10
485 Views
Last Modified: 2010-04-12
Pop ups -

Have executables running in processes window. Remove one and another returns in it's place.
- Zlou4r.exe
- Llq0.exe
- Kxino.exe
- Nnu5Dv7.exe
- LixY2.exe
- QfkM07.exe

I have shown hidden files and extensions and searched for these. Results are 0. If I search for all *.exe files, I can see all others, just not these.

I can not remove them because I can't find them or the root that is generating them.

I have already run Spybot, Ad-Aware, Trojan Remover, and HijackThis and they find nothing. Shows system clean.

HijackThis did find 2 others Wvs4.exe and Tpws.exe. When I remove one the other returns.

I also found a suspicious executable in WINNT
- crazykatie.exe

Please Advise for next step. Have you seen any of these process? I have searched various search engines on all of the above processes and found nothing.

Please Help - Thank You
0
Comment
Question by:nsdhouston
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11907621
Hello nsdhouston =)

Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe
0
 

Author Comment

by:nsdhouston
ID: 11907649
Logfile of HijackThis v1.97.7
Scan saved at 4:22:45 PM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\System32\Zlou4R.exe
C:\WINNT\System32\Zlou4R.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nsd.LEANDER\Desktop\Spyware Kit\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [3FRY64C568#SJF] C:\WINNT\system32\Tpws.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\STMS.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38169.3600347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11907678
>> O4 - HKLM\..\Run: [3FRY64C568#SJF] C:\WINNT\system32\Tpws.exe

u are having a peper trojan..... so download this fix and run it in safemode >> http://downloads.subratam.org/PeperFix.exe
Also....

Peper Trojan Removal Instructions:
http://www.kephyr.com/spywarescanner/library/pepertrojan/index.phtml
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:nsdhouston
ID: 11907696
Thanks -  I'll give it a try.
0
 

Author Comment

by:nsdhouston
ID: 11907820
O.K. - That did seem to find some things, but now there are new ones that I hav'nt seen yet. Here's my log.


Logfile of HijackThis v1.97.7
Scan saved at 4:43:22 PM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nsd.LEANDER\Desktop\Spyware Kit\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\STMS.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38169.3600347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ci.leander.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{0428003F-3483-4395-9A9A-0099FF8C733C}: NameServer = 192.168.100.20,65.163.16.130,65.163.16.138

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11907842
nah.... ur LOG is perfectly OK now.... not any Junk item or process.... all are Legit and Known processes :)
are u facing any type of problem ??
0
 

Author Comment

by:nsdhouston
ID: 11907881
Hav'nt experienced any pop ups yet. When I opened HijackThis after running the pepper fix and rebooting, the Tpws.exe had started again. I removed it and did not regenerate. I was just curious if it is going to start again at next boot up.
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 125 total points
ID: 11907906
did u run peperfix in safemode.... it was necessary !!!!
0
 

Author Comment

by:nsdhouston
ID: 11907935
Yes. Just rebooted. Everything looks good now. Nothing returned.

Thanks for your help. This one really had me stumped.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11907951
Great :)
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article summarizes using a simple matrix to map the different type of phishing attempts and its targeted victims. It also run through many scam scheme scenario with "real" phished emails. There are safeguards highlighted to stay vigilance and h…
Read about achieving the basic levels of HRIS security in the workplace.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question