Solved

Cleaning Trojans, worms, etc.

Posted on 2004-09-03
8
1,164 Views
Last Modified: 2013-12-04
I have tried many of the aforementioned solutions and still can't seem to get rid of the browser hijacker that I've been infested with.

My browser alternates between going to ads234.com or netspry.com

Here is a log of my hijackthis run:

Logfile of HijackThis v1.97.7
Scan saved at 1:09:40 PM, on 9/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\documents and settings\oliver karp\local settings\temp\as.exe
C:\documents and settings\oliver karp\local settings\temp\FkNaP0.exe
C:\documents and settings\oliver karp\local settings\temp\zlrI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\Oliver Karp\Desktop\Software Installs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Oliver Karp\Local Settings\Temp\g7R0b6v.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [gxvkefhtpqdu] C:\WINDOWS\System32\sehnuzcv.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [3SSGWNH5HX6WZJ] C:\WINDOWS\System32\Jhnh4p.exe
O4 - HKLM\..\Run: [s7EU32h] paqmg32.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [as] C:\documents and settings\oliver karp\local settings\temp\as.exe
O4 - HKLM\..\Run: [FkNaP0] C:\documents and settings\oliver karp\local settings\temp\FkNaP0.exe
O4 - HKLM\..\Run: [zlrI] C:\documents and settings\oliver karp\local settings\temp\zlrI.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [3.exe] C:\windows\temp\3.exe
O4 - HKLM\..\Run: [3] C:\windows\temp\3.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Documents and Settings\All Users\Documents\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [dwx8RSNtl] pcdrxy.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://chatsite.securewebs.com:8163/Java/cs4ms090.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://ecommerce.ama.org/CFIDE/classes/CFJava.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/176c6f5dd8deee6dc006/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

0
Comment
Question by:okarp
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
Comment Utility
Hello okarp =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
PeperFix ==> http://downloads.subratam.org/PeperFix.exe
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then turn off ur system restore and check these lines and click on Fix Checked !!

========================================================
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Oliver Karp\Local Settings\Temp\g7R0b6v.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [gxvkefhtpqdu] C:\WINDOWS\System32\sehnuzcv.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [3SSGWNH5HX6WZJ] C:\WINDOWS\System32\Jhnh4p.exe
O4 - HKLM\..\Run: [s7EU32h] paqmg32.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [as] C:\documents and settings\oliver karp\local settings\temp\as.exe
O4 - HKLM\..\Run: [FkNaP0] C:\documents and settings\oliver karp\local settings\temp\FkNaP0.exe
O4 - HKLM\..\Run: [zlrI] C:\documents and settings\oliver karp\local settings\temp\zlrI.exe
O4 - HKLM\..\Run: [3.exe] C:\windows\temp\3.exe
O4 - HKLM\..\Run: [3] C:\windows\temp\3.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Documents and Settings\All Users\Documents\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [dwx8RSNtl] pcdrxy.exe
==========================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto MyComputer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the Hijakcthis scan, and post the LOG file here again.


!! GOOD LUCK !!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
and yes i forgot to add to Goto C:\Windows\Temp and delete all files present there also in Safemode :)
0
 
LVL 4

Expert Comment

by:sconnell
Comment Utility
I'll emphasize that you should do all of your cleaning in safemode!  (Hold the F8 key down just as Windows starts - or slightly before that moment), a menu will appear asking you if you want to start up in safe mode.  

- Look in your add/remove programs for odd looking programs such as iopeiwtos, eeowasrrt (anything that looks like it doesn't belong)
  If when removing a program, you are asked to enter a CODE before removal - you hit the "jackpot" as that is likely malware!  Enter the code and allow it to delete;
- Run Adaware;
- Run Spybot search and destroy;

A note for adaware and spybot: These programs will require some knowledge of what is bad and good.  Usually it is safe to go with the software's suggestions for what is bad.

You're not done yet!

As per the above suggestions, clean out all the temporary directories such as (if available): \temp; \winnt\temp; \documents and settings\user\ - the temp directories are hidden (unhide by selecting in explorer tools/folder options/... uncheck three parameters).

I know it's a pain and I am seeing this problem on a weekly basis now with my clients.

Possibly the best solution to prevent this from happening again is to stop using Internet Explorer (replace it with Mozilla's Firefox) and purchase Spybot Search and Destroy (you need to subscribe in order to have always-on protection).

I wish you good luck!

Any more questions?
0
 
LVL 4

Expert Comment

by:sconnell
Comment Utility
I should also mention another program to run (in addition to Adaware and Spybot)

Step changes:
- Run Adaware;  - http://www.lavasoftusa.com/
- Run Spybot search and destroy;     http://www.safer-networking.org/en/index.html
- Run HijackThis   - http://www.spywareinfo.com/~merijn/    OR  http://www.spychecker.com/program/hijackthis.html
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
but as mentioned- with XP turn off system restore first- then scan with Ad-Aware (or other) then if you like, turn system restore backon after reboot (I never do)
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
-rich
0
 

Author Comment

by:okarp
Comment Utility
Wow - I'm glad I signed up for this group now.  I appear to have finally ditched all these problems (and this after a really long time of trying).  Thanks so much!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
glad u got it resolved okarp..... thanx for the appreciation ^_^
0
 
LVL 4

Expert Comment

by:sconnell
Comment Utility
Next step, get rid of IE!
Seriously, take a look at Mozilla's Firefox (http://www.mozilla.org/).  It's not perfect but in terms of protecting yourself from Malware, it is a significant improvement.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video discusses moving either the default database or any database to a new volume.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now