Solved

Cannot remove some spyware

Posted on 2005-04-28
Last Modified: 2010-04-12
Tried everything on this client's laptop, Ad-aware, Spybot, clean temp and Internet temp folders, Norton AV, CWshredder, SP2 upgrade & hijackthis (also using the hijackthis.de analyzer), but they still keep re-appearing (see first few entries in log below). It's mainly affecting the browser.

All help welcomed.


HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 09:21:28, on 28/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\adddj32.exe
C:\WINDOWS\sysjj.exe
C:\test\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {80010426-C366-9F5D-EAF5-3372D821F450} - C:\WINDOWS\system32\d3rc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [adddj32.exe] C:\WINDOWS\adddj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/yregucfg/2004_10_11_1/yregucfg.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109067297865
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwa.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Question by:gerlis
LVL 12

Accepted Solution

by:
rossfingal earned 2000 total points
ID: 13884961
Hi!

Here's the procedure for removing this:
http://www.pchell.com/support/onlythebest.shtml

You can download "About:Buster" from here:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

The "bad" Service is this one:
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwa.exe (file missing)

Any problems - let us know.

RF
LVL 12

Expert Comment

by:rossfingal
ID: 13885386
By the way -
These are the entries that you should fix in HijackThis:

C:\WINDOWS\adddj32.exe

C:\WINDOWS\sysjj.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {80010426-C366-9F5D-EAF5-3372D821F450} - C:\WINDOWS\system32\d3rc.dll

O4 - HKLM\..\Run: [adddj32.exe] C:\WINDOWS\adddj32.exe

Also, with this particular infection -
often you'll have to go through the removal procedure listed on the PCHell page more than once.
Sometimes 2 or 3 times.
Let me know how it goes.

Good luck!
RF
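The entries rossfingal lists above follow a recognisable pattern (IE search settings redirected into a res:// DLL resource, a nameless BHO, autostart executables dropped straight into C:\WINDOWS, and a service whose binary is missing). The following triage script is an added example, not part of the original thread or of HijackThis; it applies those heuristics, plus the four rogue service names and the two genuine RPC services named later in the thread, to a constructed sample in HijackThis log format.

```python
import re

# Constructed sample in HijackThis v1.99 log format, built from the
# entries quoted in this thread plus two benign lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {80010426-C366-9F5D-EAF5-3372D821F450} - C:\WINDOWS\system32\d3rc.dll
O4 - HKLM\..\Run: [adddj32.exe] C:\WINDOWS\adddj32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwa.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
"""

# Service display names this CWS variant registers under (the four named in the thread).
ROGUE_SERVICE_NAMES = {"workstation netlogon service", "network security service",
                       "remote procedure call (rpc) helper", "remote access service"}
# Genuine Windows services with confusingly similar names: never flag these.
LEGIT_RPC_NAMES = {"remote procedure call (rpc)", "remote procedure call (rpc) locator"}

def triage(log_text):
    """Return (section, reason, line) for every entry that should be fixed."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and re.search(r"=\s*res://.*\.dll/", body, re.I):
            findings.append((sec, "IE search/start page points into a local DLL resource", line))
        elif sec == "R3" and "URLSearchHook is missing" in body:
            findings.append((sec, "default URLSearchHook has been removed", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "browser helper object with no name", line))
        elif sec == "O4":
            exe = re.search(r'\]\s*"?([A-Za-z]:\\[^"]+?\.exe)', body, re.I)
            # An autostart .exe dropped straight into C:\WINDOWS (no subfolder) is a classic CWS drop.
            if exe and re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.exe", exe.group(1), re.I):
                findings.append((sec, "autostart executable directly in the Windows folder", line))
        elif sec == "O23":
            name = body.split(" - ")[0].replace("Service: ", "").strip().lower()
            if name in LEGIT_RPC_NAMES:
                continue  # the real RPC services, which the thread warns not to touch
            if name in ROGUE_SERVICE_NAMES or "(file missing)" in body:
                findings.append((sec, "rogue service name or service binary missing", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the five hostile entries and leaves the Norton BHO, ccApp and the genuine RPC service alone; the heuristics are a first pass, not a replacement for reading the log.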
LVL 1

Author Comment

by:gerlis
ID: 13886543
RF

Thanks for this. I removed the dodgy entries in Hijackthis and then used about:buster, without re-booting first, as it suggests (I also read the info on the links, very, very interesting).

Made an improvement, no more apparent browser hijack, but... unable to access the web. All other network elements OK (firewall off, IP obtained from router OK, etc.). I ran Ad-aware again and it revealed some more CWS stuff. I think I will have to follow the full procedure specified in http://www.pchell.com/support/onlythebest.shtml. I had cheated a bit by just doing the Hijackthis and about:buster.



LVL 12

Expert Comment

by:rossfingal
ID: 13886878
Hi!

Yes, do not skip any steps!

Download the "Hoster" (this will reset your hosts file to the default) -
http://members.aol.com/toadbee/hoster.zip
Unzip it to the desktop and run it.
Click "Restore original HOSTS" and OK any prompts.
You may have to reimmunize with Spybot, SpywareBlaster, and/or IE-SPYADs, etc. after doing this.
Please restart your computer.

Make sure the Service that you're disabling is Remote Procedure Call (RPC) Helper (Note the name!) -

NOT - Remote Procedure Call (RPC)
or
Remote Procedure Call (RPC) Locator

These last 2 are valid, vital services - Don't do anything with them!!

RF
LVL 12

Expert Comment

by:rossfingal
ID: 13886944
This infection changes the names of the "bad" DLLs and EXEs when you reboot -
watch for that.
LVL 29

Expert Comment

by:blue_zee
ID: 13887535

And on your way out of trouble (you will succeed), fix this too:

O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
(Description: Hotbar/WeatherOnTray: spyware/adware that monitors every site you visit and pops-up ads based on those sites.)

and delete the C:\Program Files\Hotbar\ folder.

Zee
LVL 1

Author Comment

by:gerlis
ID: 13889035
Success!

Thanks all. We are dealing with so much spyware with our clients, but this was a new one on us!

Interestingly, in following the procedure in http://www.pchell.com/support/onlythebest.shtml we did not find any of the elements in the Services or the Registry that it asks to look for, and there was no Hosts file. But I did run the about:buster, as mentioned, then Ad-aware (all in safe mode), again checked Hijackthis, and when re-booted all was fine, web access no problem.

I am adding the links to the useful resources and the utilities you gave me to my "toolkit"!

Points to rossfingal...
LVL 12

Expert Comment

by:rossfingal
ID: 13889310
Hi!

It's very strange that you did not find that bad Service listed.
The Service listed on the PCHell removal page is only one of several
names that this uses - presently, there are 4 that we know of:
 Workstation NetLogon Service
 Network Security Service
 Remote Procedure Call (RPC) Helper
 Remote Access Service

HijackThis doesn't "usually" make a mistake with this one.

From the run box, type "services.msc" (without quotes)
and see if it's listed.
It might be prefixed with "Legacy"

Also, you could run Getservices just to make sure - from:
http://www.bleepingcomputer.com/files/spyware/getservice.zip

It might not be a bad idea to run DllCompare - just to make sure no unwanted DLLs are left:
http://download.broadbandmedic.com/DllCompare.exe

Let me know if you have any problems.
RF
LVL 12

Expert Comment

by:rossfingal
ID: 13889447
One other thing I just remembered.
This infection can hook files using ADS - "Alternate Data Streams".
If their file system is NTFS that's something to take into consideration.

RF
LVL 1

Author Comment

by:gerlis
ID: 13915836
Remote Procedure Call (RPC) Helper does appear, but none of the other three you mention, nor is there one prefixed with "Legacy".

Nonetheless we managed to sort it out.

Thanks again for all your help.
