Status: Solved

Cannot remove some spyware

Tried everything on this client's laptop: Ad-Aware, Spybot, cleaning the temp and Internet temp folders, Norton AV, CWShredder, SP2 upgrade and HijackThis (also using the hijackthis.de analyzer), but they still keep reappearing (see the first few entries in the log below). It's mainly affecting the browser.

All help welcomed.


HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 09:21:28, on 28/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\adddj32.exe
C:\WINDOWS\sysjj.exe
C:\test\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {80010426-C366-9F5D-EAF5-3372D821F450} - C:\WINDOWS\system32\d3rc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [adddj32.exe] C:\WINDOWS\adddj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/yregucfg/2004_10_11_1/yregucfg.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109067297865
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwa.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Asked by gerlis

rossfingal commented:
Hi!

Here's the procedure for removing this:
http://www.pchell.com/support/onlythebest.shtml

You can download "About:Buster" from here:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

The "bad" Service is this one:
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwa.exe (file missing)

Any problems - let us know.

RF

rossfingal commented:
By the way,
These are the entries that you should fix in HijackThis:

C:\WINDOWS\adddj32.exe

C:\WINDOWS\sysjj.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imaak.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {80010426-C366-9F5D-EAF5-3372D821F450} - C:\WINDOWS\system32\d3rc.dll

O4 - HKLM\..\Run: [adddj32.exe] C:\WINDOWS\adddj32.exe

Also, with this particular infection -
often you'll have to go through the removal procedure listed on the PCHell page more than once.
Sometimes 2 or 3 times.
Let me know how it goes.

Good luck!
RF

gerlis (author) commented:
RF

Thanks for this. I removed the dodgy entries in HijackThis and then used About:Buster, without rebooting first, as it suggests (I also read the info on the links, very very interesting).

Made an improvement, no more apparent browser hijack, but... unable to access the web. All other network elements OK (firewall off, IP obtained from router OK, etc.). I ran Ad-Aware again and it revealed some more CWS stuff. I think I will have to follow the full procedure specified in http://www.pchell.com/support/onlythebest.shtml. I had cheated a bit by just doing the HijackThis and About:Buster steps.




rossfingal commented:
Hi!

Yes, do not skip any steps!

Download the "Hoster" (this will reset your hosts file to the default) -
          http://members.aol.com/toadbee/hoster.zip
          Unzip it to the desktop and run it.
          Click "Restore original HOSTS" and OK any prompts.
          You may have to reimmunize with Spybot, SpywareBlaster,
          and/or IE-SPYADs, etc. after doing this.
          Please restart your computer

Make sure the Service that you're disabling is Remote Procedure Call (RPC) Helper (note the name!) -

NOT - Remote Procedure Call (RPC)
or
Remote Procedure Call (RPC) Locator

These last 2 are valid, vital services - Don't do anything with them!!

RF

rossfingal commented:
This infection changes the names of the "bad" DLLs and EXEs when you reboot -
watch for that.

blue_zee commented:

And on your way out of trouble (you will succeed), fix this too:

O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
(Description: Hotbar/WeatherOnTray: spyware/adware that monitors every site you visit and pops-up ads based on those sites.)

and delete the C:\Program Files\Hotbar\ folder.

Zee

gerlis (author) commented:
Success!

Thanks all. We are dealing with so much spyware with our clients, but this was a new one on us!

Interestingly, in following the procedure in http://www.pchell.com/support/onlythebest.shtml we did not find any of the elements in the Services or the Registry that it asks to look for, and there was no Hosts file. But I did run About:Buster, as mentioned, then Ad-Aware (all in safe mode), checked HijackThis again, and when rebooted all was fine, web access no problem.

I am adding the links to the useful resources and the utilities you gave me to my "toolkit"!

Points to rossfingal...

rossfingal commented:
Hi!

It's very strange that you did not find that bad Service listed.
The Service listed on the PCHell removal page is only one of several
names that this uses - presently, there are four that we know of:
 Workstation NetLogon Service
 Network Security Service
 Remote Procedure Call (RPC) Helper
 Remote Access Service

HijackThis doesn't "usually" make a mistake with this one.

From the run box, type "services.msc" (without quotes)
and see if it's listed.
It might be prefixed with "Legacy"

Also, you could run Getservices just to make sure - from:
http://www.bleepingcomputer.com/files/spyware/getservice.zip

It might not be a bad idea to run DllCompare, just to make sure no unwanted DLLs are left:
http://download.broadbandmedic.com/DllCompare.exe

Let me know if you have any problems.
RF
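As an added example (not part of the thread, and not HijackThis's own logic), the script below encodes the rules rossfingal and blue_zee applied by hand to the log in the question so they can be run over a saved log instead of eyeballed: IE search/start pages pointed at a res:// resource inside a local DLL, a removed URLSearchHook, a BHO with no name, Run entries for an executable dropped in the Windows directory root or under the Hotbar folder, and O23 services that use one of the four display names listed above, report an unknown vendor, or point at a missing binary. The name check for services is exact, so the vital Remote Procedure Call (RPC) and Remote Procedure Call (RPC) Locator services are never flagged. The sample log is an excerpt of the log posted in the question plus one constructed line for the legitimate RPC service (HijackThis would not normally list a Microsoft service) to show that protection working.

```python
"""Triage a HijackThis 1.99 log for CoolWebSearch-style indicators.

Added example, not code from the thread or from HijackThis. The rules are
the ones the replies in the thread applied by hand.
"""
import re

# Display names this CWS variant registers its service under (from the thread).
KNOWN_BAD_SERVICES = {
    "Workstation NetLogon Service",
    "Network Security Service",
    "Remote Procedure Call (RPC) Helper",
    "Remote Access Service",
}
# Vital Windows services with confusingly similar names; never flag these.
PROTECTED_SERVICES = {
    "Remote Procedure Call (RPC)",
    "Remote Procedure Call (RPC) Locator",
}
# Folder names of adware called out in the thread, matched as path components.
KNOWN_ADWARE_DIRS = ("\\hotbar\\",)

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
LOCAL_RES_RE = re.compile(r"res://[a-z]:\\", re.I)          # res://C:\...\x.dll
WINDIR_ROOT_EXE_RE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe", re.I)


def classify_service_name(name):
    """Exact-name verdict for an O23 display name: 'protected', 'known-bad'
    or 'unknown'. 'Remote Procedure Call (RPC) Helper' is the bad one;
    'Remote Procedure Call (RPC)' and '... Locator' must be left alone."""
    if name in PROTECTED_SERVICES:
        return "protected"
    if name in KNOWN_BAD_SERVICES:
        return "known-bad"
    return "unknown"


def triage_line(line):
    """Return a short reason if the entry looks hijack-related, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and LOCAL_RES_RE.search(body):
        return "IE search/start page redirected into a local DLL resource"
    if kind == "R3" and body.endswith("URLSearchHook is missing"):
        return "default URLSearchHook removed"
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    if kind == "O4":
        # Body looks like 'HKLM\..\Run: [label] "C:\path\app.exe" args'.
        target = body.split(": ", 1)[-1]
        path = target.split("] ", 1)[-1].strip().strip('"')
        if any(d in path.lower() for d in KNOWN_ADWARE_DIRS):
            return "autorun entry for known adware"
        if WINDIR_ROOT_EXE_RE.fullmatch(path):
            return "autorun of an executable dropped in the Windows directory root"
    if kind == "O23" and body.startswith("Service: "):
        # Body looks like 'Service: <display name> - <vendor> - <binary path>'.
        parts = body[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            name, vendor, binary = parts
            verdict = classify_service_name(name)
            if verdict == "protected":
                return None
            if verdict == "known-bad":
                return "service display name used by this CWS variant"
            if vendor == "Unknown" or "(file missing)" in binary:
                return "service with unknown vendor or missing binary"
    return None


def triage_log(text):
    """Return [(entry, reason), ...] for every flagged line in a log."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


# Excerpt of the log posted in the thread, plus one constructed line for the
# legitimate RPC service (HijackThis does not list Microsoft services).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imaak.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {80010426-C366-9F5D-EAF5-3372D821F450} - C:\WINDOWS\system32\d3rc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [adddj32.exe] C:\WINDOWS\adddj32.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwa.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Procedure Call (RPC) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k rpcss
"""

if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")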

rossfingal commented:
One other thing I just remembered.
This infection can hook files using ADS - "Alternate Data Streams".
If their file system is NTFS that's something to take into consideration.

RF

gerlis (author) commented:
Remote Procedure Call (RPC) Helper does appear, but none of the other three you mention, nor is there one prefixed with "legacy"

Nonetheless we managed to sort it out.

Thanks again for all your help
