Solved

Having trouble removing some threats

Posted on 2007-11-19
Last Modified: 2016-08-29
Hello Experts.

I am having trouble removing some viruses & Adware.  I will upload a HJT log to ee-stuff.com.

Any help would be greatly appreciated!  Thanks!

oceanbeach
Question by:oceanbeach

LVL 32

Accepted Solution

by:
and235100 earned 200 total points
ID: 20312158
Download, install and update SuperAntispyware, before running a full system scan:
http://www.superantispyware.com/download.html

Also - run a full online scan at HouseCall:
http://housecall.trendmicro.com/
LVL 12

Author Comment

by:oceanbeach
ID: 20312172
LVL 32

Expert Comment

by:and235100
ID: 20312196
For other people's ease of use:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:33 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: {8c9ebd99-203b-a2c8-a174-529753800e8e} - {e8e00835-7925-471a-8c2a-b30299dbe9c8} - C:\WINDOWS\system32\ojdgcnqi.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1457c86f] rundll32.exe "C:\WINDOWS\system32\ehgulspw.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: iifcbbc - C:\WINDOWS\SYSTEM32\iifcbbc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7441 bytes
LVL 32

Expert Comment

by:and235100
ID: 20312221
O4 - HKLM\..\Run: [1457c86f] rundll32.exe "C:\WINDOWS\system32\ehgulspw.dll",b
This may be suspicious. Other than that - apart from a lot of unnecessary HP services - I can't see anything else that is really harmful - someone else might though.

What problems are you experiencing?
LVL 32

Expert Comment

by:and235100
ID: 20312241
Apologies -

O20 - Winlogon Notify: iifcbbc - C:\WINDOWS\SYSTEM32\iifcbbc.dll

may be suspect too.
LVL 12

Author Comment

by:oceanbeach
ID: 20312392
LVL 32

Expert Comment

by:and235100
ID: 20312937
Online scanners sometimes just make you aware of the malware located in certain files.
The suspect browser objects need to be deleted - SuperAntiSpyware will do this for you.
The skipped files look like logs and txt files in use by the system - rather than suspected malware.

What did the SuperAntiSpyware scan come back with?
LVL 10

Expert Comment

by:dragonjim
ID: 20312978
Infected: Trojan.Win32.BHO.re
Infected: Trojan.Win32.BHO.rg

HP and Compaq files infected as well.

BHO: (very little on symantec) -- http://www.symantec.com/security_response/writeup.jsp?docid=2007-082301-4219-99&tabid=2
LVL 12

Author Comment

by:oceanbeach
ID: 20313236
Hi Experts,

Sorry, I missed this..."What problems are you experiencing?"
-mostly popups

I have removed many threats already, but these last ones are being difficult.  The kaspersky scan is from yesterday.

I have run SuperAntispyware and uploaded the log...

https://filedb.experts-exchange.com/incoming/ee-stuff/5728-kaspersky_111907-1130.zip
https://filedb.experts-exchange.com/incoming/ee-stuff/5729-ewido-report_112007-0740.zip
https://filedb.experts-exchange.com/incoming/ee-stuff/5730-hijackthis_112007-0756.zip
https://filedb.experts-exchange.com/incoming/ee-stuff/5715-SUPERAntiSpyware.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5708-hijackthis.zip
https://filedb.experts-exchange.com/incoming/ee-stuff/5709-kaspersky.zip


After rebooting, I received this error:
-"Error loading C:\Windows\system32\ehgulspw.dll"

I removed the following registry value (and the error message did not reappear):
-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\1457c86f
Value: rundll32.exe "C:\WINDOWS\system32\ehgulspw.dll",b

I will run a full online scan at HouseCall right now.

Thanks!

oceanbeach
LVL 22

Expert Comment

by:orangutang
ID: 20313515
What about
O2 - BHO: {8c9ebd99-203b-a2c8-a174-529753800e8e} - {e8e00835-7925-471a-8c2a-b30299dbe9c8} - C:\WINDOWS\system32\ojdgcnqi.dll
?
LVL 10

Assisted Solution

by:dragonjim
dragonjim earned 150 total points
ID: 20313619
Sounds like you are on the right track. Orangutang -- I'd suspect that entry as well. Kaspersky scan showed several trojans and some Ad-ware.

Since you're tackling the removal, let us know if you need help with any specific infections.
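
The three entries flagged in the comments above (the O4 rundll32 autostart `1457c86f`, the O20 Winlogon Notify package `iifcbbc`, and the O2 BHO whose display name is itself a GUID) share a pattern: a randomly named DLL in system32 hooked in through a standard persistence location. The script below is an added example, not code from the thread or from HijackThis; it parses HJT O2/O4/O20 lines, flags entries that fit that pattern, and prints the registry key each one is wired in through, which is the key oceanbeach had to delete by hand for the Run value. Assumptions: the random-name heuristic (8 hex characters, or a run of four consonants in a letter-only name of six or more) is a rule of thumb chosen here; the `KNOWN_NOTIFY` allowlist of stock XP Winlogon Notify packages is written from memory; the sample log lines are copied from the log posted above.

```python
"""Triage a HijackThis log for randomly named DLLs hooked in via O2/O4/O20.
Added example (not from the thread). Heuristics only: a hit is a lead to
verify, not proof that the module is malicious."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Registry keys HijackThis reads these sections from (Windows XP era).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Stock XP Winlogon Notify packages (HJT normally hides these). Assumption:
# list written from memory; extend it for your build rather than trusting it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RE_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section the entry came from
    module: str    # DLL the entry loads
    registry: str  # where the hook lives; delete it only after the DLL is confirmed bad
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic for generated names (assumption, tune to taste): an 8-char
    all-hex token (1457c86f) or a letter-only name of 6+ chars containing a
    run of four consonants (ojdgcnqi)."""
    s = stem.lower()
    if len(s) == 8 and all(c in "0123456789abcdef" for c in s):
        return True
    return len(s) >= 6 and s.isalpha() and re.search(r"[^aeiouy]{4}", s) is not None


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").split("\\")[-1]


def _stem(filename: str) -> str:
    return filename.rsplit(".", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious O2/O4/O20 line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O2.match(line):
            name, clsid, path = m.group("name", "clsid", "path")
            dll = _basename(path)
            # A BHO normally has a readable display name; a GUID or nothing is a tell.
            if RE_GUID.match(name) or name in ("", "(no name)") or looks_random(_stem(dll)):
                findings.append(Finding("O2", dll,
                    f"{BHO_KEY}\\{clsid} (class registered under HKCR\\CLSID\\{clsid})",
                    "BHO with a GUID or blank display name, or a random module name"))
        elif m := RE_O4.match(line):
            hive, value, cmd = m.group("hive", "value", "cmd")
            # Only rundll32-style autostarts are examined; bare EXE names are left alone.
            if dm := RE_RUNDLL.search(cmd):
                dll = _basename(dm.group("dll"))
                if looks_random(value) or looks_random(_stem(dll)):
                    findings.append(Finding("O4", dll, f"{hive}\\{RUN_KEY} -> value '{value}'",
                        "rundll32 autostart with a random-looking value or module name"))
        elif m := RE_O20.match(line):
            name, path = m.group("name", "path")
            dll = _basename(path)
            if name.lower() not in KNOWN_NOTIFY and (
                    looks_random(_stem(dll)) or "system32" in path.lower()):
                findings.append(Finding("O20", dll, f"{NOTIFY_KEY}\\{name}",
                    "non-default Winlogon Notify package (loads into winlogon.exe, i.e. as SYSTEM)"))
    return findings


# Lines copied from the HJT log posted above; a benign entry of each type is included.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {8c9ebd99-203b-a2c8-a174-529753800e8e} - {e8e00835-7925-471a-8c2a-b30299dbe9c8} - C:\WINDOWS\system32\ojdgcnqi.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [1457c86f] rundll32.exe "C:\WINDOWS\system32\ehgulspw.dll",b
O20 - Winlogon Notify: iifcbbc - C:\WINDOWS\SYSTEM32\iifcbbc.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.module}: {f.reason}\n      registry: {f.registry}")
```

Run against the sample it reports exactly the three modules the experts singled out (ojdgcnqi.dll, ehgulspw.dll, iifcbbc.dll) and leaves the Adobe BHO, ftutil2 and RTHDCPL alone. Two caveats for anyone using it on a real log: a hit still needs confirming (hash the file and check it against a vendor or multi-engine scanner before deleting anything), and the O20 entry is the one to deal with first, because a Winlogon Notify DLL is loaded inside winlogon.exe, so it cannot be deleted from a normal session and it is free to recreate the Run value and BHO that the other scanners keep "removing".
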
LVL 12

Author Comment

by:oceanbeach
ID: 20313727
Hello Experts,

Somehow, the online scan at HouseCall failed.  I will run an additional scan.

Should I remove the infected dll files & the associated registry entries?  Is there any place to find out if a dll file is legitimate or not?

-OB

LVL 32

Expert Comment

by:and235100
ID: 20313837
Just post the ones you don't know about - and someone can assist...
LVL 12

Author Comment

by:oceanbeach
ID: 20315539
Hi Experts,

I received an indication from HouseCall that 'Bifrose' was detected.  This does not seem to be reported by any other scan I have run.  I was not able to determine what file(s) may have been infected.  Any ideas on how I can confirm this infection?  Is it a false positive?

The online scan at HouseCall has been problematic.  I would try to run another scan if I thought it would help, but I keep having trouble with it.

Thanks!

oceanbeach
LVL 32

Expert Comment

by:and235100
ID: 20315857
Try this online scan if you are having trouble with HouseCall:
http://www.ewido.net/en/onlinescan/

Bifrose - http://www.symantec.com/security_response/writeup.jsp?docid=2004-101214-5358-99

LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 20317239
Did SUPERAntispyware remove all vundo files detected?

You can try running another Kaspersky scan, and then we'll remove the bad files that it detects using another tool like killbox etc.

Does housecall give you a log?

Can you show us a fresh hijackthis log, let's see if vundo/conhook still show up in the scan.
LVL 12

Author Comment

by:oceanbeach
ID: 20320850
Hello EE,

Sorry for the delay.  This has taken a little longer than I had hoped, and I just had to get some other work done yesterday.

I have uploaded:
-kaspersky log (from yesterday)
-ewido log
-HJT log

"Did SUPERAntispyware remove all vundo files detected?"
-I am not sure.  It did remove many infected files, but Spybot found another infection today.  Also, a Spyware Doctor scan after SuperAntiSpyware seemed to come up with several of the same items that SuperAntiSpyware indicated were removed.  An additional AntiSpyware scan after the Spyware Doctor scan gave a clean result.

"You can try running another Kaspersky scan..."
-I have not done this yet, but the most recent scan looks OK, do you agree?  I could rerun another one.

"Does housecall give you a log?"
-I was not able to obtain one.  The first 2 scans I did locked up the browser.  The third one completed and I was able to see the results, but froze the browser again shortly thereafter.  I did run a BitDefender scan yesterday that came back clean.

Thanks again for everyone's help!

-OB
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 20333583
Let's run Combofix and we'll see if it comes up with any bad files.

Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you, please upload the log for us to look at.
LVL 12

Author Comment

by:oceanbeach
ID: 20341330
Hello Experts,

I apologize for not posting sooner.  I have solved my problem.  I wish I could say exactly what I did, but I had to do quite a bit to clean this machine, too much to say in detail.

Thanks!

-OB
LVL 12

Author Closing Comment

by:oceanbeach
ID: 31409926
Experts,

This was tough.  I actually fixed the problem on my own.  However, the most helpful suggestion was to run SuperAntiSpyware.  All other efforts were helpful as well, but I had to do a lot of other work to clean this machine.

Thanks to all that helped out.  I hope everyone agrees to the point split (it was the best I could do).  Let me know if anyone thinks this seems unfair.  I will be more than happy to rereview anything here.

Thanks again!

-OB
LVL 32

Expert Comment

by:and235100
ID: 20412133
No problem - apologies that the assistance wasn't spot on - malware-related problems are sometimes exceptionally hard to clean off permanently (after all that is what they are designed for!)
Thanks in any case.
LVL 47

Expert Comment

by:rpggamergirl
ID: 20417182
Glad to know you've resolved it, sorry you had to do a lot more on your own.
In cases like this, you also have the option to ask for a refund of your points.

Thank you for awarding the points! very generous of you.

Good luck, :)
