
Broken Internet Access


3 replies to this topic

#1 BC-Hosed

BC-Hosed

  • Members
  • 3 posts

Posted 23 August 2008 - 11:14 PM

On May 4, 2008, the second user on this Windows XP machine installed a video player and some highly suspect movies from a site that says, "you just won an iPod" every time you visit it. (Unfortunately the player and site have been forgotten.) Then a ridiculous number of IE windows would just pop up whether you used Firefox or IE.

I logged into my account and IE windows would pop up while I used FF. I ran AVG antivirus and it quarantined several files:
Trojan horse BackDoor.Generic9.AHXS C:\WINDOWS\system32\drivers\clbdriver.sys
Trojan horse Generic10.TDQ C:\WINDOWS\system32\jkklCrpg.dll
Trojan horse Downloader.Purityscan.Y C:\WINDOWS\system32\000090.exe
Trojan horse Downloader.Agent.15.A C:\WINDOWS\system32\000080.exe
Trojan horse SHeur.BIQY C:\WINDOWS\lfn.exe
Trojan horse SHeur.BFTV C:\Documents and Settings\SecondUser\Local Settings\Application Data\Mozila\Firefox\Profiles\default.0es\Cache\272CEDF4d01
Trojan horse SHeur.BIGJ C:\p5zyxt.exe
Trojan horse Generic10.SKI C:\mrs.exe

I rebooted and the OS complained with swagent.exe and swsoc.exe Application Errors. Now I could not browse the internet or ping sites, although ipconfig /all reported my IP and Network Connections | Local Area Connection Status reported Sent and Received Bytes.

A few days later, using a USB key drive, I installed and ran Ad-Aware 2008 and I think it removed some different files, so I unquarantined some of the files AVG found, but still no internet and sw* still complained. I only play Halo on this Windows machine, so I just let it gather dust until now, when I installed HijackThis. I got a log but didn't see anything suspicious at the time (although winself.exe was in the log).

I found this site and http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/, and while creating an account I let AVG run and re-quarantine the files. While on step 3, I decided to close down apps in Task Manager that I wasn't using. Then I noticed winself.exe in both the Task Manager and the HJT log. I saw this http://www.greatis.com/appdata/d/w/winself.exe_Removal.htm but killed winself.exe and manually removed 2 files that came up in a file search for winself, as well as winself.exe. There are 3 registry keys that I did not touch.

1) Can I just delete the 3 keys starting at MsSecurity1.209.4?
HKLM\System\ControlSet001, ControlSet002, and CurrentControlSet\Services\MsSecurity1.209.4


Today Ad-Aware found 2 MRU objects and I let it delete them per step 3. That was a 4.5 hour scan, so I rebooted and only repeated with a Smart Scan, over in less than 30 minutes -- nothing found.

I had Spybot at one point, but I must have uninstalled it as well as ZoneAlarm (unless a virus did?). Trying to copy Spybot 1.6 via the USB key drive today, I learned that although they have an exe for updates, spybotsd_includes.exe, apparently I need an internet connection to do the initial install.

I assume step 5 is to be done with an internet connection, so I skipped that step.

I didn't see Auto Clean for step 6, but checked boot sectors.

From the HijackThis log, I see now that sw* is for the O23 Service ColdFusion, which I'll just remove and maybe reinstall.
O10 Broken Internet seems to be from webhancer adware I removed a long time ago, I suppose (maybe even through an old install of Spybot S&D?).

2) I can't connect to the internet via static IP or DHCP. IE windows do not pop up now, but it may just be because I do not have an internet connection.

Thanks for your assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:10 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\HAUPPA~1\MVPStart.exe
C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
K:\stinger.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 195.85.134.17 www.solidsteel.nl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\FAH504-Console.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Z800 3DVisor Software Utility.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Add to MVP Favorite Radio Stations - C:\Program Files\Hauppauge MediaMVP\mvp.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1741622B-F88E-4E60-8FB5-466A56E916B3}: Domain = myhost.westell.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1741622B-F88E-4E60-8FB5-466A56E916B3}: NameServer = 192.168.1.1
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: MVPMedia - Hauppauge Computer Works - C:\PROGRA~1\HAUPPA~1\MVPStart.exe
O23 - Service: MVPMediaSvc - Hauppauge Computer Works, Inc. - C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8286 bytes
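As an added triage example (not something the poster, the helper or BleepingComputer supplied), the script below parses lines in the format of the HijackThis log above and flags the kinds of entries a helper reads first: entries whose target file is missing, a broken O10 LSP chain, O4 autoruns under the SYSTEM or .DEFAULT hives, O1 hosts-file overrides and O18 filters with no CLSID. The sample lines are constructed from the log in this post; the rules are my own rules of thumb, not HijackThis' own scoring, and a flagged line is a starting point for review, not a verdict. The O10 rule is the one that matches the symptom described here: a Winsock LSP pointing at a DLL that was removed breaks every TCP/IP application even though ipconfig and the adapter counters look healthy.

```python
import re
from collections import Counter

# Constructed sample: lines in the shape of the HijackThis log in the post
# above (raw strings keep the backslashes literal). Two non-entry lines are
# included to show that they are skipped.
SAMPLE_LOG_LINES = [
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"O1 - Hosts: 195.85.134.17 www.solidsteel.nl",
    r"O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll (file missing)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKUS\S-1-5-18\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE (User 'SYSTEM')",
    r"O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing",
    r"O18 - Filter hijack: text/html - (no CLSID) - (no file)",
    r"O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# Every HijackThis entry starts with its section code, e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Hives under which legitimate user software almost never registers an autorun.
# This list is my own heuristic (an assumption), not a HijackThis rule.
SYSTEM_HIVES = (r"HKUS\S-1-5-18", r"HKUS\.DEFAULT")


def parse_entry(line):
    """Return (section, body) for an 'Oxx - ...' line, or None for anything else."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    return match.group(1), match.group(2)


def triage(lines):
    """Flag entries a helper would look at first. Each finding carries the
    section code, the original line and the list of reasons it was flagged."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []
        # Orphaned references: the registration survived but the file was removed.
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("target file no longer exists (orphaned entry)")
        # O10: a Winsock LSP entry for a missing DLL breaks every TCP/IP app,
        # which matches the 'cannot browse although ipconfig is fine' symptom.
        if section == "O10":
            reasons.append("Winsock LSP chain broken; network stack fails until repaired")
        # O4 autoruns in the SYSTEM or .DEFAULT hives run before any user logs in.
        if section == "O4" and any(hive in body for hive in SYSTEM_HIVES):
            reasons.append("autorun registered under a system/default hive")
        # O1: any hosts-file override bypasses DNS for that hostname.
        if section == "O1":
            reasons.append("hosts file overrides DNS for a hostname")
        # O18: a MIME filter with no CLSID cannot be a normal registration.
        if section == "O18" and "(no CLSID)" in body:
            reasons.append("MIME filter registered without a CLSID")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


def summarize(findings):
    """Count flagged entries per section code."""
    return dict(Counter(f["section"] for f in findings))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
    print(summarize(triage(SAMPLE_LOG_LINES)))
```

Run against the sample, the HKLM AVG autorun and the NVIDIA service pass through untouched, while the O18 line is flagged twice (no CLSID and no file). The point of keeping findings as data rather than printing them is that the same rules can be re-run over a fresh log after cleanup to confirm the orphaned O23 and O10 entries are gone.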


#2 Grinler

Grinler

Lawrence Abrams


  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 09 September 2008 - 02:48 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis log as a reply to this topic.

#3 BC-Hosed

BC-Hosed
  • Topic Starter

  • Members
  • 3 posts

Posted 13 September 2008 - 03:48 PM

Thank you for taking my case Grinler.

I was reading the information you posted and linked to when I became concerned about how I can install the Windows XP Recovery Console, since I use XP (and my problem is that I have no internet connection), and reading through the instructions, it seems to want to use the internet. Then I remembered that the Spybot team had told me how to install Spybot without an internet connection, but I had not had the opportunity to try that yet. So I decided to try to install Spybot again before trying your instructions, to see if I became stuck due to having no internet connection.

I don't know if it will help anyone, but on step 4 at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/, when it mentions "Download SpyBot - Search and Destroy and install the program. After installing the program...", if one of the problems a BC user has is no internet connection, then they need to unselect the "Download updates immediately" checkbox in the Full Install for Spybot. Then run spybotsd_includes.exe to get the update without using the internet.

Now I was able to install Spybot, and it found smdat32a.sys. Either this or some other file had an icon like internet connection pipes as a problem (within Spybot), and after it fixed these items I have internet again, and I don't get the popups.

So at this point I'm running AVG again and maybe just need a link on general defensive practices. One step I will now include is to remove some files from my machine and definitely turn on System Restore. This has saved the other user here on their machine (the one who caused the problem on my machine), but they didn't have the issues I had.

What would you advise at this point? ComboFix looks like it will find and remove any malware the others missed. Should I continue with your steps? At this point I believe I'm okay, but definitely want to add some defense/proactive measures against threats.

Regards.

#4 Grinler

Grinler

Lawrence Abrams


  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 16 September 2008 - 09:12 AM

Yes, I suggest that you continue with the ComboFix instructions.
