It's Not AVGold...But It's Similar


This topic is locked
4 replies to this topic

#1 DXGypsy (Members, 5 posts)

Posted 30 August 2005 - 01:18 PM

Howdy all.


I got bugged the other day. From what it's doing (hijacking, swerving me towards buying antivirus software, etc.) I thought it was the Antivirus Gold bug.

So I d/l'ed Killbox, HijackThis, and avgoldfix. I followed the steps, but when I was in safe mode and ran HijackThis, the files I was supposed to check weren't there.

According to instructions I needed to check the following three files:

O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe


However, none of those files are present.

This is a copy of the Hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:17:12 PM, on 8/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\outpostupdate.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Documents and Settings\test\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\test\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\test\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06974509-E7AA-41C3-8C55-EB5945F17711} - C:\WINDOWS\System32\plch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\PROGRA~1\Accoona\atoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59163CC5-D500-4450-BDE8-182FCEF81A28}: NameServer = 205.188.146.145
O18 - Filter: text/html - {E7F5D2EE-8616-4DB3-A14C-E68FD93CF2DC} - C:\WINDOWS\System32\plch.dll
O18 - Filter: text/plain - {E7F5D2EE-8616-4DB3-A14C-E68FD93CF2DC} - C:\WINDOWS\System32\plch.dll
O21 - SSODL: Adobe Acrobat 5.0 - {19898479-C88E-86AA-52CD-EC1F30792B55} - c:\program files\adobe\acrobat 5.0\reader\winyeyaau5.dll
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



There are a few mentions of an "outpostupdate.exe". Could that be my badguy?

My Norton is detecting it as both "W32.Desktophighjack" and "Trojan.StartPage".


If anyone can identify my bug from the above log and point me in the right direction to kill it I'll buy you the best cup of coffee you ever had.

Well...

OK, I'll buy myself the best cup of coffee I ever had... but I promise I'll think of you while I drink it.

Thanks in advance.

~Gypsy


#2 viccy (Malware Exterminator, Security Colleague, 433 posts, Kansas)

Posted 01 September 2005 - 04:28 PM

Welcome to Bleeping Computer.

Looks like you've got several problems going on. Let's see if we can get you cleaned up.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download SpSeHjfix for XP/2000 from here:
http://www.trojaner-info.de/cgi-bin/downlo...gi?file=sphjfix
Download and install http://www.ccleaner.com/ccdownload.php

Reboot into safe boot. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter.
Run Ccleaner.
In safe mode doubleclick SpSeHjfix.exe and click " Desinfektion starten", then the tool will restart the computer.



DOWNLOAD PROGRAMS


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Close Ewido, we will use this later.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:


O2 - BHO: (no name) - {06974509-E7AA-41C3-8C55-EB5945F17711} - C:\WINDOWS\System32\plch.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\PROGRA~1\Accoona\atoolbar.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O18 - Filter: text/html - {E7F5D2EE-8616-4DB3-A14C-E68FD93CF2DC} - C:\WINDOWS\System32\plch.dll
O18 - Filter: text/plain - {E7F5D2EE-8616-4DB3-A14C-E68FD93CF2DC} - C:\WINDOWS\System32\plch.dll
O21 - SSODL: Adobe Acrobat 5.0 - {19898479-C88E-86AA-52CD-EC1F30792B55} - c:\program files\adobe\acrobat 5.0\reader\winyeyaau5.dll


7. Close all other windows click the Fix Checked box.

8. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

9. Open Ad-aware and do a full scan. Remove all it finds.

10. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

11. Next go to Control Panel, click Appearance and Themes > click Display > Desktop tab > click Customize Desktop > Web tab > uncheck anything in there if present.

12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post the SpSeHjfix logfile, ActiveScan log, Ewido log, smitfiles.txt log and a fresh HijackThis log. Let me know how your computer is running.

Edited by viccy, 01 September 2005 - 04:33 PM.
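The fix list in viccy's post is built by reading the HijackThis log in DXGypsy's first post line by line and asking, for each autorun, BHO, toolbar, filter and SSODL entry, whether it looks like something the machine's owner installed. The Python script below is an added example (not code from the thread, from HijackThis, or from BleepingComputer) that does that triage mechanically over the log format above: it parses the `R`/`O` lines, extracts the file or command each entry loads, and applies heuristics of the kind a helper uses to decide what goes in the "Fix checked" list (a target under a Temp directory, an autorun value that is a bare file name, `rundll32` used as a loader, a BHO with no name, a `text/*` MIME filter, an SSODL entry, an orphaned `(file missing)` entry, and an IE search page pointing at a `res://` DLL resource or `about:blank`). It also groups entries by file name, which is what makes `plch.dll` stand out as both a BHO (O2) and a MIME filter (O18), and `outpostupdate.exe` as sitting in three Run keys at once. The embedded log is a constructed subset of the one posted above; the heuristics and their wording are this example's own assumptions, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in the thread,
# keeping the entries the heuristics react to plus a few benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\test\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06974509-E7AA-41C3-8C55-EB5945F17711} - C:\WINDOWS\System32\plch.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\test\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O18 - Filter: text/html - {E7F5D2EE-8616-4DB3-A14C-E68FD93CF2DC} - C:\WINDOWS\System32\plch.dll
O21 - SSODL: Adobe Acrobat 5.0 - {19898479-C88E-86AA-52CD-EC1F30792B55} - c:\program files\adobe\acrobat 5.0\reader\winyeyaau5.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2/O3/O9/O18/O21 body: ... - {CLSID} - path [ (file missing)] [ (HKCU)]
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.*?)(?: \(file missing\))?(?: \(HKCU\))?$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
FILE_RE = re.compile(r"[\w~.\-]+\.(?:exe|dll|ocx)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str      # HijackThis section code, e.g. "O4"
    body: str      # text after "O4 - "
    target: str    # file or command the entry loads ("" if none)
    reasons: list = field(default_factory=list)  # triage notes; empty means nothing flagged


def target_of(kind, body):
    """Pull out the file or command line an entry causes to be loaded."""
    if kind == "O4":
        m = O4_RE.match(body)
        return m.group("cmd") if m else ""
    if kind in ("O2", "O3", "O9", "O18", "O21"):
        m = CLSID_RE.search(body)
        return m.group("path") if m else ""
    if kind in ("R0", "R1"):
        return body.partition(" = ")[2]
    return ""


def triage(kind, body, target):
    """Heuristic reasons (this example's own) an entry deserves a closer look."""
    reasons = []
    if TEMP_RE.search(target):
        reasons.append("loads from a Temp directory")
    if "(file missing)" in body:
        reasons.append("target file is missing (orphaned entry)")
    if kind == "O4":
        m = O4_RE.match(body)
        parts = m.group("cmd").split() if m else []
        exe = parts[0].strip('"') if parts else ""
        if exe.lower() in ("rundll32", "rundll32.exe"):
            reasons.append("rundll32 used as a loader for a DLL")
        elif exe and "\\" not in exe:
            reasons.append("bare file name, resolved through the search path")
        if m and m.group("key") == "RunServices":
            reasons.append("RunServices key (Windows 9x-era autorun key; ask why it is populated)")
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a display name")
    elif kind == "O18" and body.startswith("Filter: text/"):
        reasons.append("MIME filter on text/* content sees every page IE renders")
    elif kind == "O21":
        reasons.append("SSODL entry, loaded into Explorer at logon")
    elif kind in ("R0", "R1") and (target.startswith("res://") or target == "about:blank"):
        reasons.append("IE start/search page hijacked (res:// DLL resource or about:blank)")
    return reasons


def parse_log(text):
    """Parse the R/O lines of a HijackThis log into triaged entries; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes", blank lines
        kind, body = m.group("kind"), m.group("body")
        target = target_of(kind, body)
        entries.append(Entry(kind, body, target, triage(kind, body, target)))
    return entries


def group_by_file(entries):
    """Map a lower-cased file name to the section codes that reference it, in log order."""
    groups = {}
    for e in entries:
        m = FILE_RE.search(e.target)
        if m:
            groups.setdefault(m.group(0).lower(), []).append(e.kind)
    return groups


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        if e.reasons:
            print(f"{e.kind} - {e.body}\n    -> " + "; ".join(e.reasons))
    for name, kinds in group_by_file(found).items():
        if len(kinds) > 1:
            print(f"{name}: referenced from {', '.join(kinds)}")
```

Treat the output as a review queue, not a verdict. The bare-name rule also flags `[ATIModeChange] Ati2mdxx.exe`, which viccy left alone, and `outpostupdate.exe` is not flagged on its own at all (a full path under System32 reads as ordinary); it only stands out because it is registered in three Run keys at once. That is why the cross-reference step matters as much as the per-line rules.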


#3 DXGypsy (Topic Starter)

Posted 04 September 2005 - 03:29 PM

OK,

I've been working on all this. It seems the virus is gone but I have a few residual problems left over.

Since I ran all these things something happened to my toolbar at the bottom of the screen. My START button is gone. Also when I minimize a window I don't get a button on the toolbar to open it back up.

Also, most of the programs that were on my desktop (including all the AVs and cleanups I d/l'd for this project) will no longer open. They all say "The application has failed to start because the application configuration is incorrect."

As such I cannot open Ad-Aware, Ewido, or the SpSeHjfix.exe log.

HijackThis is working, but the log itself won't appear, and without a START button I can't go look for it.

Now I have tried the online scan, and it d/led and updated, but the next page gives me a script error and a blank page regardless of whether I click yes or no.

Any thoughts on my next step?

#4 viccy (Malware Exterminator, Security Colleague)

Posted 06 September 2005 - 09:33 AM

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Run Ewido in safe mode and another HijackThis log, and post both in your reply.

#5 viccy (Malware Exterminator, Security Colleague)

Posted 04 October 2005 - 09:35 AM

Due to the lack of feedback this Topic is closed.



