Have a new Trojan, or Virus



#1 shostetler


Posted 11 May 2004 - 02:29 PM

Hello... I've come here in search of some people who know about these things. I seem to have caught a trojan, and also have a few hijackers running around on my system. So far, my system resources are starting to decline and windows are taking exceedingly long to close. My system startup is also slowing down. Beyond that, every 10 min or so I get a popup window saying "No modem found!"; if left alone it will keep trying to open whatever program and will send more msgs saying "already running!". Also, there are Internet Explorer popup windows that just open when I browse my files or close my browser saying I have spyware installed on my computer. Though I use Opera as my primary browser, I caught this by using FlashPeak SlimBrowser. Norton caught a virus and deleted it, but it's still infected my computer. There used to be no homepage on FlashPeak, but now there is some page that has no address but shows as "Search for" with links in it. I can't seem to get rid of this, as it keeps coming back. My IncrediMail has also received emails from myself with the homepage for a "search for", and Norton crashed saying it had corrupted files, then came back up again; a scan with Norton revealed nothing. I've used Spybot to delete everything possible, HijackThis, and Adware Gold.

Adware gave me 16 spywares it found, including a "Hijacker.CoolWebSearch" 4 separate times. This just keeps coming back.

Trojan Hunter gave me 2 separate Trojans, both of which I have tried renaming. The g1d.exe file keeps renaming itself to something else if I use Trojan Hunter to rename the file.

Found trojan file: C:\WINDOWS\system32\oimg.dll (Hijacker.Plc.100)
Found trojan file: C:\WINDOWS\windial32.exe/g1d.exe (Dialer.Sks.100)
2 trojan files found

Here's a copy of my hijackthis log:

I have deleted the searchmeup files, as well as the iexplorer.exe and they keep coming back.




Logfile of HijackThis v1.97.7
Scan saved at 2:02:30 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Registry Firewall\RegFirewall.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
D:\downloads\HijackThis.exe
C:\Program Files\Opera721\opera.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oimg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C12F1F25-2A4A-43D5-B8E4-F85AE5C5BC15} - C:\WINDOWS\System32\oimg.dll
O2 - BHO: (no name) - {F2D58883-C656-4BCA-9361-CD9BC102F291} - C:\WINDOWS\System32\mli.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RegFirewall] C:\Program Files\Registry Firewall\RegFirewall.exe -A
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\seth\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_3_1,0,2,5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7520.9263078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


#2 Papakid


Posted 12 May 2004 - 01:59 PM

Hi shostetler and welcome to BC. My apologies for the delay.

Searchmeup is pretty nasty and a safe fix method is still being worked on. You also have the PWSteal.AlLight trojan installed. We're going to try to clean that up first and it may help with the other. Once it's gone you'll need to change any RAS, ICQ, and network passwords. Norton and TrojanHunter may also have been compromised, but we'll deal with that later.

Please run these two online scans:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean.

Then scan again with HijackThis and post another log.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 shostetler


Posted 13 May 2004 - 05:37 AM

PapaKid,

Thanks for the reply. Since I've begun trying to remove this virus, I'm unable to read or even select any emails in IncrediMail to delete without a popup window from IE coming up telling me I have spyware installed, whether I have IE running or not. As for the scans... I was unable to use my Opera browser to run the scan, so I had to use IE. IE was able to run ActiveScan; however, TrendMicro's scan quickly shut down IE before even running and gave me the following error signature:

AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: unknown
ModVer: 0.0.0.0 Offset: 2ae6dfe2

ActiveScan suggested to turn off system restore in Windows XP and reboot and this would delete the virus, only problem is, I already have system restore disabled on all drives. So, now what do I do?

As for the PWSteal.AlLight trojan, I clicked on the link you provided and went to Symantec's site and followed their recommendations to delete the "RunWin32 %windir%\RunWin32.exe" entry from the registry. After running Regedit and getting to the "run" folder specified, there was no such entry, so again, I'm at a loss.

I'm going to click send, reboot, disable everything I can from startup and run HijackThis again and post a log of what I find. Also, I have a SCSI drive as my C drive, as well as 2 other IDE hard drives. As such, I'm unable to start Windows in "safe" mode as it hangs up and fails to start.

Again, thank you for your help.

#4 shostetler


Posted 13 May 2004 - 06:43 AM

Here's my latest HijackThis scan upon rebooting.... btw, perhaps this is a dumb question, but what are RAS passwords?

Logfile of HijackThis v1.97.7
Scan saved at 6:39:33 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\runwin32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\ctfmon.exe
D:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iici.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8EEBD11F-A141-4ED0-86D3-2C47E299A6A0} - C:\WINDOWS\System32\iici.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C12F1F25-2A4A-43D5-B8E4-F85AE5C5BC15} - C:\WINDOWS\System32\oimg.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {F2D58883-C656-4BCA-9361-CD9BC102F291} - C:\WINDOWS\System32\mli.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\seth\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_3_1,0,2,5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7520.9263078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#5 shostetler


Posted 15 May 2004 - 11:47 AM

Since I've tried deleting these files with Trojan Hunter, I've scanned again and come up with these 2 files.....

Found trojan file: C:\WINDOWS\system32\hkpp.dll (Hijacker.Plc.100)
Found trojan file: C:\WINDOWS\windial32.exe/dGmRX.exe (Dialer.Sks.100)
2 trojan files found


The dll and exe files, no matter what I do just keep renaming themselves into another file. Is there some other file or virus that I have that is causing these files to reappear as something else? Thanks in advance...

#6 Papakid


Posted 15 May 2004 - 12:39 PM

shostetler

You've got a new version of the Look2ME/VX2/Betterinternet parasite. Removal is very complex and I'm still figuring it out. Your setup (multiple drives) and not having access to safe mode further complicates matters. But I believe we can work around that. Just hang in there a little longer. One thing I need to know, your OS is installed on the C:, right? How do you use your other drives?



#7 shostetler


Posted 15 May 2004 - 01:08 PM

Well, when I built my computer, I wanted speed, so I had to use a Seagate Cheetah as my main drive; only problem was, it's SCSI.... Looking back, I wish I had done things differently.

My drive setups are as follows, C has Windows XP installed with service pack 1, also, all my "programs" I try to install and run on C drive as well. D drive is IDE and used for games as well as mp3s, pictures, etc etc, drive G is just a small 40 gig drive just for movies and video clips. E and F are cd/dvd drives. I'm not sure why I have a problem with rebooting in safe mode. It will get to something called WUD.dll, or something like that and just hang. This also happens if I try doing a scan disk upon reboot, it will also hang up, which has been even harder to fix. Please let me know if there is anything else I can let you know about my setup that would assist you. Thanks!

#8 shostetler


Posted 15 May 2004 - 07:17 PM

Just out of curiosity, I deleted runwin32, as well as windial32 from my "downloads" folder. Since then, everything seems to be ok... need to run a scan, but no more popups... what exactly runwin32 does is beyond me, I'm gonna have to look up some info on it to see if I can delete it from my registry or not.

#9 Papakid


Posted 15 May 2004 - 07:42 PM

OK shostetler, I'm not sure what those files are, but I sincerely doubt that the hijacker is gone. Reboot a time or two, then post another log. Were those files in a directory you download to or in the Downloaded Program Files folder?

I was posting to this thread when I got the notice you had posted. I'll continue that after you've posted another log. But here is some other information I'd like to know.

Have you always been unable to boot into safe mode or did that just happen when you were hijacked?

Try booting into safe mode & post back exactly what it's getting hung up on. Error codes and filename or whatever information you can get.

We'll work on trying to get rid of that trojan next time.



#10 shostetler


Posted 17 May 2004 - 07:37 AM

Ok, this is weird. I tried booting up in safe mode, and got hung up on a wup.sys file. I was writing the whole extension down when it booted up in safe mode. So... anyways, I figured if need be, I can use safe mode. I deleted runwin32.exe as well as windial32.exe from my C:Downloads file. Since then, I have not had any pop ups advertising spyware software or anything. Trojan Hunter has also not come up with any Trojans, Norton has no viruses, and here's my most recent HijackThis log....

Logfile of HijackThis v1.97.7
Scan saved at 7:26:31 AM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
D:\downloads\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C12F1F25-2A4A-43D5-B8E4-F85AE5C5BC15} - C:\WINDOWS\System32\oimg.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {E3245963-7D4D-486E-9843-7C6433FD19A9} - C:\WINDOWS\System32\hkpp.dll (file missing)
O2 - BHO: (no name) - {F2D58883-C656-4BCA-9361-CD9BC102F291} - C:\WINDOWS\System32\mli.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\seth\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_3_1,0,2,5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7520.9263078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#11 Papakid


Posted 17 May 2004 - 10:33 AM

Hi,
I'm afraid I misdiagnosed this as a VX2 infection when actually it is a tricky new variant of CoolWebSearch that CWShredder is unable to fix yet. You still have an active file. Here's what I want you to do:

Any programs I recommend that you don't already have should be downloaded first. Then disconnect from the net for the rest of it.

1. Run CWShredder.
Direct Download of CWShredder

After you download the program, unzip it into a directory (folder). Double click on CWShredder.exe to open it and click Fix.

Please view this tutorial for details: How to remove CoolWebSearch with CoolWeb Shredder

Run AdAware--not to be confused with Adware Gold. Get it from Here:
http://www.lavasoftusa.com/software/adaware/

Please review our tutorial here: Ad-Aware Tutorial
But configure it like this:

1. Click Settings (Gear at the top) > Tweaks > click the + sign next to Scanning Engine to expand & check "Unload recognized processes during scanning."

2. In the same window, expand Cleaning Engine & check "Let Windows remove files in use after reboot."
Press "Scan Now".
Confirm that "Use Custom scanning options" & "Activate In-Depth Scan" are checked.
Now press "Next" to let Ad-aware scan your drives.
Allow the program to fix what it finds.

3. Run Spybot Search & Destroy 1.3--this is the new version with the latest updates. See this thread. I recommend that you uninstall v 1.2 and when installing 1.3 and it asks you to install Immunize and TeaTimer, say no--that can be done later. Do allow it to back up your registry. Check for updates, run it and allow it to fix all that it finds.
Spybot - S&D Tutorial

4. Scan again with HijackThis. Close all other windows, put a checkmark by these entries, double-checking to be sure that only these entries are checked & then click the "Fix checked" button.


O2 - BHO: (no name) - {C12F1F25-2A4A-43D5-B8E4-F85AE5C5BC15} - C:\WINDOWS\System32\oimg.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {E3245963-7D4D-486E-9843-7C6433FD19A9} - C:\WINDOWS\System32\hkpp.dll (file missing)
O2 - BHO: (no name) - {F2D58883-C656-4BCA-9361-CD9BC102F291} - C:\WINDOWS\System32\mli.dll (file missing)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_3_1,0,2,5.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

If you know what this is and use it, keep it. Otherwise remove:
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\seth\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html


5. Now boot into safe mode. Delete the following files:

C:\WINDOWS\runwin32.exe <--The trojan
C:\Program Files\iWon <--delete the iWon folder.

If it still won't delete, try opening Task Manager (Ctrl+Alt+Delete)>processes tab>select runwin32.exe>End Task.

6. To avoid losing the use of Internet Explorer/internet connection, do this while in safe mode. This is assuming that you don't use a proxy to connect.

Open Internet Explorer>Tools>Internet Options>Connections>double-click on your connection>make sure "use a proxy server..." is unchecked >OK.

Now click the programs tab>Reset web settings>OK>close IE.

7. Boot back into normal mode, scan again with Hijackthis and post another log. If you have any questions or get stuck anywhere, let us know.

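Papakid's triage of the logs above (the searchmeup R0/R1 entries, the "file missing" and unnamed System32 BHOs, the runwin32 Run key, the iexplore.exe copy living in System32, the DPF control pulled from a bare IP) can be written down as a handful of checks over HijackThis lines. The script below is an added example, not code from this thread, from HijackThis or from its author; the heuristics, the hypothetical trusted-host list and the expected-folder table are this example's own assumptions, and the sample lines are copied from the logs posted above.

```python
"""Added example: a small triage pass over HijackThis v1.97-style log lines.
The heuristics are this example's own, not HijackThis's logic; the trusted
host list is a hypothetical stand-in for the user's real home/search page."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oimg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3245963-7D4D-486E-9843-7C6433FD19A9} - C:\WINDOWS\System32\hkpp.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Every HijackThis entry starts with its section tag: R0..R3 or O1..O2x.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Assumption: binaries whose real home folder we know; a copy elsewhere is suspect.
EXPECTED_PARENT = {"iexplore.exe": "\\internet explorer"}


def _host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_r(rest, trusted_hosts):
    """R0/R1: start page, search page, search assistant settings."""
    _key, _, value = rest.partition(" = ")
    value = value.strip()
    # A res:// value means IE's search page is served out of a local DLL.
    if value.endswith("(obfuscated)") or value.lower().startswith("res://"):
        return "search setting served from a local DLL resource"
    if value.startswith("http"):
        host = _host_of(value)
        if host and host not in trusted_hosts:
            return f"browser setting points at untrusted host {host}"
    return None


def check_o2(rest):
    """O2: Browser Helper Objects (DLLs loaded into every IE window)."""
    if rest.endswith("(file missing)"):
        return "BHO registered for a DLL that no longer exists"
    if "(no name)" in rest and "\\system32\\" in rest.lower():
        return "unnamed BHO loaded from System32"
    return None


def check_o4(rest):
    """O4: autostart entries under the Run keys."""
    m = re.search(r'\]\s*"?([A-Za-z]:\\[^"]+?\.exe)', rest, re.IGNORECASE)
    if not m:
        return None
    parent, name = m.group(1).lower().rsplit("\\", 1)
    expected = EXPECTED_PARENT.get(name)
    if expected and not parent.endswith(expected):
        return f"{name} running from an unexpected folder"
    # Legitimate autostarts almost never sit directly in the Windows root.
    if parent.endswith(("\\windows", "\\winnt")):
        return "autorun executable sitting in the Windows folder root"
    return None


def check_o16(rest):
    """O16: ActiveX controls in Downloaded Program Files and their source URL."""
    url = rest.rsplit(" - ", 1)[-1].strip()
    if _is_ip_host(_host_of(url)):
        return "ActiveX control downloaded from a bare IP address"
    return None


def triage(log_text, trusted_hosts=frozenset()):
    """Return (line, reason) pairs for every entry a check objects to."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        kind, rest = m.groups()
        if kind.startswith("R"):
            reason = check_r(rest, trusted_hosts)
        elif kind == "O2":
            reason = check_o2(rest)
        elif kind == "O4":
            reason = check_o4(rest)
        elif kind == "O16":
            reason = check_o16(rest)
        else:
            reason = None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    # Hypothetical trusted host standing in for the user's real home page.
    for line, reason in triage(SAMPLE_LOG, trusted_hosts={"www.google.com"}):
        print(f"{reason}:\n    {line}")
```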


#12 shostetler


Posted 17 May 2004 - 11:03 AM

Sounds good, and I'll get on it ASAP. My popups have again started to resurface when I opened Yahoo Messenger. I'll post a log as soon as possible. Thanks again for the help!

#13 shostetler


Posted 17 May 2004 - 09:59 PM

Well, I hope this did the trick... here's my updated HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 9:57:52 PM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Opera721\opera.exe
D:\downloads\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7520.9263078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#14 Papakid


Posted 18 May 2004 - 01:07 AM

Hey you did great! That log looks good. You should be fine now.

There is one thing I need to check on. If you get more of the same popups let us know.

I want to answer some of your other questions and make some recommendations for prevention, but I need to get up early tomorrow. The first thing you should do, though, is go to Windows Update and make sure you have ALL patches rated critical.



#15 shostetler


Posted 18 May 2004 - 06:06 PM

Cool! Thanks again for all the help. I do have one other issue with "popups", but I think I'll post it in another topic. Again, thanks!



