Help Needed With Various Malware Infections - Nail, Epolvy, Qoologic


4 replies to this topic

#1 LankySlanky

  • Members
  • 5 posts

Posted 10 November 2005 - 12:37 AM

Okay. This thread will be long. Well, this post at least. I have a client right now that has a seriously infected machine. I did the usual, Spybot and Ad-Aware, CWShredder, AboutBuster, ewido, IE-SpyAd install, Spybot Immunization, IE Security tightening, I removed Windows Messenger, installed the GoogleToolbar, etc etc. Lots of the pop-ups are gone, but some are still coming through.

I ran HijackThis (and unfortunately do not have the log as a file, only in printed form), and found some baddies. She had the dreaded Aurora Nail.exe in the log. Below are all the entries I removed. I'll type them manually:
--------------------------------------------------------------------------------

Running processes:
C:\WINDOWS\System32\ozmnbv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwikii.exe reg_run
O4 - HKLM\..\Run: [ojzrsh] c:\windows\system32\ozmnbv.exe r
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannews.com/app/ST/ActiveX.ocx
--------------------------------------------------------------------------------

Now there were a couple of entries in the HJT log that I did not remove but that I considered suspect. Here they are:

Running processes:
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = 127.0.0.1
--------------------------------------------------------------------------------

I also found setdebug.exe, ssk.exe, and offerssk.exe in the C:\WINDOWS dir and I deleted them manually. I also found, when I pressed CTRL-ALT-DEL, that there were random .exe's running like bvoefhg.exe, and when I killed one, another would appear with a completely random name again, like bfhofhr.exe. I killed all of them until none were present.

I know when infected with Aurora you're supposed to run NailFix.exe in Safe Mode. Unfortunately, for the first time ever, I was unable to boot to Safe Mode. For what it's worth, I ran it in a normal Windows session, and it said no infection was present. Can malware cause this? I tried to boot into Safe Mode 5 times, and each time it froze upon loading "Mup.sys". I don't know what that is. Are there other ways to get into Safe Mode? I was considering running CHKDSK and seeing if that corrected the issue at hand.

A quick scan with ewido found 15 problems and I deleted them all. I was unable to run any Virus scans or online scans. I am going back Saturday to do so, and to also upgrade her to SP2, config the firewall, and fix whatever you can help me with here. She did have an updated Norton Anti-Virus for what it's worth.

Basically most of the pop-ups were gone, but some are still present, just not as many. So I know there are still infections on her machine. Also, from the things that I did, her email no longer works. I know malware can screw up your internet connection, but hers still works; it's just that OE6 doesn't go into her POP mail account any longer. What can cause this? Would a full scan with a retail product like Webroot SpySweeper help at all? 'cuz I just purchased a copy. I hope someone can help me. Thank you. Finally, the reason I didn't just wait till Saturday to do a new log is that I need to correct this asap while I am there. I can still post a log, but the vast majority of fixes need to happen that same day.

Edited by Grinler, 11 November 2005 - 11:57 AM.
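As an added triage example (not part of the original post, and not HijackThis code), the following Python script parses lines in the HijackThis log format quoted above and flags the kinds of entries the post discusses: about:blank search hijacks, a Shell= value chaining an extra program onto Explorer.exe, BHOs with no backing file, autoruns launched from the Windows system directory, the ProxyOverride setting, and downloaded ActiveX (DPF) controls. The sample lines are constructed from the post's entries; the severity labels and the system-directory heuristic are my own assumptions for triage, not HijackThis output.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines, modelled on the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwikii.exe reg_run
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
"""

# Heuristic (my assumption): an autorun living directly in %WINDIR% or System32 deserves a look.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[a-z0-9_]+\.exe\b", re.I)

def triage_entry(line: str):
    """Return (severity, reason) for one HJT log line, or None if nothing stands out."""
    kind, _, body = line.partition(" - ")
    if kind == "R1" and body.endswith("= about:blank"):
        return ("suspicious", "IE search/start page reset to about:blank (hijack marker)")
    if kind == "R1" and "ProxyOverride" in body:
        return ("review", "ProxyOverride is set; harmless by itself, confirm no rogue proxy is configured")
    if kind == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":  # anything chained after Explorer.exe is abnormal
            return ("suspicious", f"shell chain: {shell!r} runs alongside Explorer.exe")
    if kind == "O2" and body.endswith("(no file)"):
        return ("review", "BHO registered without a backing file (orphaned CLSID)")
    if kind == "O4":
        target = body.split("] ", 1)[1] if "] " in body else ""
        if SYSTEM_DIR.match(target):
            return ("suspicious", f"autorun launches {target.split()[0]} from the Windows system dir")
    if kind == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        return ("review", f"downloaded ActiveX control from {host}; verify the publisher")
    return None

def triage_log(text: str):
    """Triage every line of a log; returns a list of (line, severity, reason)."""
    hits = []
    for raw in text.splitlines():
        verdict = triage_entry(raw.strip())
        if verdict:
            hits.append((raw.strip(), *verdict))
    return hits
```

Calling triage_log(SAMPLE_LOG) returns six hits; the iTunesHelper autorun is left alone because it runs from Program Files rather than the system directory.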


#2 LankySlanky

  • Topic Starter
  • Members
  • 5 posts

Posted 11 November 2005 - 02:12 PM

Did someone change my thread title? If so, why?

#3 Bobbi Flekman

    The computer whisperer

  • Malware Response Team
  • 4,423 posts

Posted 13 November 2005 - 02:46 AM

I have a client right now that has a seriously infected machine.

Can you explain this sentence?

#4 LankySlanky

  • Topic Starter
  • Members
  • 5 posts

Posted 17 November 2005 - 12:50 AM

I have a client right now that has a seriously infected machine.

Can you explain this sentence?

Sure can. Sorry if it confused anyone. I am a Certified Windows Tech who does many house calls during the week. This particular lady is a client of mine. I didn't mean client as in a machine, but as in a person.
Btw, I went over there last week. I believe all her problems are gone. I ran ewido on all the accounts, X-Cleaner, and Ad-Aware's VX2 plugin found a VX2 variant that was the main source of pop-ups. I believe it was entitled the VX2.ABetterInternet.

#5 Bobbi Flekman

    The computer whisperer

  • Malware Response Team
  • 4,423 posts

Posted 17 November 2005 - 08:08 AM

I'm sorry, but you can imagine that we, as volunteers, are not willing to do your job. We solely support home users.

I suggest you go to SpywareInfo and post a message in this thread to enter Boot Camp. Alternatively there are many other forums that do teach how to handle HijackThis logs, including Bleeping Computer, GeeksToGo? and Tom Coyote's.

This thread will be locked.