
Web-nexus Infection

4 replies to this topic

#1 atarinite

Posted 05 January 2006 - 03:19 PM

Hello,
I have been working on a computer that was infected with various malware. I loaded Spybot and Ad-Aware, booted up in safe mode with networking, and launched/updated/scanned with Spybot and Ad-Aware. They got everything, but one set of adware keeps coming back for more. Ad-Aware has it as web-nexus. There seem to be two things in common each time the computer gets reinfected. A file called oojz.exe is put into the All Users Startup folder. Also there is an entry in HKLM/Software/Microsoft/Windows/CurrentVersion/Run that runs ppcakp.exe. Anyhow, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:36:44 PM, on 1/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect.michigan.gov/portal/site/sos/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SnagIt] C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe /h
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ppcakp.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Z0o5RganV] nsvog.exe
O4 - HKCU\..\Run: [ouum] C:\PROGRA~1\COMMON~1\ouum\ouumm.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: XPStartup.lnk = C:\Program Files\XPStartup\XPStartup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html...47AHUS_ZSzeb028
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093013225246
O16 - DPF: {C3CCBC0D-D331-11D2-B2EA-004033A01719} (QKTransfer.QuicTransfer) - http://www.quicknowledge.com/training/cont.../QKTransfer.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sos.ad.state.mi.us
O17 - HKLM\Software\..\Telephony: DomainName = sos.ad.state.mi.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{31D9596F-0741-4F23-B9DC-E79D22C729FD}: NameServer = 204.23.227.20,204.23.226.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sos.ad.state.mi.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{31D9596F-0741-4F23-B9DC-E79D22C729FD}: NameServer = 204.23.227.20,204.23.226.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{31D9596F-0741-4F23-B9DC-E79D22C729FD}: NameServer = 204.23.227.20,204.23.226.20
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: DAinit.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\SYSTEM32\SLClient.exe
O23 - Service: Software Manager (SwManager) - Unknown owner - c:\windows\system32\SwManager.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

#2 Grinler

    Lawrence Abrams, Admin

Posted 13 January 2006 - 09:54 AM

Do you know what this is?

O4 - Global Startup: XPStartup.lnk = C:\Program Files\XPStartup\XPStartup.exe

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

Cas
Mywebsearch

There are a few infections here. Let's clean it up some before we tackle the harder one.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ppcakp.exe reg_run
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Z0o5RganV] nsvog.exe
O4 - HKCU\..\Run: [ouum] C:\PROGRA~1\COMMON~1\ouum\ouumm.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: XPStartup.lnk = C:\Program Files\XPStartup\XPStartup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: text/html - (no CLSID) - (no file)

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):


C:\WINDOWS\System32\ppcakp.exe
C:\Program Files\Cas\
C:\windows\nsvog.exe
C:\PROGRAM FILES\COMMON FILES\ouum\
C:\Program Files\MyWebSearch\

Reboot your computer to go back to normal mode and post a new log.

#3 atarinite (Topic Starter)

Posted 19 January 2006 - 02:22 PM

Hello,
I have not had a chance to give your recommendation a try. As soon as I do I will be sure to post my log.
thanks, AtariNite

#4 atarinite (Topic Starter)

Posted 23 January 2006 - 01:29 PM

Here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:56 AM, on 1/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect.michigan.gov/portal/site/sos/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SnagIt] C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe /h
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093013225246
O16 - DPF: {C3CCBC0D-D331-11D2-B2EA-004033A01719} (QKTransfer.QuicTransfer) - http://www.quicknowledge.com/training/cont.../QKTransfer.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sos.ad.state.mi.us
O17 - HKLM\Software\..\Telephony: DomainName = sos.ad.state.mi.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{31D9596F-0741-4F23-B9DC-E79D22C729FD}: NameServer = 204.23.227.20,204.23.226.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sos.ad.state.mi.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{31D9596F-0741-4F23-B9DC-E79D22C729FD}: NameServer = 204.23.227.20,204.23.226.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{31D9596F-0741-4F23-B9DC-E79D22C729FD}: NameServer = 204.23.227.20,204.23.226.20
O20 - AppInit_DLLs: DAinit.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\SYSTEM32\SLClient.exe
O23 - Service: Software Manager (SwManager) - Unknown owner - c:\windows\system32\SwManager.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
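The before/after comparison Grinler is doing by eye between post #1 and post #4, written out as a small parser: an added example, not code from HijackThis or from either poster. It assumes the HijackThis 1.99 line format (`O4 - HKLM\..\Run: [name] command`), embeds a constructed excerpt of the two logs above as sample input, and uses a watchlist built only from the file names named in this thread (oojz.exe, ppcakp.exe, nsvog.exe, ouumm.exe). The flagging heuristics (autoruns by bare filename, references to missing files, IE search settings pointing off Microsoft, O6 policy restrictions) are this example's own, not HijackThis rules.

```python
"""Parse HijackThis 1.99 logs, diff a before/after pair, and flag entries worth a look.

Added example for this thread; not part of HijackThis or the original posts.
"""
import re
from dataclasses import dataclass

# A HijackThis finding line: section code (R0, O4, O23 ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# O4 autorun whose command is a bare filename, e.g. "[Z0o5RganV] nsvog.exe":
# Windows resolves it through the search path, so the file can live anywhere.
BARE_EXE_RE = re.compile(r"\]\s+([\w-]+\.exe)(?:\s|$)", re.IGNORECASE)

# Constructed watchlist: the recurring file names named in this thread.
WATCHLIST = {"oojz.exe", "ppcakp.exe", "nsvog.exe", "ouumm.exe"}


@dataclass(frozen=True)
class Entry:
    code: str   # section, e.g. "O4"
    body: str   # everything after "O4 - "

    def __str__(self) -> str:
        return f"{self.code} - {self.body}"


def parse_hjt(text: str) -> list:
    """Return the R/F/N/O entries of a log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"].strip()))
    return entries


def diff_logs(before: str, after: str):
    """(removed, added) entries between two logs, sorted for stable reporting."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a, key=str), sorted(a - b, key=str)


def flag_entry(e: Entry) -> list:
    """Heuristic reasons an entry deserves review; an empty list means none matched."""
    reasons = []
    lower = e.body.lower()
    if e.code == "O4":
        m = BARE_EXE_RE.search(e.body)
        if m:
            reasons.append(f"autorun by bare filename: {m.group(1)}")
    hit = sorted(name for name in WATCHLIST if name in lower)
    if hit:
        reasons.append("matches thread watchlist: " + ", ".join(hit))
    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("points at a missing file (orphaned or already deleted)")
    if e.code == "R1" and "http" in lower and "microsoft.com" not in lower:
        reasons.append("IE search setting redirected to a non-Microsoft URL")
    if e.code == "O6":
        reasons.append("IE options restricted by policy (normal on managed domain PCs)")
    return reasons


def flagged(text: str) -> dict:
    """Map str(entry) -> reasons for every flagged entry in a log."""
    out = {}
    for e in parse_hjt(text):
        reasons = flag_entry(e)
        if reasons:
            out[str(e)] = reasons
    return out


# Constructed excerpts of the two logs posted in this thread (raw strings keep the backslashes).
BEFORE = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect.michigan.gov/portal/site/sos/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ppcakp.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Z0o5RganV] nsvog.exe
O4 - HKCU\..\Run: [ouum] C:\PROGRA~1\COMMON~1\ouum\ouumm.exe
O4 - Global Startup: XPStartup.lnk = C:\Program Files\XPStartup\XPStartup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: text/html - (no CLSID) - (no file)
"""

AFTER = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect.michigan.gov/portal/site/sos/
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"removed {len(removed)}, added {len(added)}")
    for e in removed:
        print("  -", e)
    for line, reasons in flagged(AFTER).items():
        print("still flagged:", line, "->", "; ".join(reasons))
```

Run against the excerpts, the diff lists the seven entries that disappeared between the logs and leaves the O6 line as the only flagged item in the second log. That is the caveat worth keeping in mind when reading the tool's output: the O17 lines show this PC is joined to a domain, so an IE policy restriction is expected there, and a flag means "look", not "fix".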

#5 Grinler

    Lawrence Abrams, Admin

Posted 23 January 2006 - 01:57 PM

Looks good to me. How does it feel to you?