Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Err, About This Malewarewipe Trojan Headache


  • Please log in to reply
1 reply to this topic

#1 con4mity

con4mity

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 07 April 2006 - 09:25 AM

Okay, I've been stuck on this stupid infection for 3 days and still can't kill it. I have done all the preliminary steps as mentioned in the "Do First before posting" topic. I've also gone beyond them a bit as I've identified the file that causes the headaches, but not the one that seems to be causing the file.

The biggest issue is that my IE keeps getting hijacked followed closely by an alert that I havd Backdoor.Trojan.NONE The Hijack takes me to http://www.bestsecurityguide.com which sells spyware removers. Laugh! That's drumming up new business, I guess.

Anyhoot, in my HijackThis log below you'll see this:
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp1160.tmp

Which is atleast part of the infection, but using killbox, or similiar on the file only causes the infection to drop that file and create a new *.tmp file.

Thank you for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 10:23:30 AM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp1160.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase2213.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recu...RecurPayCom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6A20B59-9B1A-4386-846C-BFDD92ADA217}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS2\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by con4mity, 07 April 2006 - 10:52 AM.


BC AdBot (Login to Remove)

 


m

#2 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:25 PM

Posted 09 April 2006 - 09:40 AM

Well the 02 BHO is a remanent of a SpyAx/SpywareFalcon/Strike infection. you also have left overs from another infection (Wareout)

Let's see what we can do to get you cleaned up.

First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it on your desktop but don't run it yet..we'll run it later

Download smitRem.exe ©noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

You may have previously ran some of the following programs, please run through the fix and run all programs listed, in order, and make sure to update all

Please download Ewido Anti-Malware, it is a free version of the program.
  • Install ewido security suite
  • When installing the program, under "Additonal Options" uncheck...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to the following items
  • O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp1160.tmp
  • O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{B6A20B59-9B1A-4386-846C-BFDD92ADA217}: NameServer = 85.255.116.59,85.255.112.188
  • O17 - HKLM\System\CS1\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
  • O17 - HKLM\System\CS2\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
Close all other windows and browsers and click FIX CHECKED

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and scan your system with Ad-aware:

Ad-aware SE - Download - Home Page
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
Once the definitions have been updated:

Reconfigure Ad-Aware for Full Scan as per the following instructions:
  • Launch the program, and click on the Gear at the top of the start screen.
  • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
    • "Automatically save logfile"
    • Automatically quarantine objects prior to removal"
    • Safe Mode (always request confirmation)
    • Prompt to update outdated confirmation) - Change to 7 days.
  • Click the "Scanning" button (On the left side).
  • Under Drives & Folders, select "Scan within Archives"
  • Click "Click here to select Drives + folders" and select your installed hard drives.
  • Under Memory & Registry, select all options.
  • Click the "Advanced" button (On the left hand side).
  • Under "Shell Integration", select "Move deleted files to Recycle Bin".
  • Under "Log-file detail", select all options.
  • Click on the "Defaults" button on the left.
  • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
  • Click the "Tweak" button (Again, on the left hand side).
  • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
    • "Unload recognized processes during scanning."
    • "Obtain command line of scanned processes"
    • "Scan registry for all users instead of current user only"
  • Under "Cleaning Engine", select the following:
    • "Automatically try to unregister objects prior to deletion."
    • "During removal, unload explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot."
    • "Delete quarantined objects after restoring"
  • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
  • Click on "Proceed" to save these Preferences.
  • Click on the "Scan Now" button on the left.
  • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
Close all programs except ad-aware.
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.[/list]
Now go to the FixWareout you downloaded earlier run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

After your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please run it by clicking Scan Only,
and check the following items:( They MAY have came back after 1st run of HijackThis)
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{B6A20B59-9B1A-4386-846C-BFDD92ADA217}: NameServer = 85.255.116.59,85.255.112.188
  • O17 - HKLM\System\CS1\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
  • O17 - HKLM\System\CS2\Services\Tcpip\..\{05E7BDDC-DBC3-4CE1-8118-FFD0D3B3EB72}: NameServer = 85.255.116.59,85.255.112.188
Click Fix Checked. Close HijackThis, and click OK to proceed.

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Run the program, accept statement>next>click> scan>next.
If any items are detected have blacklite rename them except for "wbemtest.exe".
Do not rename "wbemtest.exe" its a windows file.

If there are any other files you THINK may be valid don't rename them. We can rename them later Help is available HERE

The tool will ask if you want to reboot (restart) choose yes.

Then run this online virus scan: ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
Post the contents
  • of the Panda scan report
  • a new HijackThis Log
  • C:\smitfiles.txt
  • Ewido Log
  • log from blacklight; log will be named fsbl-<date/time>.log eg. fsbl-20051213134642.log
in a reply to this thread.

You may have to use more than one post to get them all in

Note: IF you are having connection problems follow the directions below
(These instruction's are basically for home users.)
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.

In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available one some systems




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users