trojan war


Re: hjt log final

Postby kltsin » Fri Dec 24, 2004 12:44 am

Hmm, this actually is a tough one.

Reformat, here we come....

After all my ranting and raving, though, this is a tough fix; most are quite easy.

It can be done, but it will be a lot of work, a couple of hours; most systems are quite easy and only take a few minutes to fix.

Do as I specified prior.
Run CWShredder and About:Buster.

Run HJT and check all of the following; close all open windows or programs first.

C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
C:\WINDOWS\System32\??plorer.exe
C:\Documents and Settings\Tanya\Application Data\eetu.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)

O4 - HKLM\..\Run: [Login] system.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [A60A3154] C:\WINDOWS\System32\fknsoz.exe
O4 - HKLM\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"

O4 - HKCU\..\Run: [Mslacyi] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fggqoj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"

O4 - HKCU\..\Run: [Smps] C:\Documents and Settings\Tanya\Application Data\utsd.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Tanya\Application Data\eetu.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"


Find these files and delete them

C:\Documents and Settings\Tanya\Application Data\utsd.exe
C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
If there is a folder named "winupd" somewhere near C:\WINDOWS\system32\drivers\etc\rundll\,
delete that folder and all its contents.
C:\Program Files\Internet Optimizer (delete the entire folder)
C:\WINDOWS\System32\fknsoz.exe

Reboot, run Ad-Aware and Spybot again, doing full system scans.

Post a new HJT log; get the newest version of HJT as well and use that instead of 1.98.

This should take only a few more steps and you should be completely clean.

If you think a reformat instead is an option, go for it. This is a tricky fix; we can do it easily, but it will take time, since I am going to be unavailable till late tomorrow (Eastern, GMT-5).

If you can wait for me, so be it.

Also, you can post this log in a security forum, where your problem would have been solved by now since they know this stuff by heart. I would suggest Net-Integration or Tom Coyote's forums; both are excellent and can fix you up in no time at all.
kltsin
Black Belt 2nd Degree
 
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby tribaloverkill » Fri Dec 24, 2004 8:00 am

Mr T wrote: Disable System Restore, then run the AVs and removers in SAFE MODE....

However, as others have pointed out, doing a total reformat is the best way to clear a system of this crap... It is easy enough to back up data using a portable USB hard drive or a CD-RW.. Applications are the responsibility of the customer - no discs - no applications - simple...

Economics is at play here - why waste hours removing adware, viruses etc. when they can return on a simple reboot, cause a system crash 'cos AV deleted a system file, or a virus fragment remains corrupting files...

I think I would rather spend half an hour reinstalling Windows.....



I'm with you bro,...
tribaloverkill
Black Belt 1st Degree
 
Posts: 1032
Joined: Wed Sep 22, 2004 9:09 pm
Location: Mount Holly New Jersey

Re: hjt log final

Postby tribaloverkill » Fri Dec 24, 2004 8:05 am

kltsin wrote: Hmm, this actually is a tough one.

Reformat, here we come....

After all my ranting and raving, though, this is a tough fix; most are quite easy.

It can be done, but it will be a lot of work, a couple of hours; most systems are quite easy and only take a few minutes to fix.

Do as I specified prior.
Run CWShredder and About:Buster.

Run HJT and check all of the following; close all open windows or programs first.

C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
C:\WINDOWS\System32\??plorer.exe
C:\Documents and Settings\Tanya\Application Data\eetu.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)

O4 - HKLM\..\Run: [Login] system.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [A60A3154] C:\WINDOWS\System32\fknsoz.exe
O4 - HKLM\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"

O4 - HKCU\..\Run: [Mslacyi] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fggqoj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"

O4 - HKCU\..\Run: [Smps] C:\Documents and Settings\Tanya\Application Data\utsd.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Tanya\Application Data\eetu.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"


Find these files and delete them

C:\Documents and Settings\Tanya\Application Data\utsd.exe
C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
If there is a folder named "winupd" somewhere near C:\WINDOWS\system32\drivers\etc\rundll\,
delete that folder and all its contents.
C:\Program Files\Internet Optimizer (delete the entire folder)
C:\WINDOWS\System32\fknsoz.exe

Reboot, run Ad-Aware and Spybot again, doing full system scans.

Post a new HJT log; get the newest version of HJT as well and use that instead of 1.98.

This should take only a few more steps and you should be completely clean.

If you think a reformat instead is an option, go for it. This is a tricky fix; we can do it easily, but it will take time, since I am going to be unavailable till late tomorrow (Eastern, GMT-5).

If you can wait for me, so be it.

Also, you can post this log in a security forum, where your problem would have been solved by now since they know this stuff by heart. I would suggest Net-Integration or Tom Coyote's forums; both are excellent and can fix you up in no time at all.


It is true that most are easy. I have had this crap on my machine at one point too, and all I had to do was delete everything from the registry that used certain keywords. I would open msconfig and write down everything that would start up that wasn't supposed to. I would Ctrl+Alt+Del and write down everything that wasn't supposed to be running. I went to the registry and started searching and deleting. After that and a reboot none of it came back, and everything else was just fine. The thing is that I would reformat a short while after, because I know I didn't get rid of everything. Those programs leave crap all over the place. It gets messy after a while.
tribaloverkill
Black Belt 1st Degree
 
Posts: 1032
Joined: Wed Sep 22, 2004 9:09 pm
Location: Mount Holly New Jersey

Postby colinJohn » Fri Dec 24, 2004 8:10 am

think I would rather spend half an hour reinstalling windows.....


Problem posted Wednesday, not resolved Friday after 3 pages of posts.

case proven m'lud :twisted:

I'd still like to understand the in and outs of it all tho'

btw, don't mean to knock all your diagnostic work Kltsin; you've put a lot into this one.
"that's some catch that Catch 22"
"It's the best that there is"

colinJohn
Black Belt 3rd Degree
 
Posts: 3430
Joined: Sat Jul 24, 2004 12:34 pm
Location: UK

Postby tribaloverkill » Fri Dec 24, 2004 8:19 am

colinJohn wrote:
think I would rather spend half an hour reinstalling windows.....


Problem posted Wednesday, not resolved Friday after 3 pages of posts.

case proven m'lud :twisted:

I'd still like to understand the in and outs of it all tho'

btw, don't mean to knock all your diagnostic work Kltsin; you've put a lot into this one.


Got to give it to you too. If anyone figures it out I know it would be you.
tribaloverkill
Black Belt 1st Degree
 
Posts: 1032
Joined: Wed Sep 22, 2004 9:09 pm
Location: Mount Holly New Jersey

Postby Denniss » Fri Dec 24, 2004 10:47 am

Make sure you have HijackThis on your HDD in its own directory, so you can use the backup feature in case you disabled too much.

Kill the process via Task Manager, then search for and delete the file (if it exists):
-> Make sure your Explorer shows all files, including system and hidden!

C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
-> possibly W32 Xabot Worm

C:\Documents and Settings\Tanya\Application Data\eetu.exe
-> maybe another or the same Worm

C:\WINDOWS\System32\??plorer.exe
-> Another virus/worm?

Remove/Fix via Hijack-This :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
-> Hijacked IE and/or missing files, entries not needed
O4 - HKLM\..\Run: [Login] system.exe
O4 - HKLM\..\Run: [A60A3154] C:\WINDOWS\System32\fknsoz.exe
O4 - HKLM\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKCU\..\Run: [Mslacyi] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fggqoj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Tanya\Application Data\eetu.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
-> Virus/Worm related

O4 - Global Startup: Digital Line Detect.lnk = ?
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com

Reboot into Safe Mode and check again
Disable System Restore
Visit http://www.hijackthis.de/en for automated logfile checks
Denniss
Black Belt 1st Degree
 
Posts: 1577
Joined: Fri May 03, 2002 12:01 am
Location: Around Hannover - Germany
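As an added example (not code from this thread or from any of the posters), here is a Python triage script for the kinds of HijackThis entries Denniss and kltsin sorted through above: process-list and O4 autorun paths that imitate a system binary (the way ??plorer.exe and ??oolsv.exe imitate explorer.exe and spoolsv.exe), system binaries running from the wrong directory, autostarts parked in places like drivers\etc or Application Data, bare names such as system.exe resolved through the search path, R1 search pages redirected into a local DLL via res://, O2/R3 hooks whose file is missing, and O15 Trusted Zone additions. The sample log is constructed from lines quoted in the thread; the table of expected directories, the list of unusual directories, and the treatment of "??" as the log's rendering of unprintable bytes are assumptions, not anything the thread states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis 1.98 log format, modelled on entries quoted
# in this thread; not a complete log and not a real capture.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O4 - HKLM\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKCU\..\Run: [Mslacyi] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Tanya\Application Data\eetu.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Login] system.exe
O15 - Trusted Zone: *.searchmiracle.com
"""

# Assumed table: core XP binaries malware likes to imitate, and the directory
# each should run from (lower-cased for comparison).
SYSTEM_BINARIES = {n: r"c:\windows\system32" for n in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"
# Assumed heuristic: directories where a legitimate autostart does not live.
ODD_DIRS = (r"\drivers\etc", r"\application data", r"\local settings\temp", r"\windows\temp")
# Launchers that are legitimately written as a bare name in Run keys.
BARE_OK = {"rundll32.exe", "regsvr32.exe"}

EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|pif|bat|cmd))(?=\s|$)', re.I)
HJT_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")


def lookalike(basename):
    """Name of the system binary that `basename` imitates, or None.
    Characters outside [a-z0-9._-] are dropped first (the log prints '??' for
    bytes it cannot show); what remains must be a suffix of a known name that
    is missing at most four leading characters, so 'plorer.exe' -> explorer.exe."""
    stripped = re.sub(r"[^a-z0-9._-]", "", basename.lower())
    for name in SYSTEM_BINARIES:
        if stripped and stripped != name and name.endswith(stripped) \
                and len(name) - len(stripped) <= 4:
            return name
    return None


def path_of(cmd):
    """Executable path from an O4 command line, quoted or bare."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def check_path(path, ctx):
    """Flag look-alike names, system binaries outside their home directory,
    and executables parked where autostarts do not belong."""
    p = PureWindowsPath(path.lower())
    out = []
    imitated = lookalike(p.name)
    if imitated:
        out.append(("high", f"{ctx}: {p.name!r} is a look-alike of {imitated}"))
    home = SYSTEM_BINARIES.get(p.name)
    if home and str(p.parent) != home:
        out.append(("high", f"{ctx}: {p.name} runs from {p.parent}, expected {home}"))
    if any(d in str(p) for d in ODD_DIRS):
        out.append(("medium", f"{ctx}: executable in an unusual directory: {path}"))
    return out


def triage_line(line):
    """(severity, reason) findings for one HJT log line; [] if nothing stands out."""
    line = line.strip()
    if re.match(r"^[a-z]:\\", line, re.I):      # entry in the "Running processes:" list
        return check_path(line, "process")
    m = HJT_RE.match(line)
    if not m:
        return []
    kind, rest = m.groups()
    if kind == "R1" and "res://" in rest.lower():
        return [("high", "IE search/start page redirected into a local DLL via res://")]
    if kind in ("R3", "O2") and ("(no file)" in rest or "(file missing)" in rest):
        return [("medium", f"{kind} hook/BHO registered for a file that no longer exists")]
    if kind == "O4" and (m4 := O4_RE.match(rest)):
        hive, name, cmd = m4.groups()
        path = path_of(cmd)
        out = check_path(path, f"autorun {hive} [{name}]")
        if "\\" not in path and path.lower() not in BARE_OK:
            out.append(("high", f"autorun [{name}] runs bare name {path!r}, resolved via PATH"))
        return out
    if kind == "O15":
        return [("medium", f"site added to IE Trusted Zone: {rest.partition(':')[2].strip()}")]
    return []


def triage_log(text):
    """Triage a whole log; returns [(line, severity, reason), ...]."""
    return [(ln.strip(), sev, why) for ln in text.splitlines() for sev, why in triage_line(ln)]


if __name__ == "__main__":
    for ln, sev, why in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {ln}")
```

Run it against a saved log with `triage_log(open(path).read())`. It only surfaces lines worth a closer look; as with any HJT log, a flagged entry still needs the file itself examined before anything is removed, and a clean result from these heuristics is not proof the machine is clean.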

Postby snakebite66 » Fri Dec 24, 2004 10:59 am

Mr T wrote: Disable System Restore, then run the AVs and removers in SAFE MODE....

However, as others have pointed out, doing a total reformat is the best way to clear a system of this crap... It is easy enough to back up data using a portable USB hard drive or a CD-RW.. Applications are the responsibility of the customer - no discs - no applications - simple...

Economics is at play here - why waste hours removing adware, viruses etc. when they can return on a simple reboot, cause a system crash 'cos AV deleted a system file, or a virus fragment remains corrupting files...

I think I would rather spend half an hour reinstalling Windows.....



I have not read the rest of the posts but have to say I totally agree here... just did a reformat and fresh install on my brother-in-law's computer, which was infected with hundreds of spyware programmes and several viruses... these were causing major problems even in safe mode, corrupted files etc....

Best solution IMO when things get this bad.
"Take counsel in wine, but resolve afterwards in water."
Benjamin Franklin (1706-1790)
snakebite66
Black Belt 2nd Degree
 
Posts: 2098
Joined: Mon Aug 19, 2002 5:18 pm
Location: West Midlands UK

Postby kltsin » Sat Dec 25, 2004 1:11 am

Well guys, I must admit if it was my system and I didn't know how to fix it, I would probably reinstall, because I do back up and save every update etc.

I have my own business working as the sole tech; I must do these a lot and can fix them. A new version may appear and I do some research, and I get the system working better and safer in the end.

As far as the time that has passed, very valid point.

There are some forums where these guys know security inside and out; if I was a security guru and was able to be at my PC all the time, this probably would have been solved already.
But so far I'm the only one reading this thread that is helping with these HJT logs and malware/trojan removal (no offense to anyone who has posted); if this post was in a security forum it would have been solved, because almost everyone there can do it quite well.
That's why I suggested Net-Integration:
http://www.net-integration.net/
These guys are really good, but there are others such as TomCoyote's and Wilders; those are the best for security (sorry for missing links, I am in a rush to wrap Xmas stuff).

In hindsight I should have sent him there first instead of trying to do it by myself; it would have been fixed in a day.

You may say a day? That's too long, reinstall..
Don't forget it's NOT his computer.
I've played phone tag many times on whether I could reformat a user's PC.
This can take days if they are out of touch.
Then they want you to back up this file and that file and reinstall everything as it was.
It's not fun, and harder and more time consuming than fixing.

Each issue is different though.
kltsin
Black Belt 2nd Degree
 
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby bubbatech » Mon Dec 27, 2004 7:28 pm

Ran CWShredder and About:Buster; both came up clean.
While deleting the files you suggested I ran into a sasser.exe, which I deleted. Before I installed Avast I removed AVG; it seems to be more thorough but may consume more resources on this 1.5 Celeron.
Still, Avast and Ad-Aware say all is well. Here is the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:57:45 AM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\1104\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

Still glad I didn't format; however, I will probably feel different when I get a USB hard drive (I'm hunting one down now).
Thanks again, bubba
bubbatech
Initiate
 
Posts: 83
Joined: Fri Jun 25, 2004 5:22 pm

Postby kltsin » Tue Dec 28, 2004 12:54 am

This is a great time to do online virus scans.
Use that system to go online and run Trend's HouseCall and Symantec's free online virus scans.

If they come up clean, you are looking very good.

If you come across an issue that they can't or won't fix, write it down and post it here.

I also suggest running the System File Checker.
This will check each version of a system file and replace it if it seems unofficial.
It requires that you have the XP discs for that PC's version, though.

Open Run and type in "sfc.exe /SCANONCE".
This will check for corruption and replace any file if the XP CD is inserted, or use any updates that are legitimate.

You can also run sfc.exe /scannow and it will do it right before your eyes, and you can easily opt out or skip files.

I think it's just a safe precaution.

After running a few online scans and SFC, post a new HJT log.
I'm being overly safe, but it's what I think is necessary.
kltsin
Black Belt 2nd Degree
 
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl
