Adware/Spyware Desktop Hijack!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dootdee, Jun 17, 2004.

  1. Dootdee

    Dootdee Private E-2

    Hellooo

    A friend of mine has just got himself on broadband, but unfortunately he didn't have the appropriate security measures in place for an always-on connection, so he's got himself in a bit of a mess...

    Basically, he got home yesterday and found that his desktop background had disappeared and was now "flashing" and that there were a bunch of porn icons on his desktop. Also, when right-clicking the desktop, the only options that appear in the menu are Print, Encoding and Select All.

    I guided him through installing Lavasoft's Ad-Aware and Spybot Search & Destroy.

    Once that was done, I got him to run Ad-Aware, update it, scan the system and remove all the junk that it came up with.

    I then got him to run Spybot Search & Destroy, update it, scan the system and remove all the junk that it came up with....!
    However, the problem remains.

    Having run HijackThis, after the above actions, here is what the logfile looks like:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:17:08, on 17/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Documents and Settings\Matt Sparkes\My Documents\My Received Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8472899E-A967-40A9-91F5-EF8647F03CA3}: NameServer = 62.241.160.200 158.43.240.3

    Hope someone can help
    Cheers
    Ju
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Looks pretty clean. Does he have Antivirus installed? A firewall? SpywareBlaster will prevent a lot of these. CWShredder might find things beyond the big 2 cleaning tools.
     
  3. Dootdee

    Dootdee Private E-2

    Yeah, he's got Antivirus and has the standard Windows Firewall enabled - currently in the process of setting up a decent firewall, but the problem still remains. Basically, it now appears that something has "taken over" the desktop. It just seems to flash randomly, and as mentioned previously, the only options available in the right-click menu on the desktop are "print" "encoding" and "select all". Accessing the "Display" properties from Control Panel gives no clue as to what is going on with the desktop - it just shows the desktop wallpaper that should be there. Most odd.

    I got him to start up in safe mode and run the various apps again to remove malware (Ad-Aware, Spybot etc). He said that the problem went away in safe mode, and as you can see from the HijackThis log, it doesn't seem to have a start-up entry of its own. I got him to run CWShredder, but to our despair it came out completely clean...

    I'm thinking it has perhaps added a syntax to an existing system start-up process so that it is virtually undetectable.

    Does anyone know of any common malware tactics for getting into the system start-up processes?
    I've had to deal with a fair few systems full of malware before, but never one that is so stubborn to get rid of!

    Hope you can help
    Cheers
    Ju
     
  4. alanc

    alanc MajorGeek

    This 213.159.117.132 hijacker is a CoolWebSearch variant that CWShredder should have removed. If you don't have the latest version (1.59) you can download it here:
    http://www.majorgeeks.com/download4086.html
    If yours is up to date fix these lines in HijackThis:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

    This MessengerPlus2 thing is reported to contain lop.com.
    Uninstall it from Control Panel Add/Remove if it's there, fix this line (if still there)
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    and then run thru the removal instructions here:
    http://sarc.com/avcenter/venc/data/adware.lop.html
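As an added example (not something posted in this thread), here is a small Python check that parses HijackThis R0/R1 lines like the ones quoted above and flags any start, default or local page whose host is a bare IP address, which is how this CoolWebSearch variant shows up in the log. The sample log is constructed from the thread's own lines plus one benign entry to show what is not flagged.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: the five R0/R1 lines from the thread, one benign R0
# line (constructed), and two non-R lines that the parser must ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
""".strip()

# R0/R1 lines have the shape: "R1 - <hive>\<key>,<value name> = <url>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.+)$")


def parse_r_entries(log_text):
    """Return the R0/R1 browser-setting entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "hive": m.group(2),
                            "key": m.group(3), "value": m.group(4),
                            "url": m.group(5).strip()})
    return entries


def host_is_ip_literal(url):
    """True when the URL's host is a raw IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_hijacked_pages(log_text):
    """R0/R1 entries that point the browser at a bare-IP URL, the CWS pattern."""
    return [e for e in parse_r_entries(log_text) if host_is_ip_literal(e["url"])]


def hijack_hosts(log_text):
    """Distinct bare-IP hosts the flagged entries point to (one per hijacker)."""
    return sorted({urlsplit(e["url"]).hostname for e in find_hijacked_pages(log_text)})


if __name__ == "__main__":
    for e in find_hijacked_pages(SAMPLE_LOG):
        print(f'FIX {e["section"]} {e["hive"]} {e["value"]} -> {e["url"]}')
```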
     
  5. Dolemite

    Dolemite Private E-2

    We've had 2 customers so far this week with this problem... from what I've seen, this is a problem with your background being hijacked and converted to an HTML document. Try going to START>CONTROL PANEL>DISPLAY, then choose the DESKTOP tab. Choose CUSTOMIZE DESKTOP, and then the WEB tab. There should be a box in the middle that says WEB PAGES. Clear out any boxes that are checked in, and you can also remove them (I would recommend it). Your background should no longer be set to stay synchronized with whatever webpage is hijacking it.

    Let me know if this helps........
     