Netspry Hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by doogy, Sep 30, 2004.

  1. doogy

    doogy Private E-2

    Hello,
    I'm having a problem with netspry.com

    Whenever I first open Internet Explorer, it will consistently go to netspry.com; HOWEVER if I go to my homepage, it is correct. I only get netspry.com when I first open Internet Explorer and sometimes while surfing. It's getting kind of frustrating. I have run Ad-Aware, Spybot S&D, McAfee Security Center, CW Shredder, and Spy Sweeper, and I still am having problems. Please give me recommendations.
     
  2. PhilliePhan

    PhilliePhan Guest

  3. doogy

    doogy Private E-2

    I went through that whole process, and I still have the same issue. I am running an HP Pavilion system, Windows XP Home ed., 368 MB RAM, 1.30 GHz, 40 GB hard drive on cable internet. I have gone through every process listed on the thread given, excluding the online virus detections because I have McAfee... As stated, I have run Ad-Aware, Spybot S&D, McAfee Security Center, CW Shredder, Spy Sweeper, and all other programs listed in the thread you posted. I did not have any of the files or registry items listed on the second site. Still the same problem. More recommendations?

    Thanks,
    doogy
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Doogy,

    Did you try running a search of your computer for netspry?
    Did you enable the viewing of hidden files?
    The online scans are still a good idea - even if you are using McAfee.

    I imagine, if you tried all of the suggestions in the tutorial, the moderators wouldn't mind if you save a HijackThis log as a .txt file and post it as an attachment as per the instructions here:

    http://forums.majorgeeks.com/showthread.php?t=38752

    It's late - I'll try to check back tomorrow.

    PP
     
    Last edited by a moderator: Oct 1, 2004
  5. doogy

    doogy Private E-2

    Thank you very much for your assistance so far! I just went through that tutorial right before you posted and got rid of everything that looks remotely suspicious to me. Still having the same problem... Will work with it more tomorrow. Thanks again for your help. I may post a HijackThis log tomorrow (according to the instructions of course ;))

    Thanks,
    doogy
     
  6. doogy

    doogy Private E-2

    Ok guys,

    Here's my log as of this morning... I am having MAJOR problems now... cannot surf to many of my daily favorites without going to netspry.com. I can't even view news articles on many big name news sites. What is wrong?

    Thanks,
    doogy

    EDIT: Ok, seems to not be working? What's wrong?
     
  7. PhilliePhan

    PhilliePhan Guest

    That may be part of the problem - hope you saved the backups.

    I won't be able to look at your log until this evening when I have more free time. Just wanted to let you know that I didn't forget about you.

    Regards,

    PP
     
  8. Kodo

    Kodo SNATCHSQUATCH

    Did you make sure that you did all of this in safe mode?
    Please try the online virus scanners; there's a reason why we ask you to do that.

    From the looks of your log, you have a trojan on your machine.

    Run through the tutorial AGAIN in safe mode with networking, run the online scans, then run this while you're in safe mode:

    A-Squared
    http://www.majorgeeks.com/download172.html

    Then run HJT again and clean up the following entries.

    C:\WINDOWS\system32\cic38023.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\WINDOWS\system32\glueftp.exe

    C:\WINDOWS\system32\penstcln.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\AWCUVi.dll
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [MmBILo6N.exe] C:\windows\temp\MmBILo6N.exe
    O4 - HKLM\..\Run: [GbPnV6v.exe] C:\windows\temp\GbPnV6v.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [odtext32] C:\WINDOWS\System32\odtext32.exe
    O4 - HKCU\..\Run: [go7mRkH8T] penstcln.exe

    A-Squared should help with the trojan.
    I've never heard of GLUEFTP, a Google search pulled up nothing, and I've never seen that exe in sys32, so I'm flagging it.
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Kodo,

    Thanks for stepping in – looks like quite a mess! Now I see why Chaslang gets so aggravated when people skip steps in the tutorial ;)

    Doogy – Much of the advice given in this forum is predicated on people completing the tutorial. It solves a lot of these problems right away.
    Your HijackThis is Waaay out of date, by the way.

    It looks like Kodo got everything in your log. Make sure you use CCleaner to flush your TEMP Files to get rid of these:
    C:\windows\temp\MmBILo6N.exe
    C:\windows\temp\GbPnV6v.exe


    The few references I found for these indicate that it is bad:
    O4 - HKLM\..\Run: [rwwmzq] C:\WINDOWS\System32\nkivtq.exe
    C:\WINDOWS\System32\nkivtq.exe

    Kodo may know better, so DO NOT FIX until we're sure.

    This is mild spyware:
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Viewpoint
    - Many people keep it, though.

    I could not find anything on this:
    O4 - HKLM\..\Run: [ocalspll] C:\WINDOWS\System32\ocalspll.exe
    DO NOT FIX it until we figure out what it is!

    I couldn't find anything on glueftp either, Kodo. Guess we'll wait and see how the tutorial works out this time!


    Best,

    PP
     
  10. doogy

    doogy Private E-2

    Ok, thanks so much for your help guys... I actually got rid of the netspry hijack myself early this afternoon using this method:

    http://www.help2go.com/postt9367.html

    Tonight, I downloaded A-Squared as instructed and ran it in safe mode - removed 9 items. I then restarted and ran HijackThis in safe mode and removed everything that you instructed me to. I am now surfing easily; however, I still have a few unwanted ads in spite of the Google Toolbar popup blocker. Would anyone care to take a look at my new HJT log? Thanks, PP and Kodo, for your help!

    doogy
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There were other items in your log that should be cleaned up too. Some Kodo & PP mentioned, but there were others not mentioned:

    O4 - HKLM\..\Run: [rwwmzq] C:\WINDOWS\System32\nkivtq.exe
    O4 - HKLM\..\Run: [ocalspll] C:\WINDOWS\System32\ocalspll.exe <--- all reports I see are it is bad
    O4 - HKLM\..\Run: [Ee.exe] C:\documents and settings\owner\local settings\temp\Ee.exe
    O4 - HKLM\..\Run: [2564390b3b89] C:\WINDOWS\system32\cic38023.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\SYSTEM32\ZIG5QX6.EXE
    O4 - HKLM\..\Run: [xFog3qj] glueftp.exe

    You should post a new HJT log so we can see if anything remains after what you have done thus far. A-Squared may have picked up some of the above.
     
  12. PhilliePhan

    PhilliePhan Guest

    Hi Chas :)

    Thought this was curious as well, but it looks legit - From Pacman's list:

    Evidence Eliminator
    ee.exe
    Evidence Eliminator - cover the tracks of your browsing habits and E-mails if you think you need to. Run manually on a regular basis.

    Best,

    PP
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PP,

    Yes it "could" be. But Evidence Eliminator should be running from:
    \Program Files\Evidence Eliminator\ee.exe

    It's a little strange to be running from the directory indicated. The file's properties should be checked to make sure it is Evidence Eliminator. If so, it should be put into a properly labeled directory to avoid future questioning. And no valid program should be getting installed into C:\documents and settings\owner\local settings\temp. First, it's a temp folder that CCleaner should have cleaned up (was it actually run?), and, in my personal opinion, executable programs should not be put under C:\documents and settings.
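The location test chaslang applies to the Ee.exe entry (and the path-less entries like penstcln.exe and glueftp.exe earlier in the thread) can be turned into a small triage pass over HijackThis O4 lines. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the entries quoted above plus one made-up "ExampleAV" entry, and the heuristics only cover where an autostart entry points, so something like WinTools, which lives under Program Files yet was flagged by Kodo, still needs a name lookup.

```python
import re

# Constructed sample lines, modelled on the O4 (Run key) entries quoted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [go7mRkH8T] penstcln.exe
O4 - HKLM\..\Run: [Ee.exe] C:\documents and settings\owner\local settings\temp\Ee.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\Example AV\guard.exe
O4 - HKLM\..\Run: [MmBILo6N.exe] C:\windows\temp\MmBILo6N.exe
""".strip().splitlines()

# HijackThis O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<target>.+)$")


def parse_o4(line):
    """Split one O4 line into its fields, or return None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def location_reasons(target):
    """Location-based reasons to look closer at a Run entry, per the heuristics in this thread."""
    path = target.strip().strip('"').lower()
    reasons = []
    if "\\" not in path:
        # e.g. "penstcln.exe": no directory given, so Windows resolves it via the search path
        reasons.append("bare filename with no path")
    if "\\temp\\" in path:
        # legitimate software should not autostart from a temp folder CCleaner is meant to flush
        reasons.append("runs from a temp folder")
    if path.startswith("c:\\documents and settings\\"):
        # an installed program belongs under Program Files, not a user profile
        reasons.append("runs from a user profile directory instead of Program Files")
    return reasons


def triage_log(lines):
    """Return the O4 entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = location_reasons(entry["target"])
        if reasons:
            flagged.append({"name": entry["name"], "target": entry["target"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_O4_LINES):
        print(f"[{e['name']}] {e['target']}\n    " + "; ".join(e["reasons"]))
```

Feed it the O4 lines of a saved HJT log (one line per list element) and it lists the entries whose location alone is a reason to check the file's properties before deciding to fix anything.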
     
  14. PhilliePhan

    PhilliePhan Guest

    Agreed! I thought that was odd. Thanks for the lesson :)

    PP
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's worth checking to see what it is. It may well be that Evidence Eliminator was put there by doogy.
     
  16. PhilliePhan

    PhilliePhan Guest

    Could it be that doogy was looking for an easy way to eliminate the evidence that he was using the Evidence Eliminator? Spill, doogy ;)

    PP
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LOL! :D
     
