Invasive ..ware that refuses all attempts at removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by KeithC, Jun 2, 2005.

  1. KeithC

    KeithC Private E-2

    Started the computer in safe mode with Networking Support
    Ran the Trendmicro Online Scan
    It downloaded and installed xscan53.cab
    It found 1 infected file that it couldn’t clean, TROJ_TOPANTSPY.C
    File Name C:\recycler\s-1-5-21-1987657003-914090876-3233042676-1003\Dc4.exe
    I used the Delete Option

    I attempted to run the Symantec Online Scan in safe mode.
    The link you provided sent me to a page that loaded to 100% and then just froze without resolving. So I clicked the [GO] link anyway without luck. The page wouldn’t accept input at that point.

    I booted back into normal to attempt to run Symantec Online Scan again.
    Same effect.

    Back to Safe Mode

    Ran Stinger.exe
    Results were clean

    Cleaned HD with CCleaner
    3.31MB Removed

    Scanned with Ad-Aware SE
    Updated to Build SSE1R49 31.05.2005, Core application 1.06r1 Personal
    Start, Full System Scan, Chose to search for Negligible risk and low risk entries.
    3 Objects recognized
    3 New Critical Objects
    2 Registry Keys Identified
    1 Registry Value Identified
    Scan Summary
    MRU List (1 Objects Total)
    These Objects do not pose a threat
    CommonName (2 Objects Total)
    CommonName has a TAC rating of 7
    RegKey Data Miner HKEY_CLASSES_ROOT:interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\
    RegKey Data Miner HKEY_CLASSES_ROOT:typelib\{1e1v286c-88ff-11d2-8d96-d7acac95951f}\
    Windows (1 Objects Total)
    Windows has a TAC rating of 3
    RegData Vulnerability HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon "Shell" (explorer.exe,msmsgs.exe)
    Deleted These Objects
    Scanned with Spybot Search & Destroy
    No Updates found
    No immediate threats were found.

    Ran CWShredder
    Restoring Internet Explorer pages 0 restored
    Restoring hidden IE Options tabs Done
    Removing hosts file redirections None Infected
    CoolWebSearch was not found on this system

    Ran Kill2me

    Ran About:Buster
    Updated to version 28
    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset… Done!


    Ran HS Remove
    8 Items Removed
    REMOVAL COMPLETE

    Ran Bitdefender from link provided
    Installed Version 8
    Identified Viruses: 7
    Infected Files: 11
    Deleted Files: 15

    Ran Rav Antivirus
    Nothing found

    Ran Trojan Scan Online
    Found 2 Malware files.
    Deleted them manually

    Rebooted back in Regular Mode
    Needed to access email and Safe Mode didn’t have saved passwords

    Ran A-squared Free Version
    Found 2 Malware Files:
    See first scan above from trendmicro and replace the Dc4.exe with Dc1.EXE and Dc3.exe


    At this point my system is still infected. The infection is characterized by a hijacking of my desktop background with a “You are infected…” message similar to what many others have been posting recently. Another symptom is a periodic pop-up from the right side of the task bar stating various Bullsh.. things such as “Power Security!” click here to check out our BS devices.

    Also get a pop-up in the center of the screen which almost invariably states:
    System Warning
    Network fatal error at 00FF:2348AD
    Warning! Your internet connection is not secured. Please, use network security software to protect your PC from remote attacks and hacks. Click “OK” to get all the available “Network Security” software.
    [OK] [Cancel]

    Rebooted to Safe Mode with Network

    Got an error message on shutdown about shnlog.exe. I get this every time I shut down.

    Ran HJT
    Included .log file as attachment
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From now on please do not post HJT logs unless requested to do so. Also you must post HJT logs from normal boot mode unless specifically requested otherwise. Do that now. Sounds like you have Smitfraud (hundreds of threads here on that one).
     
  3. KeithC

    KeithC Private E-2

    Re: Invasive ..ware that refuses all attempts at removal

    Sorry about jumping the gun. Here's the new log.

    Also, not sure if it's important but I use Maxthon as my browser and not IE.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Invasive ..ware that refuses all attempts at removal

    Not all of the below items I mention will be found on your PC! That's okay. I list all of these to cover all bases because they could all be there. So look for all the items as indicated. If they are not found, just skip it and continue.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (again note: all of these may not be running)
    C:\WINDOWS\System32\msole32.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\System32\intmonp.exe
    C:\WINDOWS\System32\intmon.exe
    C:\WINDOWS\system32\msmsgs.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp730D.tmp
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {9DB94221-DC9E-4B22-9043-A722E5D09F32} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9DB94221-DC9E-4B22-9043-A722E5D09F32} - (no file) (HKCU)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINNT\system32\hp730D.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\system32\svcnut.exe
    C:\Program Files\MsConfigs<--- the whole folder
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now post a new HJT log. And tell me how things are working.
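Added note (not part of chaslang's instructions or KeithC's logs): a small Python checker that flags HijackThis-style entries of the kind called out in the fix list above, and the Winlogon "Shell" value Ad-Aware reported in the first post. The log lines are constructed from the entries quoted in this thread (plus one benign O4 line I made up), and the function names and the small TRUSTED_HOSTS allowlist are my own assumptions.

```python
import re
from urllib.parse import urlparse

# HijackThis-style lines constructed from the entries quoted in this thread, plus one
# benign O4 line (constructed) that the checker should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp730D.tmp
O9 - Extra button: Microsoft AntiSpyware helper - {9DB94221-DC9E-4B22-9043-A722E5D09F32} - (no file) (HKCU)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Winlogon Shell value as Ad-Aware reported it in the first post.
SAMPLE_SHELL = "explorer.exe,msmsgs.exe"
# Hosts a stock IE start/search page may point at; anything else is worth a look (assumption).
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
_R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+) = (?P<value>.*)$")
_O_LINE = re.compile(r"^(?P<sec>O\d+) - (?P<body>.*)$")

def check_hjt_line(line):
    """Return a reason string if the entry looks like a hijack, else None."""
    m = _R_LINE.match(line)
    if m:  # R0/R1: start page and search URLs
        value = m.group("value").strip()
        if value.lower().startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if host not in TRUSTED_HOSTS:
                return "start/search page points at untrusted host " + host
        return None
    m = _O_LINE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2":  # Browser Helper Object: last " - " field is the DLL path
        path = body.rsplit(" - ", 1)[-1]
        if path.lower().endswith(".tmp") or "(file missing)" in body or "(no name)" in body:
            return "BHO with no real file (temp file, missing file or no name)"
    if sec == "O9" and ("(no file)" in body or "(file missing)" in body):
        return "button/menu entry with no backing file"
    return None

def check_winlogon_shell(value):
    """Return programs chained onto the Winlogon Shell value besides explorer.exe."""
    return [p.strip() for p in value.split(",") if p.strip().lower() != "explorer.exe"]

def scan_log(text):
    """Return (line, reason) pairs for every suspicious entry in an HJT log."""
    checked = ((ln.strip(), check_hjt_line(ln.strip())) for ln in text.splitlines())
    return [(ln, why) for ln, why in checked if why]
```

Running scan_log(SAMPLE_LOG) returns the two R1 search hijacks, the .tmp BHO and the O9 entry, and check_winlogon_shell(SAMPLE_SHELL) returns ["msmsgs.exe"], the extra shell that keeps the popups coming back after a reboot.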
     
  5. KeithC

    KeithC Private E-2

    Upon attempting to "Kill Process" on intmon.exe and shnlog.exe the result would be the files showing up on the bottom of the Process list.

    Background Hijacking is still happening.

    Here's the new HJT log.
     

    Attached Files:

  6. KeithC

    KeithC Private E-2

    Ok. Everything appears to be working normally now. Ran HJT again and didn't find any of the questionable files this time. Windows background appears to no longer be hijacked. System has been running for some time now and I haven't yet gotten a popup.

    Thank you for your help. If anything changes/resurfaces I'll report it.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to the HJT log you posted, you are not clean yet. See below from your log:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp5C80.tmp (file missing)

    You may need to disable SpySweeper's protections (or uninstall it) to fix these. If you do not disable SpySweeper's protection, you have to make sure you approve the change after making fixes with HJT. Otherwise SpySweeper will see the attempted changes and block them. Normally it notifies you. Since you are trying to change these items, you have to approve them or SpySweeper will set them right back to the current bad entries.
     
