Malware Analysis Needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by Eric_Henry, Mar 24, 2006.

  1. Eric_Henry

    Eric_Henry Private E-2

    I have a Dell Dimension DIM 4400 with an Intel Pent. 4 CPU 1.60 GHz 1.5 Ghz, 256MB RAM running Win XP Home 2002 SP2. I have had countless problems with Malware....in '05 I installed Norton Anti-Virus (and uninstalled it as soon as my year subscription was over)....we recently connected with a cable modem, and I installed the F-Secure Virus Protection offered by my ISP. I have completed all of the steps in the "Read & Run Me First" file, including running the CWShredder. I would really appreciate it if someone with more experience than myself would review my logs from the activescan, bitdefender, and Hijack This scans, and provide any additional advice on how to clean my PC. Most recently, when I shut down my PC I have an "END NOW PROGRAM" pop up titled "WMS ST NOTIF Window 000013A40........" that has to be ended before shutting down the system.

    Any input is greatly appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You are running an old version of Sun Java. You need to get updated to the newest version and uninstall the old version. This will be covered in steps you will be given after we have fixed all of your malware issues.


    Now download LSP-Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move winsflt.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {18BD7678-F3E6-0F97-58E1-25729D99EF1B} - C:\WINDOWS\addnw.dll (file missing)
    O2 - BHO: (no name) - {2EF3F0B2-A80F-927D-4E42-A7707D6E0C09} - (no file)
    O2 - BHO: Class - {542306D0-B1E9-0911-0D86-41F194D4F97C} - C:\WINDOWS\system32\crqk.dll (file missing)
    O2 - BHO: (no name) - {6F854F82-41AB-C366-B3F3-7E4633BE37DB} - (no file)
    O2 - BHO: (no name) - {7B571DBD-964B-80C0-84DA-600100691142} - (no file)
    O2 - BHO: (no name) - {7FD318B9-600D-989C-1DCA-4BF6B4D6258D} - (no file)
    O2 - BHO: (no name) - {8610500C-F1E8-A81C-08D5-F0E37964B059} - (no file)
    O2 - BHO: (no name) - {9FD3E41B-894A-375B-D1FB-85FBCC6A9DFF} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\Run: [javabr.exe] C:\WINDOWS\system32\javabr.exe
    O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Norton Internet Security <--- delete the whole folder
    C:\Documents and Settings\Amy\Local Settings\Temp <--- delete all files in this Temp folder
    C:\Program Files\Audiogalaxy Satellite\ui.dll
    C:\WINDOWS\system32\crqk.dll
    C:\WINDOWS\system32\javabr.exe
    C:\WINDOWS\SYSTEM32\logs1.ini
    C:\WINDOWS\SYSTEM32\wppp.html
    C:\WINDOWS\NDNuninstall4_34.exe
    C:\WINDOWS\NDNuninstall4_94.exe
    C:\WINDOWS\NDNuninstall5_64.exe
    C:\WINDOWS\NDNuninstall6_10.exe
    C:\WINDOWS\n_hwbquv.dat
    C:\WINDOWS\addnw.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  3. Eric_Henry

    Eric_Henry Private E-2

    Thanks for your advice.....

    I have completed all steps you mentioned....With the exception of the following.
    After upgrading the Java, running the LSP-Fix, removing all listed HJT lines, booting into Safe Mode....I was unable to find the following files to delete: (1) C:\Program Files\Norton Internet Security (2) C:\Windows\system32\crqk.dll (3) C:\Windows\system32\javabr.exe and (4) C:\Windows\addnw.dll. I searched visually using windows explorer, and used the windows search feature to no avail. However, I was able to find the rest of the listed files and deleted them (as well as successfully completed the remainder of the list).

    As far as how things are working now: Two things--1) every time I reboot the PC runs the CHKDSK Utility. I have rebooted 5 times and it runs each time. 2) As you can see from the HJT log, it looks like some of the lines (O2) you had me fix using HJT are still there.....Is there any hope for me, or should I shut everything off and move to the mountains.....

    Thanks,

    EH
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure, but I doubt that chkdsk running is due to malware. We will see if we can find anything later, but first we need to fix the remaining malware issues. Either your F-Secure stuff is getting in the way or there is a registry key ownership issue. We need to get the below O2 - BHO keys removed:

    O2 - BHO: (no name) - {18BD7678-F3E6-0F97-58E1-25729D99EF1B} - (no file)
    O2 - BHO: (no name) - {2EF3F0B2-A80F-927D-4E42-A7707D6E0C09} - (no file)
    O2 - BHO: (no name) - {542306D0-B1E9-0911-0D86-41F194D4F97C} - (no file)
    O2 - BHO: (no name) - {6F854F82-41AB-C366-B3F3-7E4633BE37DB} - (no file)
    O2 - BHO: (no name) - {7B571DBD-964B-80C0-84DA-600100691142} - (no file)
    O2 - BHO: (no name) - {7FD318B9-600D-989C-1DCA-4BF6B4D6258D} - (no file)
    O2 - BHO: (no name) - {8610500C-F1E8-A81C-08D5-F0E37964B059} - (no file)
    O2 - BHO: (no name) - {9FD3E41B-894A-375B-D1FB-85FBCC6A9DFF} - (no file)

    The easiest way may be to use another tool. Download and install the below:

    Download and Install Registrar Lite

    Run Registrar Lite navigate to the following keys and take ownership of them:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    To take ownership of the key do the following:
    Click-on the above Registry Key
    Click-on Security in the Menu
    Select Take Ownership
    Now locate each of the below keys under the Browser Helper Objects key and select them (one at a time) and right click on them and select delete:

    {18BD7678-F3E6-0F97-58E1-25729D99EF1B}
    {2EF3F0B2-A80F-927D-4E42-A7707D6E0C09}
    {542306D0-B1E9-0911-0D86-41F194D4F97C}
    {6F854F82-41AB-C366-B3F3-7E4633BE37DB}
    {7B571DBD-964B-80C0-84DA-600100691142}
    {7FD318B9-600D-989C-1DCA-4BF6B4D6258D}
    {8610500C-F1E8-A81C-08D5-F0E37964B059}
    {9FD3E41B-894A-375B-D1FB-85FBCC6A9DFF}

    After deleting them, exit Registrar Lite and attach a new HJT log.
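The orphaned "(no file)" BHO entries in the post above are CLSIDs registered under the Browser Helper Objects key whose COM server DLL no longer exists. The script below is an added example (not from the thread or from HijackThis) that audits that key the way HijackThis does and reports the stale entries without deleting anything; the Wow6432Node path is an assumption added so it also covers 32-bit IE on 64-bit Windows, which the thread's XP machine does not have.

```powershell
# Added example: read-only audit of Browser Helper Object registrations.
# For every CLSID under the BHO key, resolve its InprocServer32 DLL through
# HKCR\CLSID and classify it as present, "file missing" or "no file",
# mirroring the wording HijackThis uses on O2 lines. Nothing is modified.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumed addition for 64-bit Windows; absent on the 32-bit XP box in the thread.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
) | Where-Object { Test-Path -Path $_ }

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName   # e.g. {18BD7678-F3E6-0F97-58E1-25729D99EF1B}
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path -Path $server) {
                # The default value of InprocServer32 holds the DLL path.
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            # Paths are often stored with %SystemRoot%-style variables.
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $status = if (-not $expanded) {
                'no CLSID/InprocServer32 registered (no file)'
            } elseif (-not (Test-Path -LiteralPath $expanded)) {
                'DLL not on disk (file missing)'
            } else {
                'present'
            }
            [PSCustomObject]@{
                Key    = $key
                CLSID  = $clsid
                Dll    = $expanded
                Status = $status
            }
        }
    }
}

# Show only the entries that need attention; drop the filter to list every BHO.
Get-BhoReport | Where-Object { $_.Status -ne 'present' } | Format-Table -AutoSize
```

Run it from an elevated prompt; a deletion that then fails with "access denied" points at the key ownership problem the post describes rather than at the scanner.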
     
  5. Eric_Henry

    Eric_Henry Private E-2

    Here is the newest HJT log....

    Looks like the Registry Lite program did the trick...What do you think?

    Are there any further steps that you recommend? What do you think is causing the CHKDSK utility to run after every re-boot?

    Thanks,

    EH
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! Do you mean scandisk or do you mean chkdsk?

    You may have some file allocation errors that need to be fixed and perhaps chkdsk is in the scan only mode and you need to use the /F option to fix. You may need to run it yourself from the command prompt. There are possible ways to get around this but you really should check to make sure nothing is wrong with your hard disk. This link may give you some tips too: http://www.experts-exchange.com/Operating_Systems/Q_21289926.html

    However, this is not a topic for the Malware Forum.
     
  7. Eric_Henry

    Eric_Henry Private E-2

    Okay....

    Thanks for your help cleaning my PC.

    EH
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome but did you resolve your problem?
     
