August 2, 2008 at 1:16 pm #2154162
IE Hijacker
by brian.mccrady · about 14 years, 6 months ago
I am running an XP system and it has been recently infected by an IE Hijacker. I can clean it with Ad-Aware, SpyBot, Sophos, but on reboot it reloads files in C:/Documents and Settings/Owner named (I think, as I have removed them for now) RePatch and Uploader.
Right now, I can’t even get HiJackThis to download (or to run if I load it from a memory stick).
Where do I start?
Thanks
All Answers
-
August 2, 2008 at 1:16 pm #2919143
Clarifications
by brian.mccrady · about 14 years, 6 months ago
In reply to IE Hijacker
Clarifications
-
August 2, 2008 at 1:55 pm #2919138
Have you
by rob miners · about 14 years, 6 months ago
In reply to IE Hijacker
turned off System Restore and run your Malware removal tools in Safe Mode.
-
August 2, 2008 at 2:04 pm #2919136
No and yes
by brian.mccrady · about 14 years, 6 months ago
In reply to Have you
I had run everything under Safe Mode, but I hadn’t turned off System Restore. I will try that. Thanks.
-
August 2, 2008 at 2:14 pm #2919133
They will be lurking
by rob miners · about 14 years, 6 months ago
In reply to No and yes
in System Restore, let us know how you get on.
-
August 2, 2008 at 3:56 pm #2919107
Nope
by brian.mccrady · about 14 years, 6 months ago
In reply to They will be lurking
I ran Sophos, Ad-Aware, Spybot all in safe mode and all with System Restore off.
When I restarted to normal mode, Sophos pulls up these two warnings:
RunUpdater.exe is part of Mal/Generic-A
RunPatch.exe is part of Mal/DownLdr-O
My internet is still being hi-jacked. I can’t download HiJackThis at all. When I try, the system takes me back to the desktop.
-
August 2, 2008 at 4:04 pm #2919106
Try this
by rob miners · about 14 years, 6 months ago
In reply to Nope
Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session) or a Flash Stick.
Restart the computer in Safe Mode. Go to Start|Shut Down. Select ‘Restart’ from the dropdown list and click ‘OK’. Windows will restart. Press F8 when you see the following text at the bottom of the screen “For troubleshooting and advanced startup options for Windows 2000, press F8”. In the Windows 2000 Advanced Options Menu, select the third option ‘Safe Mode with Command Prompt’.
At the affected computer, place the CD in the CD drive (D: in this example). At the command prompt type D:
to access the CD drive. Type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the file.
-
August 2, 2008 at 7:58 pm #2919061
Still came back
by brian.mccrady · about 14 years, 6 months ago
In reply to Try this
I did the whole procedure, but as soon as I reboot to normal Windows, those same files, RunPatch and RunUpdater, reappear.
-
August 2, 2008 at 9:25 pm #2919046
See if this helps
by rob miners · about 14 years, 6 months ago
In reply to Still came back
I wasn’t ready and accidentally hit the button.
-
August 3, 2008 at 8:32 pm #2918823
Trend Micro results
by brian.mccrady · about 14 years, 5 months ago
In reply to No and yes
Found one malware JAVA_BYTEVER.BJ and one spyware ADWARE_ALWAYSUPDATEDNEWS. Both were removed.
Previous problem with RunPatch and Updater seems to be fixed. They haven’t returned.
Still can’t run hijackthis. As others have reported, if I try to download it from the Web, the system takes me off the Net and back to the desktop.
I’m certainly better than I was, but I would still like to figure out what the root problem is.
Any more ideas? Your help has been much appreciated so far.
-
August 3, 2008 at 8:48 pm #2911537
Update Spybot
by rob miners · about 14 years, 5 months ago
In reply to Trend Micro results
boot into Safe Mode to run it. While you are there try running HT from your stick.
< add a bit >
See if you can download this and run it. Silent Runners
-
August 3, 2008 at 9:17 pm #2911533
Silent Runners Log
by brian.mccrady · about 14 years, 5 months ago
In reply to Update Spybot
Spybot is already up to date. I tried HT once again in safe mode – nothing.
Attached is the Silent Runners Log. I haven’t looked at it yet.
“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
———————————
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
“{C806F694-06A1-1033-0819-050831010001}” = “”C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe” mc-110-12-0000140″ [file not found]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“MsnMsgr” = “”C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background” [MS]
“NvMediaCenter” = “”RUNDLL32.EXE” C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit” [MS]
“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“PowerBar” = “(empty string)” [file not found]
“IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = “”C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe” ASO-616B5711-6DAE-4795-A05F-39A1E5104020″ [file not found]
“ISUSScheduler” = “”C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start” [“Macrovision Corporation”]
“WMPNSCFG” = “C:\Program Files\Windows Media Player\WMPNSCFG.exe” [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“iTunesHelper” = “”C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”]
“NvCplDaemon” = “”RUNDLL32.EXE” C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]
“QuickTime Task” = “”C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”]
“Adobe Photo Downloader” = “”C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”” [“Adobe Systems Incorporated”]
“SunJavaUpdateSched” = “”C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“dvd43” = “C:\Program Files\dvd43\dvd43_tray.exe” [empty string]
“TkBellExe” = “”C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]
“MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS]
“KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM…CLSID} = “AcroIEHlprObj Class”
\InProcServer32\(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM…CLSID} = “RealPlayer Download and Record Plugin for Internet Explorer”
\InProcServer32\(Default) = “C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll” [“RealPlayer”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32\(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{933ED98E-57E9-11DD-BF82-A36255D89593}\(Default) = “CUNta”
-> {HKLM…CLSID} = “CUNta”
\InProcServer32\(Default) = “C:\WINDOWS\system32\cunta.dll” [“Insoft”]
{B03C703B-B8AE-9059-F9DA-B7DEBBB75BBB}\(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = “C:\WINDOWS\system32\gpa.dll” [file not found]
{B53C766B-E9FB-9759-F7DA-B7DEBBB758E2}\(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = “C:\WINDOWS\system32\xmsonbbu.dll” [file not found]
{ED3C7664-BAFF-9051-F1DA-B7DEBBB759E0}\(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = “C:\WINDOWS\system32\xtmfldv.dll” [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Display Panning CPL Extension”
-> {HKLM…CLSID} = “Display Panning CPL Extension”
\InProcServer32\(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “HyperTerminal Icon Ext”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32\(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”
-> {HKLM…CLSID} = “Desktop Explorer”
\InProcServer32\(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”
-> {HKLM…CLSID} = “iTunes”
\InProcServer32\(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]
“{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}” = “Messenger Sharing Folders”
-> {HKLM…CLSID} = “My Sharing Folders”
\InProcServer32\(Default) = “C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll” [MS]
“{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” = “Webroot Spy Sweeper Context Menu Integration”
-> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration”
\InProcServer32\(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [file not found]
“{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler”
-> {HKLM…CLSID} = “NeroDigitalIconHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll” [file not found]
“{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler”
-> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll” [file not found]
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
-> {HKLM…CLSID} = “RealOne Player Context Menu Class”
\InProcServer32\(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]
“{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}” = “Sophos Anti-Virus Shell Extension”
-> {HKLM…CLSID} = “ContextMenuHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll” [“Sophos Plc”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32\(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<> “BootExecute” = “autocheck autochk *”|”lsdelete” [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> daebefeabc\DLLName = “C:\WINDOWS\system32\daebefeabc.dll” [null data]
<> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”]
<> WRNotifier\DLLName = “WRLogonNTF.dll” [file not found]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = “NeroDigitalExt.NeroDigitalColumnHandler”
-> {HKLM…CLSID} = “NeroDigitalColumnHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll” [file not found]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32\(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
SavShellExt\(Default) = “{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}”
-> {HKLM…CLSID} = “ContextMenuHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll” [“Sophos Plc”]
WinRAR\(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SavShellExt\(Default) = “{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}”
-> {HKLM…CLSID} = “ContextMenuHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll” [“Sophos Plc”]
WinRAR\(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
SavShellExt\(Default) = “{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}”
-> {HKLM…CLSID} = “ContextMenuHandler Class”
\InProcServer32\(Default) = “C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll” [“Sophos Plc”]
SpySweeper\(Default) = “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}”
-> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration”
\InProcServer32\(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [file not found]
WinRAR\(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SpySweeper\(Default) = “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}”
-> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration”
\InProcServer32\(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [file not found]
Group Policies {GPedit.msc branch and setting}:
———————————————–
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
“DisableTaskMgr” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
—————————–
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “%APPDATA%\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\Owner\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp”
Windows Portable Device AutoPlay Handlers
—————————————–
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
DVDFabDecrypterOnDVDArrival\
“Provider” = “DVDFab Decrypter”
“InvokeProgID” = “DVDFabDecrypterOpen”
“InvokeVerb” = “Open”
HKLM\SOFTWARE\Classes\DVDFabDecrypterOpen\shell\Open\command\(Default) = “C:\PROGRA~1\DVDFAB~1\DVDFAB~1.EXE” [file not found]
DVDFabHDDecrypterOnDVDArrival\
“Provider” = “DVDFab HD Decrypter”
“InvokeProgID” = “DVDFabHDDecrypterOpen”
“InvokeVerb” = “Open”
HKLM\SOFTWARE\Classes\DVDFabHDDecrypterOpen\shell\Open\command\(Default) = “E:\PROGRA~1\DVDFAB~1\DVDFAB~1.EXE” [file not found]
iTunesBurnCDOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.BurnCD”
“InvokeVerb” = “burn”
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = “”C:\Program Files\iTunes\iTunes.exe” /AutoPlayBurn “%L”” [“Apple Computer, Inc.”]
iTunesImportSongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.ImportSongsOnCD”
“InvokeVerb” = “import”
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = “”C:\Program Files\iTunes\iTunes.exe” /AutoPlayImportSongs “%L”” [“Apple Computer, Inc.”]
iTunesPlaySongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.PlaySongsOnCD”
“InvokeVerb” = “play”
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = “”C:\Program Files\iTunes\iTunes.exe” /playCD “%L”” [“Apple Computer, Inc.”]
iTunesShowSongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.ShowSongsOnCD”
“InvokeVerb” = “showsongs”
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = “”C:\Program Files\iTunes\iTunes.exe” /AutoPlayShowSongs “%L”” [“Apple Computer, Inc.”]
MSWPDShellNamespaceHandler\
“Provider” = “@%SystemRoot%\System32\WPDShextRes.dll,-501”
“CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}”
“InitCmdLine” = ” ”
-> {HKLM…CLSID} = “WPDShextAutoplay”
\LocalServer32\(Default) = “C:\WINDOWS\system32\WPDShextAutoplay.exe” [MS]
-
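One way to triage a log like the one above mechanically, added here as an example and not part of the thread: it parses Silent Runners-style lines and scores each file reference by the key it loads from and by the bracketed marker Silent Runners appends (the company name from the file's version information, [MS] for Microsoft, [null data] when the file has no version information, [file not found] when the path is missing, [empty string] when the company field is blank). The sample log is a constructed excerpt modelled on entries in the post, and the location weights, thresholds and the BHO-title and system32 heuristics are my own assumptions, not Silent Runners' rules.

```python
"""Triage a Silent Runners log: rank startup entries by how suspicious they look."""
import re
from dataclasses import dataclass

# Constructed excerpt in Silent Runners format, modelled on the entries in the thread's log.
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{C806F694-06A1-1033-0819-050831010001}" = ""C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe" mc-110-12-0000140" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"dvd43" = "C:\Program Files\dvd43\dvd43_tray.exe" [empty string]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{933ED98E-57E9-11DD-BF82-A36255D89593}\(Default) = "CUNta"
  -> {HKLM...CLSID} = "CUNta"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\cunta.dll" ["Insoft"]
{B03C703B-B8AE-9059-F9DA-B7DEBBB75BBB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\gpa.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> daebefeabc\DLLName = "C:\WINDOWS\system32\daebefeabc.dll" [null data]
<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
'''

KEY_RE = re.compile(r'^(?P<key>HK(?:LM|CU)\\.*?\\)\s*(?:\{\+\+\})?\s*$')   # key header line
TITLE_RE = re.compile(r'^-> \{HKLM[^}]*CLSID\} = (?P<title>.*)$')         # CLSID title line
MARKER_RE = re.compile(r'\[(?P<marker>[^\[\]]*)\]\s*$')                    # trailing [marker]
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys))', re.IGNORECASE)
NAME_RE = re.compile(r'([\w.-]+\.(?:exe|dll|sys))', re.IGNORECASE)

# Assumed weights (my own, not Silent Runners' rules) for autostart and hook locations.
LOCATION_WEIGHT = {
    "\\Policies\\Explorer\\Run\\": 2,   # rarely used by legitimate installers
    "\\Winlogon\\Notify\\": 1,
    "\\Browser Helper Objects\\": 1,
    "\\CurrentVersion\\Run\\": 1,
    "\\CurrentVersion\\RunOnce\\": 1,
}
# What the bracketed marker Silent Runners appends to a file reference tells you.
MARKER_SCORE = {
    "null data": 2,        # binary carries no version resource at all
    "file not found": 1,   # orphaned entry: a leftover, or a loader whose payload is gone
    "empty string": 1,     # version resource present but the company field is blank
}

@dataclass
class Entry:
    key: str          # registry key the line was listed under
    path: str         # file the entry points at (raw value if no path was recognised)
    marker: str       # marker text without brackets or quotes, e.g. MS, null data
    clsid_title: str  # for BHOs: title registered under HKLM\...\CLSID, else ""

def parse_entries(log_text):
    """Walk the log; every line ending in a [marker] under a key header becomes an Entry."""
    entries, key, clsid_title = [], None, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key, clsid_title = m.group("key"), ""
            continue
        m = TITLE_RE.match(line)
        if m:
            clsid_title = m.group("title").strip('"')
            continue
        m = MARKER_RE.search(line)
        if key is None or not m:
            continue
        value = line[:m.start()]
        pm = PATH_RE.search(value) or NAME_RE.search(value)
        entries.append(Entry(key, pm.group(1) if pm else value.strip(),
                             m.group("marker").strip('"'), clsid_title))
        clsid_title = ""
    return entries

def score_entry(e):
    """Return (score, reasons) from location, marker, load path and BHO naming."""
    score, reasons = 0, []
    weight = max((w for k, w in LOCATION_WEIGHT.items() if k.lower() in e.key.lower()), default=0)
    if weight:
        score += weight
        reasons.append("autostart or hook location")
    if e.marker in MARKER_SCORE:
        score += MARKER_SCORE[e.marker]
        reasons.append(f"marker [{e.marker}]")
    if "\\system32\\" in e.path.lower() and e.marker != "MS":
        score += 1
        reasons.append("non-Microsoft binary loaded from the system directory")
    if "Browser Helper Objects" in e.key and e.clsid_title == "(no title provided)":
        score += 2
        reasons.append("BHO whose CLSID has no registered title")
    return score, reasons

def triage(log_text, threshold=2):
    """(score, entry, reasons) for entries at or above threshold, most suspicious first."""
    scored = [(s, e, r) for e in parse_entries(log_text) for s, r in [score_entry(e)]]
    return sorted([t for t in scored if t[0] >= threshold], key=lambda t: -t[0])
```

Run `triage(SAMPLE_LOG)` to get the ranked list; the two unnamed or version-less DLLs in system32 come out on top, while the signed vendor entries fall below the threshold.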
August 3, 2008 at 9:51 pm #2911528
A couple more steps
by rob miners · about 14 years, 5 months ago
In reply to Silent Runners Log
Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.
Cleaner: Windows
When you first open Ccleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.
You don’t have to install all of the add ons or shortcuts just the one to the Desktop.
http://www.ccleaner.com/download
What, apart from HijackThis, isn’t working?
Go to Start, All Programs and System Tools, Click Internet Explorer (No Add-ons)
Restart Internet Explorer. If it runs smoothly, then it can be determined that one of the add-ons was causing the problem. You will need to continue troubleshooting this issue until you find out which add on was causing the problem.
-
August 3, 2008 at 10:32 pm #2911521
Still not there
by brian.mccrady · about 14 years, 5 months ago
In reply to A couple more steps
CCleaner complete – no registry issues.
IE – even with no add-ons, if I type hijackthis in the Google search bar, IE stops and puts me back to the desktop.
Hijack this still doesn’t work.
-
August 4, 2008 at 12:36 pm #2911312
USB Stick
by brian.mccrady · about 14 years, 5 months ago
In reply to No and yes
Doesn’t seem to accomplish anything. autorun.inf and m.exe are on the stick before and after the del process. I can run the drive through Sophos which always picks up m.exe as belonging to Mal/Generic-A and I can clean it up but it comes right back within seconds. m.exe is part of Win32.x
-
August 4, 2008 at 12:49 pm #2911308
Try and format it
by rob miners · about 14 years, 5 months ago
In reply to USB Stick
as FAT32 and see if that gets rid of it.
-
August 4, 2008 at 1:28 pm #2911289
You’ve lost me
by brian.mccrady · about 14 years, 5 months ago
In reply to Try and format it
I don’t understand the reasoning behind formatting the USB stick? The m.exe file is being added to the stick from the system somehow. I’ve erased it countless times and it comes right back. Sorry if I’m missing something elemental here….. Wouldn’t be the first time.
-
August 4, 2008 at 1:42 pm #2911282
From which system
by rob miners · about 14 years, 5 months ago
In reply to You’ve lost me
Upon execution, the worm copies itself to the following location.
%WinDir%\msmsgs.exe
It drops the following files:
%WinDir%\Debug\sysdeb.ini (data file)
%UserProfile%\Local Settings\Temp\windll.exe (BackDoor-CEP trojan)
%SystemDir%\explorer.exe (BackDoor-CEP trojan)
The worm adds the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“Windows Messenger” = %WinDir%\msmsgs.exe
The dropped BackDoor-CEP trojan adds the following registry keys:
HKEY_CURRENT_USER\Software\Wget
“klg” = 01
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
“nck” = (binary data)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
“stubpath” = %SystemDir%\explorer.exe s
The BackDoor-CEP trojan attempts to connect to the following remote site and waits for commands.
christophe.[removed].net port:80
Symptoms
Presence of file(s) and registry key(s) as previously mentioned. Unexpected network connections to the mentioned site(s).
Method of Infection
The worm attempts to drop the following files into the removable drives:
autorun.inf (root folder)
Recycler\Recycler\autorun.exe (W32/CEP.worm)
Recycler\Recycler\desktop.ini
MANUALLY try to delete it following the steps below.
When Adware.TargetSaver is executed, it performs the following actions:
May create one or more of the following folders:
%Program Files%\Common Files\tsa
%Program Files%\Common Files\tsa\rainbow
%Program Files%\Common Files\[random four letter name]
%Program Files%\Common Files\[random four letter name]\[random four letter name]d
%Windir%\[random four letter name]
Note:
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
May create one or more of the following files:
%Program Files%\Common Files\tsa\inst.dat
%Program Files%\Common Files\tsa\ts2.exel
%Program Files%\Common Files\tsa\ts2lock
%Program Files%\Common Files\tsa\tsl2.exe
%Program Files%\Common Files\tsa\tsm2.exe
%Program Files%\Common Files\tsa\tsm2lock
%Program Files%\Common Files\tsa\tsm2.exe
%Program Files%\Common Files\tsa\tsm2lock
%Program Files%\Common Files\tsa\tsp2.exe
%Program Files%\Common Files\tsa\tsuninst.exe
%Program Files%\Common Files\tsa\wu
%Program Files%\Common Files\tsa\rainbow\class-barrel
%Program Files%\Common Files\tsa\rainbow\classify.dll
%Program Files%\Common Files\tsa\rainbow\vocabulary
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]a.exe
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]a.lck
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]l.exe
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]l.lck
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.lck
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]p.exe
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\class-barrel
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\[RANDOM FOUR LETTER NAME]c.dll
%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\vocabulary
%UserProfile%\Temp\tsupdate_[VERSION NUMBER]_b2.exe
%Windir%\[RANDOM FOUR LETTER NAME]\wu
%Windir%\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]z.dat
%System%\tsuninst.exe
Notes:
%UserProfile% is a variable that refers to the current user’s profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
May add the following value:
“Tsa2” = “%Program Files%\Common Files\tsa\tsm2.exe”
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
May add one or more of the following values:
“[RANDOM FOUR LETTER NAME]” = “%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe”
to the registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\TSA
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM FOUR LETTER NAME]
HKEY_CURRENT_USER\SOFTWARE\TSA
HKEY_CURRENT_USER\SOFTWARE\[RANDOM FOUR LETTER NAME]
HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\[RANDOM FOUR LETTER NAME]
Downloads updates from a remote site.
Monitors open windows for words from the vocabulary file.
Displays advertisements using pop-up and pop-under windows.
REMOVAL
Note: This adware may include an uninstaller. The uninstaller file is usually %Program Files%\Common Files\tsuninst.exe. Using Windows Explorer, see if this file exists.
If you cannot find the file, follow the instructions below.
If the file does exist, double-click it and follow any prompts. After the uninstaller is finished, to make sure that the threat has been removed, follow the instructions below.
The following instructions pertain to all Symantec antivirus products that support security risk detection.
Update the definitions.
Run a full system scan.
Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.
1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.
2. To run the scan
Start your Symantec antivirus program, and then run a full system scan.
If any files are detected, and depending on which software version you are using, you may see one or more of the following options:
Note: This applies only to versions of Norton AntiVirus that support security risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports security risk detection, and security risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.
Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.
Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.
To actually delete the security risk:
Click its file name (under the Filename column).
In the Item Information box that displays, write down the full path and file name.
Then use Windows Explorer to locate and delete the file.
If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer. Restart the computer in Normal mode.
Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
If you see a message, “Delete Failed” (or similar message), manually delete the file.
Click the file name of the risk that is under the Filename column.
In the Item Information box that displays, write down the full path and file name.
Then use Windows Explorer to locate and delete the file.
If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer. Restart the computer in Normal mode.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.
Warning messages may be displayed when the computer is restarted, since the risk may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
Click Start > Run.
Type regedit
Then click OK.
Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
“Tsa2” = “%Program Files%\Common Files\tsa\tsm2.exe”
Navigate to the subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
“[RANDOM FOUR LETTER NAME]” = “%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe”
Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\TSA
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM FOUR LETTER NAME]
HKEY_CURRENT_USER\SOFTWARE\TSA
HKEY_CURRENT_USER\SOFTWARE\[RANDOM FOUR LETTER NAME]
HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\[RANDOM FOUR LETTER NAME]
Exit the Registry Editor.
http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-121515-0757-99
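As an added example (not from the thread or the writeups pasted above), a small autorun.inf inspector of the kind a removable-drive triage script would use: it reads the [autorun] section tolerantly, reports every command the shell could launch, and flags a program that lives inside a Recycler-style folder, the drop pattern the W32/CEP.worm writeup describes. The sample autorun.inf is constructed, and the recycle-bin folder heuristic is my own assumption.

```python
"""Inspect an autorun.inf and report what the shell would launch from a removable drive."""
import re

# Constructed sample modelled on the drop pattern in the W32/CEP.worm writeup above;
# the junk line imitates the padding such files often carry to confuse naive INI parsers.
SAMPLE_AUTORUN = r'''
[AutoRun]
;x8fj2 kq9 junk
open=Recycler\Recycler\autorun.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=Recycler\Recycler\autorun.exe
shell\explore\command=Recycler\Recycler\autorun.exe
useautoplay=1
'''

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
# Assumed heuristic: a real recycle-bin folder never holds a program the shell should run.
BIN_DIR_RE = re.compile(r'(^|\\)(recycler|recycled|\$recycle\.bin)(\\|$)', re.IGNORECASE)

def parse_autorun(text):
    """Tolerant read of the [autorun] section: keys lowercased, junk lines ignored."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            values[k.strip().lower()] = v.strip()
    return values

def launch_targets(values):
    """Keys whose value the shell may execute: open=, shellexecute=, shell\\<verb>\\command=."""
    return {k: v for k, v in values.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}

def first_token(cmd):
    """The program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def assess(text):
    """Return (verdict, findings); each finding is (key, program, reasons)."""
    findings = []
    for key, cmd in launch_targets(parse_autorun(text)).items():
        exe, reasons = first_token(cmd), []
        if exe.lower().endswith(EXEC_EXT):
            reasons.append("launches an executable stored on the drive")
        if BIN_DIR_RE.search(exe):
            reasons.append("program hidden in a recycle-bin lookalike folder")
        findings.append((key, exe, reasons))
    verdict = "suspicious" if any(r for _, _, r in findings) else "clean"
    return verdict, findings
```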
-
August 2, 2008 at 9:58 pm #2919041
Can you get HiJackThis
by rob miners · about 14 years, 6 months ago
In reply to IE Hijacker
to run in Safe Mode and post the log file.
-
August 3, 2008 at 6:13 am #2919000
No, it won’t
by brian.mccrady · about 14 years, 6 months ago
In reply to Can you get HiJackThis
I’ve tried to run it in safe mode. I’ve tried to rename the file. No luck getting it to run.
-
August 3, 2008 at 1:53 pm #2918914
Try this
by rob miners · about 14 years, 6 months ago
In reply to No, it won’t
Click on Start, Run and type in msconfig and press Enter. Disable the RunUpdater.exe and RunPatch.exe entries in the list on the Startup Tab and restart the PC. See if you can run HijackThis. If you can’t, go to step two, remembering to make a Backup in case anything goes wrong.
Start, Run and type in regedt32 and press Enter. Navigate to these Run Keys and look for RunUpdater.exe, RunPatch.exe and delete them.
There are seven Run keys in the registry that cause programs to be run automatically:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
-
August 3, 2008 at 5:24 pm #2918874
Getting closer
by brian.mccrady · about 14 years, 6 months ago
In reply to Try this
Couldn’t find runpatch or updater in the registry keys but did find some other nasties: csrrs and access2007a. Deleted both of those.
On restart, runpatch and uploader are no longer appearing in the c:/documents and settings/owner file, but Hijackthis will still not start (not in normal mode; haven’t tried safe mode yet; nope to safe mode too)
I ran a full Ad-Aware in safe mode and did get an indication of malware in HKLM/system/controlset001/control/safeboot/minimal//ctl_w32l.sys, but I could neither delete it nor send it to quarantine.
Really appreciate the help so far.
Any other ideas?
-
August 3, 2008 at 5:39 pm #2918870
See if this will help
by rob miners · about 14 years, 5 months ago
In reply to Getting closer
do an online scan with Bitdefender.
-
August 3, 2008 at 6:57 pm #2918846
BitDefender log
by brian.mccrady · about 14 years, 5 months ago
In reply to See if this will help
Log is attached
BitDefender Online Scanner
Scan report generated at: Sun, Aug 03, 2008 – 19:50:30
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:56:01
Files: 119830
Folders: 4863
Boot Sectors: 4
Archives: 902
Packed Files: 5624

Results
Identified Viruses: 8
Infected Files: 17
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 17

Engines Info
Virus Definitions: 1414001
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 43
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File  [Status]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip=>fhrapp.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip=>fhrapp.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip=>fhrapp.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip=>nli-bcb6kg.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip=>nli-bcb6kg.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip=>nli-bcb6kg.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip=>tca_cfatestkg.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip=>tca_cfatestkg.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip=>tca_cfatestkg.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip=>fff-ea123.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip=>fff-ea123.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip=>fff-ea123.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip=>HollywoodFX 4.5.2.25 Gold Crack.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip=>HollywoodFX 4.5.2.25 Gold Crack.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip=>HollywoodFX 4.5.2.25 Gold Crack.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip=>teamCODEX MOA2007/CRACK.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip=>teamCODEX MOA2007/CRACK.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip=>teamCODEX MOA2007/CRACK.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>EXTWISE.EXE=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>EXTWISE.EXE=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>EXTWISE.EXE=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>exwise.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>exwise.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>exwise.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>sfreg.exe=>(CAB Sfx r)=>t.exe  [Infected with: Trojan.Generic.370470]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>sfreg.exe=>(CAB Sfx r)=>t.exe  [Deleted]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>sfreg.exe=>(CAB Sfx r)  [Update failed]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-32089521=>OP.class  [Infected with: Trojan.Exploit.Java.Byteverify.L]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-32089521=>OP.class  [Deleted]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-32089521  [Updated]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>OwnClassLoader.class  [Infected with: Trojan.Exploit.Byteverify.V]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>OwnClassLoader.class  [Deleted]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710  [Updated]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>ProxyClassLoader.class  [Infected with: Trojan.Exploit.Byteverify.AC]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>ProxyClassLoader.class  [Deleted]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710  [Updated]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>Installer.class  [Infected with: Trojan.Downloader.Java.Agent.A]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>Installer.class  [Deleted]
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710  [Updated]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\1217391382[1].exe  [Infected with: Trojan.Downloader.Small.AAQX]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\1217391382[1].exe  [Deleted]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[1].htm  [Infected with: Trojan.Downloader.JS.Psyme.SG]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[1].htm  [Disinfection failed]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[1].htm  [Deleted]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[2].htm  [Infected with: Trojan.Downloader.JS.Psyme.SG]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[2].htm  [Disinfection failed]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[2].htm  [Deleted]
C:\WINDOWS\system32\92c642fb10056c59727f39e6b60f83e0.TMP  [Infected with: Trojan.Inject.IZ]
C:\WINDOWS\system32\92c642fb10056c59727f39e6b60f83e0.TMP  [Deleted]
-
August 3, 2008 at 7:13 pm #2918841
One more
by rob miners · about 14 years, 5 months ago
In reply to BitDefender log
http://housecall.trendmicro.com/au/
I am certainly earning my Thumbs on this one.
Let us know how it is going eh!
-
August 3, 2008 at 10:56 pm #2911518
Try this link
by rob miners · about 14 years, 5 months ago
In reply to IE Hijacker
http://www.majorgeeks.com/download.php?det=3155
I really need to look at a log file from HT if at all possible, but if not, another log from Silent Runners will have to do, and then I will have to do a bit of research. You could also try this.
How to reinstall or repair Internet Explorer in Windows XP
-
August 3, 2008 at 11:22 pm #2911515
Root maybe?
by kron1109 · about 14 years, 5 months ago
In reply to IE Hijacker
You said you ran Sophos and others; did your scan include rootkit detection?
Also is your boot slower than normal?
-
August 4, 2008 at 12:54 am #2911504
Good thinkin
by rob miners · about 14 years, 5 months ago
In reply to Root maybe?
I’ll supply the links. 😉
BitDefender RootkitUncover
http://www.majorgeeks.com/BitDefender_RootkitUncover_d5157.html
RootkitRevealer v1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
When you think that you are clean, re-enable System Restore.
-
August 4, 2008 at 5:40 am #2911440
Rootkit
by brian.mccrady · about 14 years, 5 months ago
In reply to Good thinkin
The BitDefender program ran and found one file and renamed it.
However, I couldn’t access the technet file from the infected computer (when I tried to access the file, I got kicked back to the desktop). I accessed the file from a clean computer and e-mailed it to the bad one, but it acts the same as HiJackThis; the computer won’t let me run it.
-
August 4, 2008 at 6:16 am #2911429
Try running it in safe mode with no networking.
by dumphrey · about 14 years, 5 months ago
In reply to Rootkit
And if you’re comfortable with services etc. on your computer, then DarkSpy or IceSword may be able to let you find the suspect service. Both are good programs and not as mainstream as HT.
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/software/IceSword.htm
My preference is for DarkSpy. I like its process viewer. Either burn to a CD or put on a flash drive from a “clean” computer and copy to the infected machine in safe mode.
-
August 4, 2008 at 10:57 am #2911348
still problematic
by brian.mccrady · about 14 years, 5 months ago
In reply to Try running it in safe mode with no networking.
While trying to open DarkSpy I ended up somehow adding a minor problem (IEDefender) to my clean computer. SpyBot got rid of it, but I’m getting nervous moving between the two.
I also noticed that the main problem computer (C1 for short; I’ll call the clean one C2) is adding a file (m.exe) to my E: drive (that’s the USB port drive). I can clean it off, or delete it, but it comes right back. Sophus says it’s part of Mal/Generic-A.
OK, I got DarkSpy on C1 and it gives me an error message “fails to start” in Safe Mode. It runs in normal mode, but what do I do with the results? I’ve got various tabs… the machine just crashed; I’ve rebooted. Should I run DarkSpy again…
Advice please before I go any farther.
Many thanks for all the help so far.
-
August 4, 2008 at 11:47 am #2911332
DarkSpy running
by brian.mccrady · about 14 years, 5 months ago
In reply to still problematic
I have DarkSpy operational. I have info on the process tabs which doesn’t seem to point to anything I don’t recognize as OK.
-
August 4, 2008 at 12:19 pm #2911316
Try this on your USB stick
by rob miners · about 14 years, 5 months ago
In reply to DarkSpy running
One of the ways by which a virus can infect your PC is through USB/pen drives. Common viruses such as “Ravmon”, “New Folder.exe”, “Orkut is banned” etc. are spreading through USB drives. Most anti-virus programs are unable to detect them and even if they do, in most cases they are unable to delete the file, only quarantine it. Here are the things which you can do if you want to remove such viruses from your USB drives.
Don’t click on OK, just choose “Cancel”. Open the Command Prompt by typing “cmd” in the Run box. In the command prompt type the drive letter: and press Enter. Now type dir /w/a and press Enter.
This will display a list of the files in the pen drive. Check whether the following files are there or not:
Autorun.inf
Ravmon.exe
New Folder.exe
svchost.exe
Heap41a
or any other exe file which may be suspicious.
If any of the above files are there, then probably the USB drive is infected. In the command prompt type attrib -r -a -s -h *.* and press Enter. This will remove the Read Only, Archive, System and Hidden file attributes from all the files. Now just delete the files using the command del filename, for example del Ravmon.exe. Delete all the files that are suspicious. To be on the safe side, just scan the USB drive with an anti-virus program to check whether it is free of viruses or not. Now remove the drive and plug it in again. In most cases, the real culprit turns out to be the “Autorun.inf” file, which mostly gets executed when someone clicks OK in the dialog window which appears above. Thus the infections can spread.
http://www.whoismadhur.com/2008/01/26/how-to-remove-virus-from-usb-drives/
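An added example, not part of the post or the linked article: a Python triage of the drive listing and autorun.inf contents described above. It reports the file names the post lists, system-plus-hidden executables on the drive, and whatever the autorun.inf would launch (open=, shellexecute= and shell\<verb>\command=), so the responder sees which file the autorun.inf points at before deleting anything. The listing, its attribute letters and the autorun.inf are constructed; m.exe is the name reported on the E: drive earlier in this thread.

```python
import re

# File names the post above tells the reader to look for on a USB drive.
SUSPECT_NAMES = {"autorun.inf", "ravmon.exe", "new folder.exe", "svchost.exe", "heap41a"}
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program on insert/double-click

def parse_autorun(text):
    """Return {key: value} from the [autorun] section of an autorun.inf, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def launched_programs(values):
    """(key, program) for every value that makes Windows run something: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v.split()[0].strip('"')) for k, v in values.items()
            if v and (k in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k))]

def triage_drive(listing, autorun_text=""):
    """listing: (file name, attribute letters) pairs collected from the drive; returns {name: reasons}."""
    findings = {}
    for name, attrs in listing:
        reasons = []
        if name.lower() in SUSPECT_NAMES:
            reasons.append("name listed in the post")
        if {"S", "H"} <= set(attrs) and name.lower().endswith(".exe"):
            reasons.append("system+hidden executable on removable media")
        if reasons:
            findings[name] = reasons
    for key, prog in launched_programs(parse_autorun(autorun_text)):
        findings.setdefault(prog, []).append(f"launched by autorun.inf {key}=")
    return findings

# Constructed sample: a listing with attribute letters as attrib shows them, plus an autorun.inf pointing at the m.exe from this thread.
SAMPLE_LISTING = [("autorun.inf", "ASH"), ("m.exe", "ASH"), ("holiday photos", "D"),
                  ("report.doc", "A"), ("New Folder.exe", "ASH")]
SAMPLE_AUTORUN = r"""[autorun]
; constructed for this example
open=m.exe
icon=m.exe,0
shell\open\command=m.exe
action=Open folder to view files
"""
```

`triage_drive(SAMPLE_LISTING, SAMPLE_AUTORUN)` flags autorun.inf, New Folder.exe and m.exe, the last with both the attribute reason and the two autorun.inf keys that launch it.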
-
August 4, 2008 at 1:54 pm #2911272
You know
by rob miners · about 14 years, 5 months ago
In reply to IE Hijacker
from the amount of time that we have been trying to remove this parasite, you could have backed up and reinstalled several times. It is starting to look to me that you may have inadvertently infected the second PC. If this virus is on the USB stick that has been placed in both PCs, there is a possibility that it is infected as well.
If the previous instructions have no effect you may want to consider a reinstall.
-
August 6, 2008 at 10:49 pm #2932567
Clean!
by brian.mccrady · about 14 years, 5 months ago
In reply to You know
I finally got HJT running by finding a rogue .exe in the registry and removing it. Once that was done, the final cleanup went rather smoothly. Thanks for the help.
-
August 6, 2008 at 11:40 pm #2932564