Another Hijackthis log

I'm visiting my elderly parents over the holidays and doing routine maintenance on their computer. They got a cable connection in the 18 months since I've seen this box and it was loaded with Spyware and Adware. Luckily I had Norton Anti-Virus installed and it deleted over 30 viruses that their friends had e-mailed them.

Anyway, I've used Spybot, Spyware Blaster and Spyware Remover and found over 85 Spywar Registry Entries and Cookies. I was getting inundated with Web popups and Messenger popups until I installed Norton Internet Security. I've got a cable router at home and had no idea an unprotected box was this vulnerable.

I'm wondering about this entry I see in Task Manager/Processes: C:\WINNT\System32\Lun8s9.exe

I also wonder about these two entries in the Hijackthis log:
C:\WINNT\System32\RhlN18.exe
C:\WINNT\System32\Glq3dK.exe

Do those items suspicious to anyone else?

Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 7:10:12 PM, on 12/25/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\UTILIT~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\RhlN18.exe
C:\WINNT\System32\Glq3dK.exe
C:\Downloads\hijackthis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Docs/HomePage.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchnav.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\UTILIT~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Utilities\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3SRD7@@5YQPWHP] C:\WINNT\System32\Lun8s9.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.6414351852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

 

The things you mentioned are suspicious for me too - in has an unclear name, the author may think "the user will not know what this is about, he will not dare to delete it and so my spyware will be left installed".. but I am no moderator here

And this is suspicious for me too:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Docs/HomePage.htm - Main Start Page as a file What the heck? I smell something fishy here

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present - this is indeed some bastard, the mods recommend to delete it everytime I see it

But it will be better for you to wait until some moderator shows up and will tell you his opinion

 

Hi Lars,

You were right being suspicious about those files, they are part of the peper trojan.

Let's get you cleaned out in the following way :

Download and run this file to fix Peper Trojan:
http://home01.wxs.nl/~kleyn080/uninst.exe
double click on 'uninst.exe', let it run and terminate.

To delete all the associated files download the following tool:
http://www.mjc1.com/files/mo/drpeper.html

It will self extract to C:\

Find :

C:\drpeper\Find backup and Delete Peper files.vbs file and double click.

On the first prompt copy and paste: RhlN18.exe and hit ok.

You will get a confirmation and proceed:

On the second, paste: Lun8s9.exe and hit ok

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.

Then in hijackthis fix the following :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchnav.com

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Can you tell us if they maybe run a local homepage from a network? Or what their normal startpage is

Reboot after doing so

Hope this helps,

Cheers,

 

>Can you tell us if they maybe run a local homepage from a network? >Or what their normal startpage is

Yes, I've created a custom start page (html document) for them with a search engine and their favorite URLs.

>Hope this helps,

It helps immensely. I followed your instructions, but had to run Hijack twice to get rid of this entry:
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

After running Hijackthis again and checking that entry it was successfully removed.

What is your advice about Cookies. For example, in Internet Explorer| Internet Options | Privacy, is the Medium setting enough or should it be set higher? My folks need to accept some Cookies so their settings are remembered at sites like NY Times, etc.

Thanks a million for all your help and for running this great forum. Have a happy Holidays.

Lars

 

Hi Lars,

Good job cleaning up, sometimes the entries can be real stubborn

About the coockies :

In the privacy tab, always make sure that third party cookies are blocked.

Also there are some good cookie managers like CookieWall (free!) that allow you to perfectly manage the cookies, decide which ones to block, which ones to keep, track per sesion etc...

CookieWall

Hope all is well again and happy hollidays to you as well

Take care

Cheers,