A computer full o' garbage; and not quite clean yet (HijackThis file)

Discussion in 'adware, spyware & hijack cleaning' started by phillyphil, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. phillyphil (Registered Member; joined Jul 1, 2004; 3 posts)
    Here's the scoop on this one (a customer's computer):

    1. Scanned with Ad-Aware & Spybot w/latest updates; about 500+ total references to garbage; all removed. Secondary checks came clean.
    2. Tried to install Windows Updates from CD (then from online), but 7 of them simply would not install (I know this because we ARE now able to get online, and Windows Update never "updates"--tells me I need to download and install the same updates over and over).
    3. Scanned online with Trend Micro's HouseCall; found 14 viruses, some duplicates. They were:

    BKDR SANDBOX.A
    TROJ STILEN.A
    TROJ AGENT.EB
    TROJ ALECHEMIC.A
    TROJ SIBOCA.A
    CHM PSYME.C
    JS IESTART.PS
    JS INOR.M

    4. I'm going back to this customer's house to finish this tomorrow. I'll research the viruses, but can you kind folks have a look at the HijackThis log posted below? Thanks.



    Logfile of HijackThis v1.97.7
    Scan saved at 9:28:31 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\documents and settings\craig\local settings\temp\r.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\INTERN~3\inetmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\WINDOWS\System32\tktupgrd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\PROGRA~1\INTERN~3\inetsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Documents and Settings\Craig\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
    R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\Run: [xanix] C:\WINDOWS\xanix.exe
    O4 - HKLM\..\Run: [wvwdudqxce] C:\WINDOWS\System32\wyeveuft.exe
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [WebRebates] wjview /cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [SpyDeleter] C:\Program Files\SpyDeleter\SpyDeleter.exe
    O4 - HKLM\..\Run: [r] C:\documents and settings\craig\local settings\temp\r.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mswspl] c:\installer\id53.exe
    O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [kzchytqj] C:\WINDOWS\kzchytqj.exe
    O4 - HKLM\..\Run: [jbgsljzun] C:\WINDOWS\nixx.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
    O4 - HKLM\..\Run: [dite] C:\WINDOWS\System32\dite.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AutoLoader20421dTWIYPW] "C:\WINDOWS\System32\spxgrcoi.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [2XDT3XQ26B@PFY] C:\WINDOWS\System32\Wduy.exe
    O4 - HKLM\..\Run: [27nk3pO] spxgrcoi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\System32\wintsvtr.exe
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - HKCU\..\Run: [Jw4qRfi2T] tktupgrd.exe
    O4 - HKCU\..\Run: [iedkcs32] C:\WINDOWS\System32\iedkcs32.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8168.7829050926
  2. Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; B.C. Canada)
    Hi phillyphil

    What a collection :(

    Download the Peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.


    Pls. put HJT in its OWN folder like C:\HijackThis. The program will make backups and you want them in the same folder.

    Check the following items in HijackThis - close ALL windows/browsers EXCEPT HijackThis and click "Fix checked":

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7

    R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll

    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

    Any idea what this is?
    O4 - HKLM\..\Run: [xanix] C:\WINDOWS\xanix.exe
    If UNKNOWN - pls. check!

    O4 - HKLM\..\Run: [wvwdudqxce] C:\WINDOWS\System32\wyeveuft.exe

    O4 - HKLM\..\Run: [WebRebates] wjview /cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

    Is this a "legitimate" one?
    O4 - HKLM\..\Run: [SpyDeleter] C:\Program Files\SpyDeleter\SpyDeleter.exe

    O4 - HKLM\..\Run: [r] C:\documents and settings\craig\local settings\temp\r.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <-- optional

    O4 - HKLM\..\Run: [mswspl] c:\installer\id53.exe

    O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

    O4 - HKLM\..\Run: [kzchytqj] C:\WINDOWS\kzchytqj.exe
    O4 - HKLM\..\Run: [jbgsljzun] C:\WINDOWS\nixx.exe

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O4 - HKLM\..\Run: [dite] C:\WINDOWS\System32\dite.exe

    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\Lycos\IEagent\Loader.exe

    O4 - HKLM\..\Run: [AutoLoader20421dTWIYPW] "C:\WINDOWS\System32\spxgrcoi.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [2XDT3XQ26B@PFY] C:\WINDOWS\System32\Wduy.exe
    O4 - HKLM\..\Run: [27nk3pO] spxgrcoi.exe

    O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\System32\wintsvtr.exe

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - HKCU\..\Run: [Jw4qRfi2T] tktupgrd.exe

    any idea?
    O4 - HKCU\..\Run: [iedkcs32] C:\WINDOWS\System32\iedkcs32.exe

    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML


    NOTE....even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files/folders IF still present:

    C:\Program Files\TV Media
    C:\WINDOWS\System32\automove.exe
    C:\WINDOWS\xanix.exe <--- see above !
    C:\WINDOWS\System32\wyeveuft.exe
    C:\Program Files\WebRebates
    c:\installer\id53.exe
    C:\Program Files\SpyDeleter <--- see above
    C:\documents and settings\craig\local settings\temp\r.exe
    c:\windows\msbb.exe
    C:\WINDOWS\kzchytqj.exe
    C:\WINDOWS\nixx.exe
    C:\Program Files\Internet Optimizer
    C:\WINDOWS\System32\dite.exe <----- see above !
    C:\Program Files\Lycos
    C:\WINDOWS\System32\spxgrcoi.exe
    C:\WINDOWS\System32\Wduy.exe
    C:\WINDOWS\System32\wintsvtr.exe
    C:\WINDOWS\System32\msmc.exe
    C:\WINDOWS\System32\iedkcs32.exe <---- see above !

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Go for free online Virus scans here:

    http://www.bitdefender.com/scan/Msie/index.php

    http://www.pandasoftware.es/activescan/activescan-com.asp

    http://www.ravantivirus.com/scan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
    http://www.wilders.org/anti_trojans.htm

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
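A triage pass over the log format, as an added example (not from the thread or from HijackThis itself): it parses the R0/R1, O2 and O4 line shapes seen in the posted log and flags the traits the fix list above keys on (start page set to a non-URL, a BHO whose file is missing, Run entries launching from a temp folder, bare filenames, random-looking names). The sample lines are copied from the log above, and the random-name rule is a rough heuristic of my own, not a rule from the thread.

```python
import re
# Constructed sample in the shape of the HijackThis v1.97 log posted above
# (entries copied from that post; not a fresh scan of any machine).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O4 - HKLM\..\Run: [r] C:\documents and settings\craig\local settings\temp\r.exe
O4 - HKLM\..\Run: [27nk3pO] spxgrcoi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wvwdudqxce] C:\WINDOWS\System32\wyeveuft.exe
"""
# Line shapes of the R0/R1, O2 and O4 sections as HijackThis prints them.
R_RE = re.compile(r"^R[01] - (HK\w+)\\.*,(Start Page|Default_Page_URL|Local Page) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\S+) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")

def looks_random(token):
    """Heuristic (my assumption): 7+ alphanumerics of which under a quarter are vowels."""
    chars = [c for c in token if c.isalnum()]
    return len(chars) >= 7 and sum(c.lower() in "aeiou" for c in chars) / len(chars) < 0.25

def triage(log_text):
    """Return [(line, [reasons])] for the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if m := R_RE.match(line):
            hive, setting, value = m.groups()
            if not value.lower().startswith(("http://", "https://")):
                reasons.append(f"{setting} in {hive} is not a URL")
        elif m := O2_RE.match(line):
            if "(no file)" in m.group(3) or "(file missing)" in m.group(3):
                reasons.append("BHO registered but its DLL is gone")
        elif m := O4_RE.match(line):
            name, command = m.group(3), m.group(4)
            exe = re.match(r'"?(.+?\.exe)', command, re.I)  # first .exe token, unquoted
            path = exe.group(1) if exe else command
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\temp\\" in path.lower():
                reasons.append("runs from a temp folder")
            if "\\" not in path:
                reasons.append("bare filename, resolved via PATH at logon")
            if looks_random(name) or looks_random(stem):
                reasons.append("random-looking name")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Entries it leaves alone (here the HKCU Yahoo start page and Symantec's ccApp) still need the usual lookup; the flags only order the work.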
  3. phillyphil (Registered Member; joined Jul 1, 2004; 3 posts)
    Hi Marianna,

    Thanks for your reply. After comparing notes with what you've listed, I believe I reached about the same conclusions as to what to get rid of and what NOT to get rid of. I've made the decision to pick up the customer's computer to work on at home instead of tonight onsite. Because there's so much there, I think I'll mentally need to take a break here and there to clean up this mess; can't really do that on a house call. As a computer repair person, you get caught between a rock and a hard place when it comes to an infection like this. First, you can't really tell how "deep" it is until you do some partial cleaning. By that time, you get so deep into the repair that you've spent several hours trying to clean it, and wish you would have opted to do a clean install instead. But that opens up its own can of worms: 1) Does the customer have all the disks necessary to do a clean install? 2) After the clean install, all patches for the OS need to be installed, and this takes time. 3) Data has to be backed up before the install to drag it over to the new install. 4) Can you figure out what items will still need drivers, do you have the chipset drivers, what programs will be reinstalled, etc., etc., etc., until your brain is going to pop. No real "winning" way to go in either direction. Both methods take A LOT of time.
  4. Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; B.C. Canada)
    I agree,

    a HUGE mess - but if you start with the Peper trojan - several files should go -

    But you are right - both ways will take a LONG time - YIKES.

    Then go for the Panda scan - maybe it can clean up all the "nasties"??

    Then scan again with Ad-Aware and Spybot S&D -

    Wishing you all the best.