A computer full o' garbage; and not quite clean yet (HiJack This file)

Here's the scoop on this one (a customer's computer):

1. Scanned with adaware & spybot w/latest updates; about 500+ total references to garbage; all removed. Secondary checks came clean.
2. Tried to install Windows Updates from CD (then from online), but 7 of them simply would not install (I know this because we ARE now able to get online, and Windows Update never "updates"--tells me I need to download and install the same updates over and over).
3. Scanned online with Trend Micro's Housecall; found 14 viruses, some duplicates. They were:

BKDR SANDBOX.A
TROJ STILEN.A
TROJ AGENT.EB
TROJ ALECHEMIC.A
TROJ SIBOCA.A
CHM PSYME.C
JS IESTART.PS
JS INOR.M

4. I'm going back to this customer's house to finish this tomorrow. I'll research the viruses, but can you kind folks have a look at the HiJack This log posted below Thanks.



Logfile of HijackThis v1.97.7
Scan saved at 9:28:31 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\documents and settings\craig\local settings\temp\r.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\tktupgrd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Documents and Settings\Craig\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [xanix] C:\WINDOWS\xanix.exe
O4 - HKLM\..\Run: [wvwdudqxce] C:\WINDOWS\System32\wyeveuft.exe
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WebRebates] wjview /cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [SpyDeleter] C:\Program Files\SpyDeleter\SpyDeleter.exe
O4 - HKLM\..\Run: [r] C:\documents and settings\craig\local settings\temp\r.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] c:\installer\id53.exe
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [kzchytqj] C:\WINDOWS\kzchytqj.exe
O4 - HKLM\..\Run: [jbgsljzun] C:\WINDOWS\nixx.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
O4 - HKLM\..\Run: [dite] C:\WINDOWS\System32\dite.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoLoader20421dTWIYPW] "C:\WINDOWS\System32\spxgrcoi.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [2XDT3XQ26B@PFY] C:\WINDOWS\System32\Wduy.exe
O4 - HKLM\..\Run: [27nk3pO] spxgrcoi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\System32\wintsvtr.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Jw4qRfi2T] tktupgrd.exe
O4 - HKCU\..\Run: [iedkcs32] C:\WINDOWS\System32\iedkcs32.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8168.7829050926

 

HI phillyphil

What a collection

Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.


Pls. put HJT in its OWN folder like C:\HijackThis. The program will make backups and you want them in the same folder.

Check the following items in HIjackthis - close ALL windows\browsers EXCEPT HijackThis and click "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7

R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

Any idea what this is?
O4 - HKLM\..\Run: [xanix] C:\WINDOWS\xanix.exe
If UNKNOWN - pls. check!

O4 - HKLM\..\Run: [wvwdudqxce] C:\WINDOWS\System32\wyeveuft.exe

O4 - HKLM\..\Run: [WebRebates] wjview /cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

Is this a "legitimate" one?
O4 - HKLM\..\Run: [SpyDeleter] C:\Program Files\SpyDeleter\SpyDeleter.exe

O4 - HKLM\..\Run: [r] C:\documents and settings\craig\local settings\temp\r.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <-- optional

O4 - HKLM\..\Run: [mswspl] c:\installer\id53.exe

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

O4 - HKLM\..\Run: [kzchytqj] C:\WINDOWS\kzchytqj.exe
O4 - HKLM\..\Run: [jbgsljzun] C:\WINDOWS\nixx.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [dite] C:\WINDOWS\System32\dite.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\Lycos\IEagent\Loader.exe

O4 - HKLM\..\Run: [AutoLoader20421dTWIYPW] "C:\WINDOWS\System32\spxgrcoi.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [2XDT3XQ26B@PFY] C:\WINDOWS\System32\Wduy.exe
O4 - HKLM\..\Run: [27nk3pO] spxgrcoi.exe

O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\System32\wintsvtr.exe

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Jw4qRfi2T] tktupgrd.exe

any idea?
O4 - HKCU\..\Run: [iedkcs32] C:\WINDOWS\System32\iedkcs32.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML


NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:

C:\Program Files\TV Media
C:\WINDOWS\System32\automove.exe
C:\WINDOWS\xanix.exe <--- see above !
C:\WINDOWS\System32\wyeveuft.exe
C:\Program Files\WebRebates
c:\installer\id53.exe
C:\Program Files\SpyDeleter <--- see above
C:\documents and settings\craig\local settings\temp\r.exe
c:\windows\msbb.exe
C:\WINDOWS\kzchytqj.exe
C:\WINDOWS\nixx.exe
C:\Program Files\Internet Optimizer
C:\WINDOWS\System32\dite.exe <----- see above !
C:\Program Files\Lycos
C:\WINDOWS\System32\spxgrcoi.exe
C:\WINDOWS\System32\Wduy.exe
C:\WINDOWS\System32\wintsvtr.exe
C:\WINDOWS\System32\msmc.exe
C:\WINDOWS\System32\iedkcs32.exe <---- see above !

Then reboot and use AdAware as described here:
https://www.wilderssecurity.com/showthread.php?t=15913

Then use the Disk Cleanup Utility to empty all your Temp folders.

Go for free online Virus scans here:

http://www.bitdefender.com/scan/Msie/index.php

http://www.pandasoftware.es/activescan/activescan-com.asp

http://www.ravantivirus.com/scan/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
http://www.wilders.org/anti_trojans.htm

Then Disable system restore: Instructions here
Reboot

Enable System Restore.

Pls. post another log.

 

Hi Marianna,

Thanks for your reply. After comparing notes with what you've listed, I believe I reached about the same conclusions as to what to get rid of and what NOT to get rid of. I've made the decision to pick up the customer's computer to work on at home instead of tonight onsite. Because there's so much there, I think I'll mentally need to take a break here and there to clean up this mess; can't really do that on a house call. As a computer repair person, you get caught between a rock and a hard place when it comes to an infection like this. First, you can't really tell how "deep" it is, until you do some partial cleaning. By that time, you get so deep into the repair, that you've spent several hours trying to clean it, and wish you would have opted to do a clean install instead. But that opens up its own can of worms: 1)Does the customer have all the disks necessary to do a clean install?; 2)After the clean install, all patches for the OS need installed, and this takes time; 3)Data has to be backed up before the install to drag it over to the new install; 4)Can you figure out what items will still need drivers, do you have the chipset drivers, what programs will be reinstalled, etc., etc., etc., until your brain is going to pop. No real "winning" way to go in either direction. Both methods take A LOT of time.

 

I agree,

a HUGE mess - but if you start with the Peper trojan - several files should go -

But you are right - both ways will take a LONG time - YIKES.

Then go for the Panda scan - maybe it can clean up all the "nasties"??

Then scan again with Ad aware and SpybotS&D -

Wishing you all the best .