Another Hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by Lars, Dec 25, 2003.

Thread Status:
Not open for further replies.
  1. Lars

    Lars Guest

    I'm visiting my elderly parents over the holidays and doing routine maintenance on their computer. They got a cable connection in the 18 months since I've seen this box and it was loaded with Spyware and Adware. Luckily I had Norton Anti-Virus installed and it deleted over 30 viruses that their friends had e-mailed them.

    Anyway, I've used Spybot, Spyware Blaster and Spyware Remover and found over 85 Spyware Registry Entries and Cookies. I was getting inundated with Web popups and Messenger popups until I installed Norton Internet Security. I've got a cable router at home and had no idea an unprotected box was this vulnerable.

    I'm wondering about this entry I see in Task Manager/Processes: C:\WINNT\System32\Lun8s9.exe

    I also wonder about these two entries in the Hijackthis log:
    C:\WINNT\System32\RhlN18.exe
    C:\WINNT\System32\Glq3dK.exe

    Do those items look suspicious to anyone else?

    Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:10:12 PM, on 12/25/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\UTILIT~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\RhlN18.exe
    C:\WINNT\System32\Glq3dK.exe
    C:\Downloads\hijackthis\HijackThis.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Docs/HomePage.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchnav.com
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [EM_EXEC] C:\UTILIT~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Utilities\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [3SRD7@@5YQPWHP] C:\WINNT\System32\Lun8s9.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.6414351852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
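The entries Lars is asking about can be picked out of a HijackThis log mechanically. The script below is an added example (not part of this thread and not HijackThis itself): it parses the O4 Run entries, the running-process list, the O1 hosts line and the R0/R1 start-page values from the log posted above, and flags what a practitioner would look at first. The "random name" heuristic (a 5-8 character stem mixing upper case, lower case and digits, like Lun8s9 or RhlN18), the "odd Run value name" check and the list of safe hosts-file targets are assumptions chosen to fit this log, not published detection rules. The sample input is constructed from the lines above.

```python
"""Triage a HijackThis log: random-named autostarts and processes, hosts-file
redirects, hijacked start-page values and IE policy locks.

Added example; not part of the original thread and not HijackThis code. The
heuristics below are assumptions chosen to fit the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above, plus a couple
# of benign Run entries so the heuristics have something to pass.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\RhlN18.exe
C:\WINNT\System32\Glq3dK.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Docs/HomePage.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchnav.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [3SRD7@@5YQPWHP] C:\WINNT\System32\Lun8s9.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""


@dataclass
class Finding:
    kind: str      # "autostart", "process", "hosts", "startpage" or "policy"
    subject: str   # file name, host name or registry value the finding is about
    detail: str


IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Heuristic (assumption): 5-8 chars mixing upper case, lower case and digits.
RANDOM_STEM_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z0-9]{5,8}$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a Run command: either a quoted path or text up to the
# first .exe/.cpl/.dll/.scr that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|cpl|dll|scr))(?=\s|$)', re.IGNORECASE)
# Hosts entries pointing at these are sinkholes, not redirects (assumption).
SAFE_HOSTS_TARGETS = ("127.", "0.0.0.0", "::1")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(filename):
    return bool(RANDOM_STEM_RE.match(filename.rsplit(".", 1)[0]))


def split_hosts_entries(payload):
    """HijackThis runs several hosts entries together on one O1 line
    ('...netscape.com12.129.205.209 sitefinder...'); split at each IP."""
    starts = [m.start() for m in IP_RE.finditer(payload)]
    chunks = [payload[a:b].strip() for a, b in zip(starts, starts[1:] + [len(payload)])]
    entries = []
    for chunk in chunks:
        parts = chunk.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def triage(log_text):
    findings, processes, autostarted = [], [], {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            path = (exe.group(1) or exe.group(2)) if exe else m["cmd"]
            name = basename(path)
            autostarted[name.lower()] = m["name"]
            reasons = []
            if looks_random(name):
                reasons.append("random-looking file name")
            if not re.fullmatch(r"[\w .\-]+", m["name"]):
                reasons.append("Run value name %r is not a product name" % m["name"])
            if reasons:
                findings.append(Finding("autostart", name, "; ".join(reasons)))
            continue
        if line.startswith("O1 - Hosts:"):
            for ip, host in split_hosts_entries(line[len("O1 - Hosts:"):]):
                if not ip.startswith(SAFE_HOSTS_TARGETS):
                    findings.append(Finding("hosts", host, "redirected to " + ip))
            continue
        if line.startswith(("R0 -", "R1 -")):
            key, _, value = line.partition(" = ")
            # A *_bak value holding a remote URL is where the replacement page sits.
            if "_bak" in key and value.lower().startswith(("http://", "https://")):
                findings.append(Finding("startpage", key.split(",")[-1], "backup value points at " + value))
            continue
        if line.startswith("O6 -") and "Policies" in line:
            findings.append(Finding("policy", line[5:], "IE policy restriction present on a home PC"))
    # Random-named running processes, and whether an autostart in this log explains them.
    for proc in processes:
        name = basename(proc)
        if looks_random(name):
            via = autostarted.get(name.lower())
            detail = "autostarted via Run value %r" % via if via else "no matching Run entry in this log"
            findings.append(Finding("process", name, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-10s %-28s %s" % (f.kind, f.subject, f.detail))
```

On the posted log this reports Lun8s9.exe (random name plus the `3SRD7@@5YQPWHP` value name), RhlN18.exe and Glq3dK.exe as running with no Run entry of their own, both hosts redirects to 12.129.205.209, the `Start Page_bak` value and the O6 policy key; the Logitech, HP and Symantec entries pass. Treat it as a first pass to decide what to look up, not as a verdict.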
     
  2. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    The things you mentioned are suspicious for me too - it has an unclear name, the author may think "the user will not know what this is about, he will not dare to delete it and so my spyware will be left installed"... but I am no moderator here :)

    And this is suspicious for me too:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Docs/HomePage.htm - Main Start Page as a file o_O What the heck? I smell something fishy here o_O

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present - this is indeed some bastard, the mods recommend deleting it every time I see it :)

    But it will be better for you to wait until some moderator shows up and will tell you his opinion :)
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Lars,

    You were right being suspicious about those files, they are part of the peper trojan.

    Let's get you cleaned out in the following way :

    Download and run this file to fix Peper Trojan:
    http://home01.wxs.nl/~kleyn080/uninst.exe
    double click on 'uninst.exe', let it run and terminate.

    To delete all the associated files download the following tool:
    http://www.mjc1.com/files/mo/drpeper.html

    It will self extract to C:\

    Find :

    C:\drpeper\Find backup and Delete Peper files.vbs file and double click.

    On the first prompt copy and paste: RhlN18.exe and hit ok.

    You will get a confirmation and proceed:

    On the second, paste: Lun8s9.exe and hit ok

    It will find all the files, delete them and will make backups in the same folder.
    It'll open a text file (Peper.txt) with the list of all files deleted.

    Then in hijackthis fix the following :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchnav.com

    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Can you tell us if they maybe run a local homepage from a network? Or what their normal startpage is

    Reboot after doing so

    Hope this helps,

    Cheers,
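The drpeper script Unzy points to finds the named files, backs them up and then deletes them, and writes out a list of what it removed. The script below is an added example of that same quarantine pattern in Python; it is not the drpeper tool and not code from this thread. The search root, backup folder and file names are parameters you supply; the `demo()` function builds a throw-away directory tree with placeholder files (constructed, not real executables) so the example runs anywhere.

```python
"""Quarantine named files instead of deleting them outright: move each match
into a backup folder, keeping its relative path, and write a manifest.

Added example, not the drpeper tool or the thread's own code.
"""
import os
import shutil
import tempfile
from datetime import datetime


def quarantine(root, names, backup_dir):
    """Move every file under `root` whose name is in `names` (compared
    case-insensitively, as Windows file names are) into `backup_dir`.
    Returns (moved, locked): original paths moved, and paths that could not
    be moved because another process holds them open (typically a running
    executable on Windows; terminate the process first and run again)."""
    wanted = {n.lower() for n in names}
    root = os.path.abspath(root)
    backup_dir = os.path.abspath(backup_dir)
    os.makedirs(backup_dir, exist_ok=True)
    moved, locked = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        here = os.path.abspath(dirpath)
        # Never descend into the backup folder itself if it lives under root.
        if here == backup_dir or here.startswith(backup_dir + os.sep):
            dirnames[:] = []
            continue
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            src = os.path.join(dirpath, fn)
            dst = os.path.join(backup_dir, os.path.relpath(src, root))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            try:
                shutil.move(src, dst)
            except PermissionError:
                locked.append(src)
                continue
            moved.append(src)
    # Manifest of what was moved, so a false positive can be put back by hand.
    with open(os.path.join(backup_dir, "manifest.txt"), "a") as manifest:
        stamp = datetime.now().isoformat(timespec="seconds")
        for src in moved:
            manifest.write("%s\t%s\t->\t%s\n" % (stamp, src, os.path.join(backup_dir, os.path.relpath(src, root))))
        for src in locked:
            manifest.write("%s\t%s\tLOCKED, not moved\n" % (stamp, src))
    return moved, locked


def demo():
    """Constructed demo tree: two of the file names from the log above, one
    benign file, and a lower-case copy to show the case-insensitive match."""
    base = tempfile.mkdtemp(prefix="drpeper-demo-")
    root = os.path.join(base, "WINNT")
    for rel in ("System32/RhlN18.exe", "System32/Lun8s9.exe",
                "System32/hpoopm07.exe", "Temp/rhln18.EXE"):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not a real executable
    backup = os.path.join(base, "drpeper")
    moved, locked = quarantine(root, ["RhlN18.exe", "Lun8s9.exe"], backup)
    left = sorted(fn for _, _, fns in os.walk(root) for fn in fns)
    saved = sorted(os.path.relpath(os.path.join(d, fn), backup).replace(os.sep, "/")
                   for d, _, fns in os.walk(backup) for fn in fns)
    shutil.rmtree(base)
    return {"moved": sorted(os.path.basename(p) for p in moved),
            "locked": locked, "left": left, "saved": saved}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of moving rather than deleting is the same as drpeper's backups: if one of the names you pasted turns out to be legitimate, the file and its original location are both recoverable from the backup folder and manifest. Run it from an account that can read the whole tree, and expect `locked` to be non-empty if the trojan's process is still running.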
     
  4. Lars

    Lars Guest

    > Can you tell us if they maybe run a local homepage from a network?
    > Or what their normal startpage is

    Yes, I've created a custom start page (html document) for them with a search engine and their favorite URLs.

    > Hope this helps,

    It helps immensely. I followed your instructions, but had to run Hijack twice to get rid of this entry:
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    After running Hijackthis again and checking that entry it was successfully removed.

    What is your advice about Cookies? For example, in Internet Explorer | Internet Options | Privacy, is the Medium setting enough or should it be set higher? My folks need to accept some Cookies so their settings are remembered at sites like NY Times, etc.

    Thanks a million for all your help and for running this great forum. Happy Holidays.

    Lars
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Lars,

    Good job cleaning up, sometimes the entries can be real stubborn ;)

    About the cookies:

    In the privacy tab, always make sure that third party cookies are blocked.

    Also there are some good cookie managers like CookieWall (free!) that allow you to perfectly manage the cookies, decide which ones to block, which ones to keep, track per session etc...

    CookieWall

    Hope all is well again and happy holidays to you as well :)

    Take care

    Cheers,
     