Help with Hijack

Discussion in 'adware, spyware & hijack cleaning' started by SweetPea, Jun 2, 2004.

Thread Status:
Not open for further replies.
  1. SweetPea

    SweetPea Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    5
    Hi, I have been working with ChrisRLG in the Dell Community Forum in reference to malware on my system that hijacked my homepage. Although the initial problem seems to be corrected, there is still a file on my system that needs to be deleted and Chris has guided me through several different steps with no success. He suggested I post here for help and link you to the thread at Dell so you may see exactly what steps have been taken and possibly solve this dilema for me. Thanks for taking the time to help! ~Lisa
    Here is the link:

    http://forums.us.dell.com/supportfo...essage.id=13218&view=by_date_ascending&page=1
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Sweetpea,

    While I read the thread completely, please do these things for me:

    Post your latest HijackThis log following the instructions here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then do an online virusscan for example here: http://housecall.antivirus.com/
    and let me know the results.

    In Safe mode go to
    c:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe and delete it.
    The path name could be slightly different in places (I had to guess my way through from a Dutch Win2k computer)

    Regards,

    Pieter
     
  3. SweetPea

    SweetPea Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    5
    Hi Pieter,
    Followed your instructions. Ran Spybot S&D, fixed files found. Ran Hijackthis, log below. Ran that virusscan, first a window came up saying that there was malware found and cleaned, titled: BKDR_TOADCOM.A. At the end of the scan, it said there were 107 infected files detected. I could not copy/paste them to you, I have the window still up but have done nothing at this point. Found infected were several files named TROJ KREPPER.Q, TROJ REVOP.F (also files found ending with - .A, .B) TROJ SMALL.GS, and TROJ NEX.B. They are listed in different directories and all are marked non cleanable.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:23:39 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\stickies\stickies.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: winlogin.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

    Thanks!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Have all the "non-cleanable" files deleted.

    Reboot and post another log.
    Our winlogin friend might be on that list. (if so, it would probably be listed as Troj.Startpage.xx (where xx could be any two letters. I lost count))

    Regards,

    Pieter
     
  5. SweetPea

    SweetPea Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    5
    Hi Pieter,
    Here is my log after rebooting. Also forgot to mention to you in previous post that I attempted to delete winlogin.exe in safe mode as instructed and it wouldn't let me. Said it was a system file and could not be deleted.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:32:26 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\stickies\stickies.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Well that is better then "can't find it"

    Can you try doing that with The Killbox.
    I saw you already have that.
    Just copy and paste the path in the dialog box.

    Regards,

    Pieter
     
  7. SweetPea

    SweetPea Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    5
    Well, well...in KillBox, it DID say - seem no file exists. Aarrrrggh! I did the Delet on Reboot process, ran another Hijackthis log, and guess what's still in there?

    Logfile of HijackThis v1.97.7
    Scan saved at 11:45:21 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\stickies\stickies.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Tell me. :D
    Or give me a ticket to the nearest optometrist

    Regards,

    Pieter
     
  9. SweetPea

    SweetPea Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    5
    HAHAHA....I think I'm the one seeing things!!! :eek: Sorry about that! And thanks for your help :D
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
Thread Status:
Not open for further replies.