New problem at Esmee's

Discussion in 'adware, spyware & hijack cleaning' started by Fraha, Mar 19, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi all!

    Pieter, you already know about this case with Esmee. She now cannot use email or any other internet functions anymore.

    Can you see if something is wrong with the logfile below?

    Logfile of HijackThis v1.97.7
    Scan saved at 21:27:09, on 18-3-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\Mixer.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\system32\msexplore.exe
    C:\WINNT\system32\wsass.exe
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\system32\internat.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    C:\WINNT\system32\msexplore.exe
    C:\WINNT\System32\svchost.exe
    C:\winnt\system32\system32bak\temp\FireDaemon.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\winnt\system32\system32bak\temp\FireDaemon.EXE
    C:\winnt\system32\system32bak\temp\G6FTPSrv.exe
    C:\winnt\system32\system32bak\temp\ssvchost.exe
    C:\Program Files\Norman\NPF\NPFSVICE.EXE
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\United Devices\UD.EXE
    C:\WINNT\system32\msexplore.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\WINNT\system32\stisvc.exe
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\WINNT\system32\tjspec.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\United Devices\ud_1396140.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Microsoft Firewall Sett] lsas.exe
    O4 - HKLM\..\Run: [REMOVE ME] artpol.exe
    O4 - HKLM\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\Run: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\Run: [Windows WKS] wsass.exe
    O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
    O4 - HKLM\..\RunServices: [REMOVE ME] artpol.exe
    O4 - HKLM\..\RunServices: [Update] msexplore.exe
    O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - HKCU\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\RunOnce: [Update] msexplore.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NPF Messenger.lnk = C:\Program Files\Norman\NPF\NPFMSG.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.4596990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66


    Regards

    Frans
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Frans,

    There is so much malware running I'm surprised it works at all.
    Let me know how we are going to handle this. I advised on her log by mail, which is not my favorite medium to do troubleshooting,
    but I have no craving to do everything twice either.

    Let us know which AT, AV etc you have tried.

    Regards,

    Pieter
     
  3. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi Pieter,

    She tried Spybot (updated!) and Norman AV. Both give no results or help!

    Any extra measures to get higher security are welcome.

    What do you mean by AT?

    Use me as a contact for here. We live close to each other but work is a problem factor here... (as always!) ;-)

    Frans
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Frans,

    One of the things I asked her to do was move or zip up this folder:
    C:\winnt\system32\system32bak
    so that it can no longer be accessed.
    I have a feeling that that folder is the heart of a rootkit and disabling it might make removal a lot easier.
    By AT I meant a dedicated antitrojan: http://www.wilders.org/anti_trojans.htm
    In cases like these I prefer TDS or TrojanHunter, since the logs of the file scanners can be posted for review.

    Regards,

    Pieter
     
  5. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi Pieter,

    The problem with the BAK folder is solved! As a beginner she could not SEE the folder because it was HIDDEN!

    Now it is gone, could you please tell me which entries from the HijackThis log should be marked and removed.

    I hope you understand her problem as a Novice!

    Regards

    Frans
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Frans,

    All these need to be fixed:

    O4 - HKLM\..\Run: [Microsoft Firewall Sett] lsas.exe
    O4 - HKLM\..\Run: [REMOVE ME] artpol.exe
    O4 - HKLM\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\Run: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\Run: [Windows WKS] wsass.exe
    O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
    O4 - HKLM\..\RunServices: [REMOVE ME] artpol.exe
    O4 - HKLM\..\RunServices: [Update] msexplore.exe
    O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe

    O4 - HKCU\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\RunOnce: [Update] msexplore.exe

    Then reboot and delete:
    C:\WINNT\system32\msexplore.exe
    C:\WINNT\system32\wsass.exe
    spolws.exe
    artpol.exe
    lsas.exe

    If you can manage to mail me samples, it would be appreciated.

    Regards,

    Pieter
     
  7. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    It was difficult but I think we managed. Kindly check to make sure.

    The two files are underway to me. When they arrive here I will send them to you.

    Logfile of HijackThis v1.97.7
    Scan saved at 23:02:18, on 19-3-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\System32\svchost.exe
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\tjspec.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINNT\system32\msexplore.exe
    C:\WINNT\system32\wsass.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\system32\internat.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    C:\WINNT\system32\msexplore.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\United Devices\UD.EXE
    C:\WINNT\system32\msexplore.exe
    C:\Program Files\United Devices\ud_1396140.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\SYSTEM32\cmd.exe
    C:\WINNT\system32\ftp.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\Run: [Windows WKS] wsass.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\RunServices: [Update] msexplore.exe
    O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - HKCU\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\RunOnce: [Update] msexplore.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.4596990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66

    regards

    Frans
     
  8. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Ok we are going to have to do this from safe mode to clean these.

    Here are instructions if needed:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


    Please close all windows and Internet Explorer. Checkmark the following items only in HijackThis.

    O4 - HKLM\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\Run: [Windows WKS] wsass.exe
    O4 - HKLM\..\RunServices: [Update] msexplore.exe
    O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
    O4 - HKCU\..\Run: [Update] msexplore.exe
    O4 - HKLM\..\RunOnce: [Update] msexplore.exe


    Click the Fix button. Close HijackThis.
    Do not boot out of safe mode yet.

    Show hidden files and folders link, if needed:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Please delete the following files or folders.

    Files:
    C:\WINNT\system32\msexplore.exe
    C:\WINNT\system32\wsass.exe
    Folders:

    Reboot to normal mode.
    Run a new log and post it here

    Also, can we see a startup list?

    Can you please generate a startup list with HijackThis.
    Go to Config / Misc Tools.
    Under the StartupList button check both boxes.
    Hit the StartupList button and copy and paste the results here.
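    As an added example for posts 6 to 8 above (it is not part of the thread, and not a HijackThis feature or any poster's tool), the script below does by hand what Pieter and Shadowwar did by eye: it parses the O4 autostart lines, flags the ones a reviewer should look at first, and compares the first log against the second to show which flagged entries survived the first fix attempt. The two log excerpts are copied from the O4 sections of the logs posted above; the heuristics (lookalike names within three edits of a system process name, entries under RunServices on an NT platform, the same command registered in three or more autostart keys), the thresholds and the SYSTEM_STEMS list are this example's own assumptions.

```python
"""Triage HijackThis O4 (autostart) entries and compare a before/after pair of logs.
Added example for this thread, not a HijackThis feature or any poster's tool. The two
excerpts are copied from the O4 sections of the two logs posted above; the heuristics,
thresholds and the SYSTEM_STEMS list are this example's own assumptions.
"""
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "key name cmd image")
# Windows system process names that malware tends to imitate (assumed list).
SYSTEM_STEMS = ["lsass", "spoolsv", "svchost", "explorer", "services", "csrss", "winlogon"]
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")

# O4 lines from the first log in the thread (before the fix), benign ones included.
BEFORE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\Run: [REMOVE ME] artpol.exe
O4 - HKLM\..\Run: [Update] msexplore.exe
O4 - HKLM\..\Run: [Microsoft Internet] spolws.exe
O4 - HKLM\..\Run: [Windows WKS] wsass.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall Sett] lsas.exe
O4 - HKLM\..\RunServices: [REMOVE ME] artpol.exe
O4 - HKLM\..\RunServices: [Update] msexplore.exe
O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
O4 - HKCU\..\Run: [Update] msexplore.exe
O4 - HKLM\..\RunOnce: [Update] msexplore.exe
""".strip()

# O4 lines from the second log (after the first fix attempt).
AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Update] msexplore.exe
O4 - HKLM\..\Run: [Windows WKS] wsass.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\RunServices: [Update] msexplore.exe
O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
O4 - HKCU\..\Run: [Update] msexplore.exe
O4 - HKLM\..\RunOnce: [Update] msexplore.exe
""".strip()


def parse_o4(text):
    """Turn O4 lines into Entry tuples; image is the lowercase executable basename."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.group("key"), m.group("name") or "", m.group("cmd")
        if key.endswith("Startup") and " = " in cmd:  # "Foo.lnk = C:\path\foo.exe"
            cmd = cmd.split(" = ", 1)[1]
        image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        entries.append(Entry(key, name, cmd, image.rsplit("\\", 1)[-1].lower()))
    return entries


def levenshtein(a, b):
    """Plain edit distance, used to spot lookalike names such as lsas vs lsass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_suspicious(entries):
    """Return {image: [reasons]} for the entries a reviewer should look at first."""
    reasons, keys_per_image = defaultdict(list), defaultdict(set)
    for e in entries:
        keys_per_image[e.image].add(e.key)
        stem = e.image.rsplit(".", 1)[0]
        if len(stem) >= 4 and any(levenshtein(stem, s) <= 3 for s in SYSTEM_STEMS):
            reasons[e.image].append("name imitates a Windows system process")
        # RunServices is honoured only by Windows 9x/ME; on the Windows 2000 box in
        # this thread no legitimate installer has a reason to write it.
        if e.key.endswith("RunServices"):
            reasons[e.image].append("registered under RunServices on an NT platform")
    for image, keys in keys_per_image.items():
        if len(keys) >= 3:  # same command under Run, RunServices, RunOnce, HKCU ...
            reasons[image].append(f"same command in {len(keys)} autostart keys")
    return {img: sorted(set(r)) for img, r in reasons.items()}


def diff_o4(before_text, after_text):
    """Which autostart entries disappeared, survived, or are new after the cleanup."""
    b = {(e.key, e.name, e.cmd) for e in parse_o4(before_text)}
    a = {(e.key, e.name, e.cmd) for e in parse_o4(after_text)}
    return {"removed": sorted(b - a), "kept": sorted(a & b), "added": sorted(a - b)}


def unresolved(before_text, after_text):
    """Flagged images from the first log that are still registered in the second."""
    still = flag_suspicious(parse_o4(after_text))
    return sorted(i for i in flag_suspicious(parse_o4(before_text)) if i in still)
```

    Run against the two excerpts, `flag_suspicious` picks out exactly the five files Pieter listed in post 6 (lsas.exe and wsass.exe sit one edit away from lsass.exe, spolws.exe and msexplore.exe three edits from spoolsv.exe and explorer.exe, and all five are also registered under RunServices), and `unresolved` reports msexplore.exe and wsass.exe as still present in the second log, which is the same pair Shadowwar's safe-mode list targets. The Levenshtein threshold is deliberately loose and only a triage aid: a short bare filename that is near a system process name is worth a look, not proof of anything on its own.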
     