REVOP/SMALL/WINSHOW attack

Discussion in 'adware, spyware & hijack cleaning' started by dave-w, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. dave-w

    dave-w Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    2
    Hi, folks, here's my Tale of Trojan Woe. I hope you can tell if I am still affected. I use Windows ME for web access, protected by AVG6 and Blackice firewall (version 3). I got hit on the evening of 24th March after stumbling into a site with loads of advertisement pop-ups, when AVG warned me that a REVOP.A downloader had appeared uninvited on my m/c. I closed my net access and ran AVG, which confirmed the file (go.exe) had been healed. (But it removed it to the virus vault regardless.) I scanned again...clear. Went back on net and updated my whole AVG programme as the virus signature update would not download.

    Came off net and rescanned. This time AVG found a DLL file infected with WINSHOW.S, another with SMALL.4.A and two CPY files in the C:\_RESTORE\TEMP folder, one infected with REVOP.A and the other with SMALL.4.A again. (They are all Trojan Downloaders.) AVG could not clean the DLLs but moved them to the vault. It could not do anything with the .cpy files, so I subsequently deleted them from a basic emergency boot DOS prompt.

    On rebooting Windows, AVG then confirmed no infection, but I found IExplorer would not display (although listed in the Ctrl-Alt-Del Close Program dialogue box), although Outlook Express was fine. The machine took an age to do anything, refused to show Control Panel and could only be shut down by choosing the 'End Programme' option from the 'Explorer Not Responding' box which eventually appeared.

    I eventually found I could fire up IExplorer by shutting down my Burnt Cookies (DDE user) utility but nothing else improved. Then, using a friendly neighbour's broadband facility, I came across Wilders!

    Per instructions I have run Ad-aware, which found no fewer than 125 'bad' things and quarantined them. Now, except for a Rundll boot-up error for a missing .dll (quarantined by Ad-aware) that I have solved by removing a registry entry I found hiding under Local machine \software\.......\policies\Explorer\Run, the machine is running apparently fine except for two things. My default ISP dialer (onetel.net) keeps popping up unrequested and my IExplorer home page keeps reverting to MSN's search page. Both suggest that there is still something lurking that shouldn't be.

    I have therefore downloaded and run HijackThis and I attach the log below. I look forward to any advice or reassurance you can offer.

    With thanks, Dave-w.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:03:44, on 02/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ANDERSSON DIGITAL DESIGN\BURNT COOKIES\BURNT COOKIES.EXE
    C:\PROGRAM FILES\INTERNET WASHER PRO\IW.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
    C:\PROGRAM FILES\MCAFEE\UNINSTALLER\PLGUNI.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onetel.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = OneTel.Net Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.onetel.net.uk:8080;ftp=proxy.onetel.net.uk:8080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe hpfsched
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PowerQuest Startup Utility] F:\Partition Magic\UTILITY\MMOVER32\PQINIT.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
    O4 - HKCU\..\Run: [BurntCookies] C:\PROGRAM FILES\ANDERSSON DIGITAL DESIGN\BURNT COOKIES\BURNT COOKIES.EXE /h
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
    O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
    O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
    O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
    O16 - DPF: {8DCE908E-9E35-11D3-9431-009099104002} (AButton Class) - http://www.eromusume.com/new_01/DialX4.CAB
    O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37722.5504398148
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi dave-w,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O16 - DPF: {8DCE908E-9E35-11D3-9431-009099104002} (AButton Class) - http://www.eromusume.com/new_01/DialX4.CAB
    O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab

    Then disable System Restore, reboot, do a full system scan and, when you are convinced you are clean, re-enable System Restore.
    Directions on System Restore for Windows Me can be found here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam

    Regards,

    Pieter
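    As an added triage aid (not part of the thread, and not HijackThis's own code): a Python script that parses the R0/R1 and O16 lines of a HijackThis 1.97.x log and flags any Downloaded Program Files entry (O16, an ActiveX CAB installed from the web) whose host is not on a trusted list, and any start page or search bar whose host is not the ISP the poster named. A subset of the log above is embedded as constructed sample input. The trusted host list and the expected ISP host are assumptions made for this example. The script only points at lines worth a human look; it does not decide they are malicious (Pieter's reply, for instance, leaves the freeserve search bar alone and fixes just the two O16 entries).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis 1.97.7 log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onetel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8DCE908E-9E35-11D3-9431-009099104002} (AButton Class) - http://www.eromusume.com/new_01/DialX4.CAB
O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37722.5504398148
"""

# Assumption for this example: hosts whose ActiveX CABs (O16) we accept without review.
TRUSTED_DPF_HOSTS = {"microsoft.com", "macromedia.com"}
# Assumption for this example: the ISP the poster named, where R0/R1 pages are expected to point.
EXPECTED_BROWSER_HOSTS = {"onetel.net"}

# O16 lines come in two shapes: "{CLSID} (Name) - URL" and "Label - URL".
O16_RE = re.compile(
    r"^O16 - DPF: (?:\{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\)|(?P<label>\S+)) - (?P<url>\S+)$"
)
# R0..R3 lines: "Rn - <registry key>,<value name> = <data>" (data may be empty).
R_RE = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) = ?(?P<data>.*)$")


def host_of(url):
    """Return the lower-cased hostname of an http(s) URL, or None if the text is not one."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of one (no substring matching)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text, trusted_dpf=TRUSTED_DPF_HOSTS, expected=EXPECTED_BROWSER_HOSTS):
    """Return [(log line, reason)] for lines a human should review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O16_RE.match(line)
        if m:
            host = host_of(m.group("url"))
            # Any web-installed ActiveX control from a host we do not trust gets flagged.
            if host is None or not host_in(host, trusted_dpf):
                findings.append((line, f"O16 ActiveX CAB from untrusted host {host!r}"))
            continue
        m = R_RE.match(line)
        if m:
            host = host_of(m.group("data"))
            # Only URL-valued settings are checked; empty or local values are left alone.
            if host is not None and not host_in(host, expected):
                findings.append((line, f"{m.group('value').strip()} points at unexpected host {host!r}"))
            continue
        # Other line types (O2, O3, O4, ...) are not examined by this example.
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Suffix matching in host_in is deliberate: a plain substring test would accept a host such as "notmicrosoft.com", while "v4.windowsupdate.microsoft.com" must still pass. The same R/O16 line formats are produced for the rest of the posted log, so the script can be run over the full log as well.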
     
  3. dave-w

    dave-w Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    2
    Can't thank you enough, Pieter. Clearly Heaven exists and you chaps are at its centre! Machine is working fine now. Full scans by AVG and Ad-aware show no signs of anything awry. After a fraught few days, I'm back in business.
    It will be a pleasure to come back but I sure hope I don't have to!
    All the very best to you,
    Dave-w.
     