sp.html + about:blank

Discussion in 'adware, spyware & hijack cleaning' started by Prospero, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Have browser hijack/spyware on my PC. Have used various programs to get rid of it - Spybot Search & Destroy - Adaware 6.1 - Hijack This - to no avail.
    Have saved ginstall.dll from \local settings\temp directory. Think this is related to hijack. Has also renamed notepad.exe to notepad.exe.bak. Similarly has removed file associations to Media Player. Other files have appeared in Temp directory. Some of the ginstall.dll listing from notepad is posted below - looks suspicious to me. I am not an expert in programming, by the way.

    KERNEL32.dll: lstrcpyA, lstrlenA, WritePrivateProfileStringA, GetPrivateProfileStringA, FreeLibrary, Sleep, GetProcAddress, GetLastError, LoadLibraryExA, SetErrorMode, MultiByteToWideChar, GetShortPathNameA, MoveFileExA, lstrcpynA, CompareFileTime, SetFileAttributesA, CloseHandle, SetFileTime, SetCurrentDirectoryA, CreateDirectoryA, GetCurrentDirectoryA, LoadLibraryA, GetFileSize, CreateFileA, ReadFile, SetFilePointer, WriteFile, VirtualAlloc, VirtualFree, ExitProcess, CompareStringA, WaitForSingleObject, CreateProcessA, lstrcatA, OpenMutexA, FindClose, FindFirstFileA, HeapFree, GetProcessHeap, HeapAlloc, FileTimeToSystemTime, FileTimeToLocalFileTime, GetFullPathNameA, GetVersionExA, GetCurrentProcess, DeleteFileA, GetModuleFileNameA, GetModuleHandleA, FindNextFileA, RemoveDirectoryA, MoveFileA, CopyFileA, GetFileTime, GetTickCount, CreateThread, ResumeThread, SuspendThread, GetExitCodeThread, GetSystemTime, GetDriveTypeA, GetLogicalDriveStringsA, GetSystemDirectoryA, GetWindowsDirectoryA, GetEnvironmentVariableA, SetEndOfFile, GetCommandLineA, GetDiskFreeSpaceA
    USER32.dll: SetForegroundWindow, EndDialog, wsprintfA, CharToOemA, SetWindowTextA, MessageBoxA, wvsprintfA, ReleaseDC, GetDC, GetWindowTextA, EnumWindows, FindWindowA, SendMessageA, DrawTextA, GetClientRect, GetWindowLongA, SetWindowLongA, EndPaint, BeginPaint, DefWindowProcA, RegisterClassA, LoadCursorA, SendDlgItemMessageA, UpdateWindow, InvalidateRect, GetDlgItemTextA, SetWindowPos, LoadBitmapA, GetSysColor, FillRect, GetSysColorBrush, CharLowerA, ExitWindowsEx, DestroyWindow, GetWindowRect, GetDlgItem, SetDlgItemTextA, ShowWindow, GetSystemMetrics, PostMessageA, EnableWindow, IsDlgButtonChecked, GetDlgItemInt, SetClassLongA, LoadIconA, DialogBoxParamA, CreateWindowExA, GetClassNameA, SetFocus, IsWindowEnabled, CallWindowProcA, IsWindowVisible, CharUpperA
    GDI32.dll: SelectObject, CreateFontIndirectA, GetTextMetricsA, GetTextFaceA, GetStockObject, DeleteObject, SetTextColor, Rectangle, CreateSolidBrush, CreatePen, SetBkColor, SetBkMode, ExtTextOutA, SetTextAlign, DeleteDC, BitBlt, CreateCompatibleDC, AddFontResourceA, SelectPalette, CreateDIBitmap, RealizePalette, CreatePalette
    comdlg32.dll: GetOpenFileNameA
    ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegCreateKeyExA, RegDeleteKeyA, RegEnumKeyExA, RegDeleteValueA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken
    SHELL32.dll: ShellExecuteA, SHGetPathFromIDList, SHBrowseForFolder, SHGetMalloc
    ole32.dll: OleUninitialize, OleInitialize, CoUninitialize, CoCreateInstance, CoInitialize
    OLEAUT32.dll
    VERSION.dll: VerQueryValueA, GetFileVersionInfoA, GetFileVersionInfoSizeA


    Have followed recommendations given in other postings but keeps coming back. This could happen to you! Anyone know how I can get rid before I have to reformat my hard drive?
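The ginstall.dll listing in the post above is a raw view of the DLL's import table: the stray character in front of most names is the import hint that Notepad rendered as text, and each group of names is followed by the DLL they are imported from. What follows is an added example (written for this edit, not part of Prospero's post or of any tool in the thread) that cleans a listing in that form, groups the APIs by DLL and flags the capability groups a defender checks first; the name-cleaning rules are assumptions about how this particular dump was garbled, and SAMPLE_DUMP is a short excerpt of the posted listing re-typed as a constant.

```python
import re

# Excerpt of the posted listing, re-typed as a constant. The character in front of
# most names is the import hint; each group ends with the DLL it is imported from.
SAMPLE_DUMP = (
    "olstrcpyA ulstrlenA SWritePrivateProfileStringA \u00ff GetPrivateProfileStringA "
    "yLoadLibraryExA GetProcAddress OWriteFile 7 CreateProcessA YHeapFree SHeapAlloc "
    "E DeleteFileA MoveFileExA KERNEL32.dll "
    "HInvalidateRect XIsDlgButtonChecked IwsprintfA \u00c4 ExitWindowsEx USER32.dll "
    "; SHGetPathFromIDList T ShellExecuteA SHELL32.dll "
    "\u00ec RegSetValueExA \u00c9 RegDeleteKeyA AdjustTokenPrivileges "
    "\u00b0 OpenProcessToken ADVAPI32.dll"
)

# Win32 names that legitimately start lowercase; every other export starts with a capital.
LOWERCASE_APIS = ("lstr", "wsprintf", "wvsprintf")

# Capability groups worth checking first when triaging an unknown DLL (my grouping).
CAPABILITIES = {
    "registry write": {"RegSetValueExA", "RegCreateKeyExA", "RegDeleteKeyA", "RegDeleteValueA"},
    "privilege/shutdown": {"AdjustTokenPrivileges", "LookupPrivilegeValueA",
                           "OpenProcessToken", "ExitWindowsEx"},
    "process launch": {"CreateProcessA", "ShellExecuteA", "CreateThread"},
    "file replace/drop": {"MoveFileExA", "MoveFileA", "CopyFileA", "DeleteFileA",
                          "WriteFile", "SetFileAttributesA"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryExA", "GetProcAddress"},
}


def clean_name(token):
    """Strip the hint byte glued to a name in this kind of dump (heuristic, assumed)."""
    token = re.sub(r"^[^A-Za-z]+", "", token)   # non-letter junk: accented bytes, %, digits
    if len(token) < 3:                          # lone junk letters such as 'b' or 'E'
        return ""
    if token[1:].startswith(LOWERCASE_APIS):    # 'olstrcpyA' -> 'lstrcpyA'
        return token[1:]
    if re.match(r"[a-z][A-Z]", token):          # 'yLoadLibraryExA' -> 'LoadLibraryExA'
        return token[1:]
    if re.match(r"[A-Z][A-Z][a-z]", token):     # 'SHeapAlloc' -> 'HeapAlloc'; 'SHGetMalloc' kept
        return token[1:]
    return token


def parse_imports(dump):
    """Return {dll: [api names]} in listing order; names precede their DLL in this dump."""
    imports, pending = {}, []
    for token in dump.split():
        if token.lower().endswith(".dll"):
            imports[token] = pending
            pending = []
            continue
        name = clean_name(token)
        if name:
            pending.append(name)
    return imports


def flag_capabilities(imports):
    """Map capability group -> sorted imported APIs that provide it (only groups present)."""
    present = {name for names in imports.values() for name in names}
    return {group: sorted(present & apis)
            for group, apis in CAPABILITIES.items() if present & apis}


if __name__ == "__main__":
    found = parse_imports(SAMPLE_DUMP)
    for dll, names in found.items():
        print(f"{dll}: {', '.join(names)}")
    for group, apis in flag_capabilities(found).items():
        print(f"[{group}] {', '.join(apis)}")
```

The flagged groups only say what the DLL is able to do, not that it did it; a legitimate installer imports much the same set, so the result is a triage hint to pair with the file's origin and behaviour.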
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Prospero,

    Please rescan with Hijackthis and copy and paste the entire contents of the log here in this thread.

    Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

    Regards,

    snap
     
  3. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Thanks Snap

    Will post listing from Hijack This after I get back on the computer later today.

    :)

    Prospero
     
  4. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    OK Heres the log file from HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:39:28, on 01/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
    C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Downloads\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [ORTEKMKBD] C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
    O4 - Global Startup: InterCheck Monitor.LNK = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ic24.net/
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.0219212963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    PS I've uninstalled the Sun Java program so I currently have no java running.

    Thanks

    Prospero
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Prospero,

    I am not seeing any signs of CWS infection in your log.

    I'm afraid I don't know what the coding in the 'ginstall.dll' means, but you could upload the copy you saved for a scan at Kaspersky and see what Kaspersky says about it.

    Some variants of CWS do affect the Windows Media Player and Notepad, so if you have not done so already, download and run CWShredder.
    Make sure ALL browsers and any open windows are closed before running CWShredder.
    Click the *Fix button (not the scan only) and follow the instructions you will receive when the program runs.

    There's a few items we can clean up with hijackthis.
    Place a check beside the following items.
    Close all windows except HijackThis, and click *Fix checked

    (This is optional, but it is a known resource hog and recommended to be fixed)
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    (if you did not set this yourself, then fix it too)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ic24.net/

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.exe


    ****

    Use the Disk Cleanup Utility to clean out your Temp folders.

    Do a follow up scan with Spybot S&D and AdAware6. Make sure you have the latest versions and they have been brought up-to-date.

    Spybot Search&Destroy:
    Bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Ad-Aware6:
    Bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.

    You can replace the Windows Media Player and Notepad by downloading new copies from here.

    And here are some steps to follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    Give your computer a few days and reboots, and if the problem looks like it has returned, then come back to this thread and post a new log.

    Regards,

    snap
     
  6. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Thanks Snap

    I won't be able to get back on my computer until Saturday, so I'll try these out then. Thanks for your help.

    Regards

    Prospero
     
  7. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    OK here we go again.
    Have downloaded and run CWShredder. This reported:

    CWS.Searchx
    6 infected IE registry values

    It also queried the file \windows\asx3test.exe in connection with CWS.Control3, which I did not delete as it seems to be a valid file.

    I ran Adaware and this found the following:

    Vendor:possible Browser Hijack attempt
    Category:Data Miner
    Object Type:RegData
    Size:-
    Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")
    Last Activity:03-07-2004
    Risk LevelMedium
    Comment:possible browser hijack attempt
    Description:possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

    Vendor:possible Browser Hijack attempt
    Category:Data Miner
    Object Type:RegData
    Size:-
    Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")
    Last Activity:03-07-2004
    Risk LevelMedium
    Comment:possible browser hijack attempt
    Description:possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

    After deleting these, I then ran Spybot Search and destroy, CWShredder and Hijack this. Nothing found in all cases.

    I then reinstalled Windows media player.

    I notice that the following file has reappeared in my \local settings\temp folder:

    c1b6a80e.tmp


    Is this a problem?

    Otherwise it looks like I'm clear. Thanks for all your help.

    Prospero
     
  8. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Just after I posted this reply, the file GLB1A2B.EXE reappeared in my temp folder, so I think I'm still infected.

    Prospero
     
  9. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Update
    Ran CWShredder in safe mode & got the following.

    You have a variant of the Coolwebsearch trojan (CWS.Smartsearch.2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar. CWShredder is still functioning fine, it has not been corrupted.

    The program also reported asx3test.exe as possibly being part of CWS.Control.3

    Nothing else found. Nothing found by Adaware 6 or Spybot S&D.

    A search of the registry revealed the following settings under
    HKCU\Software\Microsoft\Search Assistant\ACMru\5603
    (also listed under HK_USERS):

    (Default) REG_SZ (value not set)
    000 REG_SZ asx3test
    001 REG_SZ *.*
    002 REG_SZ wmplayer
    003 REG_SZ notepad
    004 REG_SZ logon
    005 REG_SZ glb1a2b
    006 REG_SZ ncjmcfa
    007 REG_SZ jusched
    008 REG_SZ notepad.exe
    009 REG_SZ cult
    010 REG_SZ PFAL*.doc
    011 REG_SZ jusched.exe
    012 REG_SZ noah
    013 REG_SZ base5
    014 REG_SZ cab5
    015 REG_SZ autoexec
    016 REG_SZ xvid
    017 REG_SZ nve21
    018 REG_SZ fxstiff.dll
    019 REG_SZ ie*.bmp
    020 REG_SZ 22ani
    021 REG_SZ ic24

    Also listing of *\5604:

    ult) REG_SZ (value not set)
    000 REG_SZ explorer.exe
    001 REG_SZ cab5
    002 REG_SZ config
    003 REG_SZ nero

    Does this confirm my suspicion that the program was using the Sun Java <check for updates> facility as part of its evil work? (jusched.exe)
    Hope this helps.

    Regards

    Prospero
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Prospero,

    jusched.exe is a valid file (belongs with Sun Java), if it was jusched32.exe, then it would belong to a CWS variant.

    Can you upload those files (individually) for a scan at Kaspersky? Please post back what the scan says about them.

    c1b6a80e.tmp
    GLB1A2B.EXE
    asx3test.exe

    I'm not too worried about the .tmp files since they are in the temp folder and not running, and the files in the temp folder do have some strange names given to them. But the asx3test.exe file I am unsure of. I searched for some more information on that and some have said delete it and the person has had no ill effect, and in another log where it was deleted, the person did have a bad effect. So for now don't delete the asx3test.exe file until we find out more about it.

    Could you post a new hijackthis log please, and we'll have another look at it.

    Regards,

    snap
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Ok, took me a few minutes to look up in my registry, and see what was listed there under HKCU\Software\Microsoft\Search Assistant\ACMru\5603

    This is not easy for me to explain because I am no registry expert, but this is your "Search Assistant" and it will show different files that you have looked up. Because I was looking up similar files, I also have some of the ones listed under my 5603 folder that you have listed, along with a few more files that are known baddies, but I do not have those files on my system. They are just entered under that registry key because they were 'searched'.

    Hope that helps explain it a bit better and puts your mind at ease. But I can ask one of our Experts to look into your thread just as a second opinion to make very sure we haven't missed anything. Ok? :)

    Regards,

    snap
     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Prospero, could you check the version of CWShredder you are using?
    Make sure you have the most recent version, which is 1.59.01

    If you don't have that version, then you can download CWShredder v.1.59.01 from here: https://www.wilderssecurity.com/showthread.php?t=14086

    snap
     
  13. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Hi There Snap

    Have run files through at Kaspersky but nothing found.
    Am using latest version of CWShredder.

    AV software reports Troj/StartPa-BM in HijackThis backup files.

    Will investigate this further and get back to you.

    The c1b6a80e.tmp file seems to disappear at the same time the GLB1A2B.exe file appears.

    Latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 04:07:05, on 04/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
    C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
    C:\Downloads\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [ORTEKMKBD] C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
    O4 - Global Startup: InterCheck Monitor.LNK = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.0219212963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    Regards


    Prospero
     
  14. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Hi Snap

    Good News.

    The latest update of my anti-virus software has picked up the Troj/StartPa-BM virus in a file called \System32\ppnpgb.dll so I've deleted this file.

    For some reason, the anti-virus software did not pick up the virus when I did a scan.

    It was only when I started up Internet Explorer this morning that the virus was spotted.

    Will have to speak to the anti-virus people for further information, and to see if this is a variant of Cool Websearch.

    Will keep you posted on the outcome.

    Regards

    Prospero
     
  15. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    The problem is still recurring.

    Here is the response from my anti-virus people (soph*s) - judge for yourself.

    "Hi *****

    although we have decided to classify this as a Trojan there is a very
    fine between it and some other adware applications. Currently it is
    our policy not to detect adware as it very often tells the user
    exactly what it will do and requires a EULA to be agreed to. It can
    also be simply uninstalled through Control Panel-Add/Remove Programs.

    Regards "

    etc

    Can't find anything in the Control Panel-Add/Remove Programs, also, it was installed without my permission, and without an EULA.

    What do you think of that?

    Regards

    Prospero

    Added:

    PS I can send you a copy of the infected .dll if you like. I've saved it as a zipped file with a .zi_ extension.
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Prospero,

    I can kind of understand why your antivirus vendor would say that, and quite a few very nasty spyware/malware files are now behaving more like viruses and trojans, so they end up getting a name with 'troj' in them.

    Could you download the latest version of Hijackthis v1.98.0 from https://www.wilderssecurity.com/showthread.php?t=12516

    Unzip it to its own folder, scan, and post a new log here. Maybe we'll see the dll this time in the log. ;)

    Regards,

    snap
     
    Last edited: Jul 12, 2004
  17. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    Snap - here's the latest Hijackthis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 18:17:15, on 12/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
    C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Downloads\Hijack This\HijackThis1980hf.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [ORTEKMKBD] C:\Program Files\ORTEK\Multimedia Keyboard\1.1\KbdAp32A.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
    O4 - Global Startup: InterCheck Monitor.LNK = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    Prospero
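Three HijackThis logs appear in this thread, and some item formats changed between v1.97.7 and v1.98.0 (the O2 and O9 lines now carry a name and a CLSID), so a plain line-by-line comparison would report entries that did not really change. The following added example (written for this edit, not part of the thread or of HijackThis itself) compares two logs by entry identity, so only genuinely new or removed processes and items are reported; the two log constants are abbreviated excerpts re-typed from the 1 July and 12 July posts, and the item_key rules are my assumptions about what identifies an entry.

```python
import re

# Abbreviated excerpts of the 1 July (v1.97.7) and 12 July (v1.98.0) logs posted in
# this thread, cut down to a few lines each for the example.
LOG_JUL01 = r"""
Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.ic24.net/
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.exe
"""

LOG_JUL12 = r"""
Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Downloads\Hijack This\HijackThis1980hf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""

ITEM_RE = re.compile(r"^(R\d|O\d+) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def item_key(line):
    """Identity that survives the v1.97.7 -> v1.98.0 format change (assumed rules):
    O2/O3/O16 entries are keyed by CLSID; everything else by the text before any
    ' - {CLSID}' tail, with a trailing '(HKLM)' dropped and case folded."""
    prefix, body = line.split(" - ", 1)
    if prefix in ("O2", "O3", "O16"):
        m = CLSID_RE.search(body)
        if m:
            return f"{prefix} {m.group(0).upper()}"
    body = re.split(r" - \{", body)[0]
    body = re.sub(r"\s*\(HKLM\)$", "", body)
    return f"{prefix} {body.lower()}"


def parse_hjt_log(text):
    """Return (set of process paths, {item_key: original line})."""
    processes, items, in_processes = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False            # a blank line ends the process block
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.add(line.lower())     # Windows paths are case-insensitive
        elif ITEM_RE.match(line):
            items[item_key(line)] = line
    return processes, items


def diff_logs(old_text, new_text):
    """Processes and items that appeared or disappeared between two scans."""
    old_procs, old_items = parse_hjt_log(old_text)
    new_procs, new_items = parse_hjt_log(new_text)
    return {
        "new_processes": sorted(new_procs - old_procs),
        "gone_processes": sorted(old_procs - new_procs),
        "new_items": [new_items[k] for k in sorted(new_items.keys() - old_items.keys())],
        "gone_items": [old_items[k] for k in sorted(old_items.keys() - new_items.keys())],
    }


if __name__ == "__main__":
    for section, entries in diff_logs(LOG_JUL01, LOG_JUL12).items():
        print(section)
        for entry in entries:
            print("   ", entry)
```

Run against the excerpts it reports rundll32.exe and ntvdm.exe as new processes and the Symantec O16 entry as new, while the renamed HijackThis executable shows up as both gone and new, which is the one expected false positive.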
     
  18. Prospero

    Prospero Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    12
    No further progress to date.

    However, I have noted that the following events in the Event Viewer are occurring regularly since the start of the infection:


    Event System
    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.


    VSS
    Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.


    Userenv
    Windows saved user ****\**** registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.


    Does this mean anything to anybody?

    Regards

    Prospero
     