W32.Hostidel.Trojan

Discussion in 'adware, spyware & hijack cleaning' started by mdr, Nov 25, 2003.

Thread Status:
Not open for further replies.
  1. mdr

    mdr Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    2
    After my system was infected with a Trojan Horse by a house sitter recently while out of town (my Norton/ Symantec LiveUpDate anti-virus definitions call it W32.Hostidel.Trojan, and indicate it's new as of 11-13-2003), I installed and ran your very helpful Spyware Blaster (2.6.1). I did so because now, even though my anti-virus software did detect and quarantine the Trojan (which I of course deleted), every time I restart my system my IE Homepage is still being changed, and my Favorites, Host files, and Registry keep being re-corrupted with the "Hijacking" link-content that the defunct Trojan was using to hijack my browser (IE 6.1 in XP Home Edition) to a myriad of porn sites I want nothing to do with, and because I was informed that this was likely due to a lingering ActiveX agent buried somewhere. Since this has continued to occur even after using Spyware Blaster, I'm assuming/hoping that the ActiveX agent responsible, apparently being new as of Nov. 13, may simply not yet have been identified and an update provided by Wilderssecurity via the Spyware Blaster update function. I would be most grateful if you could tell me whether an antidote to this cursed thing is being prepared for the 2.6.1 update service? Thank you for this, a terrific product, and the invaluable service you provide of listing and ranking protection products.

    Sincerely,
    MDR
    MARK REINERS
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Mark,

    Welcome at Wilders. :)

    Could you please follow the directions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913
    I think I can help you get rid of this one.

    Regards,

    Pieter
     
  3. MARK REINERS

    MARK REINERS Guest

    Hijackthis results for W32.Hostidel.Trojan

    Hello Pieter:
    Though I had already installed, updated and run both Ad-Aware and Spybot S&D multiple times (to much good effect), your custom setting instructions for Ad-Aware made all the difference. The standard settings with which I was scanning only examined 50,000+ files; with your custom settings recommendations, it scanned well over 100,000 and found what appears to be the missing, deep-down corrupting agent. Much gratitude. The XP "Runtime Error 5 at: 0040437F" message that I had been getting has disappeared now when I boot up. Also, the numerous items planted by the Trojan, and that kept re-appearing in my Registry files, have stopped reappearing with each re-boot. My IE Favorites have also stopped being re-fed the list of porn links that used to occur with every boot. The only remaining issue is apparent in the Hijackthis log file below: the list of porn links that appeared and still appear in my Host files. I believe these were originally found and deleted by Spybot S&D, and I thought their continued reappearance in the Host files may have been due to my originally overlooking to erase the backup files that Spybot initially creates. But they persist even though I went back in and deleted those backups. In any case some of the Log file below is clear even to me, but some is also not. I have touched nothing and will await your feedback before doing another Hijackthis scan to actually eliminate anything. This has been both illuminating and enormously helpful, for which I am enormously grateful. For now . . .
    MARK REINERS

    Logfile of HijackThis v1.97.7
    Scan saved at 7:24:52 PM, on 11/25/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\America Online 7.0\aoltray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Common Files\Symantec Shared\Nmain.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.5900694444
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re: Hijackthis results for W32.Hostidel.Trojan

    Hi Mark,

    That is good to hear. You can have HijackThis fix the items listed under O1.
    Then you can use the Immunize function of Spybot S&D to lock your hosts file or do it manually. For Windows XP the file is located at c:\windows\system32\drivers\etc\hosts
    Right-click it, choose Properties and put a checkmark for Read-Only.

    In fact, this is a rather pointless hijack, because it redirects you from one porn-site to another. :rolleyes:

    Regards,

    Pieter
     
  5. Mark Reiners

    Mark Reiners Guest

    W32.Hostidel.Trojan Elimination

    Hello Pieter:
    Apologies for the delayed response. I actually submitted the following immediately after your instructions several days ago and only realized by the absence of response that it may never have reached you because I forgot to Login and was only being regarded as a "guest". Anyway...
    Per your instructions, please find my Hijackthis Logfile copied below. I actually had both Spybot S&D and Ad-Aware previously installed, updated and run multiple times, but your instructions to use the customized, deeper scan made all the difference. Whereas my prior, standard scans had only examined 50,000+ files, after following your instructions, the scan examined over 100,000 files and found what was apparently the lingering malware agent. After deleting this, the following problems have disappeared at startup: the "Runtime Error 5 at:0040437F" is no longer appearing, my IE browser is no longer starting on an alien page, my IE Favorites are no longer being re-corrupted with the unwanted porn links, my Registry is no longer subject to the reappearance of the Trojan entries. The lone remaining corruption problem is the persistence of the list of porn links in my Host files that you'll see in the Logfile below; whether you find other problematic entries there will naturally be of interest. One last observation. The one persisting functional symptom that began after the Trojan infection that remains occurs when I use the bottom scroll arrow in the text-entry field in my hotmail, while writing an email; if I hit the arrow to scroll down, instead of scrolling, it now simply leaps to the bottom of the page. What in the world little line of code in what nook, cranny or corner of the OS might be causing this, or how it ties in with the Trojan infection I haven't a clue, but it never used to occur. It's a relatively minor inconvenience, but you had mentioned that all symptoms should be noted. For now, many thanks for the guidance on the decisive, deeper Ad-Aware scan instructions, and I'll look forward to your instructions on how to deal with the Hijackthis Log entries below; so far I've only scanned and sent this file; I've not executed any fixes even though some of the entries here are clear even to me.
    Sincerely,
    MARK

    Logfile of HijackThis v1.97.7
    Scan saved at 12:29:46 PM, on 11/28/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\America Online 7.0\aoltray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\Program Files\Common Files\Symantec Shared\Nmain.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.5900694444
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re: W32.Hostidel.Trojan Elimination

    Hi Mark,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com

    Then reboot.

    I'll see if I can find someone who can help you with the scrollbar problem.

    Regards,

    Pieter
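The O1 lines Pieter lists are the hosts-file entries HijackThis reports; the check below is an added example, not code from this thread or from HijackThis. It parses either raw hosts-file lines or "O1 - Hosts:" report lines, flags every name that is mapped to something other than a loopback or unspecified address (the benign blocking use of a hosts file), groups them by target address, and produces a cleaned hosts text for review before the file is set read-only. The sample lines are constructed; the hostnames are placeholders and only the address 216.200.3.32 is taken from the log.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample mixing raw hosts-file lines with HijackThis "O1 - Hosts:" lines
# in the shape of the thread's log; hostnames are placeholders, not the real entries.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
O1 - Hosts: 216.200.3.32 example-a.test
O1 - Hosts: 216.200.3.32 www.example-a.test
127.0.0.1 ad-server.example        # blocking entry: benign
216.200.3.32 example-b.test www.example-b.test
"""

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def parse_hosts(text):
    """Return (ip, hostname) pairs from raw hosts lines or HijackThis O1 lines."""
    pairs = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry (header, garbage, etc.)
        for name in fields[1:]:  # one line may carry several hostnames
            pairs.append((str(ip), name.lower()))
    return pairs


def suspicious_entries(pairs):
    """Group hostnames by target address, keeping only routable (non-loopback) targets."""
    grouped = defaultdict(list)
    for ip, name in pairs:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 / ::1 entries only block, they never redirect
        grouped[ip].append(name)
    return dict(grouped)


def cleaned_hosts(text):
    """Return hosts text with redirecting lines removed; O1 report lines are dropped too."""
    keep = []
    for raw in text.splitlines():
        if O1_PREFIX.match(raw.strip()):
            continue  # report lines are not hosts-file content
        if not suspicious_entries(parse_hosts(raw)):
            keep.append(raw)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    for ip, names in suspicious_entries(parse_hosts(SAMPLE)).items():
        print(f"{ip}: {len(names)} name(s) redirected -> {', '.join(names)}")
    print(cleaned_hosts(SAMPLE))
```

On a live XP machine the same functions can be fed the contents of c:\windows\system32\drivers\etc\hosts directly; a non-empty result from suspicious_entries is the signal that the redirect entries have come back after a reboot.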
     
  7. Bulldog

    Bulldog Spyware Expert

    Joined:
    Aug 1, 2003
    Posts:
    8
    Hi Mark,
    Some questions.
    Do you use a wheel mouse and does it display the same behavior?
    Does it only happen at Hotmail or in all IE and other windows?
    Are all user accounts affected or just yours? Does it work in safe mode? (That is, if other Windows programs are affected, not just IE at Hotmail.)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Bulldog, :)

    Thanks for having a look.

    Regards,

    Pieter
     
  9. Bulldog

    Bulldog Spyware Expert

    Joined:
    Aug 1, 2003
    Posts:
    8
    No problem Pieter.
    I also ran into some other info today. Apparently there is a bug in one of the Windows Updates....(imagine) :eek:

    Do you have this patch installed Mark ?
     
  10. Bulldog

    Bulldog Spyware Expert

    Joined:
    Aug 1, 2003
    Posts:
    8
    Just me again.
    Checking my mail and saw this.

    from..
    http://www.langa.com/newsletters/2003/2003-12-04.htm#3
     