welchia worm,need help!!!pls!!! (merged)

Discussion in 'adware, spyware & hijack cleaning' started by guambabe, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. guambabe

    guambabe Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    welchia worm,need help!!!pls!!!

    Mod Note: Merged Posts 3 & 4 with this thread (stay in one thread please) - snap


    antivirus used: AVG
    NoAdwareV2.0

    svchost.exe program error messages whenever I go online which does not allow me to do anything!.
    Antivirus cannot remove : Trojan horse downloader.Stubby.A--infected,embedded object
    NoAdware cannot remove : Win32.Welchia located in svcfile in sys32
    Autosearch located sys32 safesearchFile

    result of scan :Logfile of HijackThis v1.97.7
    Scan saved at 12:17:25 AM, on 6/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
    C:\WINDOWS\system32\PRPCUI.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\WINDOWS\system32\yacpower.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Real\RealJukebox\tsystray.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\program files\primesoft\safesearch\safesearch.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\NoAdware\NoAdware.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\61KRANOJ\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aol.com/netfind/refer/microsoft.ie4.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll...urrentPage=MyeBaySold&ssPageName=STRK:ME:LNLK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    F1 - win.ini: run=c:\windows\system32\helpex32.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - **C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - **C:\WINDOWS\System32\nzdd.dll (file missing)
    O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [BATTERYAID] C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Microsoft System Checkup] wnetlogin.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [Helpex32] c:\windows\system32\helpex32.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Helpex32] c:\windows\system32\helpex32.exe
    O4 - Global Startup: New Text Document.txt
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://absmnl01.abs-cbn.com/iNotes6.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A9D366-9E9C-4D26-88AA-1C901E1D9382}: NameServer = 205.230.132.2 205.230.132.3
     
    Last edited by a moderator: Jun 28, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: welchia worm,need help!!!pls!!!

    Hi guambabe,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    F1 - win.ini: run=c:\windows\system32\helpex32.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - **C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - **C:\WINDOWS\System32\nzdd.dll (file missing)
    O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll

    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll

    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect

    O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

    O4 - HKLM\..\Run: [Microsoft System Checkup] wnetlogin.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [Helpex32] c:\windows\system32\helpex32.exe

    O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe

    O4 - HKCU\..\Run: [Helpex32] c:\windows\system32\helpex32.exe

    Then reboot into safe mode and delete:
    C:\Program Files\DashBar <= entire folder
    c:\program files\primesoft\safesearch <= entire folder
    c:\windows\system32\mscnt.exe
    c:\windows\system32\helpex32.exe

    Then find this file C:\WINDOWS\system32\drivers\etc\hosts and rename it to hosts.bak

    Then download and run http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. guambabe

    guambabe Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    welchia worm need help,pls! follow up log

    Hi! thank you for the help. I followed instruction after using hijackthis. However cannot find these files to delete :
    c:\windows\system32\mscnt.exe
    c:\windows\system32\helpex32.exe
    they are not in the system32 folder. Followed all the other instruction to the letter but I still have same problem. My AVG still scans the Trojan Horse downloader.Stubby.A virus and the NoAdware scans but cannot remove Welchia worm. I did run the Symantec removal tool and at the end it said "no worm found in your computer".
    Here is the new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:52:32 PM, on 6/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
    C:\WINDOWS\system32\PRPCUI.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\WINDOWS\system32\yacpower.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Real\RealJukebox\tsystray.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\K5YJC96J\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aol.com/netfind/refer/microsoft.ie4.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll...urrentPage=MyeBaySold&ssPageName=STRK:ME:LNLK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [BATTERYAID] C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: New Text Document.txt
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://absmnl01.abs-cbn.com/iNotes6.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A9D366-9E9C-4D26-88AA-1C901E1D9382}: NameServer = 205.230.132.2 205.230.132.3

    thanks,
    ann
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Re: welchia worm need help,pls! follow up log

    Before you start, please unzip HijackThis to it's own folder somewhere.
    The program will make backups in the folder it's run from.
    These easily get lost in a Temp folder and are an annoyance on the desktop.

    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\safesearch.dll


    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
     
Thread Status:
Not open for further replies.