TheTechGuide Forum
General Category => Tech Clinic => Topic started by: greg on February 19, 2005, 04:46:02 PM
-
Been battling this spyware for a while now.. All help is greatly appreciated!
Logfile of HijackThis v1.99.0
Scan saved at 4:39:17 PM, on 2/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Trillian\trillian.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\name\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {81A35F39-4850-474E-92C9-B4CF283207E0} - C:\WINDOWS\System32\mstask64.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105767120529
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper - Unknown - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-
Let's try this greg
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When installing, Ad-Aware may update and start a scan
Ensure it is updated but don't run a scan yet
Print this out or save to a Notepad file on the desktop
Also know how to start in safe mode, I'm going to ask you to do so shortly, if you're unsure, I supplied a link below
Disconnect from the Internet
I'm going to ask you to edit the Registry, please make a fresh restore point
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a Restore point
Name it and click Create
This is just to ensure you have a backup from this point on
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
# Open Registry Editor. Click Start>Run, type REGEDIT then press Enter.
# In the left panel, expand(+) the following
+HKEY_CURRENT_USER
+Software
+Microsoft
+Internet Explorer
+Desktop
+Components
# Still in the left panel, locate and Right click on and delete the subkey:
0 <--this key, don't delete anything else
# Close Registry Editor.
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Find and delete these files or folders if they exist
C:\WINDOWS\System32\spoolsrv32.exe <--this file, exact spelling
C:\WINDOWS\System32\runoledb32.exe <--file
C:\WINDOWS\System32\mstask64.dll <--file
If you find any of these related to Smart security, remove them also
Let me know if you found any
Using Windows Explorer and/or Search, locate and delete the following files >>> Not all may exist, but take a look
• C:\WINDOWS\desktop.html
• C:\WINDOWS\Web\desktop.html
• C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url
Note* <current user> = user name having a problem with the desktop issue
Can you also let me know if you can find
C:\Program Files\TopAntiSpyware <--this folder
Stay in safe mode to do the rest
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {81A35F39-4850-474E-92C9-B4CF283207E0} - C:\WINDOWS\System32\mstask64.dll
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to Normal mode to finish the cleaning process
Post back a fresh hijackthis log afterwards and let me know if your problems are resolved
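As an added defender-side example (not code from this thread or from HijackThis), the following Python script parses the O2/O4 lines of the log at the top of the thread and flags the patterns the fix list above singles out: RunOnce entries present outside an install, a BHO with no name, the same command planted under both HKLM and HKCU, and file names that imitate genuine Windows binaries. The known-good name list, the similarity threshold of 0.85 and the embedded log excerpt are assumptions constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed excerpt of the O2/O4 entries from the log posted above (embedded so this runs offline).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {81A35F39-4850-474E-92C9-B4CF283207E0} - C:\WINDOWS\System32\mstask64.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
"""

# Genuine Windows binaries the fake entries imitate (spoolsv.exe is the real print spooler,
# mstask.dll the real Task Scheduler library). Illustrative, assumed list; not exhaustive.
KNOWN_GOOD = ("spoolsv.exe", "mstask.dll", "rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
FILE_RE = re.compile(r'[^\\\s"]+\.(?:exe|dll|ocx)', re.IGNORECASE)


def lookalike(filename, threshold=0.85):
    """Return the known-good name `filename` most resembles, or None if it is exact or not close."""
    name = filename.lower()
    if name in KNOWN_GOOD:
        return None
    best = max(KNOWN_GOOD, key=lambda g: SequenceMatcher(None, name, g).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def triage(log_text):
    """Return (log line, reason) pairs for O2/O4 entries that deserve a second look."""
    findings, first_hive = [], {}      # first_hive: lowercased command -> hive it was first seen in
    for line in filter(None, (ln.strip() for ln in log_text.splitlines())):
        for fname in FILE_RE.findall(line):            # lookalike file names anywhere on the line
            good = lookalike(fname)
            if good:
                findings.append((line, f"{fname} resembles the legitimate {good}"))
        m = O2_RE.match(line)
        if m and m.group("name") == "(no name)":        # legitimate BHOs almost always carry a name
            findings.append((line, "BHO registered without a name"))
        m = O4_RE.match(line)
        if m:
            key, cmd, hive = m.group("key"), m.group("cmd").lower(), m.group("hive")
            if key.endswith("Once"):                    # RunOnce is normally empty except right after an install
                findings.append((line, f"{key} entry present outside of a software install"))
            if cmd in first_hive and first_hive[cmd] != hive:   # same command planted in both hives
                findings.append((line, f"same command also registered under {first_hive[cmd]}"))
            first_hive.setdefault(cmd, hive)
    return findings
```

Run `triage(open("hijackthis.log").read())` against a saved log to get the same kind of findings for a real scan; the benign NvCplDaemon and MSMSGS lines in the excerpt produce no findings.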
-
I got this same spyware over the weekend. No software I tried could detect it. The way I got rid of it was doing a System Restore back to before the weekend.
Seems to be fine now.
(Running XP SP-1)
Good luck to all with this one.
-
I found that it had installed itself as a fake printer spooler.
You have to boot to safe mode, then go into the registry and remove the phony spooler from
hklm\software\microsoft\windows\currentversion\runonce
You can also check in
hklm\software\microsoft\windows\currentversion\run
for a .exe file that will have a random name. If you are unsure about whether you need a startup item or not, you can disable an item by double-clicking on it, and adding a - to the start of the filename. (if Windows can't find it, Windows can't run it)
Normally the only time you see something in that runonce is after you've installed new software that is asking you to reboot the machine to complete the install. The first thing this malware does when you start your machine, is to load itself back into that runonce.
After you remove that entry, right click on your desktop and select Properties, then the Desktop tab, then the Customize Desktop button, then click the Web tab, and remove the checkmark from the malware's Active Desktop item.
Hope that helps.