Help with Malware/Spyware
My Dell 5100 laptop is bombarded with malware - elite toolbar, Kalvys, and others that Norton AntiVirus cannot remove. AdAware & Spybot "clean" them but they are still there on the rescan. My IE toolbar has been hijacked and locked to "about:blank". I did go to safe mode and removed all the registry entries pertaining to these but they still came back. I also reformatted the hard drive and reloaded using the Dell XP restore CD but the buggers are still there. Is there a possibility that they are residing on the partition that Dell tech support says stays there for system restore? Any help anyone can provide will be great and deeply and desperately appreciated.
Jeff
Midnight Star
December 28th, 2004 13:00
Jeff,
It looks like it came in via an ActiveX control, possibly from a website you visited - a drive by download.
-
Ok, let's start by doing this...
1. Download, unzip and run "About:Buster". When it's done, run it again for good measure.
2. Go to www.trendmicro.com and click "Free Online Scan". When it's done, select all available drives, and click "Scan".
3. Run AdAware SE Personal and "perform a full system scan".
4. Run Spybot S&D and "Check for Problems".
5. Post back a new log.
-
It looks like there are a few viruses/trojans running and I'm hoping the steps above will get 'em. If not, 'wax' 'em with HiJackThis.
Mike.
nsfirechap
December 28th, 2004 18:00
Mike,
Per your instructions I did the following:
1. Download, unzip and run "About:Buster". When it's done, run it again for good measure.
Ran it and it said nothing found
2. Go to www.trendmicro.com and click "Free Online Scan". When it's done, select all available drives, and click "Scan".
Tried numerous times and got warning messages and the site "shut down".
3. Run AdAware SE Personal and "perform a full system scan".
now when I run AdAware the only files it detects refer to "cool web search" but here's the kicker - now when I try and fix them AdAware locks up and I need to use task manager to shut it down. I tried restarting the laptop a few times and it still does this.
4. Run Spybot S&D and "Check for Problems".
Spybot doesn't find anything
5. Post back a new log.
Also I noticed in the add/remove list there is now a program titled Home Search Assistant - when I click on remove it automatically takes me to a web site that gives directions to remove, and of course when I follow those nothing happens (I feel like an idiot; probably should not have clicked on the links it brought me to, eh).
As far as the HijackThis log, this is it:
Logfile of HijackThis v1.99.0
Scan saved at 11:33:20 AM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\crwc32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CFDEDD7B-3C68-3EA9-44F9-80368394C67C} - C:\WINDOWS\javawc.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [javaqi.exe] C:\WINDOWS\system32\javaqi.exe
O4 - HKLM\..\Run: [iecy.exe] C:\WINDOWS\system32\iecy.exe
O4 - HKLM\..\Run: [mfckn32.exe] C:\WINDOWS\system32\mfckn32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crwc32.exe
I sure owe you big time for your help - gotta do something about this laptop bad - I am heading for Iraq next month and need to get it working right and figure out how to prevent this mess from happening again.
Jeff
Midnight Star
December 28th, 2004 19:00
Jeff,
Let's try CWShredder and see if it recognizes this thing. Download, unzip and run it. Then click "Fix ->".
Post back the results.
Midnight Star
December 28th, 2004 19:00
Now, let's run HiJackThis, then:
2. click " Misc Tools"
3. click " Delete a file on reboot"
4. browse to, then double-click on each of the file(s) below, one at a time:
C:\WINDOWS\javawc.dll
C:\WINDOWS\system32\javaqi.exe
C:\WINDOWS\system32\iecy.exe
C:\WINDOWS\system32\mfckn32.exe
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
O4 - HKLM\..\Run: [iecy.exe] C:\WINDOWS\system32\iecy.exe
O4 - HKLM\..\Run: [mfckn32.exe] C:\WINDOWS\system32\mfckn32.exe
Now, with all windows closed except HiJackThis, click " Fix checked".
Post back a new log.
Mike.
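As an added example (not code from this thread or from HijackThis itself): a small Python triage script that parses the HijackThis log format Jeff posted and flags the kinds of entries Mike told him to fix. The sample lines are constructed from this thread's logs, and the heuristics are my own reading of what Mike singled out; they are a way to read such a log quickly, not a verdict on any entry.

```python
import re

# Constructed sample: lines in HijackThis v1.99 log format, taken in shape
# from the log posted in this thread (hijacked IE search entries, the unnamed
# BHO, Run entries, a local-file ActiveX cab and a service with no publisher).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\elqug.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CFDEDD7B-3C68-3EA9-44F9-80368394C67C} - C:\WINDOWS\javawc.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iecy.exe] C:\WINDOWS\system32\iecy.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crwc32.exe
"""

# Every scan entry starts with a section code (R0..R3, O1..O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

def parse_entries(text):
    """Return (code, body) tuples for scan entries, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(text):
    """Return [(code, reason, body)] for entries matching the patterns seen in this thread.

    Heuristics are assumptions drawn from the thread, not HijackThis's own logic."""
    findings = []
    for code, body in parse_entries(text):
        low = body.lower()
        reason = None
        if code in ("R0", "R1") and ("res://" in low or "about:blank" in low):
            reason = "IE start/search setting points at a res:// DLL or about:blank"
        elif code == "R3" and "missing" in low:
            reason = "default URLSearchHook has been removed"
        elif code == "O2" and "(no name)" in low:
            reason = "browser helper object with no name"
        elif code == "O4" and re.search(r"\\windows\\system32\\[a-z0-9]+\.exe$", low):
            reason = "autorun entry launching an executable dropped directly in system32"
        elif code == "O16" and "file://" in low:
            reason = "ActiveX control installed from a local file:// cab"
        elif code == "O23" and " - unknown - " in low:
            reason = "service with unknown publisher"
        if reason:
            findings.append((code, reason, body))
    return findings
```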
nsfirechap
December 28th, 2004 22:00
Mike,
Did what you suggested in HijackThis - the three programs are still listed in the add/remove list.
Here's the latest hijack log.
Jeff
Logfile of HijackThis v1.99.0
Scan saved at 3:41:52 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
nsfirechap
December 28th, 2004 23:00
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Type : File
Data : iiqdr.dat
Category : Malware
Comment :
Object : C:\WINDOWS\
Type : File
Data : kxmwl.dat
Category : Malware
Comment :
Object : C:\WINDOWS\
Type : File
Data : lmvux.txt
Category : Malware
Comment :
Object : C:\WINDOWS\
Type : File
Data : isoqj.log
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
Type : File
Data : mmwfe.log
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
Type : File
Data : mzmeg.dat
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
Type : File
Data : qpaug.txt
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
Type : File
Data : thbmr.dat
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
Type : File
Data : wyvvy.txt
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
Type : File
Data : tzcvc.txt
Category : Malware
Comment :
Object : C:\WINDOWS\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 17
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:36.254
Objects scanned:78694
Objects identified:12
Objects ignored:0
New critical objects:12
Midnight Star
December 29th, 2004 06:00
Jeff,
You're welcome!
Just curious; can you post back the contents of a couple of the text files first? Only if they contain printable characters.
Like:
lmvux.txt
qpaug.txt
wyvvy.txt
tzcvc.txt
... I'm curious about the contents.
nsfirechap
December 29th, 2004 19:00
Mike,
The last few AdAware scans show clean - some of the previously found items show up in registry keys. Also when I run Norton AntiVirus the malware files I had problems with this time (as well as the last time) show up in the log, and as the last few times show as not able to fix.
Jeff
Midnight Star
December 29th, 2004 20:00
Jeff,
You might try running those from "Safe Mode" and see if they can be deleted that way? Which files are showing up, the ones you posted above? Can they be removed on reboot?
Mike.
nsfirechap
December 29th, 2004 21:00
Mike,
I ran AdAware in normal and safe mode - nothing shows up (in Spybot either).
I ran Norton AntiVirus in normal and safe mode and the following files show up every time, and when I try and fix them it says fix failed. Norton identifies them as malware threats:
compressed file bullseye network/bin/adv.exe within c:\windows\system32\mac80ex.idf
next entry same as above except adx.exe replaces adv.exe
next entry the same except entry reading bin/bargains follows bullseye network/
windows\system32\config\systemprofile\local settings\temporary internet files\content.IES\81Q74X63163\bb[1}.exe
compressed file windows/system32\exdl.exe within windows\system32\netut80ex.vxd
next entry the same except exul.exe follows first system32
next entry the same except javexulm.vxe follows first system32
next one the same except mgexdlm.srg follows first system32
windows\system32\msbe.dll within c:\windows\system32\mac80.ex.idf
Midnight Star
December 29th, 2004 21:00
Jeff,
Ok, they are compressed with an 'archive' type file and that's probably why it can't delete or fix them. Drop Denny Denham a note and see if those 'archives' would be safe to remove. I don't know much about those file types ... :(
Mike.