Really nasty stuff won't go away with spybot and hijackthis

Discussion in 'Virus & Other Malware Removal' started by fireman949, Apr 28, 2004.

  1. fireman949

    fireman949 Thread Starter

    Joined:
    Apr 28, 2004
    Messages:
    2
    I thought I was good at using spybot s&d and Hijack this to remove stuff, but then one of the upper management staff where I work pulled me into his office and asked me to fix his computer. A BHO had hijacked his homepage to open 3 - 4 windows immediately and download a trojan in the process. I was able to clean up his Internet Explorer and get it working (at the same time making a plug for Mozilla 0.8), but after 1/2 a day of researching his hijack this log and running spybot s&d 8-10 times (note, I can't get Spybot to run on startup with Windows 2000 - am I missing something) - There are still some files that cannot be deleted.
    Code:
    BrowserAid.LetsSearch: Autorun settings (Registry value, fixing failed)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunWindowsUpdate
    
    DSO Exploit: Data source object exploit (Registry change, fixing failed)  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3
    
    eUniverse.UpdMgr: Autorun settings (Registry value, fixing failed)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updmgr
    
    KeenValue.PerfectNav: Interface (Registry key, fixing failed)  HKEY_CLASSES_ROOT\Interface\{8B8F6968-2F24-41E3-B653-E9613226F14D}
    
    KeenValue.PerfectNav: Type library (Registry key, fixing failed)  HKEY_CLASSES_ROOT\TypeLib\{DE289BFA-737B-4ABB-A4EC-F8753551B875}
    
    n-Case: Autorun settings (Registry value, fixing failed)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbb
    
    PeopleOnPage: Global settings (Registry key, fixing failed)  HKEY_LOCAL_MACHINE\Software\Envolo
    
    PeopleOnPage: Uninstall settings (Registry key, fixing failed)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate
    
    SearchAndClick: Autorun settings (Registry value, fixing failed)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
    
    SearchAndClick: Class ID (Registry key, fixing failed)  HKEY_CLASSES_ROOT\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
    
    SearchAndClick: Class ID (Registry key, fixing failed)  HKEY_CLASSES_ROOT\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F443}
    
    SearchAndClick: Global settings (Registry key, fixing failed)  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
    
    SearchAndClick: Type library (Registry key, fixing failed)  HKEY_CLASSES_ROOT\TypeLib\{2CF0B992-5EEB-4143-99C0-5297EF71F445}
    
    WhenU.SaveNow: Autorun settings (Registry value, fixing failed)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WhenUSave
    
    WhenU.SaveNow: Global settings (Registry key, fixing failed)  HKEY_LOCAL_MACHINE\Software\WhenUSave
    
    Windows Media Player: Client ID (Registry change, nothing done)  HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

    I haven't been able to find any information on this:
    Code:
    Located: HK_CU:Run, Rrcl
      file: C:\Documents and Settings\bridav\Application Data\ropp.exe
      MD5: 15F0A7B6A25CA47E374725DE1EFB863D
    and this is the only other thing I can find that appears to be malware but I can't seem to kill it:
    Code:
    {56336BCB-3D8A-11D6-A00B-0050DA18DE71}
      Class file: RdxIE.dll
        Attributes: archive 
        Date: 1/28/2004 12:13:52 PM
        MD5: C350FD4B920362062BD39EA31007ACFB
        Path: C:\WINNT\Downloaded Program Files\
        Short name: RDXIE.DLL
        Size: 520349 bytes
        Version: 0.6.0.0
      Class name: RdxIE Class
      CLSID database: confirmed malware
        Description: Netster
      Contains file: RdxIE.dll
        Attributes: archive 
        Date: 1/28/2004 12:13:52 PM
        MD5: C350FD4B920362062BD39EA31007ACFB
        Path: C:\WINNT\Downloaded Program Files\
        Short name: RDXIE.DLL
        Size: 520349 bytes
        Version: 0.6.0.0
      Download location: http://software-dl.real.com/31dda83298e8b8e46722/netzip/RdxIE601.cab
      Last modified: Wed, 28 Jan 2004 20:13:56 GMT
      Version: 6,0,0,10
    Any help would be greatly appreciated.
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi fireman949

    Welcome to TSG! :)

    Please post the Hijack This log here so we can help.
     
  3. fireman949

    fireman949 Thread Starter

    Joined:
    Apr 28, 2004
    Messages:
    2
    Sorry about that,
    Here is his hijack log...

    ---------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 9:41:53 AM, on 4/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\starter.exe
    C:\WINNT\system32\mobsync.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\winnt\temp\otBczhj.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\IEHost.exe
    C:\WINNT\system32\msodv.exe
    C:\Documents and Settings\bridav\Application Data\ropp.exe
    C:\WINNT\system32\wcpsvcc.exe
    C:\Program Files\FacetCorp\FacetWin\fwagent.exe
    C:\Documents and Settings\bridav\Start Menu\Programs\Startup\STICKIT.EXE
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [msbb] c:\winnt\msbb.exe
    O4 - HKLM\..\Run: [bqjyl] C:\WINNT\bqjyl.exe
    O4 - HKLM\..\Run: [otBczhj] C:\winnt\temp\otBczhj.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [qqnf32l] C:\WINNT\system32\msodv.exe
    O4 - HKCU\..\Run: [Rrcl] C:\Documents and Settings\bridav\Application Data\ropp.exe
    O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvcc.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Startup: STICKIT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: FacetWin Agent.lnk = C:\Program Files\FacetCorp\FacetWin\fwagent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31dda83298e8b8e46722/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37880.5412384259
    O16 - DPF: {CB005660-D0C7-11CF-B7F6-00AA00A3F278} - http://activex.microsoft.com/controls/microsoft_only/ticker.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ptwlan.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F1EA038-2E55-438F-BC15-FA55BEB90734}: NameServer = 192.168.1.3
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ptwlan.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F1EA038-2E55-438F-BC15-FA55BEB90734}: NameServer = 192.168.1.3
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ptwlan.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1F1EA038-2E55-438F-BC15-FA55BEB90734}: NameServer = 192.168.1.3

    ---------------------------------------------
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click here to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    When it is finished restart your computer.

    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

    Come back here and post another Hijack This log and we'll get rid of what's left.


    After running CWShredder run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm

    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe

    O4 - HKLM\..\Run: [msbb] c:\winnt\msbb.exe

    O4 - HKLM\..\Run: [bqjyl] C:\WINNT\bqjyl.exe

    O4 - HKLM\..\Run: [otBczhj] C:\winnt\temp\otBczhj.exe

    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain

    O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe

    O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe

    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe

    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [qqnf32l] C:\WINNT\system32\msodv.exe

    O4 - HKCU\..\Run: [Rrcl] C:\Documents and Settings\bridav\Application Data\ropp.exe

    O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvcc.exe

    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31dda83...ip/RdxIE601.cab


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

    Now find and delete:

    The C:\Program Files\ClockSync folder
    The c:\Program Files\Instant Access folder
    The C:\Program Files\Save folder
    The C:\Program Files\Common files\updmgr folder
    The C:\Program Files\Common Files\Dpi folder
    The c:\winnt\msbb.exe file
    The C:\WINNT\uptodate.exe file
    The C:\WINNT\bqjyl.exe file
    The C:\WINNT\system32\IEHost.exe file
    The C:\WINNT\system32\dp-him.exe file
    The C:\WINNT\system32\msodv.exe file
    The C:\WINNT\system32\wcpsvcc.exe file
    The C:\WINNT\system32\pcs folder
    The C:\Documents and Settings\bridav\Application Data\ropp.exe file

    Also in safe mode navigate to the C:\winnt\temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    To finish the cleanup do the following:

    Go here and download Adaware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on -------ON=GREEN

    From main window :Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next.)

    Restart your computer.


    Then go here and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press Online and Search for Updates.

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.
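As an added example (not code from the thread, from HijackThis or from the tools Flrman1 names), the following Python script runs the kind of triage Flrman1 did by hand over a constructed subset of the posted log: Run entries launching from temp or profile folders, loose executables in the Windows folder, rundll32 DLL loaders, hosts entries redirecting well-known names to a remote address, and a search bar pointed at a local file. The path patterns and the hosts-line parsing are my assumptions about common hijack signs, not rules HijackThis itself applies.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97.7 log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [otBczhj] C:\winnt\temp\otBczhj.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKCU\..\Run: [Rrcl] C:\Documents and Settings\bridav\Application Data\ropp.exe
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# HijackThis prints several hosts entries on one O1 line with no separator;
# the lazy hostname match stops where the next IP address begins.
HOSTS_ENTRY = re.compile(rf"({IP})\s+([A-Za-z][A-Za-z0-9.-]*?)(?=\s|{IP}|$)")
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Launch locations a legitimate autorun rarely uses (assumed heuristics, case-insensitive).
SUSPECT_PATHS = (
    (r"\\temp\\", "runs from a temp folder"),
    (r"\\application data\\", "runs from the user profile"),
    (r"^c:\\winnt\\[^\\]+\.exe$", "loose executable in the Windows folder"),
    (r"^rundll32\.exe .*\.dll,", "rundll32 loading a DLL entry point"),
)

def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log lines matching the hijack patterns above."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("R1 -") and "= file://" in line:
            findings.append(("search bar redirected to a local file", line))
        elif line.startswith("O1 - Hosts:"):
            for ip, host in HOSTS_ENTRY.findall(line[len("O1 - Hosts:"):]):
                if ip not in ("127.0.0.1", "0.0.0.0"):  # block lists point at loopback
                    findings.append((f"hosts file sends {host} to {ip}", line))
        elif m := O4_RUN.match(line):
            _hive, _name, command = m.groups()
            for pattern, reason in SUSPECT_PATHS:
                if re.search(pattern, command, re.IGNORECASE):
                    findings.append((reason, line))
                    break
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The vptray entry (Norton AntiVirus) is deliberately included and should come back clean; every flagged line still needs a human look before it is fixed.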
     