[Resolved] Help needed with worm/trojan and parasit programs!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Hi,

I seem to have a trojan/worm on my PC after my brother downloaded some stupid game which has somehow installed numerous programs, e.g. NewDotNet, Media, Lycos search etc... I have used Norton and Ad Aware but they are not being removed. There is a problem with my toolbar too as it takes ages to load, for example when I open a file and close it the file shortcut on the toolbar takes ages to go away and doesn't let me click on the "Start" button from time to time. I have pasted my log file below if that is of any help!!

Logfile of HijackThis v1.97.2
Scan saved at 11:49:56, on 05/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\Tqo3oe6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0a\waol.exe
C:\Program Files\AOL 8.0a\shellmon.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\vgdi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {AA5BED4F-4121-4F52-A799-067CC8F88CFE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Spyware Nuker Installer] C:\Documents and Settings\Alex\Desktop\SpywareNukerInstaller.exe
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\LnaqxU3.exe
O4 - HKLM\..\Run: [POP_MONITOR] C:\PROGRA~1\POP\monpop.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [vgdi.exe] C:\WINDOWS\System32\vgdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Alex\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - HKCU\..\Run: [vgdi.exe] C:\WINDOWS\System32\vgdi.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{040146F1-A95F-4C77-9019-D446F58DEAA2}: NameServer = 195.93.51.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F86E61F-9866-4EF8-8520-1CF761C575DE}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{040146F1-A95F-4C77-9019-D446F58DEAA2}: NameServer = 195.93.51.134
 
Joined
Oct 9, 2001
Messages
9,396
Welcome to T.S.G Alex:)

1st thing go to add/remove programs and un-install newdotnet.
Then....
Run hijackthis again and put a checkmark against these entries....double check
in case you miss anything....
.....then, close all browser and outlook windows and "fix checked"

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {AA5BED4F-4121-4F52-A799-067CC8F88CFE} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Spyware Nuker Installer] C:\Documents and Settings\Alex\Desktop\SpywareNukerInstaller.exe
A "spyware removal program" by TrekBlue, which is being heavily advertised through junk e-mail from its affiliates and misleading fake-dialogue-box web advertising. This is the same company as E-mail marketers ‘TrekData’ and ‘Blue Haven Media’, who distribute spyware through ActiveX drive-by-download on web pages.

Can you locate this next one and send me a zipped copy.
[email protected]
O4 - HKCU\..\Run: [vgdi.exe] C:\WINDOWS\System32\vgdi.exe Then "fix" it with H/T

O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\LnaqxU3.exe
O4 - HKLM\..\Run: [POP_MONITOR] C:\PROGRA~1\POP\monpop.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Alex\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Re-boot into safe mode and delete:
C:\Program Files\Alset [FOLDER]
C:\PROGRA~1\POP [FOLDER]
C:\WINDOWS\System32\P2P Networking [FOLDER]

Is AOL your ISP?
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Thanks for the reply, much appreciated!

"NewDotNet" does not appear in add/remove and you cannot delete it by clicking on the file as access to NewDotNet5_40.dll is denied.

Shall I still run hijack and check the entries?

AOL is my ISP.

I have located the vgdi.exe file and will send it to you - I did a search on the internet for it earlier but nothing showed up as I was curious about what it was!

thanks

Alex
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Thanks, surprisingly the uninstall feature from their site actually works!!
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
I have done everything that has been said but the most serious problem I seem to have is that my toolbar takes ages to load as I simply can't click on it for long periods of time, and the folders and things I have opened stay on the toolbar even though they are closed - any ideas??
 
Joined
Oct 9, 2001
Messages
9,396
Alex......post a 2nd log......these items in your running processes could be suspect.
C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\Tqo3oe6.exe
Let's see if they change their filenames.
 
Joined
Oct 9, 2001
Messages
9,396
Also...........these can be "fixed" with H/T and are not needed to run until you open the programs.

O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Check the others here: http://www.pacs-portal.co.uk/startup_index.htm
You may find there are some more you can disable to reduce clutter.
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Logfile of HijackThis v1.97.2
Scan saved at 16:12:21, on 05/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\Pdl5Ga08.exe
C:\WINDOWS\System32\IkxNv6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\SnuQDC65.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
In the previous post is the hijack this log...what should I delete now - also the problem with my toolbar is only apparent within the first 30 mins or so of booting my computer up - also $teve, what was that .exe file?
 
Joined
Oct 9, 2001
Messages
9,396
Here we are..........spot the difference.
Fix with H/T and then re-boot and delete them in safe mode.

This is from the 1st log.
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\Tqo3oe6.exe
C:\Program Files\Messenger\msmsgs.exe

And this is from the 2nd.
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\Pdl5Ga08.exe
C:\WINDOWS\System32\IkxNv6.exe
C:\Program Files\Messenger\msmsgs.exe


You also need to have H/T "fix" these:
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\SnuQDC65.exe
Make a note of this one...when you re-run H/T it will have changed its file name.

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
And delete the p2p folder.

Re: The file you sent me.....I mailed it on to a 3rd party...I'll let you know as soon as I do......It wasn't viral, probably a new malware variant.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
You have been hit with a new form of scumware that puts on this dodgy toolbar & mutates every time you try to remove it unless you follow these steps very carefully.

run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\SnuQDC65.exe

then open task manager by pressing Ctrl & Alt & Delete at the same time and stop the running processes on these files

SnuQDC65.exe
Pdl5Ga08.exe
IkxNv6.exe

make sure that you have all files set to show by opening windows explorer /tools/folder options/view and make sure that show hidden files & folders is ticked and hide protected operating system files is UNticked
then using windows explorer navigate to & delete these files
C:\WINDOWS\System32\Pdl5Ga08.exe
C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\SnuQDC65.exe

It is vital that you do not reboot at anytime until all 3 files have been deleted, which can only happen once their running process has been stopped.

after carrying out all the above steps then reboot & post a new hijackthis log to check whether you are all clear

NOTE>>>>>>>>>One of the problems with this scumware trojan bar loader is that it leaves the old files in place & duplicates them with new names, so
you will probably find that you have these 3 files below in your system32 folder; if so, stop the processes if running and delete them also

C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\Tqo3oe6.exe
C:\WINDOWS\System32\LnaqxU3.exe
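The "spot the difference" comparison of the two logs above, and the mutation pattern dvk01 describes (same Run entry, new random file name each time), done by script instead of by eye. This is an added example, not code from the thread or from HijackThis; the two log excerpts are constructed from the logs posted above, the run-key name is copied as it appears in the thread, and the random-name heuristic is the author's assumption.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in the thread (only the lines needed here).
FIRST_LOG = r"""Running processes:
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\Tqo3oe6.exe

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\LnaqxU3.exe
"""
SECOND_LOG = r"""Running processes:
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\Pdl5Ga08.exe
C:\WINDOWS\System32\IkxNv6.exe

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\SnuQDC65.exe
"""

# Assumed heuristic: short mixed-case alphanumeric stem with a digit (IkxNv6, Pdl5Ga08, SnuQDC65); devldr32 does not match.
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,8}$")

def parse_log(text):
    """Return (set of running-process paths, {O4 run-key name: command}) from a HijackThis log."""
    processes, run_keys, in_procs = set(), {}, False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False                      # a blank line ends the process list
        elif in_procs:
            processes.add(line)
        elif line.startswith("O4 - "):
            head, _, command = line.rpartition("] ")   # split on the last "] " so names containing ']' still parse
            run_keys[head[head.index("[") + 1:]] = command
    return processes, run_keys

def looks_random(path):
    """Flag a random-looking executable name living directly in System32."""
    folder, _, filename = path.rpartition("\\")
    return folder.lower().endswith("\\system32") and bool(RANDOM_STEM.match(filename.rsplit(".", 1)[0]))

def compare_logs(old, new):
    """Spot the difference between two logs: new/vanished processes and re-created Run entries."""
    old_procs, old_keys = parse_log(old)
    new_procs, new_keys = parse_log(new)
    return {
        "appeared": sorted(new_procs - old_procs),
        "vanished": sorted(old_procs - new_procs),
        # same Run key name, different executable: the entry was put back under a new file name
        "renamed": {k: (old_keys[k], new_keys[k]) for k in old_keys.keys() & new_keys.keys()
                    if old_keys[k] != new_keys[k]},
        "suspect": sorted(p for p in old_procs | new_procs if looks_random(p)),
    }
```

Running `compare_logs(FIRST_LOG, SECOND_LOG)` lists Pdl5Ga08.exe as appeared, Tqo3oe6.exe as vanished, and the one Run entry whose target changed from LnaqxU3.exe to SnuQDC65.exe, which is the set of files the posts above say to stop and delete together.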
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
The problem with doing it in safe mode is that it doesn't load the 2 extra files shown running in the processes, and consequently you don't know they are there to delete, and when you reboot normally one of the extra files puts back an entry in the O4 section under a different name.

This has been a right pain to try and fix on several machines and my way as outlined above has so far been the only way to cure it.
I hope one of the adware or antivirus companies soon find a cure for it.
 
Joined
Oct 9, 2001
Messages
9,396
Alex................This is very important!!

C:\WINDOWS\System32\IkxNv6.exe
C:\WINDOWS\System32\Tqo3oe6.exe
C:\WINDOWS\System32\LnaqxU3.exe

Can you please zip and send copies of these 3...this is quite a new threat that needs to be dealt with.
I can send them off to the "smarter" people and they can in turn develop a fix for the problem.

thanx.

;)
 