[Resolved] Help needed with worm/trojan and parasite programs!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
There seems to be a problem when I press Ctrl + Alt + Delete and then close the processes: as I close IkxNv6.exe they keep on reappearing, sometimes under different names.

I also tried to send them to $teve, but AOL (McAfee) automatically detected an unrepairable virus within the files:

Tqo3oe6.exe
Sfn7d.exe
Pdl5Ga08.exe
Ila55.exe
IkxNv6.exe
Ikr50Zm4.exe
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Logfile of HijackThis v1.97.2
Scan saved at 19:47:19, on 05/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\Bku8.exe
C:\WINDOWS\System32\Cxe0n.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\LnaqxU3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

I did what you said, but the files have just changed names. I restarted my computer to see if the files had disappeared, but now there are Bku8.exe and Cxe0n.exe.
 
Joined
Oct 9, 2001
Messages
9,396
Hi alex...........
Try end-tasking and deleting them one at a time without rebooting.
Also, a good idea would be to post a StartupList.

In H/T click the "Config" button..... then "Misc Tools" and then "Generate StartupList".
Copy/paste just as you did with your logfile.

Do you have a web-based email account like Hotmail or Yahoo?
You could send from there...... although I'm sure you would've thought of this :rolleyes:

Stick with this, you're in the best place by far to deal with this problem.
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Here is my startuplist below:

StartupList report, 06/10/2003, 10:41:25
StartupList version: 1.52
Started from : C:\Documents and Settings\Alex\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\Nyf42n.exe
C:\WINDOWS\System32\Nyf42n.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
B'sCLiP = C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
GSICONEXE = gsicon.exe
DSLAGENTEXE = dslagent.exe USB
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
[email protected]#C5B58CGKKG = C:\WINDOWS\System32\SnuQDC65.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,011 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

How do I stop programs automatically running on startup?
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
I have also noticed a file called msg{C9E17926-FB59-4973-B540-AB552120A3EF}0111.dll in the system32 folder which I cannot delete, and this was installed at the same time as all the other parasite programs. I clicked on Properties and it had a bundleware.com copyright etc., and it seems this website actually could be the cause.

Strangely too, I went on the internet, then closed it, and the Lycos side search icon had reappeared on the desktop - it had installed itself again!!
 
Joined
Dec 9, 2000
Messages
45,855
We've seen a few threads like this before. It is a very difficult removal. The two processes work in tandem checking for each other's presence in memory. When one is terminated the other responds within seconds and morphs into a different file name that is loaded on rebooting.

There are a couple of ways to attack this. If you try to terminate them you must do each within a couple of seconds of each other and then without rebooting delete the files in the system32 folder.

Example: open both the Task Manager and a command shell (Start > Run > cmd).

Terminate the process:

Nyf42n.exe

and/or any other suspicious file that may be there. If more than one, do them both quickly.

>> Now at the command prompt type and enter each line:

del C:\WINDOWS\System32\Nyf42n.exe
del C:\WINDOWS\System32\SnuQDC65.exe


Also use HijackThis to delete the above registry entry ([email protected]#C5B58CGKKG = C:\WINDOWS\System32\SnuQDC65.exe).

Method number two is to delete the files in Safe Mode. FIRST, before shutting down, make sure you know the current names appearing in the Task window and in HijackThis. Copy the full paths to them exactly.

Then shut down completely and wait 20 seconds before restarting. Restart in Safe Mode (press F8 to access the boot menu and select Safe Mode). If you miss starting in Safe Mode you will need to verify that the file names have not changed before restarting. You may want to run msconfig and select the /safeboot option under the Boot.ini tab to make sure you do not miss Safe Mode.

In Safe Mode you should be able to delete the files. They should not start or be in the Task Manager. You can also use HijackThis to delete the registry entry.
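The HijackThis log posted earlier in the thread and the removal order Rog describes above (stop both processes within seconds of each other, delete the files without rebooting, then remove the Run value) can be turned into a repeatable triage step. The script below is an added example for this thread, not HijackThis code and not something the helpers ran. It parses the "Running processes" block and the O4 Run entries, flags images by a few heuristics (a System32 image missing from a small, assumed XP baseline; a random-looking name; more than one instance running, which is the watchdog-pair symptom; a Run value name with odd characters) and emits the cmd.exe lines for the procedure. The sample log is a constructed, cut-down copy of the posted one, with the Run value name reproduced as it appears in that post. It assumes taskkill and reg are available (XP Professional; XP Home users do those two steps by hand) and that a bare file name in a Run value resolves to System32.

```python
"""Triage a HijackThis v1.97 log and build a removal plan for a pair of
self-respawning processes. Added example for this thread: not HijackThis
code and not what the helpers ran; every heuristic here is an assumption."""
import re
from collections import Counter

# XP images expected in System32 (assumption: a tiny baseline for a first pass).
XP_BASELINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
               "ctfmon.exe", "userinit.exe", "rundll32.exe"}

# Constructed sample: a cut-down copy of the log posted in the thread; the odd
# Run value name is reproduced exactly as it appears in that post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Nyf42n.exe
C:\WINDOWS\System32\Nyf42n.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [[email protected]#C5B58CGKKG] C:\WINDOWS\System32\SnuQDC65.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*)\] (.+)$")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def key(path):  # lower-cased file name: NTFS lookups are case-insensitive
    return basename(path).lower()

def target_of(command):
    """The executable a Run value launches: the quoted or the first token."""
    cmd = command.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def looks_random(image):
    """Weak heuristic: short stem with a digit followed by a letter (Nyf42n,
    Cxe0n); real names usually keep digits at the end (nvsvc32, devldr32)."""
    stem = image.rsplit(".", 1)[0]
    return len(stem) <= 8 and re.search(r"\d[A-Za-z]", stem) is not None

def parse_log(text):
    """Return (running process paths, O4 Run entries) from a HijackThis log."""
    running, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
        elif in_procs and running:  # first blank line after the list ends it
            in_procs = False
        elif O4_RE.match(line):
            hive, name, cmd = O4_RE.match(line).groups()
            entries.append({"hive": hive, "name": name, "command": cmd})
    return running, entries

def triage(text):
    """Map each image to its path and the reasons it looks suspicious."""
    running, entries = parse_log(text)
    counts, paths = Counter(key(p) for p in running), {}
    for p in running + [target_of(e["command"]) for e in entries]:
        paths.setdefault(key(p), p)  # a running-process path beats a bare name
    findings = {}
    for img, path in paths.items():
        reasons = []
        in_sys32 = "\\system32\\" in path.lower() or "\\" not in path  # bare: PATH -> System32
        if in_sys32 and img not in XP_BASELINE:
            reasons.append("System32 image not in the XP baseline")
        if looks_random(img):
            reasons.append("random-looking file name")
        if counts[img] > 1:
            reasons.append(f"{counts[img]} instances running (watchdog pair?)")
        for e in entries:
            if key(target_of(e["command"])) == img and not re.fullmatch(r"[\w .'&-]+", e["name"]):
                reasons.append(f"Run value name has odd characters: {e['name']}")
        findings[img] = {"path": path, "reasons": reasons}
    return findings

def removal_plan(text, min_reasons=2):
    """cmd.exe lines in the order the thread recommends: stop every flagged
    process in ONE command (the pair respawns within seconds), delete the files
    without rebooting, then drop the Run value. taskkill and reg ship with XP
    Professional (assumption; on XP Home do those two steps by hand)."""
    findings, (running, entries) = triage(text), parse_log(text)
    flagged = sorted(i for i, f in findings.items() if len(f["reasons"]) >= min_reasons)
    live = {key(p) for p in running}
    kills = [basename(findings[i]["path"]) for i in flagged if i in live]
    plan = ["taskkill /F " + " ".join(f"/IM {k}" for k in kills)] if kills else []
    for i in flagged:
        path = findings[i]["path"]
        if "\\" not in path:  # bare name from a Run value: assume System32
            path = "C:\\WINDOWS\\System32\\" + path
        plan.append("del " + path)
    for e in entries:
        if key(target_of(e["command"])) in flagged:
            plan.append(f'reg delete "{e["hive"]}\\Software\\Microsoft\\Windows'
                        f'\\CurrentVersion\\Run" /v "{e["name"]}" /f')
    return plan
```

On the sample, only Nyf42n.exe (three signals) and SnuQDC65.exe (two signals) reach the plan; gsicon.exe and NeroCheck.exe get one signal each and stay in the review pile, which is the right outcome for a first pass. The important design point is the taskkill line: both images go into a single command so the surviving partner has no window to respawn, and the del and reg delete lines run before any reboot, exactly as the procedure above requires. Re-run the triage on a fresh log immediately before acting, since the names change across restarts.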
 
Joined
Oct 9, 2001
Messages
9,396
Thanx for the info Rog........another copy/paste for the desktop.

I've also forwarded the 2 files to TK and Lavasoft.
(y)
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
I seem to have got rid of the mutating files now - I ran H/T, fixed/deleted that [email protected] whatever it was, then went into system32 and deleted all the files that were created at the same time, closed the running processes, and deleted a .dll file which appeared to have been created with them and a .xml file. This appears to have worked, as my toolbar did not take ages to work when booting up.

However, that msg{...}.dll file is there and I cannot get rid of it.

thanks for the help
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
It doesn't show in the system32 file; in fact none of the parasite .exes did.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Make sure that you have all files set to show by opening Explorer > Tools > Folder Options > View, and make sure that "Show hidden files & folders" is TICKED and "Hide protected operating system files" is UNTICKED.

Then try.
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Yes, my mistake, the msg{...}.dll file is in the system32 file when I boot up in Safe Mode, but when I go to delete it access is denied because it says the file is currently in use or something.
 
Joined
Dec 9, 2000
Messages
45,855
Well it is certainly odd that it would be in use in Safe Mode and it would be nice to determine just what application or service was using it. It might be possible to delete it from a Safe Mode with Command Prompt option, a different startup mode, but that would be unenlightening and you would have to copy and type the full exact dll name.

If this were happening on my machine I would use Process Explorer to find out what is using the dll.

You can download in it here:

http://www.sysinternals.com/

Here's how you use it. Once you have the application open, look at the row of icons on the top menu bars. You will see either "Handles" with a page icon under it, or "Dlls" with a gear icon under it. If you see "handles" click the icon to toggle it and you will get "dll"

Now click Search and a search window will open. Enter a partial string of characters from the name of the dll sufficient to identify it and click "search"

What applications or services is the dll associated with? You will need to terminate that to delete it.

Also if you do a registry search for *0111.DLL what hits do you get for it and can you delete them? (ignore "mru" related references which represent past searches)

>> Actually, you might not have to use the full name to delete it.

If you select Safe Mode with Command Prompt from the startup menu you can try this at the prompt:

del c:\windows\system32\*0111.dll
 

alexrwl

Thread Starter
Joined
Oct 5, 2003
Messages
20
Hmm, this may be difficult to remove as the process it's associated with is explorer.exe.
 