lorilynne

Trojan Keeps Returning Help!

4 posts in this topic

Sorry this is such a long post but I thought the more info I gave the better idea you can get of my problem.

 

Back on June 12th someone told me I needed Norton on my computer. They gave me a CD to put it on and I did. On June 14th we got our very first Trojan ever. The person who helped me get rid of it didn’t tell me the name of it, just that it was a dialer. She got rid of it as far as we knew and also uninstalled Norton. I thought we were fine, but I couldn’t send emails through Yahoo. I got mad and did a system restore, which fixed the Yahoo problem. Then a week or so later we got another Trojan. AVG found these; they were called Startpage.6.BH and Downloader.Agent.BF, and they had also downloaded Home Search Assistant and Shopping Wizard. I thought I would research and try to fix this one since I learned a little bit from the first one. I read on others’ forums to download the following, which I now have on my computer:

Adaware

Spybot

Spyware Blaster

SpywareGuard

Sygate

 

These helped but couldn’t get all of it; then I found hsremove and it seemed to have gotten rid of it. HSA and Shopping Wizard were both gone. But SpywareGuard keeps giving me 6 pop-ups of the following whenever I open IE, My Documents and others. I always click “restore old value”:

 

Your IE search page has been changed from

“nothing is here in this spot”

to

res://C:\WINDOWS\system32\fkgzh.dll/sp.html#37794

 

Your IE homepage has been changed from

http://www.journalreview.com/

to

res://fkgzh.dll/index.html#37794

 

Your IE local machine search page has been changed from

“nothing is here in this spot”

to

res://C:\WINDOWS\system32\fkgzh.dll/sp.html#37794

 

Your IE local machine default page has been changed from

“again nothing in this spot”

to

res://fkgzh.dll/index.html#37794

 

Your IE local machine homepage has been changed from

http://hsremove.com/done.htm (which I know this is from the program I described above.)

to

res://fkgzh.dll/index.html#37794

 

Your IE local machine default page has been changed from

“nothing is here in this spot”

to

res://C:\WINDOWS\system32\fkgzh.dll/sp.html#37794

 

Yesterday morning AVG found Trojan horse Downloader.Small.8.BE in C:\WINDOWS\SYSTEM32\lsd_f3.dll and in C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP68\A0015259.dll. I deleted them.

 

Since then AVG, Avast or Housecall can’t find anything wrong, but HSA and SW are still there along with the pop-ups mentioned above.

 

Last night I downloaded Avast, it found nothing.

 

Also, Sygate keeps giving me pop-ups talking about C:\WINDOWS\winol.exe and something about ifeadsl.exe, and I’m now beginning to get porn pop-ups.

 

Just before posting this I ran the following things in the correct order listed:

 

Housecall found:

malware called JR_FORTNIGHT.M and deleted it.

 

AVG found nothing.

 

Avast found:

Win32:CodeRed in C:\Program files\Yahoo!\Messenger\Yserver.log

Win32:Trojano-213[Trj] in C:\WINDOWS\Key2.txt.

It couldn’t repair them so I had them deleted.

 

Adaware found 5 things from CoolWebSearch, which was malware, in:

C:\WINDOWS\System32\fkgzh.dll

HKEY_LOCAL_MACHINE:Software\Microsoft Windows\Current Version\Uninstall\HSA

HKEY_LOCAL_MACHINE:Software\Microsoft Windows\Current Version\Uninstall\SE

HKEY_LOCAL_MACHINE:Software\Microsoft Windows\Current Version\Uninstall\SW

HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

 

Spybot found nothing.

 

Also, I have all of the Microsoft Updates up to date.

 

Here’s my HJT log after running the other things.

 

Logfile of HijackThis v1.98.0

Scan saved at 10:36:26 PM, on 7/17/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\winkw32.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\winol.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\CallWave\IAM.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Documents and Settings\Owner\My Documents\hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.journalreview.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {95E91DD0-550D-630E-CCFD-E929FF768505} - C:\WINDOWS\system32\netwm32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [winol.exe] C:\WINDOWS\winol.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [Tray Temperature] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\PsnLite.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qqczerbe.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab


I thought the programs got it since the SpywareGuard pop-ups had stopped last night. But they are back this morning again!

Someone, please help me :(


lorilynne,

 

Welcome to the SWI Forums.

 

Sorry you had to wait, but there seem to be more HijackThis logs posted than SWI representatives to work on them.

 

Will take a look at your log and get back with you as soon as possible.

 

Also, can you tell me what versions of AdAware and Spybot you ran?

 

Hang in there. :weee:

Edited by FZWG


Lorilynne,

 

Thank you for your patience.

 

Looking at your 13 July and 17 July HijackThis logs, it appears a hijacker may be lurking in the system.

 

Let's take the following course:

 

As a first step, I suggest printing this page for easier reference.

 

Download the AboutBuster program from: http://www.downloads.subratam.org/AboutBuster.zip

 

Unzip it to your Desktop

 

Then, reboot to Safe Mode as instructed in the following link:

http://service1.symantec.com/SUPPORT/ts...ec_doc_nam

 

Double click AboutBuster.exe

Click OK, Start, and OK.

 

AboutBuster scans the computer for malicious files and deletes them.

Save the report (copy and paste into Notepad or Wordpad and save as a .txt file) to post a copy for review when done with the steps that follow.

 

Run AboutBuster one more time, and save the report again.

 

Reboot into Normal mode.

 

Since you already have AdAware installed, use: Check for Updates, and obtain its latest reference file.

 

However, this time use the following link to configure AdAware settings for a ‘Full Scan’: http://www.lavahelp.com/howto/fullscan/index.html

 

-Press: Scan Now

-Select: Next, to perform the scan

 

When the scan completes, it may find a number of entries.

-Right-click the pane where the entries are, and choose: Select all

-Remove all items

-Once AdAware has removed the items, close the program

 

Reboot.

 

Now, make sure all windows and browsers are closed before proceeding to run HJT and scan.

 

[Note: if any entries are disabled in MSConfig or any other startup manager, please re-enable them before scanning.]

 

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting the: ‘Fix Checked’ button:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {95E91DD0-550D-630E-CCFD-E929FF768505} - C:\WINDOWS\system32\netwm32.dll

 

O4 - HKLM\..\Run: [winol.exe] C:\WINDOWS\winol.exe

 

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qqczerbe.exe

 

 

In order to perform the next step, make sure Windows XP is set to show Hidden Files & Folders as shown on this link: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Now reboot once again into Safe Mode.

 

Delete the following files if present (in bold):

 

C:\WINDOWS\winol.exe

C:\Program Files\Internet Explorer\qqczerbe.exe

 

 

Now, reboot to Normal mode, and let's do a Time Travel Test:

-Right click the clock on the right side of the Taskbar on your Desktop

-Select: Adjust Date/Time

-Set the date to three days from now!!

-Click Apply, and then OK

 

The reason for doing this step is that this particular hijacker has a tendency to reappear a few days after the infection is supposedly cured. We are going to fool it into thinking it is three days later.

 

Once again make sure all windows and browsers are closed before proceeding to run HijackThis and scan.

 

Post a new HijackThis log, and post the two About Buster logs for review.

 

You can set back the date/time correctly after running HijackThis.

 

There will be some more work to do when you post back.

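The helper's fix list above is built by reading the HijackThis log section by section (R0/R1/R3 browser settings, O2 browser helper objects, O4 startup entries, O16 ActiveX downloads). The following Python is an added example for this thread, not code from the forum, from HijackThis, or from the helper; it parses lines in the "Xn - body" format the log uses and applies a few review rules. The sample lines are constructed to mirror the posted log, and the rules (a start page set to a res:// DLL resource, a missing URLSearchHook, a BHO with no name, a startup .exe sitting directly in the Windows directory, an O16 entry pointing at a local file://) are assumptions drawn from the entries the helper singled out in this particular log, not a general classification.

```python
"""Parse HijackThis (HJT) log lines and flag entries worth a second look.

Added example for this thread; it is not code from the forum, from
HijackThis, or from the helper's procedure. SAMPLE_LOG is constructed in
the shape of the log posted above, and the review rules are assumptions
drawn from the entries the helper asked to fix, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HJT's "Xn - body" format (a subset of the posted log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.journalreview.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fkgzh.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {95E91DD0-550D-630E-CCFD-E929FF768505} - C:\WINDOWS\system32\netwm32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [winol.exe] C:\WINDOWS\winol.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qqczerbe.exe
""".strip()


@dataclass
class Entry:
    section: str  # HJT section code, e.g. "R0", "O2", "O4", "O16"
    body: str     # text after "Xn - "
    raw: str      # the original line


LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# First drive-rooted path ending in .exe, quoted or not (stops at a closing quote).
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
# An .exe directly inside the Windows directory, with no subdirectory.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_log(text: str) -> List[Entry]:
    """Keep only lines in HJT's entry format; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def run_target(body: str) -> str:
    """Extract the executable path from an O4 body such as '[name] C:\\x.exe /arg'."""
    m = EXE_PATH_RE.search(body)
    return m.group(0) if m else ""


def review(entry: Entry) -> Optional[str]:
    """Return a reason if the entry matches one of the assumed review rules, else None."""
    s, b = entry.section, entry.body
    if s.startswith("R"):
        if b.endswith("is missing"):
            return "default handler missing"
        if "= res://" in b:
            return "browser page set to a res:// DLL resource"
    if s == "O2" and b.startswith("BHO: (no name)"):
        return "BHO with no name"
    if s == "O4" and WINDOWS_ROOT_EXE_RE.match(run_target(b)):
        return "startup executable directly in the Windows directory"
    if s == "O16" and "file://" in b.lower():
        return "ActiveX (DPF) entry pointing at a local file://"
    return None


def flagged(text: str) -> List[Tuple[str, str, str]]:
    """(section, reason, raw line) for every entry that trips a rule, in log order."""
    out = []
    for e in parse_log(text):
        reason = review(e)
        if reason:
            out.append((e.section, reason, e.raw))
    return out


if __name__ == "__main__":
    for section, reason, raw in flagged(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {raw}")
```

Run against the constructed sample, the five flagged lines are exactly the five entries the helper told lorilynne to have HijackThis fix, while the HP startup items and the Acrobat BHO pass through untouched; the rules are deliberately narrow to this log and would need widening before use on any other.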
This topic is now closed to further replies.