Trojan Keeps Returning Help!


  • This topic is locked
3 replies to this topic

#1 lorilynne

lorilynne

    Member

  • New Member
  • 3 posts

Posted 17 July 2004 - 10:44 PM

Sorry this is such a long post but I thought the more info I gave the better idea you can get of my problem.

Back on June 12th someone told me I needed Norton on my computer. They gave me a CD to put it on and I did. On June 14th we got our very first Trojan ever. The person who helped me get rid of it didn’t tell me the name of it, just that it was a dialer. She got rid of it as far as we knew and also uninstalled Norton. I thought we were fine, but I couldn’t send emails through Yahoo. I got mad and did a system restore, which fixed the Yahoo problem. Then a week or so later we get another Trojan. AVG found these; they were called Startpage.6.BH and Downloader.Agent.BF, and they had also downloaded Home Search Assistant and Shopping Wizard. I thought I would research and try to fix this one since I learned a little bit from the first one. I read from others’ forums to download the following, which I now have on my computer:
Adaware
Spybot
Spyware Blaster
Spyguard
Sygate

These helped but couldn’t get all of it, then I found hsremove and it seemed to have gotten rid of it. HSA and Shopping Wizard were both gone. But, SpywareGuard keeps giving me 6 pop-ups of the following whenever I open IE, My Documents and others. I always click “restore old value”:

Your IE search page has been changed from
“nothing is here in this spot”
to
res://C:\WINDOWS\system 32\fkgzh.dll/sp.html#37794

Your IE homepage has been changed from
http://www.journalreview.com/
to
res://fkgzh.dll/index.html#37794

Your IE local machine search page has been changed from
“nothing is here in this spot”
to
res://C:\WINDOWS\system 32\fkgzh.dll/sp.html#37794

Your IE local machine default page has been changed from
“again nothing in this spot”
to
res://fkgzh.dll/index.html#37794

Your IE local machine homepage has been changed from
http://hsremove.com/done.htm (which I know is from the program I described above)
to
res://fkgzh.dll/index.html#37794

Your IE local machine default page has been changed from
“nothing is here in this spot”
to
res://C:\WINDOWS\system 32\fkgzh.dll/sp.html#37794

Yesterday morning AVG found Trojan horse Downloader.Small.8.BE in C:\WINDOWS\SYSTEM32\lsd_f3.dll and in C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP68\A0015259.dll. I deleted them.

Since then AVG, Avast or Housecall can’t find anything wrong, but HSA and SW are still there along with the pop-ups mentioned above.

Last night I downloaded Avast, it found nothing.

Also, Sygate keeps giving me popups talking about C:\WINDOWS\winol.exe and something about ifeadsl.exe and I’m now beginning to get porn pop-ups.

Just before posting this I ran the following things in the correct order listed:

Housecall found:
malware called JR_FORTNIGHT.M and deleted it.

AVG found nothing.

Avast found:
Win32:CodeRed in C:\Program files\Yahoo!\Messenger\Yserver.log
Win32:Trojano-213[Trj] in C:\WINDOWS\Key2.txt.
It couldn’t repair them so I had them deleted.

Adaware found 5 things from CoolWebSearch, which was malware, in:
C:\WINDOWS\System32\fkgzh.dll
HKEY_LOCAL_MACHINE:Software\Microsoft Windows\Current Version\Uninstall\HSA
HKEY_LOCAL_MACHINE:Software\Microsoft Windows\Current Version\Uninstall\SE
HKEY_LOCAL_MACHINE:Software\Microsoft Windows\Current Version\Uninstall\SW
HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Spybot found nothing.

Also, I have all of the Microsoft Updates up to date.

Here’s my HJT log after running the other things.

Logfile of HijackThis v1.98.0
Scan saved at 10:36:26 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winkw32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\winol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CallWave\IAM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Documents and Settings\Owner\My Documents\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.journalreview.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {95E91DD0-550D-630E-CCFD-E929FF768505} - C:\WINDOWS\system32\netwm32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [winol.exe] C:\WINDOWS\winol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Tray Temperature] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qqczerbe.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab

#2 lorilynne

lorilynne

    Member

  • New Member
  • 3 posts

Posted 18 July 2004 - 06:11 AM

I thought the programs got it since the spywareguard pop-ups had stopped last night. But, they are back this morning again!
Someone, please help me :(

#3 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 20 July 2004 - 02:30 AM

lorilynne,

Welcome to the SWI Forums.

Sorry you had to wait, but there seem to be more HijackThis logs posted than SWI representatives to work on them.

Will take a look at your log and get back with you as soon as possible.

Also, can you tell me what versions of AdAware and Spybot you ran?

Hang in there. :weee:

Edited by FZWG, 20 July 2004 - 10:55 AM.


There are times when everything is understood...then one regains consciousness!

#4 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 20 July 2004 - 11:08 PM

Lorilynne,

Thank you for your patience.

Looking at your 13 July and 17 July HijackThis logs, it appears a hijacker may be lurking in the system.

Let's take the following course:

As a first step, I suggest printing this page for easier reference.

Download the AboutBuster program from: http://www.downloads...AboutBuster.zip

Unzip it to your Desktop

Then, reboot to Safe Mode as instructed in the following link:
http://service1.syma...ts...ec_doc_nam

Double click AboutBuster.exe
Click OK, Start, and OK.

AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad or Wordpad and save as a .txt file) to post a copy for review when done with the steps that follow.

Run AboutBuster one more time, and save the report again.

Reboot into Normal mode.

Since you already have AdAware installed, use: Check for Updates, and obtain its latest reference file.

However, this time use the following link to configure AdAware settings for a ‘Full Scan’: http://www.lavahelp....scan/index.html

-Press: Scan Now
-Select: Next, to perform the scan

When the scan completes, it may find a number of entries.
-Right-click the pane where the entries are, and choose: Select all
-Remove all items
-Once AdAware has removed the items, close the program

Reboot.

Now, make sure all windows and browsers are closed before proceeding to run HJT and scan.

[Note: if any entries are disabled in MSConfig or any other startup manager, please re-enable them before scanning.]

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting the: ‘Fix Checked’ button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {95E91DD0-550D-630E-CCFD-E929FF768505} - C:\WINDOWS\system32\netwm32.dll

O4 - HKLM\..\Run: [winol.exe] C:\WINDOWS\winol.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qqczerbe.exe


In order to perform the next step, make sure Windows XP is set to show Hidden Files & Folders as shown on this link: http://www.xtra.co.n...1916458,00.html

Now reboot once again into Safe Mode.

Delete the following files if present (in bold):

C:\WINDOWS\winol.exe
C:\Program Files\Internet Explorer\qqczerbe.exe


Now, reboot to Normal mode, and let's do a Time Travel Test:
-Right click the clock on the right side of the Taskbar on your Desktop
-Select: Adjust Date/Time
-Set the date to three days from now!!
-Click Apply, and then OK

The reason for doing this step is that this particular hijacker has a tendency to reappear a few days after the infection is supposedly cured. We are going to fool it into thinking it is three days later.

Once again make sure all windows and browsers are closed before proceeding to run HijackThis and scan.

Post a new HijackThis log, and post the two About Buster logs for review.

You can set back the date/time correctly after running HijackThis.

There will be some more work to do when you post back.

There are times when everything is understood...then one regains consciousness!
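An added triage helper, not part of this thread, of HijackThis or of any tool named above: it parses HijackThis v1.98-style entry lines (a few copied from the log posted above, plus two known-good lines) and flags the kinds of entries FZWG singled out for fixing. The rules are general heuristics of my own (a missing URLSearchHook, an unnamed BHO, a Run entry starting an exe that sits directly in C:\WINDOWS, a DPF entry loading a local file:// executable, an IE page set to a res:// DLL resource), so the same check applies to other logs; the function names and regexes are assumptions, not HijackThis's own.

```python
import re
# Constructed sample: entry lines copied from the HijackThis log in this thread, plus two known-good lines to leave alone.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {95E91DD0-550D-630E-CCFD-E929FF768505} - C:\WINDOWS\system32\netwm32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [winol.exe] C:\WINDOWS\winol.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qqczerbe.exe
"""
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def _target(kind, body):
    """Pull the file/URL an entry points at: after [name] for O4, else after the last ' - '."""
    if kind == "O4":
        m = re.search(r"\]\s*(.+)$", body)
        return m.group(1).strip() if m else None
    return body.rsplit(" - ", 1)[-1] if " - " in body else None

def parse_hjt(text):
    """Parse HijackThis entry lines into dicts; process-list and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        c = CLSID.search(body)
        entries.append({"kind": kind, "body": body, "target": _target(kind, body),
                        "clsid": c.group(0).upper() if c else None})
    return entries

def triage(entries):
    """Return (entry, reason) pairs a log reviewer would examine first (heuristic rules)."""
    flagged = []
    for e in entries:
        k, b, t = e["kind"], e["body"], e["target"] or ""
        if k == "R3" and "missing" in b:
            flagged.append((e, "URLSearchHook removed: common side effect of a search hijacker"))
        elif k in ("R0", "R1") and "res://" in b:
            flagged.append((e, "IE start/search page points at a DLL resource, not a web site"))
        elif k == "O2" and "(no name)" in b:
            flagged.append((e, "BHO with no name: unidentified code loaded into every IE window"))
        elif k == "O4" and re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", t, re.I):
            flagged.append((e, "Run key starting an exe sitting directly in C:\\WINDOWS"))
        elif k == "O16" and t.lower().startswith("file://"):
            flagged.append((e, "ActiveX DPF entry loading a local file:// executable"))
    return flagged
```

Running triage(parse_hjt(SAMPLE_LOG)) flags exactly the R3, unnamed O2, winol.exe O4 and file:// O16 lines and leaves the Google and avast! entries alone; the C:\WINDOWS rule would also need an allowlist (explorer.exe, notepad.exe) before use on a full log.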
