Multiple Trojans, Viri, and Hijacked browser



#1 girlie


Posted 21 July 2004 - 11:45 PM

Ok, I am finally here and able to post a semi-intelligent description... Your help is very much appreciated.

Running windows ME

Early symptoms:
- IE hijacked to http://ssearch.biz/?wmid=1010 upon the trojan's wish;
- Back/forward buttons of IE not functioning, though right click back/forward works;
- Minimized programs don't show on menu bar from time to time;
- Internet connection crawls or freezes when I try to reach any info sites (including this site) and when I try to download any spyware or AV programs.
- MicroTrend AV that was supposed to work for 30 days free, says the trial period ended after 2 hours! Don't know if the rest of what I have works properly.

I have tried: (all have the latest updates/sig files)

- Ad-Aware 6 - It finds adware but they return in x100s upon reboot.
- BHOdemon - Only one unknown BHO: SDhelper.dll. I think I saw somewhere saying it relates to Spybot S & D.
- CWshredder - First time I ran it, it said: You have a variant of CoolWebSearch Trojan (CWS.SmartSearch.2) and it runs out of your MS Java VM and it's trying to close CWshredder, so it scrambled its name and ran but said your system is totally clean! It never found anything. How do I find this booger and get rid of it?!
- I did a search in my registry for SmartSearch and found the location of all the junk domains under ...\Zone Map\Domains and ...\P3P\History. I deleted the keys with everything under it and replaced the key. I also deleted everything under my Windows\Temp but they keep returning there.
- HijackThis - I went through the HijackThis tutorial...see log below. Ran & saved log right after reboot.
- Spybloc v2 - totally useless! Or maybe I don't understand it.
- Spybot S & D - This baby found 6 red entries and I fixed them all. I should probably run it again.
- MicroTrend AV - Found 7 Trojans but was able to quarantine only 1. Here is what it found: (I need help with removing these)

- Troj_Agent.G (three times) under C:\_Restore\Temp\A0421164.CPY and C:\_Restore\Archive\FS3189.cab and ...\Archive\FS3248.cab
(not removable - it says it's in use even in safe mode)

- Troj_Istbar.EO (twice) under C:\_Restore\Temp\A0421175.cpy and ...\Temp\A0422920.cpy (not removable even under safe mode)

- Troj_Briss.A (twice) one under the Restore\Temp files (not removable) and one that was quarantined by Spybot under ...\Windows\Downloadedprogfiles\jao.dll

Right now, I can't use MicroTrend (and a 2nd free online AV I tried) online (they just never load) or on my pc (says 30-day trial ended after 2 hours!). So I don't know what to do to remove these stubborn trojans.


OK, I went and checked every entry in the HijackThis log with the help of the tutorial. Most are ok. A few I couldn't find and my possible suspects and questions out of these are:
1. Kernel32.dll - Guess that's a virus but there are so many viruses related to this file. Which one do I have?! What do I do? This one plus a few other running processes shows up only in the processes and not under O4, does that mean something is fishy here?!
2. Spool32.exe - Guess that is the Backdoor.Asassin Virus or is it?
3. MPRexe.exe - is an ok file but present at startup because I have some viruses.
4. lexbces.exe and lexpps.exe - didn't find info on these but my guess is they might be related to my old lexmark printer. If you know what they are, plz let me know.
5. wmi.exe and ddhelp.exe - I found No info on these 2!
6. The systray.exe is running out of Run and not under RunningServices, so does that mean it's a virus?
7. Oh and is STMgr.exe under running processes the same as *StateMgr.exe under O4? (they're both under _Restore). If they are the same, then fine but if not, I don't know what STMgr.exe is!
8. Finally, I could not find and have no idea what O4 IAKLRKEM.exe (DNSCACHE) under Windows\System\ is. Any clue as to whether it's bad?

- Everything else aside from the 8 files listed above makes sense & I think it's legit.

Ok, here is the log. Ran and taken right after reboot.

Logfile of HijackThis v1.98.0
Scan saved at 7:25:03 PM, on 7/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\IAKLRKEM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS5\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\MYPROG~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SpyBlocs] D:\MY PROGRAMS\ANTIS\SpyBlocs.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\IAKLRKEM.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot2_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: Yahoo! Games Voice Chat - http://yog55.games.s...yog/y/va1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL



Thanks again,
-DVD (yep those are my initials :-)

Edited by girlie, 22 July 2004 - 12:02 AM.


#2 WinHelp2002


Posted 22 July 2004 - 04:22 AM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer, click View > Folder Options - View [tab]:

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click "View" (up top) select: Details
Click the "Like Current Folder" button. Close Windows Explorer.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\IAKLRKEM.exe

Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\SYSTEM\IAKLRKEM.exe <--this file

After the above, reboot, rescan with HijackThis and post a fresh log ...

MicroTrend AV that was supposed to work for 30 days free

Did you uninstall that? (I don't see it running)
I see you have NAV installed, is that updated and working?

As for the files found in the "Restore" folders ...

"Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot, run a full (updated) NAV scan, reboot and turn System Restore back on and create a new Restore Point.

How To: Configure Norton AntiVirus to scan all files
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
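To make the "fix checked, reboot, rescan" step above verifiable, here is an added example (not code from this thread or from HijackThis itself) that parses the running-process list and the O4 autostart lines of a HijackThis v1.98 log and diffs two scans; the embedded log excerpts are constructed, abridged copies of the two logs posted in this thread.

```python
import re

# Constructed, abridged excerpts of the two logs posted in this thread:
# the first scan before the fix and the second scan after it.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\IAKLRKEM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\IAKLRKEM.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
"""

# An O4 line looks like: O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_log(text):
    """Return (running_processes, o4_entries) from HijackThis log text."""
    procs, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:                    # a blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.append(line.lower())    # Win9x paths are case-insensitive
        else:
            m = O4_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return procs, entries

def diff_logs(before, after):
    """Processes and autostart entries that vanished or appeared between two scans."""
    b_procs, b_entries = parse_log(before)
    a_procs, a_entries = parse_log(after)
    key = lambda e: (e["hive"], e["key"], e["name"], e["cmd"].lower())
    a_keys = {key(e) for e in a_entries}
    return {
        "removed_processes": [p for p in b_procs if p not in a_procs],
        "added_processes": [p for p in a_procs if p not in b_procs],
        "removed_entries": [e for e in b_entries if key(e) not in a_keys],
    }
```

Run against the two logs, the diff shows exactly the RunServices entry the moderator asked to fix and its process disappearing, and the STIMON.EXE process appearing in the second scan.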

#3 girlie


Posted 22 July 2004 - 08:23 PM

Thanks so much for helping WinHelp2002.

- No, I haven't uninstalled the TrendMicro AV. It's still right here!
- The NAV, is out of date (sig file: May 2002) and it shows a padlock next to live update button and says "The administrator has locked this option." This is my personal pc, what admin?!

- Another thing: right now, every time I run ad-aware, after it finds and quarantines, it seems like it can't delete. I get a window titled "Anwendungsfehler" !! and the box reads:
"Exception EFCreateError in Modul AAWHELPER.DLL bei 000CEC2"
What do I do about this?


Did what you said, here is the HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 6:05:20 PM, on 7/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS5\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\MYPROG~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SpyBlocs] D:\MY PROGRAMS\ANTIS\SpyBlocs.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot2_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: Yahoo! Games Voice Chat - http://yog55.games.s...yog/y/va1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#4 WinHelp2002


Posted 23 July 2004 - 02:28 AM

Hi,
Your log looks clean now ... good job!

Last Step:

1) Empty the Recycle Bin
2) "Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot, run a full Antivirus scan, reboot and turn System Restore back on and create a new Restore Point.

I would suggest adding some "Defense" to your system ...
How To: Prevent this from happening again?

The NAV, is out of date (sig file: May 2002)

Perhaps you need to renew the license? Contact NAV ...

"Exception EFCreateError in Modul AAWHELPER.DLL bei 000CEC2"

I have no idea what would cause that error, contact Lavasoft:
http://www.lavasoftsupport.com/
Mike

#5 girlie


Posted 23 July 2004 - 08:22 AM

Thanks sooooo much Mike. Don't know what I woulda done without you. I flushed system restore and the trojans are gone. My browser doesn't get redirected anymore and the buttons are back in normal function.
thank you, thank you, thank you.... I could kiss you! lol
Just an afterthought... So the Kernel32.dll and spool32.exe are good files?

:-)

Edited by girlie, 23 July 2004 - 08:23 AM.


#6 WinHelp2002


Posted 23 July 2004 - 08:48 AM

Hi,
You're welcome ... glad to see you were able to resolve your problem.

So the Kernel32.dll and spool32.exe are good files?

Yes those are both Microsoft "system" files ...
Mike

#7 girlie


Posted 23 July 2004 - 09:30 AM

((smooooch))

#8 WinHelp2002


Posted 16 November 2004 - 06:26 AM

Glad to see you were able to resolve your problem.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mike
