My weekly hijack problem


7 replies to this topic

#1 Phishboy

Posted 29 July 2004 - 11:29 PM

Well, here I am again...maybe it's the rotten Web company I keep, but I've got two items that pop up on HijackThis, and SpywareGuard keeps popping up to tell me I've got some changes: "Windows\wingh.dll" keeps coming back, and I noticed the Sys32\appt.exe won't go either. Once when I accepted the file it tried to install the old 99967 CWS crap I had a while back. Is this the best I can expect with all available protections? I mean, will I be hounded with malware as long as I use Windows? Here's my HijackThis file, and FindnFix didn't find the offensive .dll this time. Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 9:20:37 PM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\apiva32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\apptn.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.d-web.com/
O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\wingh.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
:rofl:

#2 Phishboy

Posted 30 July 2004 - 12:51 AM

Ok, now with every change of my browser I get an attempt to change my homepage to "C:\Windows\System32\yougiv.dll sp#96676" as a warning from SpywareGuard. Nothing detected by Adaware6, Spybot, Norton or CWShredder...wazzup wit dat?

#3 Phishboy

Posted 30 July 2004 - 01:10 AM

Here's my FindnFix log showing the offending files I cannot locate in the Windows system32 files...yougiv.dll and zzqxl.dll...


»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2600.0000
The type of the file system is NTFS.
C: is not dirty.

Thu 29 Jul 04 22:59:14
10:59pm up 0 days, 0:05

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/29)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
yugiv.dll Thu Jul 1 2004 1:06:50a A.SH. 71,168 69.50 K
zzqxl.dll Sat Jul 10 2004 10:01:16a A.SH. 71,168 69.50 K

2 items found: 2 files, 0 directories.
Total of file sizes: 142,336 bytes 139.00 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\YUGIV.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ZZQXL.DLL
SNiF 1.34 statistics

Matching files : 2 Amount in bytes : 142336
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access PHISHBOY\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access PHISHBOY\Owner


»»Member of...: (Admin logon required!)
User is a member of group PHISHBOY\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
11:01pm up 0 days, 0:07
Thu 29 Jul 04 23:01:00

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-29-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-29-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Thu Jul 29 2004 9:00:58p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....

---------- WIN.TXT
--------------
--------------
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!


#4 Phishboy

Posted 30 July 2004 - 01:56 AM

Bump

Please help...this thing keeps morphing and pops up with every browser change and attempts to dial up when I log on to my ISP.

Logfile of HijackThis v1.97.7
Scan saved at 11:57:15 PM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\apiva32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\apptn.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.d-web.com/
O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\wingh.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADAAC5EF-7D9B-420A-956A-C6AD223FAB74}: NameServer = 66.81.0.251 66.81.0.252

Edited by Phishboy, 30 July 2004 - 01:57 AM.


#5 Phishboy

Posted 30 July 2004 - 10:26 AM

Bump

It's morphed into apicm.dll and is persisting

help.............................................................................................................................................

#6 Phishboy

Posted 30 July 2004 - 11:32 AM

The Windows file that HijackThis picks up and can't erase is "wingh.dll", and all of my preventions cannot eradicate it...nor protect me from it...and it continues to morph into other .dll's that FindnFix finds but I cannot locate. It dials out, sets my folder settings to default (no show hidden), attempts to change my homepage, and does change my file view icons.

#7 johnnycrash

Posted 30 July 2004 - 12:17 PM

OK, I'm no expert, but I did get a nasty off my machine using these forums, so I can help out, I think. You won't be hounded forever; I fought this thing into a corner and finally removed it completely.

I'm going to tell you to delete a lot of things here, so back up your computer and be careful and think about / cross-reference what I say to do in case I give you bad advice. I don't think I will kill your computer, but I would feel real bad if I did.

First the stupid questions. I assume you have 1) the latest Norton virus signatures, 2) the latest adware signatures for Adaware and S&D, 3) you run TeaTimer from S&D, 4) you are immunized by S&D, and 5) you run SpywareGuard and SpywareBlaster by Javacool.

Second, I assume you ran a full system virus scan with your Norton, because sometimes you have more than one problem going on, or the spyware is a trojan or something that the virus scanner can catch. FYI I dumped Norton and got NOD32 after all this bs, because Norton wouldn't detect the virus. You can get a 30 day trial for free. You can also try Panda's free virus scanner. I also assume you ran Adaware and S&D scans and removed all the things they found.

You should download Firefox to do any browsing during the cleaning process, since it won't be affected by any of the browser malware. Most of them start up when the browser runs or at least have components that do. Don't start IE during this.

Couple of things I noticed. Do you have any common exe files renamed to exe.bak? I had notepad.exe renamed to notepad.exe.bak. I got a good version of notepad from someone with the same OS. Before I replaced notepad.exe and deleted notepad.exe.bak and notepad.exe, I jotted down the date. I used Agent Ransack to search for all files around that date, thinking the installer might be found. Sure enough I found several other files around that date and eradicated or replaced them with known good ones. My media player was one of the weird .bak files.

I also noticed a svchost process in Task Manager that took a lot of memory (> 5 or 10). I killed it every time it showed up. I think this was associated with the trojan. I tried killing as many processes as I could that I didn't understand or that looked like they were taking a lot of mem. Some of them forced a reboot because they were actually important (woops), but if you get the one with the trojan, it weakens it enough that it might not be able to reinstall or something during the delete process. Anything you do to beat it back helps. I had to beat mine back slowly for a week till it was totally gone. I have been malware free for weeks now. But for 10 days the damn thing kept creeping back, even though it was weaker and weaker. Weaker in the sense that its installer might still work, but the program wouldn't (TeaTimer wouldn't allow the registry changes that would run the trojan in IE, or I deleted enough of its configuration files that it couldn't work).

Also, my Google toolbar dll got changed to goolgetoolbar2.dll. I uninstalled Google and reinstalled it. It seemed to help.

I also noticed a couple of strange programs in subdirs of Program Files or the Windows directory. Search for files with "casino" haha. Anyway, if you don't recognize a Program Files directory, take the exe name and search Google to see if people report bad things about it. If so, delete the directory. If not, rename the directory so the installer can't find it - you can rename it back if one of your apps stops working. Be careful with subdirs in Windows.

Look in the windows\inf directory and delete any inf files from the date of the infection. If delete scares you, move the questionable ones to a temp dir of your own creation. Some of the inf files can be associated with the virus. I think I browsed cabs, driver cache etc. and looked for anything around the date.

Don't run the uninstaller for any of the malware.

Turn System Restore off, because it can put back removed files. How to disable System Restore (http://service1.syma...src=sec_doc_nam)

Unless you are natted behind a router, a firewall is a must. ZoneAlarm is still available for free. " - hudsonsmith
http://www.zonelabs....reeDownload.jsp.
I got this one. It gives you peace of mind that no malware dirtbag is controlling your computer remotely or getting data feeds of your keystrokes when you do your online banking. This can take some time to set up and is pretty technical, but it pops up warnings whenever a program accesses the internet, and you can use it to find bad ones and shut off their connections.

Next, for the stuff I learned in the forum. These malware bastards put their reinstallers in temp directories, and there are tons of temp directories out there. Also, these MB play with the security attributes of their files so they don't show up, or they are impossible to delete. So you can't find the dll in the temp or Windows dirs anyway.

How to delete a hidden (even after you turn on show hidden system files) or in-use file: I have XP Pro and it comes with a local security policy editor; if you have XP Home I don't think you have that, and you may need someone else to help do this part. But I went to the local policy editor Start|Settings|Control Panel|Administrative Tools|Local Security Policy, and under security settings|local policies|security options there are two settings you need to turn on to see hidden files: Recovery Console XXXX. Change those to Enabled. When I did this, I could at least see the dll that was causing problems in Windows Explorer. You can't delete it yet, but this helps. Click on the offending dll and change its security attributes to full access. You still can't delete it because it will be in use. I downloaded DrDelete to do this.

How to delete all the temporary directories on the system. We all know about windows\temp and c:\temp, but under Documents and Settings\your user name there are a bunch more. I used Agent Ransack to search for all files under my name and then sorted by directory. Anything that looked like a temporary directory (had the word temp or cache or something in it), I deleted everything in. You have to close Internet Explorer and mail etc. to do this. Also, be aware a lot of programs save configuration information and data in there, so don't delete the wrong stuff...make a backup copy if you are unsure. Then empty the Recycle Bin.

If you have done all this, you will likely have gotten the installer, but it may take a couple of reboots and a couple of passes at this to completely get it. I know I had a dll hlp.dll that just kept coming back. You may have to download Security Task Manager because it shows you more information than the regular Task Manager. I used that to find processes that were weird (running from a super hidden file, for instance).

Looks like you got rid of AppInitDlls. Just delete that entry in the registry.

Did you try CWShredder and about:blank buster? I ran them after I did all my own work and they said I was clean, so I think we do the same stuff.

Send me that wingh.dll and aptn.dll I want to see if my antivirus catches it. jfranco@openscantech.com.

OK, so that was the brain dump of what I can remember. Here is what I would do with you.

1. USE IE to download Firefox and install that.
1.5 Turn off System Restore; you can turn it back on if you want later. I worry that mine will reinstall the virus though.
2. Reboot in safe mode with networking; do not run IE anymore during this process. You hit the F8 key during reboot. On my computer it's F2 - and it only senses it 25% of the time (frustrating to have to reboot 4 times). In safe mode with no IE, we hopefully can bypass some of the startup of the crap, which makes em easier to kill. If the installer is started, it will keep installing itself.
1.75 Install ZoneAlarm and allow any program you trust to access the trusted and internet zones as a client. I haven't allowed anything to act as a server except the default setting ZA came with for generic host process for win32 services. So if some program wants to act as a server, deny it. With this baby installed we can be sure we are not being hacked. If any program comes up you don't recognize, deny everything to that program. You can change ZA permissions for it later if it turns out to be a good program.
3. Make sure all virus and adware signatures are up to date and run Adaware, S&S and a Norton full disk scan. Also, for the heck of it, run Panda's antivirus and do a full system scan too. If any files turn up that cause problems and you can't delete them and your antivirus can't delete them, then use the delete process I told you about.
4. Make sure you immunize and run TeaTimer in S&D. TeaTimer can prevent the registry from changing, which is how some of these viruses keep coming back.
4. Run HijackThis and delete any BHOs you are not familiar with; if you screw something up, you can always reinstall it.

Definitely I don't like these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.d-web.com/
O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\wingh.dll
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe

I don't recognize this, do you? I don't like anything that installs itself into a directory with a bizarre name like "MI948F~1". Google it to see if it's good if you are unsure. As a rule, if I see a bogus name like that for a program, my radar goes off:
HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

I don't recognize these:
Sniffed -> C:\WINDOWS\SYSTEM32\YUGIV.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ZZQXL.DLL
Google em and maybe move em to a temp dir (your temp dir, not one the malware will know about). I googled YUGIV and it must be a Russian word. I found nothing on these files, so I would move em to some other dir for the time being.

I keep mentioning moving files you are unsure about rather than deleting them. This is so you can put em back if your system stops working. Make a subdir beneath the dir where the file was. Name it "malware bastardos" and put the questionable files there. Then if you do big damage, you can move em back. If you rename the file or move it to a normal temp dir, the trojan might be smart enough to get it back.

Did you create this security group: PHISHBOY? If not, you might search for any file associated with it. Might be something the virus added. It could be the virus gave ownership of the virus files to the PHISHBOY group so it would be harder for you to delete them.

I don't recognize these:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXBCES.EXE
Google em and maybe move em to your malware dir.

This is probably a virus or something bad; someone else on the net said to delete it, and there is a strain of virus that renames certain files with 32 on the end:
C:\WINDOWS\system32\apiva32.exe
I'd at least move it to the malware dir if I didn't know what it was.

Run HijackThis after this. Anything you deleted that comes back is definitely our bad guy. I'd like to know about who comes back.

4.5 For luck, run CWShredder and about:blank buster to see if they get anything.

5. Open regedit and find all the runXXX keys and make sure nothing is in there you don't want to be there. HijackThis should fix this, but I like to make sure. Look for WinAppDlls under the Windows NT\Windows key and make sure it does not exist.

6. Use Agent Ransack to browse all the files (Ransack shows you files even if they are hidden from Explorer, I think, so I use it) in Documents and Settings\your user name. Look for obvious temp files and delete em all. Leave the main temp dirs, but any subdirs under a temp dir are fair game to delete.

6. Empty the Recycle Bin.

Phew

Try rebooting in normal mode and, before running Explorer, look for the telltale signs. Use HijackThis and see if any of the things we removed came back. Look for a big svchost file, ZA going off, popups etc. At the worst, we might have a badly injured version of the malware left.
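A defender-side triage of the log format posted in this thread, as an added example that is not from the forum, from HijackThis, or from either poster: it parses R0/O2/O4/O17 lines, flags the patterns johnnycrash singles out (an unnamed BHO loaded from the Windows directory, a Run entry named after its own executable there, an unexpected start page, a NameServer override), and reports which flagged entries persist between two scans, since what comes back after a cleanup pass is the thing to chase. The sample entries are copied from the logs above; the second scan and the `expected_home` parameter are constructed for the example.

```python
"""Triage HijackThis-style log lines for the entry types discussed in this thread."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the HijackThis v1.97 line format quoted above. The hijack
# entries are the ones from the posted logs; the Norton lines are there for contrast.
FIRST_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.d-web.com/
O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\wingh.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADAAC5EF-7D9B-420A-956A-C6AD223FAB74}: NameServer = 66.81.0.251 66.81.0.252
"""

# Constructed second scan "after cleaning": the Run entry is gone, the start page was
# reset, but the BHO and the NameServer override came back.
SECOND_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\wingh.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADAAC5EF-7D9B-420A-956A-C6AD223FAB74}: NameServer = 66.81.0.251 66.81.0.252
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
START_RE = re.compile(r"^R[01] - .*Start Page = (?P<url>\S+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper subfolder).
WINDOWS_DIR_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage(log_text: str, expected_home: str = "") -> List[Finding]:
    """Return the entries a reviewer should look at first, with the reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            # Legitimate BHOs normally carry a name and live under Program Files;
            # the Norton one above is unnamed but is not in the Windows directory.
            if m["name"] == "(no name)" and WINDOWS_DIR_FILE.match(m["path"]):
                findings.append(Finding(line, "unnamed BHO loaded straight from the Windows directory"))
        elif m := RUN_RE.match(line):
            target = m["cmd"].strip('"')
            exe = target.rsplit("\\", 1)[-1]
            # Auto-generated Run entries are often named after the executable itself.
            if m["name"].lower() == exe.lower() and WINDOWS_DIR_FILE.match(target):
                findings.append(Finding(line, "Run entry named after its own executable in the Windows directory"))
        elif m := START_RE.match(line):
            if expected_home and m["url"].rstrip("/").lower() != expected_home.rstrip("/").lower():
                findings.append(Finding(line, f"start page is not the expected {expected_home}"))
        elif m := DNS_RE.match(line):
            findings.append(Finding(line, "NameServer override present; confirm these are your ISP's resolvers"))
    return findings


def persistent(before: str, after: str, expected_home: str = "") -> List[str]:
    """Flagged entries present in both scans: whatever survives a cleanup pass is the one to chase."""
    seen = {f.line for f in triage(before, expected_home)}
    return [f.line for f in triage(after, expected_home) if f.line in seen]


if __name__ == "__main__":
    for f in triage(FIRST_SCAN, expected_home="about:blank"):
        print(f"{f.reason}\n    {f.line}")
    print("persisting across scans:")
    for line in persistent(FIRST_SCAN, SECOND_SCAN, "about:blank"):
        print("    " + line)
```

The heuristics only prioritise entries for a human to check; a match is a reason to look a file up, not proof it is malicious.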

#8 Phishboy

Posted 30 July 2004 - 05:42 PM

Thanks Johnny...will keep you posted and attempt to follow helpful instructions.



