
Removing Malware that is self installing?



#1 msiler


Posted 04 June 2004 - 10:08 PM

I religiously run Spyware S&D, Adaware, CW Shredder and HijackThis and now Spyblaster.

Everything looks "clean" after I use them, but whenever I re-boot (a few times each week) some of the spy/malware programs seem to re-install themselves.

Is there a way of permanently deleting these insidious programs that are "self installing"?

I am running Windows 2000pro and I use Opera instead of IE6 as my browser.
(there is no "System Restore" to turn off before re-booting)

Your help appreciated,
-Matt S-

#2 Gwyrox732


Posted 04 June 2004 - 10:22 PM

Hi there msiler,

Can you please download HijackThis into a permanent directory (such as C:/HijackThis).

Next, open HijackThis and press the scan button. Now, press the save log button (where the scan button used to be). Copy the contents of your log and paste them as a reply to this topic.

Help will be on the way, probably me, but you'd never know.

Thank you.
Quote from Original CWS Article at SWI: "There could be other domains involved in the future." ... We've come a long way since then

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!

#3 msiler


Posted 04 June 2004 - 10:28 PM

Logfile of HijackThis v1.97.7
Scan saved at 11:25:14 PM, on 6/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\gearsec.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\TSIRCSRV.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Iomega\AutoDisk\ADService.exe
D:\WINNT\system32\inetsrv\inetinfo.exe
D:\WINNT\system32\rundll32.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
D:\Program Files\Sony Handheld\HOTSYNC.EXE
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\WINNT\system32\hpoipm07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\WINNT\explorer.exe
D:\Program Files\Opera75\opera.exe
D:\Download\hijackthis\HijackThis.exe
D:\WINNT\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [REGSHAVE] D:\Program Files\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O10 - Unknown file in Winsock LSP: d:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\inetadpt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7608.3861805556
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I know this much:
The four O10 Unknown file in Winsock LSP entries need to be deleted.
I have done so previously and they return every so often.

The three O1 Hosts entries need to be deleted.
I have done so previously and they return on every re-boot.

Thanks in advance for all the help,
Matt

#4 dave38


Posted 05 June 2004 - 06:05 AM

The four O10 Unknown file in Winsock LSP entries need to be deleted.
I have done so previously and they return every so often.

Well, all I can say is that you have been very lucky! Removal of O10 items with HijackThis usually breaks the LSP stack beyond repair.

Please download LSPfix.
Unzip and run it. Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
You will have to click the "I know what I'm doing" button.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com

Reboot after fixing.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
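A small log-triage script, added here as an example and not part of the thread or of HijackThis, that reads O1 and O10 lines from a constructed excerpt modelled on the log above. It flags hosts entries that point a name at a non-loopback address (the 207.36.196.189 lines, which reroute search lookups, as opposed to the harmless 127.0.0.1 ad-block pattern) and counts how many Winsock layers the same unknown DLL occupies, which is why dave38 recommends LSPfix over removing the O10 lines one by one.

```python
import re
from ipaddress import ip_address

# Constructed excerpt modelled on the HijackThis log in the thread (not the log itself);
# the 127.0.0.1 line is added to show that loopback mappings are not flagged.
SAMPLE_LOG = """\
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.test
O4 - HKLM\\..\\Run: [MCAgentExe] d:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe
O10 - Unknown file in Winsock LSP: d:\\winnt\\system32\\inetadpt.dll
O10 - Unknown file in Winsock LSP: D:\\WINNT\\System32\\inetadpt.dll
O10 - Unknown file in Winsock LSP: d:\\winnt\\system32\\inetadpt.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def hosts_redirects(log):
    """O1 entries whose target is not loopback/unspecified, as (target, name) pairs."""
    hits = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        target, name = m.groups()
        try:
            addr = ip_address(target)
        except ValueError:          # not even an IP: flag it for review
            hits.append((target, name))
            continue
        # 127.0.0.1 / 0.0.0.0 lines are the ad-blocking pattern; a remote IP
        # silently reroutes every lookup of that name.
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((target, name))
    return hits


def lsp_counts(log):
    """Number of O10 entries per unknown LSP DLL (path case-folded)."""
    counts = {}
    for line in log.splitlines():
        m = LSP_RE.match(line.strip())
        if m:
            key = m.group(1).strip().lower()
            counts[key] = counts.get(key, 0) + 1
    return counts
```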

#5 msiler


Posted 05 June 2004 - 09:24 AM

Hi Dave,
1) I have used LSP Fix prevously - works great.

2) Looks like HijackThis is corrupted or something is trying to stop it from running. It runs very slowly and I get the message below when I try to Fix checked items:

An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 207.36.196.189 ieautosearch)
Error #70 - Permission denied

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version:

3) There are also four files that will NOT be deleted no matter how many times I use Norton Incinerator to remove them. D:\WINNT\system32\drivers\etc\hosts. It is reported by Spybot as being a problem, but it cannot be fixed by Spybot, nor does Adaware remove it either.

Thanks for all the help,
Matt

Edited by msiler, 05 June 2004 - 09:26 AM.


#6 dave38


Posted 05 June 2004 - 11:15 AM

That hosts file is where your problem lies.

Check the file properties, and ensure that it is not set as a read only or system file. Then try deleting it.

#7 msiler


Posted 05 June 2004 - 02:40 PM

Hi Dave,
I checked the "Properties" of the four "host" files noted above:
3 were "Archive" so I unchecked that and deleted them - bye bye
1 had no designation and is a 1kb file that still returns but no problems so far

That might be it for now - I will check back if I have a problem again.

Thanks again and I hope others benefit from this thread as well.
This board is a great one thanks to all who contribute their time and efforts!

Regards,
-Matt-

#8 dave38


Posted 05 June 2004 - 04:37 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



