
Thread: Bad spyware infection

  1. #1
    Cliff Hartle Guest

    Bad spyware infection

    A client of mine just had his OS rebuilt after a bad bout with spyware and
    viruses.

    After following all good practices, Norton AV fully updated, no Kazaa and
    running Spybot almost daily, upon bootup adultlinks would reinstall itself
    after he removed it with Spybot (fully updated). The client also runs some
    sort of internet cleanup software he got from the IT guys at work.

    Also, Norton has removed about a dozen or so viruses in the past week such
    as Dumaru (sp?) and byte verifier trojan.

    I reran Spybot and he had 133 items to remove. All the normal stuff,
    though it was odd that xupiter squire returned after he had removed it.

    I ran Ad-aware to see if it would pick up anything else.

    Ad-aware removed quite a few adult links items and a few other items. After
    a reboot I get an error telling me that a device referenced in the
    system.ini is corrupted and Windows may need to be reinstalled.

    I'm of course sweating bullets now, I press a key to continue and windows
    starts normally with no adult links (so far). Though when he first starts
    IE he still gets a popup asking him to select his favorite soft drink that I
    know is caused by spyware.

    My thought is Ad-aware removed something or disabled something in the
    system.ini and this is the reason for the error.

    In tasks I notice a few entries with random file names.

    I ran HijackThis and notice a few random file names in the startup. Here
    is the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:42:12 PM, on 11/21/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\DXUDXZKT.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\HP AUTHORIZED CUSTOMER\HXIUL.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\HP AUTHORIZED CUSTOMER\HXDL.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\ONICTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\YUYT10.EXE
    C:\WINDOWS\SYSTEM\FNJT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://hp.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    http://hp.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
    Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
    FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} -
    C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL
    O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRAM
    FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\IC3HLPR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch
    Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD]
    C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
    Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [wzkrbxyj] C:\WINDOWS\dxudxzkt.exe
    O4 - HKLM\..\Run: [AQWANQU] C:\WINDOWS\AQWANQU.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DbhB2.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Yahoo HP Reminder 1.0] C:\PROGRAM
    FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec
    Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
    Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft
    Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
    deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\HP
    Authorized Customer\HXIUL.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin
    Systems\Internet Cleanup\onictask.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: IC 3.0 (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
    cleanup\adlsp.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -
    http://fdl.msn.com/zone/datafiles/heartbeat.cab


    Thanks cliff





  2. #2
    Lance Delacroix Guest

    Re: Bad spyware infection

    On Sun, 23 Nov 2003 13:18:14 -0500, "Cliff Hartle" <cknjsp@msn.com>
    pronounced a fatwah thus:

    >A client of mine just had his OS rebuild after a bad bout with spyware and
    >viruses.
    >
    >After following all good practices, Norton AV fully updated,


    There's a bad practice right there.

    Wipe the disk, reinstall, use Proxomitron, DNSKong, eDexter, and Kerio
    (with Sponge's list), DON'T use Norton/Symantec **** (use AVG
    instead, and back up with F-prot), don't use IE, don't use OE, and
    don't let him do any (ahem) one-handed surfing w/out all his
    anti-intrusion stuff running. Better yet, get him a subscription to
    some skin mags.

    If he's going to keep ****ing himself up, tell him to put all of his
    data on a separate partition so he can reinstall without losing
    everything.

    I haven't had a problem in a coon's age. My ME and XP are so clean
    I'm starting to feel like I'm missing something.

    Try Linux. Micro$oft will only get worse as time goes on.

    And oh, yeah, read the FAQ.

  3. #3
    Phil Guest

    Re: Bad spyware infection

    Wipe the disk!!!! Why not just hit the computer with a sledge hammer???

    "Lance Delacroix" <lance_delacroix@fastmail.fm> wrote in message
    news:6o02svkjvl1rdrj0aefve8ms3cc57deaf0@4ax.com...
    > On Sun, 23 Nov 2003 13:18:14 -0500, "Cliff Hartle" <cknjsp@msn.com>
    > pronounced a fatwah thus:
    >
    > >A client of mine just had his OS rebuild after a bad bout with spyware and
    > >viruses.
    > >
    > >After following all good practices, Norton AV fully updated,

    >
    > There's a bad practice right there.
    >
    > Wipe the disk, reinstall, use Proxomitron, DNSKong, eDexter, and Kerio
    > (with Sponge's list), DON'T use Norton/Symantec **** (use AVG
    > instead,and back up with F-prot), don't use IE, don't use OE, and
    > don't let him do any (ahem) one-handed surfing w/out all his
    > anti-intrusion stuff running. Better yet, get him a subscription to
    > some skin mags.
    >
    > If he's going to keep ****ing himself up, tell him to put all of his
    > data on a separate partition so he can reinstall without losing
    > everything.
    >
    > I haven't had a problem in a coon's age. My ME and XP are so clean
    > I'm starting to feel like I'm missing something.
    >
    > Try Linux. Micro$oft will only get worse as time goes on .
    >
    > And oh, yeah, read the FAQ.




  4. #4
    sponge Guest

    Re: Bad spyware infection

    "Phil" <Nospam@nospam.net> wrote in message news:<Uzvwb.218457$mZ5.1659447@attbi_s54>...
    > Wipe the disk!!!! Why not just hit the computer with a sledge hammer???


    Actually, Lance's advice is quite accurate: Any security professional
    will tell you that a machine that has been compromised is
    untrustworthy. Far more so considering the number of trojans, worms,
    and parasites that the OP mentioned and the fact that he wasn't able
    to specify several hundred items removed.

    I'm looking at his HiJackThis! log and I see a number of entries that
    look very much like trojans, as well as a number of other suspicious
    items. To wit:

    C:\WINDOWS\SYSTEM\YUYT10.EXE
    C:\WINDOWS\SYSTEM\FNJT.EXE
    HKLM\..\Run: [wzkrbxyj] C:\WINDOWS\dxudxzkt.exe
    O4 - HKLM\..\Run: [AQWANQU] C:\WINDOWS\AQWANQU.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DbhB2.exe

    These are almost certainly trojans or worms.

    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    -
    http://fdl.msn.com/zone/datafiles/heartbeat.cab

    These two are very suspicious.

    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    -
    http://fdl.msn.com/zone/datafiles/heartbeat.cab

    These look like very intrusive junk.

    On top of it all, he's got a Netropa keyboard driver, which can also
    be considered malware.

    The best solution for a system this screwed is to backup all valuable
    data, reformat from known-good media, and be sure not to run any
    executable programs or macros from his backups.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com
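
An added example, not part of the original thread or any poster's code: the triage sponge does by eye above, picking unfamiliar `O4` startup entries out of the HijackThis log, written as a baseline diff in Python. The log lines are copied from the log in post #1 with its newsreader line wraps; `BASELINE` is a constructed stand-in for autoruns recorded from a known-clean install, and the function names are hypothetical.

```python
import re

# A new entry starts with a HijackThis section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")
# Registry autorun: O4 - HKLM\..\Run: [value name] command line
O4_REGISTRY = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

# Lines from the log in post #1, wrapped the way the newsreader wrapped them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [wzkrbxyj] C:\WINDOWS\dxudxzkt.exe
O4 - HKLM\..\Run: [AQWANQU] C:\WINDOWS\AQWANQU.exe
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DbhB2.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
"""

# Constructed baseline (assumption): (value name, command) pairs as they would
# be recorded from a known-clean install of the same machine image.
BASELINE = {
    ("scanregistry", r"c:\windows\scanregw.exe /autorun"),
    ("taskmonitor", r"c:\windows\taskmon.exe"),
    ("loadpowerprofile", "rundll32.exe powrprof.dll,loadcurrentpwrscheme"),
    ("ccapp", r"c:\program files\common files\symantec shared\ccapp.exe"),
}

def unwrap(log_text):
    """Rejoin entries that were wrapped onto continuation lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)        # start of a new entry
        else:
            entries[-1] += " " + line   # continuation of the previous entry
    return entries

def autoruns(log_text):
    """Yield (hive, key, value_name, command) for every O4 registry entry."""
    for entry in unwrap(log_text):
        m = O4_REGISTRY.match(entry)
        if m:
            yield m.groups()

def normalise(command):
    """Drop quoting and case so the same command compares equal."""
    return command.replace('"', "").lower()

def unknown_autoruns(log_text, baseline):
    """Return autoruns whose (value name, command) pair is not in the baseline."""
    return [
        entry for entry in autoruns(log_text)
        if (entry[2].lower(), normalise(entry[3])) not in baseline
    ]

if __name__ == "__main__":
    for hive, key, name, command in unknown_autoruns(SAMPLE_LOG, BASELINE):
        print(f"review: {hive}\\..\\{key} [{name}] -> {command}")
```

Matching on the name and command together means an entry that reuses a familiar value name but points at a different file is still reported.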

  5. #5
    YoKenny Guest

    Re: Bad spyware infection

    sponge wrote:
    > "Phil" <Nospam@nospam.net> wrote in message
    > news:<Uzvwb.218457$mZ5.1659447@attbi_s54>...
    >> Wipe the disk!!!! Why not just hit the computer with a sledge
    >> hammer???

    >
    > Actually, Lance's advice is quite accurate: Any security professional
    > will tell you that a machine that has been compromised is
    > untrustworthy. Far more so considering the number of trojans, worms,
    > and parasites that the OP mentioned and the fact that he wasn't able
    > to specify several hundred items removed.
    >
    > I'm looking at his HiJackThis! log and I see a number of entries that
    > look very much like trojans, as well as a number of other suspicious
    > items. To wit:
    >
    > C:\WINDOWS\SYSTEM\YUYT10.EXE
    > C:\WINDOWS\SYSTEM\FNJT.EXE
    > HKLM\..\Run: [wzkrbxyj] C:\WINDOWS\dxudxzkt.exe
    > O4 - HKLM\..\Run: [AQWANQU] C:\WINDOWS\AQWANQU.exe
    > O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DbhB2.exe
    >
    > These are almost certainly trojans or worms.
    >
    > O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    > O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    > -
    > http://fdl.msn.com/zone/datafiles/heartbeat.cab
    >
    > These two are very suspicious.
    >
    > O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    > http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    > O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    > -
    > http://fdl.msn.com/zone/datafiles/heartbeat.cab
    >
    > These look like very intrusive junk.
    >
    > On top of it all, he's got a Netropa keyboard driver, which can also
    > be considered malware.
    >
    > The best solution for a system this screwed is to backup all valuable
    > data, reformat from known-good media, and be sure not to run any
    > executable programs or macros from his backups.


    It's the pepper trojan.
    http://tomcoyote.org/forums/index.php?showtopic=987


  6. #6
    Al Bundy Guest

    Re: Bad spyware infection

    yosponge@yahoo.com (sponge) wrote in
    news:8d76ec03.0311272248.548d7c29@posting.google.com:

    > "Phil" <Nospam@nospam.net> wrote in message
    > news:<Uzvwb.218457$mZ5.1659447@attbi_s54>...
    >> Wipe the disk!!!! Why not just hit the computer with a sledge
    >> hammer???

    >
    > Actually, Lance's advice is quite accurate: Any security professional
    > will tell you that a machine that has been compromised is
    > untrustworthy. Far more so considering the number of trojans, worms,
    > and parasites that the OP mentioned and the fact that he wasn't able
    > to specify several hundred items removed.
    >
    > I'm looking at his HiJackThis! log and I see a number of entries that
    > look very much like trojans, as well as a number of other suspicious
    > items. To wit:
    >
    > C:\WINDOWS\SYSTEM\YUYT10.EXE
    > C:\WINDOWS\SYSTEM\FNJT.EXE
    > HKLM\..\Run: [wzkrbxyj] C:\WINDOWS\dxudxzkt.exe
    > O4 - HKLM\..\Run: [AQWANQU] C:\WINDOWS\AQWANQU.exe
    > O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DbhB2.exe
    >
    > These are almost certainly trojans or worms.
    >
    > O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    > O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    > -
    > http://fdl.msn.com/zone/datafiles/heartbeat.cab
    >
    > These two are very suspicious.
    >
    > O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    > http://download.microsoft.com/downlo...1-4E20-9F5F-94
    > 901338C922/wmv9VCM.CAB O16 - DPF:
    > {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -
    > http://fdl.msn.com/zone/datafiles/heartbeat.cab
    >
    > These look like very intrusive junk.
    >
    > On top of it all, he's got a Netropa keyboard driver, which can also
    > be considered malware.
    >
    > The best solution for a system this screwed is to backup all valuable
    > data, reformat from known-good media, and be sure not to run any
    > executable programs or macros from his backups.
    >
    > Sponge
    > Sponge's Secure Solutions
    > www.geocities.com/yosponge
    > My new email: yosponge2 att yahoo dott com



    > These are almost certainly trojans or worms.


    > O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


    Isn't this one something to do with Adobe digital signatures?

  7. #7
    Jeffrey Morse Guest

    Re: Bad spyware infection

    Al Bundy <postmaster@127.0.0.1> wrote in message news:<Xns9441B04D4D2DCAlBundy@news.verizon.net>...
    >
    > > O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

    >
    > Isn't this one something to do with Adobe digital signatures?


    DocBox is installed with Adobe Acrobat Reader. While it isn't the
    plugin needed to view PDF content in IE, it is used for DRM encrypted
    PDF content such as eBooks. A PDF document explaining its function
    can be found on the developer's website at:
    http://www.intertrust.com/publishing/docbox1-0_help.pdf

  8. #8
    Al Bundy Guest

    Re: Bad spyware infection

    jv009wc02@sneakemail.com (Jeffrey Morse) wrote in
    news:f7cb1dc0.0311281919.149b0381@posting.google.com:

    > Al Bundy <postmaster@127.0.0.1> wrote in message
    > news:<Xns9441B04D4D2DCAlBundy@news.verizon.net>...
    >>
    >> > O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

    >>
    >> Isn't this one something to do with Adobe digital signatures?

    >
    > DocBox is installed with Adobe Acrobat Reader. While it isn't the
    > plugin needed to view PDF content in IE, it is used for DRM encrypted
    > PDF content such as eBooks. A PDF document explaining its function
    > can be found on the developer's website at:
    > http://www.intertrust.com/publishing/docbox1-0_help.pdf
    >



    Aye laddie. And look what's in HP Guru's host list:

    127.0.0.1 www.intertrust.com

  9. #9
    YoKenny Guest

    Re: Bad spyware infection

    Al Bundy wrote:
    > (Jeffrey Morse) wrote:
    >> Al Bundy wrote:
    >>>> O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    >>>
    >>> Isn't this one something to do with Adobe digital signatures?

    >>
    >> DocBox is installed with Adobe Acrobat Reader. While it isn't the
    >> plugin needed to view PDF content in IE, it is used for DRM encrypted
    >> PDF content such as eBooks. A PDF document explaining its function
    >> can be found on the developer's website at:
    >> http://www.intertrust.com/publishing/docbox1-0_help.pd


    > Aye laddie. And look what's in HP Guru's host list:
    >
    > 127.0.0.1 www.intertrust.com


    Happy to see you are using a good HOSTS file. <G>

  10. #10
    Lance Delacroix Guest

    Re: Bad spyware infection

    On Mon, 24 Nov 2003 22:25:56 GMT, "Phil" <Nospam@nospam.net>
    pronounced a fatwah thus:

    >Wipe the disk!!!! Why not just hit the computer with a sledge hammer???


    Good idea, Phil.. That might be appropriate. Better yet, perhaps the
    OP should hit his client with a sledgehammer.


    >"Lance Delacroix" <lance_delacroix@fastmail.fm> wrote in message
    >news:6o02svkjvl1rdrj0aefve8ms3cc57deaf0@4ax.com...
    >> On Sun, 23 Nov 2003 13:18:14 -0500, "Cliff Hartle" <cknjsp@msn.com>
    >> pronounced a fatwah thus:
    >>
    >> >A client of mine just had his OS rebuild after a bad bout with spyware and
    >> >viruses.
    >> >
    >> >After following all good practices, Norton AV fully updated,

    >>
    >> There's a bad practice right there.
    >>
    >> Wipe the disk, reinstall, use Proxomitron, DNSKong, eDexter, and Kerio
    >> (with Sponge's list), DON'T use Norton/Symantec **** (use AVG
    >> instead,and back up with F-prot), don't use IE, don't use OE, and
    >> don't let him do any (ahem) one-handed surfing w/out all his
    >> anti-intrusion stuff running. Better yet, get him a subscription to
    >> some skin mags.
    >>
    >> If he's going to keep ****ing himself up, tell him to put all of his
    >> data on a separate partition so he can reinstall without losing
    >> everything.
    >>
    >> I haven't had a problem in a coon's age. My ME and XP are so clean
    >> I'm starting to feel like I'm missing something.
    >>
    >> Try Linux. Micro$oft will only get worse as time goes on .
    >>
    >> And oh, yeah, read the FAQ.

    >


