A client of mine just had his OS rebuild after a bad bout with spyware and
viruses.
After following all good practices, Norton AV fully updated, no Kazaa and
running Spy bot almost daily, upon bootup adultlinks would re install itself
after he removed it with Spy bot (fully updated). The client also runs some
sort of internet cleanup software he got from the IT guys at work.
Also, Norton has removed about a dozen or so viruses in the past week such
as Dumaru (sp?) and byte verifier trojan.
I reran spy bot and he had 133 items to remove. All the normal stuff
though it was odd that xupiter squire returned after he had removed it.
I ran Ad aware to see if it would pickup anything else.
Ad aware removed quite a few adult links items and a few other items. After
a reboot I get an error telling me that a device referenced in the
system.ini is corrupted and windows may need to be re installed.
I'm of course sweating bullets now, I press a key to continue and windows
starts normally with no adult links (so far). Though when he first starts
IE he still gets a popup asking him to select his favorite soft drink that I
know is caused by spyware.
My thought is Ad aware removed something or disabled something in the
system.ini and this is the reason for the error.
In tasks I notice a few entries with random file names.
I ran Hijack this and notice a few random file names in the startup. Here
is the log.
Logfile of HijackThis v1.97.7
Scan saved at 3:42:12 PM, on 11/21/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\DXUDXZKT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ALSET\HELPEXPRESS\HP AUTHORIZED CUSTOMER\HXIUL.EXE
C:\PROGRAM FILES\ALSET\HELPEXPRESS\HP AUTHORIZED CUSTOMER\HXDL.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\ONICTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\YUYT10.EXE
C:\WINDOWS\SYSTEM\FNJT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://hp.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} -
C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRAM
FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\IC3HLPR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch
Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD]
C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [wzkrbxyj] C:\WINDOWS\dxudxzkt.exe
O4 - HKLM\..\Run: [AQWANQU] C:\WINDOWS\AQWANQU.exe
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DbhB2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Yahoo HP Reminder 1.0] C:\PROGRAM
FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft
Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\HP
Authorized Customer\HXIUL.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin
Systems\Internet Cleanup\onictask.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: IC 3.0 (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet
cleanup\adlsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
Thanks cliff
Reply With Quote