Re: Malware doesn't let go

From: RJ (jackbobNOSPAM_at_hotmail.com)
Date: 08/11/04


Date: Tue, 10 Aug 2004 22:58:02 -0400

Some of this malware is particularly odious. I've had luck with
Pest Patrol finding and fixing infections when other programs (AdAware)
could not.
http://www.pestpatrol.com/Products/PestPatrolHE/

Have you checked your Startup settings? Obviously some program/process
is checking the home page setting and changing it. This might be loaded
during startup. Check out this free Mike Lin utility that will tell you ALL programs
that are started with Windows (and remove them from starting up).
http://www.mlin.net/StartupCPL.shtml

BTW... I think it would be prudent for MS to start addressing
some of these malware exploits and providing users ways
of cleaning them up.

"John" <john@nospam.infovis.co.uk> wrote in message news:OU2zFV0fEHA.1656@TK2MSFTNGP10.phx.gbl...
>
> After some cleanup, below is the hijack log. Anything I can do? Deleting
> registry keys alone does not help. They just come back.
>
> Regards
>
> Logfile of HijackThis v1.97.7
> Scan saved at 02:43:54, on 11/08/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
> C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
> C:\WINDOWS\System32\nvsvc32.exe
> C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
> C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\rdpclip.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\System32\DSentry.exe
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
> C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
> C:\Ben\QuickDCF.exe
> C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
> C:\Program Files\WinZip\WZQKPICK.EXE
> C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
> C:\WINDOWS\system32\logon.scr
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\WINDOWS\System32\ctfmon.exe
> C:\Download\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yourpoiskovik.com/sp.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yourpoiskovik.com/index.htm
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yourpoiskovik.com/sp.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yourpoiskovik.com/index.htm
> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
> O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\crazytalk.dll,DllServeMediaFile
> O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
> O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
> O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\System32\lexpps.exe
> O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
> O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
> O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE
> O4 - Global Startup: Exif Launcher.lnk = ?
> O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
> O4 - Global Startup: winlgn.exe
> O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: Research (HKLM)
> O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
> O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
> O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/264b9403b90d8ec40805/netzip/RdxIE601.cab
> O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://81.86.68.23/Remote/msrdp.cab
> O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://vs1-73418.highspeedoffice.net/activex/AxisCamControl.ocx
> O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
> O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3au.cab
> O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
>
>
> "Mary" <Mary@discussions.microsoft.com> wrote in message
> news:7AB670F1-A66D-4700-8D4C-9431C08E4B1C@microsoft.com...
> > Hijack This might help. Also Ad Aware has a brand new version out this week.
> > That might do it.
> >
> > "John" wrote:
> >
> > > Hi
> > >
> > > One of the client XP PCs on a win2k network has this annoying start-up page set in the browser; http://yourpoiskovik.com/index.htm. No matter how many times it is set to a different page it always comes back. I have tried to run adaware and spy sweeper but these do not seem to be able to clean the malware permanently.
> > >
> > > Any ideas I can follow to clean this up?
> > >
> > > Thanks
> > >
> > > Regards
> > >
> > >
> > >
>
>
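As an added illustration of the "check your Startup settings" advice above (this is example code written for this page; it is not RJ's, not the Mike Lin Startup utility, and not HijackThis), the PowerShell script below enumerates the same autostart locations and Internet Explorer start/search-page values that show up as O4 and R0/R1 lines in the HijackThis log, so that a home page which keeps being reset can be matched against whatever is re-launched at every logon. It assumes PowerShell is available on the affected machine (the thread predates it, so that is an assumption) and that legitimate autostart entries normally point into the Windows or Program Files directories; entries elsewhere, bare executables in a Startup folder rather than .lnk shortcuts, and commands given only by a relative name are marked for manual review rather than judged automatically.

```powershell
# Added example: list autostart entries and IE home/search-page settings
# (the locations HijackThis reports as O4 and R0/R1), flagging anything
# that does not look like a normally installed program for manual review.

# Registry Run keys checked at logon (HKLM = all users, HKCU = this user).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders: per-user and All Users ("Global Startup" in HijackThis).
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# IE keys holding the home page, search page and search assistant URLs.
$ieKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchURL',
    'HKLM:\Software\Microsoft\Internet Explorer\Search'
)

# Assumption: installed software lives under these roots; anything else is
# worth a second look (this is a review aid, not a verdict).
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles)

function Get-ExecutablePath {
    param([string]$Command)
    # A quoted command keeps its spaces; otherwise take the first token.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-ExpectedPath {
    param([string]$Command)
    $exe = Get-ExecutablePath $Command
    foreach ($root in $expectedRoots) {
        if ($exe -like "$root*") { return $true }
    }
    # Relative names (e.g. "nwiz.exe /install") resolve via PATH, so they
    # cannot be checked here and are flagged for review as well.
    return $false
}

Write-Host '== Registry Run keys (HijackThis O4) =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $flag = if (Test-ExpectedPath ([string]$p.Value)) { '' } else { '  <-- review' }
        Write-Host ('{0} [{1}] {2}{3}' -f $key, $p.Name, $p.Value, $flag)
    }
}

Write-Host '== Startup folders (HijackThis O4 Global/User Startup) =='
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            # Shortcuts (.lnk) are the norm here; a program placed directly
            # in the folder is unusual and gets flagged.
            $flag = if ($_.Extension -ieq '.lnk') { '' } else { '  <-- review' }
            Write-Host ('{0}{1}' -f $_.FullName, $flag)
        }
}

Write-Host '== IE start/search page values (HijackThis R0/R1) =='
foreach ($key in $ieKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -is [string] -and $p.Value -match '^https?://') {
            Write-Host ('{0},{1} = {2}' -f $key, $p.Name, $p.Value)
        }
    }
}
```

Run it from an administrative PowerShell prompt and compare the flagged lines with the O4 entries in the log: an executable sitting directly in the All Users Startup folder, as the log above shows, is exactly the kind of entry this marks for review. Removing only the R1 values, as the original poster found, does not help while whatever is launched at logon is still free to write them back, so the autostart entries are what to resolve first.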

