Re: Malware doesn't let go

From: RJ (jackbobNOSPAM_at_hotmail.com)
Date: 08/11/04


Date: Tue, 10 Aug 2004 22:58:02 -0400

Some of this malware is particularly odious. I've had luck with
Pest Patrol finding and fixing infections when other programs (AdAware)
could not.
http://www.pestpatrol.com/Products/PestPatrolHE/

Have you checked your Startup settings? Obviously some program/process
is checking the home page setting and changing it. This might be loaded
during startup. Check out this free Mike Lin utility that will tell you ALL programs
that are started with Windows (and remove them from starting up).
http://www.mlin.net/StartupCPL.shtml

BTW... I think it would be prudent for MS to start addressing
some of these malware exploits and providing users ways
of cleaning them up.

"John" <john@nospam.infovis.co.uk> wrote in message news:OU2zFV0fEHA.1656@TK2MSFTNGP10.phx.gbl...
>
> After some cleanup, below is the hijack log. Anything I can do? Deleting
> registry keys alone does not help. They just come back.
>
> Regards
>
> Logfile of HijackThis v1.97.7
> Scan saved at 02:43:54, on 11/08/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
> C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
> C:\WINDOWS\System32\nvsvc32.exe
> C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
> C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\rdpclip.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\System32\DSentry.exe
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
> C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat
> 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
> C:\Ben\QuickDCF.exe
> C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
> C:\Program Files\WinZip\WZQKPICK.EXE
> C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
> C:\WINDOWS\system32\logon.scr
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
> C:\WINDOWS\System32\ctfmon.exe
> C:\Download\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://yourpoiskovik.com/sp.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
> http://yourpoiskovik.com/index.htm
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
> http://www.google.com
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
> http://www.google.com
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
> http://www.google.com
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
> http://yourpoiskovik.com/sp.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
> http://yourpoiskovik.com/index.htm
> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
> Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
> C:\WINDOWS\System32\msdxm.ocx
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
> C:\WINDOWS\System32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
> O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator
> 5\DirectCD\DirectCD.exe"
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe
> C:\WINDOWS\System32\crazytalk.dll,DllServeMediaFile
> O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend
> Micro\OfficeScan Client\pccntmon.exe" -HideWindow
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
> Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [StatusClient] C:\Program
> Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat
> 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
> O4 - HKLM\..\Run: [TomcatStartup] C:\Program
> Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
> O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\System32\lexpps.exe
> O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
> /background
> O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
> Sweeper\SpySweeper.exe" /0
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
> O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk =
> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE
> O4 - Global Startup: Exif Launcher.lnk = ?
> O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program
> Files\Microsoft Firewall Client\ISATRAY.EXE
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office 2000\Office\OSA9.EXE
> O4 - Global Startup: winlgn.exe
> O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
> Files\WinZip\WZQKPICK.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: Research (HKLM)
> O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
> O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144
> (HKLM)
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
> http://software-dl.real.com/264b9403b90d8ec40805/netzip/RdxIE601.cab
> O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client
> Control (redist)) - https://81.86.68.23/Remote/msrdp.cab
> O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
> http://vs1-73418.highspeedoffice.net/activex/AxisCamControl.ocx
> O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) -
> http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
> O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload
> Tool Class) -
> http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3au.cab
> O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
> http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
>
>
> "Mary" <Mary@discussions.microsoft.com> wrote in message
> news:7AB670F1-A66D-4700-8D4C-9431C08E4B1C@microsoft.com...
> > Hijack This might help. Also Ad Aware has a brand new version out this
> > week. That might do it.
> >
> > "John" wrote:
> >
> > > Hi
> > >
> > > One of the client xp pcs on a win2k network has this annoying start-up
> > > page set in the browser; http://yourpoiskovik.com/index.htm. No matter
> > > how many times it is set to a different page it always comes back. I
> > > have tried to run adaware and spy sweeper but these do not seem to be
> > > able to clean the malware permanently.
> > >
> > > Any ideas I can follow to clean this up?
> > >
> > > Thanks
> > >
> > > Regards
>
>
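One way to triage a HijackThis log like the one John posted, as an added example (not code from the thread or from HijackThis itself): it flags R0/R1 start and search entries that point at a host outside an admin-chosen trusted set, and O4 startup items that carry no absolute path, noting when such a bare name closely resembles a core Windows binary (the Global Startup item winlgn.exe against winlogon.exe). The sample entries are copied from the posted log; TRUSTED_HOSTS and SYSTEM_BINARIES are assumptions the reviewer would tune.

```python
import difflib
import re
from urllib.parse import urlparse

# Sample entries copied from the HijackThis log posted above (a subset, not a full log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://yourpoiskovik.com/index.htm
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.google.com
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = http://yourpoiskovik.com/sp.htm
O4 - HKCU\\..\\Run: [SpySweeper] "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe" /0
O4 - Global Startup: winlgn.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
"""
# Assumptions: the admin chooses the trusted start/search hosts; the system binary list is
# the set of names a startup item might imitate (winlgn.exe next to winlogon.exe above).
TRUSTED_HOSTS = {"www.google.com"}
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "services.exe"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def lookalike(name):
    """Return the system binary a bare file name closely resembles; exact names return None."""
    hits = difflib.get_close_matches(name.lower(), SYSTEM_BINARIES, n=1, cutoff=0.8)
    return hits[0] if hits and hits[0] != name.lower() else None

def triage(text):
    """Return (section, reason, entry) for the log entries a defender should review first."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # headers and the process list are not R*/O* entries
        sec, body, entry = m.group("sec"), m.group("body"), m.group(0)
        if sec in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host and host.lower() not in TRUSTED_HOSTS:
                findings.append((sec, f"IE start/search setting points at untrusted host {host}", entry))
        elif sec == "O4":
            target = body.split(": ", 1)[-1]
            if "]" in target:             # "[Name] command" form from a Run key
                target = target.split("]", 1)[1].strip()
            elif " = " in target:         # "Shortcut.lnk = path" form from a Startup folder
                target = target.split(" = ", 1)[1].strip()
            if not re.match(r'^"?[A-Za-z]:\\', target):
                reason = "startup item has no absolute path"
                mimic = lookalike(target.split(" ")[0])
                if mimic:
                    reason += f" and its name resembles {mimic}"
                findings.append((sec, reason, entry))
    return findings
```

Run it over a full saved log instead of SAMPLE_LOG to get the short list of entries worth checking by hand before any Startup or registry cleanup.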


