New VX2 or CoolWebSearch: extra lethal [RESOLVED]



#1
n00bman

Subject: New VX2 or CoolWebSearch: Extra Lethal


Dear GeeksToGo:

Your site is wonderful. Way to go! Gives me hope that this mess can be fixed.

I have a pretty new variant of VX2 or CoolWebSearch that is extremely advanced. It is being partially impeded via active scanning by Spybot S&D and Ewido, but there are 14 days before Ewido expires.

Switched to FireFox (too late) and am running ZoneAlarm, have Norton Antivirus. Running XP Pro with SP1 (compatibility problems with SP2), got newest Windows updates (perhaps too late).

I followed all of the pre-hijack-this steps except the online removal tools. Had trouble with Firefox and java plugins. Panda site only works with IE. I do not trust IE right now.

VX2 or CoolWebSearch Observations (in order of relevance):

1. Detected by Ad-Aware, but not by Ad-Aware VX2 plug-in v.1.03.
2. This is NOT the VX2 with IEhelper.dll, nor does it have guard.tmp.
3. Primarily does the following:
3.a. Changes IE homepage to “about:blank”
3.b. Installs CoolWebSearch registry values and WildTangent components without connecting to internet.
3.c. Generates pop-ups, downloads more spyware, etc.
4. Primarily consists of the following:
4.a. Several main .dll files with random names which regenerate (see Ewido report below).
4.b. Many, many .exe files in C:\WINDOWS\system32 which regenerate. Names are pseudo-random, designed to deceive – contain mix of junk with “java,” “net,” “sys,” or end in “32.”
4.c. After attempted extraction, regenerates when you launch either internet explorer (the web browser) or “explorer” (the file manager standard with Windows). It seems to confuse the latter with the former, constantly monitors system to detect launch.
5. CleanUp! was unable to remove many index.dat files in Cookies, IE5 Cache, and Temporary Internet Files.
6. CWShredder originally found “HomeSearch” and “The Real Search,” but no longer detects since cleaning & constant action of Spybot and Ewido. CWShredder repairing IE files triggers partial launch of VX2. Full original report available.
7. Seems to corrupt C:\WINDOWS\locator.exe, abuses it to make internet connections.
8. Zone Alarm detects some of the .exe files attempting to connect to the internet.

General Note: Cleaning with Ad-Aware, Spybot, Ewido, and CWS Shredder is ineffective. Probably needs something deleted while in Safe Mode.

Special Note: My problem seems to be similar to those described by other users with VX2 and “about:blank” homepage problems, such as pcman999, who is being helped by Trevuren.


Ewido Log:

+ Created on: 4:35:58 AM, 5/21/2005
+ Report-Checksum: 59D0606

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 50 min
+ Scanned Files: 76278
+ Speed: 25.34 Files/Second
+ Infected files: 17
+ Removed files: 17
+ Files put in quarantine: 17
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\appin32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\atlgm32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\ieum32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ieyr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ipdq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mfcwv32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\msel.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\netbd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\crik32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\crry.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ipnx.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\javaqf.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\rconj.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\sysem.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysjd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysqn.exe -> Trojan.Agent.bi -> Cleaned with backup


::Report End



HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:19 AM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\Program Files\Ewido Security Suite\ewidoctrl.exe
C:\Program Files\Ewido Security Suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\GE Optical Mouse\mouse32a.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\Program Files\Zone Alarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\FireFox\firefox.exe
C:\Documents and Settings\The Man\My Documents\VX2 Removal Stuff\HijackThis.exe

(PS - used to have a C:\WINDOWS\system32 .exe file as a Running Process, but not since removal & active scanning)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\ntka32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Alarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL Instant Messenger\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nds/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp...er/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A1F318-2CE7-41CD-BE0A-CE6D5F140FBD}: NameServer = 209.137.171.10,209.137.171.20
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msyx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Security Suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Security Suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)


My apologies for writing so much! Just trying to give good description. I would greatly appreciate the help of anyone on your team. Thank you so much for your care and dedication.

Sincerely,
n00bman
  • 0



#2
Metallica

Download SpSeHjfix into a folder. Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Regards,
  • 0

#3
n00bman

Metallica -

Thanks for the quick response!

Contact Timing:
Please let me know what time of the day/week when I should post comments or read yours. I'm on the east coast of North America (GMT -5 hrs).

Clarification:
When you say close all programs, do you want me to try closing background processes? Everything under TaskManager\Applications was closed, but there were a number of things in TaskManager\Processes that were running, including Ewido, ZoneAlarm, Spybot, and other typical non-system programs.

SpSeHjfix:
I pressed the "disinfect" button a few times b/c I wasn't sure it had run, since there was no reboot.

Observation Update:
Before running fix, I noticed that VX2 variant launches with any file manager, whether it's Explorer or the My Computer icon.


SpSeHjfix Log:

(5/21/05 4:19:42 PM) SPSeHjFix started v1.1.2
(5/21/05 4:19:42 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/21/05 4:19:42 PM) Language: english
(5/21/05 4:19:42 PM) Win-Path: C:\WINDOWS
(5/21/05 4:19:42 PM) System-Path: C:\WINDOWS\System32
(5/21/05 4:19:42 PM) Temp-Path: C:\DOCUME~1\THEMAN~1\LOCALS~1\Temp\
(5/21/05 4:19:57 PM) Disinfection started
(5/21/05 4:19:57 PM) Bad-Dll(IEP): c:\windows\system32\rconj.dll
(5/21/05 4:19:57 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:19:57 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:19:57 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\rconj.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\rconj.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer, SearchURL:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\rconj.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\rconj.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\system32\rconj.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\rconj.dll/sp.html#55135
(5/21/05 4:19:57 PM) Stealth-String not found
(5/21/05 4:19:57 PM) No locked Files to delete. End without Reboot
(5/21/05 4:20:37 PM) Disinfection started
(5/21/05 4:20:37 PM) Bad-Dll(IEP): c:\windows\system32\rconj.dll
(5/21/05 4:20:37 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:20:37 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:20:37 PM) Bad IE-pages: (none)
(5/21/05 4:20:37 PM) Stealth-String not found
(5/21/05 4:20:37 PM) No locked Files to delete. End without Reboot
(5/21/05 4:20:47 PM) Disinfection started
(5/21/05 4:20:47 PM) Bad-Dll(IEP): c:\windows\system32\rconj.dll
(5/21/05 4:20:47 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:20:47 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:20:47 PM) Bad IE-pages: (none)
(5/21/05 4:20:47 PM) Stealth-String not found
(5/21/05 4:20:47 PM) No locked Files to delete. End without Reboot


(5/21/05 4:21:07 PM) SPSeHjFix started v1.1.2
(5/21/05 4:21:07 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/21/05 4:21:07 PM) Language: english
(5/21/05 4:21:07 PM) Win-Path: C:\WINDOWS
(5/21/05 4:21:07 PM) System-Path: C:\WINDOWS\System32
(5/21/05 4:21:07 PM) Temp-Path: C:\DOCUME~1\THEMAN~1\LOCALS~1\Temp\
(5/21/05 4:21:09 PM) Disinfection started
(5/21/05 4:21:09 PM) Bad-Dll(IEP): (not found)
(5/21/05 4:21:09 PM) Bad-Dll(IEP) in BHO: (not found)
(5/21/05 4:21:09 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:21:09 PM) UBF: 8 - UBB: 2 - UBR: 12
(5/21/05 4:21:09 PM) Bad IE-pages: (none)
(5/21/05 4:21:09 PM) Stealth-String not found
(5/21/05 4:21:09 PM) Not infected->END



HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:53:56 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\GE Optical Mouse\mouse32a.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\Program Files\Zone Alarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\Program Files\Ewido Security Suite\ewidoctrl.exe
C:\Program Files\Ewido Security Suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\The Man\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\ntka32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Alarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL Instant Messenger\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nds/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp...er/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A1F318-2CE7-41CD-BE0A-CE6D5F140FBD}: NameServer = 209.137.171.10,209.137.171.20
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msyx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Security Suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Security Suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)


Many thanks for your continued assistance!

n00bman

Edited by n00bman, 21 May 2005 - 11:14 PM.

  • 0

#4
Metallica

When I write close all programs I mean all the active Windows.
If I want you to close everything possible I'll advise to boot into safe mode.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\ntka32.dll

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nds/install.cab

Click Start > Run and type cmd > OK
When the Command prompt comes up type or paste in this command and press enter:

sc GetKeyName "Remote Procedure Call (RPC) Helper"

It will give you a name for the service installed by the hijacker.

Type sc delete one space and then the name you got from the 1st command. Press enter.
You should get a success message.

If not, then the key name has some character which sc cannot translate. Let me know.

Reboot when you are done and post a new HijackThis log.

My time zone is GMT+1 but I usually check in a few times a day.

Regards,
  • 0
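The triage done by hand in the reply above, as an added example that is not part of the original thread and is not HijackThis's own logic: it parses the R, O2 and O23 entries of a log and scores them. The weights, the `BUILTIN_RPC_NAMES` list and all function names are assumptions of this example; the sample lines are copied from the logs posted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\ntka32.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msyx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe
"""

# Assumption of this example: built-in display names a fake service may imitate.
BUILTIN_RPC_NAMES = {"Remote Procedure Call (RPC)",
                     "Remote Procedure Call (RPC) Locator"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
RES_DLL = re.compile(r"= res://(.+?\.dll)/", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def parse_service(body):
    """Split an O23 body into (display, key_name, owner, path, file_missing)."""
    body = body[len("Service: "):]
    missing = body.endswith(" (file missing)")
    if missing:
        body = body[: -len(" (file missing)")]
    name, owner, path = body.rsplit(" - ", 2)
    # A key name that differs from the display name is the LAST (...) group;
    # the display name itself may contain parentheses, e.g. "(RPC)".
    m = re.match(r"^(.*\S)\s*\((.*)\)$", name)
    display, key = (m.group(1), m.group(2)) if m else (name, None)
    return display, key, owner, path, missing


def check_service(f, body):
    if not body.startswith("Service: ") or body.count(" - ") < 2:
        return
    display, key, owner, _path, missing = parse_service(body)
    # A key name outside printable ASCII cannot be typed reliably at the
    # console, which is why `sc delete` failed in this thread.
    if key and any(not 0x20 <= ord(c) < 0x7F for c in key):
        f.add(2, "non-ASCII key name")
    if (display.startswith("Remote Procedure Call (RPC)")
            and display not in BUILTIN_RPC_NAMES):
        f.add(2, "imitates built-in service name")
    if missing and owner == "Unknown owner":
        f.add(1, "orphaned registration")


def check_bho(f, body):
    m = re.match(r"^BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$", body)
    if not m:
        return
    name, _clsid, path = m.groups()
    if name in ("Class", "(no name)") and ntpath.dirname(path).lower() in WINDOWS_DIRS:
        f.add(2, "unnamed BHO DLL in the Windows directory")


def check_ie_page(f, body):
    m = RES_DLL.search(body)
    if m and ntpath.dirname(m.group(1)).lower() in WINDOWS_DIRS:
        f.add(2, "IE page served from a DLL in the Windows directory")


CHECKS = {"R": check_ie_page, "O2": check_bho, "O23": check_service}


def triage(log_text, threshold=2):
    """Return scored findings at or above threshold, highest score first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        check = CHECKS.get("R" if code.startswith("R") else code)
        if check is None:
            continue
        f = Finding(code, raw.strip())
        check(f, body)
        if f.score >= threshold:
            findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.score, f.code, "; ".join(f.reasons), "|", f.line)
```

Entries that score only on "orphaned registration", such as the Iomega service here, stay below the default threshold and appear only with `threshold=1`.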

#5
n00bman

Dear Pieter:

You've been most kind to continue helping me. I'll try to begin posting at more convenient times.

You anticipated correctly - sc could not translate the name. I tried reconstructing it in MS Word and pasted my replica into the command prompt:

11F▀Σ♠#╖║-╓‘I

This didn't work. But you're right, this isn't the name, it's a translation error and appears differently in the HJT log. My deletion attempt returned the following:

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

The other items you requested to remove via HJT were deleted and backups were created.

P.S. - HJT can't detect the IE version b/c I previously (before my first post) renamed both IE's execution file name and folder so that the malware couldn't find it to launch IE at startup.


Latest HJT log after reboot:

Logfile of HijackThis v1.99.1
Scan saved at 3:27:57 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\GE Optical Mouse\mouse32a.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\Program Files\Zone Alarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\Program Files\Ewido Security Suite\ewidoctrl.exe
C:\Program Files\Ewido Security Suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\The Man\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Alarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL Instant Messenger\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp...er/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A1F318-2CE7-41CD-BE0A-CE6D5F140FBD}: NameServer = 209.137.171.10,209.137.171.20
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msyx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Security Suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Security Suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)


Thanks again, your advice is solid and has helped me regain some peace of mind!

n00bman

#6
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,671 posts
We don't give up that easy. :tazz:

Copy the contents of the quote box to Notepad.
Name the file Bye.vbs
Save as Type : All files

Double click on Bye.vbs to run it. You'll get an already stopped message and then another message box saying Done!


 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
   & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
   ("Select * from Win32_Service Where DisplayName = 'Remote Procedure Call (RPC) Helper'")
For Each objService in colListOfServices
If objService.State = "Stopped" then
MsgBox "Stopped Already"
Else
objService.StopService()
MsgBox "Service Stopped"

End IF
   objService.Delete()


Next

MsgBox "Done"



If you then run Services.msc you should no longer see the Remote Procedure Call (RPC) Helper Service on the list.

Regards,

#7
n00bman
    Member
  • Topic Starter
  • 17 posts
Dear Pieter:

Your custom script is much appreciated!

Unfortunately, it doesn't seem to have worked:

1. The box that appeared said, "Stopped already."

2. A second box appeared (window box title was "Windows Script Host") which said the following:

Script: C:\Documents and Settings\The Man\Desktop\Bye.vbs
Line: 14
Char: 4
Error: Generic failure
Code: 80041001
Source: SWbemObjectEx

3. The Services.msc utility showed the RPC Helper before and after the script was run.

It also shows two other RPCs, although they look more legit (actually have an entry in the description column). They are:

Name - Remote Procedure Call (RPC); Description - Provides the endpoint mapper and other miscellaneous RPC services; Status - Started; Startup Type - Automatic; Log On As - Local System

Name - Remote Procedure Call (RPC) Locator; Description - Manages the RPC name services database; Status - [none]; Startup Type - Manual; Log On As - Network Service

Ours is:
Name - Remote Procedure Call (RPC) Helper; Description - [none]; Status - [none]; Startup Type - Automatic; Log On As - Local System


Thanks for responding so late in the day! I look forward to continuing the fight against this stalwart demon.

n00bman

#8
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,671 posts
It is the "Helper" we want to get rid of.

I'll have to ask the person who wrote that script for help.
No clue what could have caused that error.
Can you check if it's exactly the same as I posted it?

Regards,

#9
n00bman
    Member
  • Topic Starter
  • 17 posts
Dear Pieter:

I am truly appreciative that you're still helping me. :tazz:

I double-checked the script and ran it again with the same negative results. I then did some Googling and whatnot:

(btw easiest to find relevant portion of webpage by searching for "objService.Delete()")

1. I saw this same script given by you and someone else with success on these pages:
http://www.geekstogo...age-t24822.html
http://forums.subrat...t=0

Don't know why this doesn't work on my comp.

2. I saw a very similar script on these pages (actual script follows):
http://www.activxper...ripts/services/
http://www.securityd...om/library/2933
http://dev.cordernet.../FAQ03-0014.htm

<Begin Script to Remove "Db Service">

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
("Select * from Win32_Service Where Name = 'DbService'")
For Each objService in colListOfServices
objService.StopService()
objService.Delete()
Next

<End Script>

As my name implies, I'm a real big n00b, but my thoughts on the error were the following:
1. Line 14, Character 4 refers to the command objService.Delete(). On my odd system, could this perhaps be an invalid "End If" argument? I noticed that "End If" often did not have commands following it on: http://www.activxper...ripts/services/
2. Should I try the script above?
3. I noticed that some important .dll files have been removed from my system in this process so far, impairing a few system functions. Could my comp be missing some component involved in running scripts?

(I had planned on replacing the .dll files once the malware was gone, so that it would not corrupt the new ones.)

Thank you again for helping me and taking the time to talk to your associate about the script.


Cheers,

n00bman
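
A diagnostic variant of the Bye.vbs script from post #6, added here as an example and not part of the thread or written by its participants. It separates a raised WMI error (such as the 80041001 reported at line 14) from a method return code and shows the service's internal name and path. The `Describe` helper and the `TARGET` constant are names introduced for this example.

```vbscript
' Added example (not from the thread): Bye.vbs with error reporting.
Option Explicit
Const TARGET = "Remote Procedure Call (RPC) Helper"  ' display name from the thread
Dim objWMIService, colServices, objService, rc, report, found

Function Describe(action, errNum, errSrc, rc)
    ' A raised error (such as 80041001) and a non-zero return code are
    ' different failures; report whichever occurred. Return code 0 = success.
    If errNum <> 0 Then
        Describe = action & " raised 0x" & Hex(errNum) & " from " & errSrc & vbCrLf
    Else
        Describe = action & " returned " & rc & vbCrLf
    End If
End Function

On Error Resume Next
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
If Err.Number <> 0 Then
    MsgBox "Cannot connect to WMI: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

Set colServices = objWMIService.ExecQuery( _
    "Select * from Win32_Service Where DisplayName = '" & TARGET & "'")
found = colServices.Count   ' forces the query to run so a failure shows here
If Err.Number <> 0 Then
    MsgBox "Service query failed: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If
If found = 0 Then
    MsgBox "No service with display name: " & TARGET
    WScript.Quit 0
End If

For Each objService In colServices
    ' Brackets make leading spaces or odd characters in the key name visible.
    report = "Name: [" & objService.Name & "]" & vbCrLf & _
             "Path: " & objService.PathName & vbCrLf & _
             "State: " & objService.State & vbCrLf
    If objService.State <> "Stopped" Then
        Err.Clear
        rc = objService.StopService()
        report = report & Describe("StopService", Err.Number, Err.Source, rc)
    End If
    Err.Clear
    rc = objService.Delete()
    report = report & Describe("Delete", Err.Number, Err.Source, rc)
    MsgBox report
Next
```

The message box text can be pasted back into the thread so the helper sees which call failed and with what code.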

#10
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,671 posts
Getting SP2 will replace/renew a lot of system files. That may help.

So far I have had one person that I couldn't get a script to work for, and that one had one other similarity to you:
HijackThis could not read the IE version

MSIE: Unable to get Internet Explorer version!


I saw my friend that I "borrowed" the script from is online at her forum, so I'm hoping she will get back to me shortly.
She can't reply here herself, but I will be happy to relay her answer.

Regards,

#11
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,671 posts
My friend says this is a problem on your computer with the WMI Repository.
Since you have other Windows issues, we think it is wise to install SP2 first.
Hopefully that will solve several or all of them.

Let me know.

Regards,

#12
n00bman
    Member
  • Topic Starter
  • 17 posts
Dear Pieter:

I greatly appreciate your advice, but I must ask if there are other options than SP2. I would rather donate a kidney, stand on my head and juggle than install SP2. Despite updating my drivers, my last SP2 installation wrecked my internet connection and mouse. I had to roll back my ethernet card driver and spend 2 hrs. on the phone with Compaq to get the right mouse driver to fix all the problems.

Is there an option to manually fix the WMI repository? It seems that part of the script runs okay (the "already stopped" box appears), just runs into a problem with the deletion command.


Thank you for your time,

n00bman

#13
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,671 posts
Attempt 1.

Click Start > Run > type services.msc > OK

This will open the "Services" Window
Scroll down to Windows Management Instrumentation.
Check if it is running. Stop the service if it is and right-click the line.
Choose Properties and set it to Automatic.

Close the Services window and try the script again.

Let me know.

#14
n00bman
    Member
  • Topic Starter
  • 17 posts
Dear Pieter:

Thanks for the tip! No luck yet, though.

Any thoughts on these instructions?

http://msdn.microsof...talling_wmi.asp
http://msmvps.com/ld...cles/20217.aspx
(Same script as 2nd link): http://www.pcreview....read-531758.php


Sincerely,

n00bman

#15
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,671 posts
I was following these:
http://www.microsoft...ces/wmifaq.mspx

But maybe this is a better idea.
Please go to this site and choose the correct language:
http://www.microsoft...&displaylang=en

Install Windows Script 5.6 for Windows 2000 and XP that is offered for download there.

Regards,