Anoying spayware 2

enDomino · Jul 29, 2005

Hi all, I'm suffering an anoying spyware very difficult to get rid of ... Of course anti-spyware does not remove it.
I will explain the way it is working:
1.- There is a process in the background with a random name, for example its name now is: ahiglz.exe, whatever the name it is always in c:\windows\system32 folder
2.- If I kill the process, another process appear with a random name as well, also when it dies, it creates a new entry in the regedit so next time the system starts, the process will be executed
3.- This process has been launch by "explorer.exe" process always, at least it is the "father" process
4.- The exe always has the same size: 83.456 bytes despite the random name

I've tried several things without success:
1.- Remove the entry in the regedit and remove rights in it in order not to created new entries, starts windows in a safe mode and delete the exe file
2.- Rename the exe

I think that explorer.exe is the process that is "infected" but I'm not sure and I don't know how to solve this
Has it happend to any of you?

Thanks in advance

carrr · Jul 29, 2005

What removal tools have you used? Please enumerate.
Are you disabling system restore, if running XP, before running your removal efforts? If not, you're allowing things to "respawn" from the restore files.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

enDomino · Jul 29, 2005

Thanks for your response.
The removal tool I've used is: Ad-Aware (Lavasoft).
I'm not disabling system restore, actually, I don't understand very well what you mean ... could you explain?

carrr · Jul 29, 2005

You absolutely MUST disable system restore when performing cleanup on an XP system.

See here:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

Then, use a more robust removal tool. I am not a huge fan of Adaware for a number of reasons. I suggest either Microsoft's AntiSpyware tool or WebRoot's SpySweeper.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

http://www.webroot.com/

Microsoft's tool is free, and you can get a free trial verison from WebRoot.

Pull down one of these (start with Microsoft) and run a scan/clean WITH system restore disabled.

Post back with results.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

enDomino · Jul 29, 2005

I will do it on Monday, today it's late for me.
I will let you know.
Thanks!

enDomino · Aug 1, 2005

Hi again,
I did what you suggested:
1.- Disable "System Restore"
2.- Install "Spy Sweeper" and it did locate several spyware
However, the anoying process is still there, when I kill the process, "Spy Sweeper" prompt me with a window saying that something is going to be added to the registry bla bla so I remove it. But the new process created is executed anyway. It is very difficult to get rid of it since it is launch by "Explorer.exe" and I think it is monitoring by it as well, so when I kill it, explorer.exe itself launch a new one.
I would say explorer.exe is the one that is "infected" but "Norton Antivirus" is not detecting anything ...

The thing is that, for example today, just one pop-up has been shown but I don't like anything running in the background doing "who knows" things ...

Any other advise?

Thanks anyway

2ffat · Aug 1, 2005

Try running your anti-spyware in safe mode. Failing that try one or more of these:
HiJackThis (

http://www.merijn.org)

AutoRuns (

http://www.sysinternals.com/utilities/autoruns.html)

AutoStart Viewer (

http://www.diamondcs.com.au/index.php?page=asviewer)

Advanced Process Termination (

http://www.diamondcs.com.au/index.php?page=apt)

James P. Cottingham
-----------------------------------------
[sup]I'm number 1,229!
I'm number 1,229![/sup]

carrr · Aug 1, 2005

It would be good if you could, as suggested above, run Hijack This! and post a log of results so that we can help pinpoint this.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

enDomino · Aug 1, 2005

I've executed HijackThis, the log is:
Logfile of HijackThis v1.99.1
Scan saved at 18:28:47, on 01/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Archivos de programa\OpenVPN\bin\openvpnserv.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\Archivos de programa\OpenVPN\bin\openvpn.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\Archivos de programa\Babylon\Babylon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
c:\windows\system32\ofajbhp.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Trillian\trillian.exe
C:\Documents and Settings\aiglesias.MYALERT2\Mis documentos\downloads\PROCESSVIEW\PRCVIEW.EXE
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Maxthon\Maxthon.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\aiglesias.MYALERT2\Mis documentos\downloads\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.es/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.forospyware.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.254.254.254:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = athena;downloads.*;192.168.19.70;212.239.17.172;192.168.18.140;premium.simulator.buongiorno.com;

http://www.be3a.com;*.myalert.*;mad...iorno.com;10.1.5.110;antonio.be3a.com;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Archivos de programa\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [jjjqpk] c:\windows\system32\ofajbhp.exe r
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.be3a.com
O15 - Trusted Zone: *.buongiorno.com
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -

http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB

O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) -

https://www5.aeat.es/es13/h/cactivex.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Archivos de programa\OpenVPN\bin\openvpnserv.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - C:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\Archivos de programa\Archivos comunes\YDP\UserAccessManager\useraccess.exe (file missing)

I think the problem is: F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
I didn't see it before ... I'll try to remove it.

Do you any other thing wrong?

Thanks a lot for your help.

carrr · Aug 1, 2005

With System Restore, kill off these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [jjjqpk] c:\windows\system32\ofajbhp.exe r

I think your instincts are correct.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

carrr · Aug 1, 2005

You will also want to boot into safe mode and remove the following file:

c:\windows\system32\ofajbhp.exe

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

pechenegs · Aug 1, 2005

That won't get rid of it!

run the uninstaller from here,

http://www.mypctuneup.com/evaluate.php

Or go to

http://www.mypctuneup.com

and click on free uninstall tool and follow the steps.

post another hijack this log

enDomino · Aug 2, 2005

To be honest, I didn't believe to "pechenegs" at the beginning, actually, I'm still astonished of the easy way to remove that spyware with the tool he has propuse. Yesterday I was searching in the web information about how to remove that and I thought it was going to be hard, but not with the uninstaller within the web page "

http://www.mypctuneup.com",

it seems to be specialized in a few spywares though.
Anyway, thanks to both of you for your help.

Cheers

pechenegs · Aug 2, 2005

That's the company which makes aurora.

For those trying to get rid of this pest see Bill C's post and my recommendations on removing this pest!

Your not dealing with 1 file here but many such as the ones mentioned above and Svcproc.exe. but there are a few dlls as bill C pointed out in bolger.dll and drpmon.dll!

http://www.tek-tips.com/viewthread.cfm?qid=1056555&page=2

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Anoying spayware 2

enDomino

MIS

carrr

Technical User

enDomino

MIS

carrr

Technical User

enDomino

MIS

enDomino

MIS

2ffat

Programmer

carrr

Technical User

enDomino

MIS

carrr

Technical User

carrr

Technical User

pechenegs

MIS

enDomino

MIS

pechenegs

MIS

Part and Inventory Search

Sponsor