
Umonitor and other various spyware removal help 1


cwyman

Technical User
Apr 2, 2004
104
US
I have a computer that has the Umonitor spyware among others. I was searching the CastleCops forum and it appears to be a nasty removal process, but I trust my buddies at tek-tips so here I am.

Here's the hijack log:

Logfile of HijackThis v1.99.0
Scan saved at 9:22:26 AM, on 1/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ILTCQUOTE\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Office Tracker 4.0\alarmer.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USB controller] "C:\Temp\ICD4.tmp\svcmm32.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Office Tracker Alarmer.lnk = C:\Program Files\Office Tracker 4.0\alarmer.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: SQL Server.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10FBA3CF-2264-416B-90E5-6F7B751C60B8} (Siebel Option Pack for IE 7.0.5) -
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) -
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) -
O16 - DPF: {631F0C94-C02F-40AC-A31B-DDC39731FC81} (Siebel Option Pack for IE 7.0.4) -
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) -
O16 - DPF: {DBFF771D-3F92-4C70-9978-508738536F38} (CSConn Class) -
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

They have Black Ice and NAV loaded on their system. They also have Ad-aware loaded.

Let me know what needs to be done. I'm having the user download the winsockfix just in case we cause some damage.

TIA,

Carrie
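The log above is read by hand in this thread, but the first pass can be done mechanically. The Python below is an added example (not code from the thread, from HijackThis, or from any forum helper): it parses HijackThis v1.99-style entry lines and applies the rules of thumb experienced log readers use on exactly these sections: O1 hosts entries that point somewhere other than loopback, O3 toolbars with no name or no backing file, O4 autoruns whose binary lives under a Temp directory, and O23 services with an unknown vendor or a missing file. The sample log embedded in it is constructed from a subset of the entries posted above plus one clean hosts line; the check names and the triage function are this example's own.

```python
import re

# Constructed sample: a subset of the HijackThis v1.99 entries posted in
# this thread (paths and GUIDs copied from that log), plus one clean
# "127.0.0.1 localhost" line so the hosts check has a negative case.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [USB controller] "C:\Temp\ICD4.tmp\svcmm32.exe" /startup
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# A path component named temp/tmp, or any directory whose name ends in .tmp.
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\|\\[^\\]+\.tmp\\", re.I)


def parse(log_text):
    """Yield (section, body) for every entry line; headers and process lists are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def check_hosts(body):
    # O1 body: "Hosts: <ip> <name>"; any non-loopback address is a redirect.
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
    if m and m.group(1) not in LOOPBACK:
        return f"hosts file sends {m.group(2)} to {m.group(1)} instead of loopback"
    return None


def check_toolbar(body):
    # O3 body: "Toolbar: <name> - {CLSID} - <file>"
    if "(no name)" in body or "(no file)" in body:
        return "toolbar with no name or no backing file"
    return None


def check_autorun(body):
    # O4 body: "HKLM\..\Run: [<name>] <command line>"; Global Startup lines have no [name].
    m = re.match(r"[^:]*:\s+\[[^\]]+\]\s+(?P<cmd>.+)", body)
    if m and TEMP_PATH_RE.search(m.group("cmd")):
        return "autorun binary lives under a Temp directory"
    return None


def check_service(body):
    # O23 body: "Service: <display name> - <vendor> - <path>"
    if " - Unknown - " in body or "(file missing)" in body:
        return "service with unknown vendor or missing binary"
    return None


CHECKS = {"O1": check_hosts, "O3": check_toolbar, "O4": check_autorun, "O23": check_service}


def triage(log_text):
    """Return [(section, reason, entry)] for each entry that one of the checks flags."""
    findings = []
    for sec, body in parse(log_text):
        check = CHECKS.get(sec)
        reason = check(body) if check else None
        if reason:
            findings.append((sec, reason, body))
    return findings


if __name__ == "__main__":
    for sec, reason, entry in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {entry}")
```

Run as a script it prints the five flagged entries; the Norton toolbar, the ccApp autorun and the Symantec service are left alone. A hit is a reason to look closer (google the file, check its vendor and location), not proof of infection on its own, and a clean pass is not proof of a clean machine, since these checks only cover what HijackThis itself reports.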
 
This one is tough, I haven't looked since before Christmas. At that time solutions were in process.

Current threads by yellowhammer at castlecops would give you an idea of what's being tried right now.

You can also search on ieautosearch at castlecops, spywareinfo (you'll need a membership), and bleeping computer. As I said solutions were starting to emerge but I don't understand enough about some of what is going on there to give you good specific advice.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
I've been reading castlecops and bleeping and posted at both sites but haven't gotten a response from either and it's just killing me!!

I don't mind being patient, but I feel like I'm in limbo.

I've tried some of what yellowhammer has suggested, but unfortunately some of the symptoms are not the same, so I'm uncomfortable with running his reg hacks unless they are directed to this user's specific infection.

Waiting is the hard part :eek:/

Just updating everyone on this.
 
BTW crow053....


You are my hero. I'm the only one in my department that can half-way read those hijack logs, so trying to explain to 10 other people for support is a bear, and you just saved me countless hours of training and secondary support!!!

You get a kudos!!
 
aw shucks, twerent nothing. ;) Glad I could help. The experts here and Castle cops are excellent in reading hijack this logs. That site is good for starters though
 
I understand the frustration.

Castlecops gets hundreds of posts a day which in itself creates problems in getting a response. When you add to that a newer and difficult infection to repair, that reduces the number of helpers that are qualified to help repair a problem and/or have the time for all the repeat posts necessary to walk through it with you.

Blender at spywarewarrior is another person whose advice you could review to see if you can follow comparisons with your system.

 
You can also apply to join spywareinfo boot camp here:


I think you might find that helpful over a longer period of time.

(Also (my soapbox), with posting at multiple sites, when you get your problem fixed at one, please give the other sites the courtesy of a last post in your threads letting them know the problem is resolved. Just by accident I have found situations where I have responded to someone on one site after they have gotten their problem fixed at another site. It is disappointing to waste that time when others need the help. (off my soapbox) )


 
In the absence of other help, here are three umonitor logs at castlecops with responses by three different experts,
Metallica, daemon, and yellowhammer. I do not have the time to do this right now, but my first effort at trying to understand how to fix your situation would be to print these three threads and compare the analysis in them to your log. If you type umonitor in the castlecops search box you can see several other threads in process.


 
I found your castlecops thread here:

Comments for you to consider along with other input.

I looked at a couple of Yellowhammer's posts and then studied your file.

I have listed below areas that I think might be problems.

Directory of C:\WINDOWS\System32

01/04/2005 03:11 PM 224,957 lvpu0979e.dll
01/04/2005 09:17 AM 225,401 enj6l11s1.dll
12/31/2004 02:02 PM 223,023 nyrssv.dll
12/31/2004 10:40 AM 223,931 uchisapi.dll
12/30/2004 03:29 PM 224,719 hr0205doe.dll

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is A0A2-A5FF

Directory of C:\WINDOWS\System32

01/04/2005 03:46 PM 225,401 guard.tmp

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD7B17FE-2F5E-417F-9F8E-95940C2C82FF}"=""


------------ Keys Under Notify ------------

REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enj6l11s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
fpj203~1.dll Mon Jan 3 2005 4:45:06p ..S.R 225,401 220.12 K
hr0205~1.dll Thu Dec 30 2004 3:29:22p ..S.R 224,719 219.45 K
lv2809~1.dll Tue Jan 4 2005 9:06:44a ..S.R 224,957 219.68 K
nyrssv.dll Fri Dec 31 2004 2:02:40p ..S.R 223,023 217.79 K
uchisapi.dll Fri Dec 31 2004 10:40:20a ..S.R 223,931 218.68 K

------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\SYSTEM32\
enj6l1~1.dll Tue Jan 4 2005 9:17:24a ..S.R 225,401 220.12 K
hr0205~1.dll Thu Dec 30 2004 3:29:22p ..S.R 224,719 219.45 K
lvpu09~1.dll Tue Jan 4 2005 3:11:28p ..S.R 224,957 219.68 K
nyrssv.dll Fri Dec 31 2004 2:02:40p ..S.R 223,023 217.79 K
uchisapi.dll Fri Dec 31 2004 10:40:20a ..S.R 223,931 218.68 K


O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com


If this was my machine:
I would google all the dll files and make a judgement about good or bad.
I would create some backup that would allow getting back to where I am now.
I would then take the information above and craft a repair following Yellowhammer's sequence of actions.
This repair would include, in the proper order,
Deleting all the bad dll files and the guard.tmp file using the delete techniques including killbox as described by Yellowhammer.
A registry fix for the user agent and notify keys above-again following Yellowhammers patterns of repair for each item.
Fixing the hosts lines in the hijackthis log.
Running new logs for further analysis.

I would also work on permanently removing any stuff temporarily disabled by toolbarcop (per comments at bleepingcomputer).


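The Find-it output quoted in the post above is the kind of evidence that has to be correlated by hand: a run of DLLs of nearly the same size dropped into System32 over a few days, a guard.tmp of exactly the same size as one of them, and a Winlogon\Notify entry whose DllName points at a member of that group. The Python below is an added example (not code from the thread, from Find-it, or from any forum helper) that does that correlation over text in the same two formats. The dir listing and the REGEDIT4 export it contains are constructed from the output above, with one made-up placeholder_legit.dll added to show a file the size clustering must leave alone; the one-percent tolerance and the function names are this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample in the format of the Find-it "dir" output quoted above.
# The five DLL lines and the guard.tmp line copy names, sizes and times from
# that output; placeholder_legit.dll is made up (an old, much larger file)
# to show what the clustering must NOT pick up.
DIR_LISTING = r"""
Directory of C:\WINDOWS\System32

08/29/2002 06:00 AM 983,552 placeholder_legit.dll
01/04/2005 03:11 PM 224,957 lvpu0979e.dll
01/04/2005 09:17 AM 225,401 enj6l11s1.dll
12/31/2004 02:02 PM 223,023 nyrssv.dll
12/31/2004 10:40 AM 223,931 uchisapi.dll
12/30/2004 03:29 PM 224,719 hr0205doe.dll
01/04/2005 03:46 PM 225,401 guard.tmp
"""

# Constructed sample in REGEDIT4 format, copied from the Notify key quoted above.
NOTIFY_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enj6l11s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""

# "MM/DD/YYYY HH:MM AM  size  name" as printed by the XP "dir" command.
DIR_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")


def parse_dir(text):
    """Return [{'name', 'size', 'mtime'}] for each file line of a dir listing."""
    files = []
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            stamp = " ".join(m.group(1).split())
            files.append({
                "name": m.group(3).lower(),
                "size": int(m.group(2).replace(",", "")),
                "mtime": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
            })
    return files


def notify_dlls(reg_text):
    """Basenames of every DllName value in a REGEDIT4 export of Winlogon\\Notify."""
    paths = re.findall(r'"DllName"="([^"]+)"', reg_text)
    # .reg files double the backslashes, so split on one or more of them.
    return [re.split(r"\\+", p)[-1].lower() for p in paths]


def size_clusters(files, tol=0.01, min_members=3):
    """Chain files whose sizes are within tol of the previous one; keep groups of >= min_members."""
    ordered = sorted(files, key=lambda f: f["size"])
    clusters, current = [], []
    for f in ordered:
        if current and f["size"] - current[-1]["size"] > tol * current[-1]["size"]:
            clusters.append(current)
            current = []
        current.append(f)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= min_members]


def correlate(dir_text, reg_text):
    """Tie the size cluster, any same-size twins, and the Notify hook DLL together."""
    files, hooks = parse_dir(dir_text), notify_dlls(reg_text)
    result = {"cluster": [], "first_seen": None, "twins": [], "notify_hooks": []}
    clusters = size_clusters(files)
    if not clusters:
        return result
    cluster = max(clusters, key=len)
    names = {f["name"] for f in cluster}
    result["cluster"] = sorted(names)
    result["first_seen"] = min(f["mtime"] for f in cluster)   # when the drops began
    by_size = {}
    for f in cluster:                                          # identical size = renamed copy
        by_size.setdefault(f["size"], []).append(f["name"])
    result["twins"] = [tuple(sorted(n)) for n in by_size.values() if len(n) > 1]
    result["notify_hooks"] = [h for h in hooks if h in names]  # hook DLL is one of the drops
    return result


if __name__ == "__main__":
    for key, value in correlate(DIR_LISTING, NOTIFY_EXPORT).items():
        print(f"{key}: {value}")
```

The output names the six-file cluster, dates its first member to 30 Dec 2004, pairs guard.tmp with enj6l11s1.dll as same-size twins, and reports enj6l11s1.dll as the Winlogon Notify hook. Those four facts are what the repair list in the post above is built on: every file in the cluster goes, the twin is the file that will be copied back if it is missed, and the hook is the key that has to be removed in the same pass.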
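For the registry part of the repair sequence listed above (the User Agent and Notify keys), this is the shape of a REGEDIT4 fix file. It is an added example, not a file posted in this thread or by Yellowhammer; the key paths and the GUID are the ones quoted in the Find-it output above. A minus sign inside the brackets deletes the whole subkey, and a value set to a bare minus deletes that value.

```reg
REGEDIT4

; Remove the Winlogon Notify subkey whose DllName points at enj6l11s1.dll
; (a minus before the key path deletes the subkey and all its values).
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]

; Remove the bogus User Agent token (a value set to "-" is deleted).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD7B17FE-2F5E-417F-9F8E-95940C2C82FF}"=-
```

Order matters, as the post says: a Notify DLL is loaded into winlogon.exe at every boot and cannot be deleted while it is in use, which is why the file deletions (Killbox's delete-on-reboot) come first and this fix is applied before the next normal logon, followed by a fresh HijackThis log and Find-it run to confirm that both the key and the files stayed gone.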
 
Thanks diogenes10.

I will do my best to work on your suggestions and post here and everywhere if it works.

I should know the answer in the next 24-48hours depending on whether or not I can get a hold of my customer.

 
I would wait to make a post in the other forums right now until you know you have a fix. The reason is that right now your threads will come up as unanswered when someone checks and you may still get a reply from one of the experts there with detailed steps which will be a better help to you than what I have done here. Once you make another post in those threads, they will no longer be visible to someone scanning for unanswered threads.

 
Well, I have bad news. I've had to tell the customer to call a local technician. It's very hard to troubleshoot over the phone when you're several thousand miles away and unable to do a remote assistance.

I was able to run a Spybot S&D and found out that she had DyFuCa and Cool that we were unable to remove with S&D. Of course I tried to run the killCWS and then the CWShredder, but it was in vain.

I tried to run another Find-it because, after posting my original Find-it, it is my belief that she had rebooted and therefore changed the contents of the Find-it, so all the files I tried to kill in the Killbox weren't there and the files were nowhere to be found when doing a search (with hidden files and folders selected). But whenever I tried to run Find.bat it would flash the DOS screen for a few seconds, say file not found, and then disappear, so I don't know what's up with that.

Anyway, they were tired of dealing with the issue (for a week now) and so I recommended a local tech and if they are unable to resolve then they may have to reformat and reload.

I really do appreciate everyone's help. My job sucks sometimes because all my work is done over the phone with customers spread through the US. If I'm lucky I can do a remote into their system and fix it myself, but other times it's a bunch of OTP steps with emails of hijack logs and the like, so it's pretty tough. I love the challenge though!!!

Thanks again for everyone's suggestions and in the future, I hope I can be more successful on the next victim, I mean customer LOL!!
 
You're best trying to tell them to post a HijackThis log at a reputable site, although that's beyond most of them.

khaz
 