Virus Problem!

Mike S

My free AVG virus program alerted me to a virus and said
it healed it. But my screen shows "Warning your in
danger" a red x on the task bar says my computer is
infected and takes me to AV Gold Antivirus. I also get
a ! in a triangle that says my ISP might be tracking my
private info.

I have turned off restore, run Adaware, Spybot and AVG
after updating.

AVG shows two viruses Trojan Horses Puper.C and Puper.D
but says it heals them.

An online Symantec virus detection says I have
Download.Trojan and SecurityRisk.Oleadm and the
Trojan.Prova. It also says I have some adware problems
but a search cannot find those files.

Any suggestions?
 
Mike S

Each scan takes one and a quarter hours. Will this site
give me the ability to fix or just identify?

The frustration is that each different company scan gives
me different virus names in different files but not
useful info on how to remove if I don't have their brand
of antivirus software.
 
plun

Hi

Viruses ARE frustrating; if you want the best, try this:

http://www.nod32.com/home/home.htm
Free trial.

Or

Taken from microsoft.public.security.virus, David H. Lipman

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete
Files


Dump the contents of the Mozilla FireFox Cache
Tools --> Options --> Privacy --> Cache --> Clear


1) Download TrendMicro Sysclean by either of the following 2 methods

Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt611.zip

Extract the contents of the ZIP file and place the contents in the same directory as SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend
Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

2) Download Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

-- Dave http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
AndyManchesta

This does sound like you have some big problems. If you
still need assistance, can you do this:


Download Hijack This :

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save it to its own folder (Desktop or C: drive), extract and
run it, choose to run a scan and save the logfile.

When it has scanned your PC it will open the results in
Notepad; post that back to show what's running.



Before you make a HijackThis log, follow these tips now that
you know you are infected:

Download Ccleaner

http://download.ccleaner.com/download119bin.asp




1. Turn off Windows System Restore

Click Start
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System
Restore on all drives" check box
Click Apply
Click OK.

This will delete all existing restore points. Click Yes
to do this (you can re-enable this once you are clean by
following the above steps but unchecking the box "Turn
off System Restore" before pressing Apply, then exit).


Reboot !



2. Run an online virus scan at any of these sites:


Trend Micro

http://housecall.antivirus.com/

Panda

http://www.pandasoftware.com/activescan/

Bitdefender

http://www.bitdefender.com/scan/Msie/index.php



3. After the scans have finished, run CCleaner on all three
settings (Windows, Issues & Applications) and remove
anything found.


4. Reboot and check your system for malware. If it's still
present, download Sysclean from Trend Micro (skip this
stage if you are unsure about anything and use HijackThis
instead):


Download Trend Micro's Sysclean

Two stages to this :

Download sysclean :

http://www.trendmicro.com/ftp/products/tsc/sysclean.com


Save it to its own folder (either desktop or C: drive) and
extract.

This tool does the following:

o Terminate all malware instances in memory
o Remove malware registry entries
o Remove malware entries from system files
o Delete all malware copies in all local hard drives


Requirements

Download the latest pattern file from the following
location:

http://www.trendmicro.com/ftp/products/pattern/lpt655.zip


This file must be saved in the same folder where you run
this fix package.


How to Use

Create a folder (right-click the C: drive or desktop, choose
New from the list then Folder, name it and press Enter),
then copy SYSCLEAN.COM into this folder.

Download latest pattern file. Extract the downloaded ZIP
pattern file or copy and paste into the created folder.

Close all applications running on your system, including
any antivirus software.

Run the executable file, SYSCLEAN.COM, by Double-clicking
the tool in Windows Explorer.

After the tool finishes its clean up it will save a text
file which contains the results of the scan and shows if
any viruses were found or cleaned.


Reboot

5. Run HijackThis and post back the log.





Regards AndyManc
 
Bill Sanderson

TrendMicro's scan will clean as well as identify. However, if cleaning is
of any complexity, requiring, say, a reboot or safe mode, you'd need a
different tool. plun has given the details on sysclean, which is an
excellent alternative--but somewhat more complex to use.

--
 
Mike S

Ccleaner found nothing but many locked files.

Sysclean found nothing on C but many locked files. It
found and maybe cleaned the QHOSTS.A that TrendMicro scan
saw.

Problem still persists.

Will try Hijack this next.
 
Mike S

Nod32 found nothing.

Sysclean found nothing.

Both found locked files. Going to try Hijack this.

Any other thoughts? I feel it is the Puper C virus of
May 17/05
 
AndyManchesta

Hi again Mike,

See how you get on with Sysclean and then post the HijackThis
log to show exactly what is running on your PC. Also use
Ewido Security Suite and run a full scan with that if the
online scans are taking a couple of hours each time and
not clearing it.

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

(Update then run a full system scan in safe mode together
with sysclean)



It may be because all the virus files are stored in the
Windows folder and are all in use, which is preventing the
scanners from removing them.


Before running the scanners, check Task Manager (press
Ctrl, Alt & Delete together), then go to Processes and
check for these:

notepad2.exe
popuper.exe
intmonp.exe
intmon.exe
paint.exe
shnlog.exe
aolfix.exe


End process for any found.



Turn off System Restore before running any fixes.


Puper.C


intmonp.exe monitors the main process, and restarts it if
it is terminated. The main process restarts the
monitoring process if it is terminated, and recreates it
if it is deleted.

Files connected to this:


C:\WINDOWS\winsx.cab
C:\WINDOWS\winsx.dll
C:\WINDOWS\System32\winsx.dll
C:\WINDOWS\System32\intmonp.exe
notepad2.exe
popuper.exe

It also creates the following registry entry to ensure it is
run when the infected computer starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

notepad2.exe
popuper.exe

The restarting of the main process by intmonp.exe only
works if the Trojan file is named popuper.exe.
Therefore, the system can be disinfected by first
changing the name of the file popuper.exe, and then
terminating the popuper.exe process.
intmonp.exe will then terminate itself when it cannot
find the main file to re-execute it. Both files can then
be deleted and the registry cleaned.




Puper.D


Files connected to this:

C:\WINDOWS\System32\hhk.dll
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\hpXX.tmp - where XX denotes randomly
generated characters.
paint.exe
shnlog.exe


In order to run itself on startup, the Trojan creates the
following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run


paint.exe
shnlog.exe


As with Puper.C, intmon.exe monitors the main process, and
restarts it if it is terminated. Meanwhile the main
process restarts the monitoring process if it is
terminated, and recreates the file intmon.exe if it is
deleted.


Troj/Puper-D changes settings for Microsoft Internet
Explorer, including Start Page and search settings, by
modifying values (HijackThis would make this part easier):

HKCU\Software\Microsoft\Internet Explorer\Main
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchUrl


Registry entries are set as follows:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)\(default)

The file hpXX.tmp is registered as a COM object and
Browser Helper Object (BHO) for Microsoft Internet
Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)
HKCR\CLSID\VMHomepage
HKCR\CLSID\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)
HKCR\Interface\(1E1B2878-88FF-11D2-8D96-D7ACAC95951F)
HKCR\TypeLib\(1E1B286C-88FF-11D2-8D96-D7ACAC95951F)
HKCR\VMHomepage


The restarting of the main process by intmon.exe only
works if the main Trojan file is named shnlog.exe.
Therefore, both processes can be terminated by changing
the name of the file shnlog.exe, then terminating the
shnlog.exe process.
intmon.exe will then terminate itself when it cannot find
the main file to re-execute it. Both files can then be
deleted and the registry cleaned.
After shnlog.exe has been cleared from the system,
standard procedures can be used for disinfection of the
other two components.




Trojan.Qhosts



Qhost is a trojan that prevents access to certain web
sites and reroutes traffic to certain IP addresses. It
also modifies the DNS setting so the unsuspecting user
might be redirected to sites other than those intended.


It is copied onto the system as aolfix.exe. When
aolfix.exe is automatically executed it drops a .bat file
in the directory c:\bdtmp\tmp and executes that file;
the name is randomly generated from numerical characters.
The .bat file drops these files:


On all systems:
C:\WINDOWS\System32\o.reg

On 2000/XP systems:

C:\WINDOWS\System32\o2.reg
C:\WINDOWS\System32\o.vbs

The o.vbs goes through every key under the keys below and
changes the NameServer value to a certain IP number.


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\


After that it will create a new hosts file in the
directories %windir%\hosts and %windir%\help\hosts. That
file will contain text that looks something like this:


<random ip number> elite
<random ip number> www.google.akadns.net
<random ip number> www.google.com
<random ip number> google.com
<random ip number> www.altavista.com
<random ip number> altavista.com
<random ip number> search.yahoo.com
<random ip number> uk.search.yahoo.com
<random ip number> ca.search.yahoo.com
<random ip number> jp.search.yahoo.com
....


After it has completed the above tasks it will delete the
files it dropped. But the C:\bdtmp\tmp directory will
still be there, empty.




Go to Start->Run and type in regedit and press [ENTER].
Then change the following registry keys.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]

"EnableDNS"="1" change this value to "0"
"HostName"="host" remove this value
"Domain"="mydomain.com" remove this value


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Search Page"="http://www.google.com" remove this value
"Search Bar"="http://www.google.com/ie" remove this value


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]

""="http://www.google.com/keyword/%s" remove this value
"provider"="gogl" remove this value


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

"SearchAssistant"="http://www.google.com/ie" remove this value

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]

"DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]

"DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


Close regedit.


Now locate the dropped hosts file and delete it.

It is located here :

\Windows\help\hosts




HTML.Helpcontrol



HTML.Helpcontrol!exploit is a generic detection of web
pages or e-mail messages which attempt to exploit
the "Microsoft Internet Explorer HTML Help Control Local
Zone Security Restriction Bypass" vulnerability.
(Basically you have visited a malicious web site that has
written malicious code into their web pages to infect
people with malware, probably where most of your problems
came from.) Crack & serial websites are the worst offenders
for this.

This does not necessarily mean that a virus has been
found. It merely means that HTML code was found which
attempts to activate additional executable code without
the user's express permission.

Maybe it remains in a quarantine folder belonging to your
antivirus software which may need clearing. If it's showing
in temp folders, then use CCleaner, or open an Internet
Explorer window, go to Tools then Internet Options and delete
cookies and files (include all offline content when
deleting files).




Win32.alemond.A


I've not heard of this one, and even searching eTrust's isn't
showing a match for this. If eTrust has detected this on
the C: drive, double check the spelling or see if it shows
where the virus is saved and under what name. Again it
could be detecting something in a quarantine folder that
belongs to the antivirus software (to check this, open the
C: drive, then the folder for the antivirus software you
have, and check there for a quarantine folder; if found,
open the folder and delete the contents but not the
folder).





Regards Andy Manc
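A small checker for the two Qhosts symptoms described above (a hosts file that maps search engines to an outside address, and a Tcpip DataBasePath pointed away from drivers\etc). This is an added example, not code from any poster in this thread; the sample hosts content, the TEST-NET addresses in it and the local-address list are constructed assumptions.

```python
import ipaddress

# Names the Qhosts write-up above lists as redirected by the dropped hosts
# file; a legitimate hosts entry for these would only ever be a local address.
WATCHED_DOMAINS = {
    "www.google.akadns.net", "www.google.com", "google.com",
    "www.altavista.com", "altavista.com", "search.yahoo.com",
    "uk.search.yahoo.com", "ca.search.yahoo.com", "jp.search.yahoo.com",
}
# Assumption: the only addresses a hosts entry for those names may carry.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Where Windows keeps its real hosts file (the Qhosts fix restores this value).
EXPECTED_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text,
    skipping comments, blank lines and lines whose first field is not an IP."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield n, ip, name.lower()


def find_hijacks(text):
    """Classify every non-local mapping: 'redirect' for a watched search
    domain, 'marker' for the bare 'elite' tag the write-up shows, and
    'review' for anything else, so an admin can judge the remainder."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if ip in LOCAL_ADDRS:
            continue
        if name in WATCHED_DOMAINS:
            verdict = "redirect"
        elif name == "elite":
            verdict = "marker"
        else:
            verdict = "review"
        findings.append((n, ip, name, verdict))
    return findings


def databasepath_ok(value):
    """True when the Tcpip DataBasePath value points at the normal hosts dir."""
    return value.strip().lower().rstrip("\\") == EXPECTED_DATABASEPATH.lower()


SAMPLE_HOSTS = """\
# constructed sample modelled on the Qhosts hosts file; 203.0.113.x and
# 192.0.2.x are documentation (TEST-NET) addresses, not real servers
127.0.0.1       localhost
203.0.113.10    elite
203.0.113.10    www.google.com
203.0.113.10    google.com
203.0.113.10    search.yahoo.com
192.0.2.5       intranet.example   # a legitimate local override
"""

if __name__ == "__main__":
    for n, ip, name, verdict in find_hijacks(SAMPLE_HOSTS):
        print(f"line {n}: {ip} -> {name} [{verdict}]")
    print("DataBasePath ok:", databasepath_ok(r"%SystemRoot%\help"))
```

On a live machine, read %windir%\System32\drivers\etc\hosts and %windir%\help\hosts and pass their contents to find_hijacks; the DataBasePath value comes from the Tcpip\Parameters key named in the post.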
 
Mike S

Wow thanks Andy,

Here is my log in case I mess up deleting on Hijack and
cannot get back on for a while. I recognize the Puper C
and D files you mentioned as these were the ones I tried
to delete and couldn't. The weird thing was that I found
them on a search, they said they couldn't be deleted and
then I could not find them again on another search.

I'll read thru what you said. Then delete and post back
if I can.

Thanks,

Mike

Log =

Logfile of HijackThis v1.99.1
Scan saved at 12:25:40 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Mike\Start Menu\Programs\HijackThis.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp8906.tmp (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://142.36.244.87:8888/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100231976280
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: c:\windows\system32\hk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

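An added example, not code from any poster here, that runs the checks Andy's advice implies over HijackThis-style lines: R0/R1 settings pointing at a host outside an allowlist, a system.ini Shell= value with entries beyond explorer.exe, an O2 BHO whose file is missing, O4 autoruns launching one of the watchlisted process names, and any non-empty AppInit_DLLs value. The sample lines are constructed from Mike's log above; the TRUSTED allowlist and the policies\explorer\Run O4 line are assumptions.

```python
import re
from urllib.parse import urlparse

# Process names Andy's post tells the reader to look for in Task Manager.
WATCHLIST = {"notepad2.exe", "popuper.exe", "intmonp.exe", "intmon.exe",
             "paint.exe", "shnlog.exe", "aolfix.exe"}
# Hosts the user's IE start/search settings are expected to point at.
# Assumption: a constructed allowlist; adjust it for the machine you triage.
TRUSTED = {"about:blank", "www.google.com", "www.msn.com"}

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def url_host(value):
    """Host part of a URL setting, or the bare value for non-URL settings."""
    value = value.strip()
    return urlparse(value).netloc.lower() if "://" in value else value.lower()


def run_target(body):
    """Basename of the executable in an O4 entry such as
    'HKLM\\..\\Run: [Name] "C:\\dir\\prog.exe" /arg' (empty if none found)."""
    if "] " not in body:
        return ""
    target = body.split("] ", 1)[1].strip().lstrip('"')
    end = target.lower().find(".exe")
    if end == -1:
        return ""
    return target[:end + 4].rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (kind, reason) pairs for the log lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "=" in body:
            host = url_host(body.split("=", 1)[1])
            if host and host not in TRUSTED:
                findings.append((kind, f"IE start/search setting points at {host}"))
        elif kind == "F2" and "Shell=" in body:
            shells = [s.strip().lower() for s in body.split("Shell=", 1)[1].split(",")]
            extra = [s for s in shells if s and s != "explorer.exe"]
            if extra:
                findings.append((kind, "extra shell entries: " + ", ".join(extra)))
        elif kind == "O2" and "(file missing)" in body:
            findings.append((kind, "BHO registered but its file is missing"))
        elif kind == "O4":
            exe = run_target(body)
            if exe in WATCHLIST:
                findings.append((kind, f"autorun entry launches watchlisted {exe}"))
        elif kind == "O20" and "AppInit_DLLs:" in body:
            dlls = body.split("AppInit_DLLs:", 1)[1].strip()
            if dlls:
                findings.append((kind, f"AppInit_DLLs loads {dlls} into every process"))
    return findings


# Constructed sample: lines taken from the log above plus one made-up
# policies\explorer\Run entry of the kind the Puper write-up describes.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp8906.tmp (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\policies\explorer\Run: [notepad2] C:\WINDOWS\System32\popuper.exe
O20 - AppInit_DLLs: c:\windows\system32\hk.dll
"""

if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}")
```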
 
Mike S

Analysis shows this one with a red exclamation mark.

How do I fix? Can I just delete using Hijack?

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
Nasty Added as result of a W32/Forbot-BD worm infection
Hit rate: 82 % (result) Must be fixed!
 
Mike S

For the record. The eTrust data as I wrote it down was
wininet.dll.....win32.alemond.a.....C:\Windows\$ntuninstallk8890923$\content.ie50d4targ9

Tried deleting with Hijack This, have restore off but
still have problem.

Will re-read your suggestions and try again.

-----Original Message-----
Wow thanks Andy,

Here is my log in case I mess up deleting in HijackThis and
cannot get back on for a while. I recognize the Puper.C
and .D files you mentioned as these were the ones I tried
to delete and couldn't. The weird thing was that I found
them on a search, it said they couldn't be deleted, and
then I could not find them again on another search.

I'll read through what you said. Then delete and post back
if I can.

Thanks,

Mike

Log =

Logfile of HijackThis v1.99.1
Scan saved at 12:25:40 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Mike\Start Menu\Programs\HijackThis.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp8906.tmp (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://142.36.244.87:8888/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100231976280
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: c:\windows\system32\hk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

-----Original Message-----

Hi Again Mike ,

See how you get on with Sysclean and then post the HijackThis
log to show exactly what is running on your PC. Also use
Ewido Security Suite and run a full scan with that if the
online scans are taking a couple of hours each time and
not clearing it.

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

(Update it, then run a full system scan in Safe Mode together
with Sysclean.)



It may be because all the virus files are stored in the
Windows folder and are all in use, which is preventing the
scanners from removing them.


Before running the scanners, check Task Manager and end the
process for any of these (press Control, Alt & Delete
together, then go to Processes and check for these):

notepad2.exe
popuper.exe
intmonp.exe
intmon.exe
paint.exe
shnlog.exe
aolfix.exe


End the process for any found.



Turn off System Restore before running any fixes.


Puper.C


intmonp.exe monitors the main process, and restarts it if
it is terminated. The main process restarts the
monitoring process if it is terminated, and recreates it
if it is deleted.

Files connected to this:


C:\WINDOWS\winsx.cab
C:\WINDOWS\winsx.dll
C:\WINDOWS\System32\winsx.dll
C:\WINDOWS\System32\intmonp.exe
notepad2.exe
popuper.exe

It also creates the following registry entry to ensure it is
run when the infected computer starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

notepad2.exe
popuper.exe

The restarting of the main process by intmonp.exe only
works if the Trojan file is named popuper.exe.
Therefore, the system can be disinfected by first
changing the name of the file popuper.exe, and then
terminating the popuper.exe process.
intmonp.exe will then terminate itself when it cannot
find the main file to re-execute it. Both files can then
be deleted and the registry cleaned.




Puper.D


Files connected to this:

C:\WINDOWS\System32\hhk.dll
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\hpXX.tmp - where XX denotes randomly
generated characters.
paint.exe
shnlog.exe


In order to run itself on startup, the Trojan creates the
following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

paint.exe
shnlog.exe


As with Puper.C, intmon.exe monitors the main process, and
restarts it if it is terminated. Meanwhile the main
process restarts the monitoring process if it is
terminated, and recreates the file intmon.exe if it is
deleted.


Troj/Puper-D changes settings for Microsoft Internet
Explorer, including Start Page and search settings, by
modifying values under (HijackThis would make this part easier):

HKCU\Software\Microsoft\Internet Explorer\Main
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchUrl


Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(default)

The file hpXX.tmp is registered as a COM object and
Browser Helper Object (BHO) for Microsoft Internet
Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKCR\CLSID\VMHomepage
HKCR\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKCR\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}
HKCR\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
HKCR\VMHomepage


The restarting of the main process by intmon.exe only
works if the main Trojan file is named shnlog.exe.
Therefore, both processes can be terminated by changing
the name of the file shnlog.exe, then terminating the
shnlog.exe process.
intmon.exe will then terminate itself when it cannot find
the main file to re-execute it. Both files can then be
deleted and the registry cleaned.
After shnlog.exe has been cleared from the system,
standard procedures can be used for disinfection of the
other two components.




Trojan.Qhosts



Qhosts is a trojan that prevents access to certain web
sites and reroutes traffic to certain IP addresses. It
also modifies the DNS settings so the unsuspecting user
might be redirected to sites other than those intended.


It is copied onto the system as aolfix.exe. When
aolfix.exe is automatically executed it drops a .bat file
in the directory c:\bdtmp\tmp and executes that file; the
name is randomly generated from numerical characters.
The .bat file drops these files:


On all systems:
C:\WINDOWS\System32\o.reg

On 2000/XP systems:

C:\WINDOWS\System32\o2.reg
C:\WINDOWS\System32\o.vbs

The o.vbs goes through every key under the keys below and
changes the NameServer value to a certain IP number.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\


After that it will create a new hosts file in the
directories %windir%\hosts and %windir%\help\hosts. That
file will contain text that looks something like this:


<random ip number> elite
<random ip number> www.google.akadns.net
<random ip number> www.google.com
<random ip number> google.com
<random ip number> www.altavista.com
<random ip number> altavista.com
<random ip number> search.yahoo.com
<random ip number> uk.search.yahoo.com
<random ip number> ca.search.yahoo.com
<random ip number> jp.search.yahoo.com
....


After it has completed the above tasks it will delete the
files it dropped. But the C:\bdtmp\tmp directory will
still be there, empty.




Go to Start -> Run, type in regedit and press [ENTER].
Then change the following registry keys.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]

"EnableDNS"="1" change this value to "0"
"HostName"="host" remove this value
"Domain"="mydomain.com" remove this value


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Search Page"="http://www.google.com" remove this value
"Search Bar"="http://www.google.com/ie" remove this value


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]

""="http://www.google.com/keyword/%s" remove this value
"provider"="gogl" remove this value


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

"SearchAssistant"="http://www.google.com/ie" remove this value

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]

"DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]

"DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


Close regedit.


Now locate the dropped hosts file and delete it.

It is located here:

\Windows\help\hosts




HTML.Helpcontrol



HTML.Helpcontrol!exploit is a generic detection of web
pages or e-mail messages which attempt to exploit
the "Microsoft Internet Explorer HTML Help Control Local
Zone Security Restriction Bypass" vulnerability.
(Basically you have visited a malicious web site that has
written malicious code into its web pages to infect
people with malware, probably where most of your problems
came from). Crack & Serial websites are the worst offenders
for this.

This does not necessarily mean that a virus has been
found. It merely means that HTML code was found which
attempts to activate additional executable code without
the user's express permission.

Maybe it remains in a quarantine folder belonging to your
antivirus software which may need clearing. If it's showing
in temp folders, then use CCleaner or open an Internet
window and go to Tools, then Internet Options, and delete
cookies and files (include all offline content when
deleting files).




Win32.alemond.A


I've not heard of this one and even searching eTrust's isn't
showing a match for this. If eTrust has detected this on
the C: drive, double check the spelling or see if it shows
where the virus is saved and under what name. Again it
could be detecting something in a quarantine folder that
belongs to the antivirus software (to check this, open the
C: drive, then the folder for the antivirus software you
have, and check here for a quarantine folder. If found,
open the folder and delete the contents but not the
folder).





Regards Andy Manc

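As an added example (not code from the thread, from HijackThis, or from any vendor named in it), the checks Andy walks through above can be run mechanically over the entry format of Mike's log and over a Qhosts-style hosts file. The indicator names come from the thread; the sample log entries and hosts lines are constructed, and 192.0.2.10 is a placeholder address, not one from the thread.

```python
"""Triage for the indicators this thread describes (added example, not code
from the thread, HijackThis or any vendor named above). Parses the R0/R1/F2/
O2/O4/O20 entry format of the HijackThis log pasted above plus a Windows hosts
file, and flags only what the thread itself names. Sample inputs are constructed."""
import re
from typing import List, Tuple

# File names from the Puper.C/D and Qhosts write-ups and the suspect lines of Mike's log.
PUPER_FILES = {"notepad2.exe", "popuper.exe", "intmonp.exe", "intmon.exe", "paint.exe",
               "shnlog.exe", "aolfix.exe", "hookdump.exe", "psguard.exe", "hk.dll", "hhk.dll"}
HIJACK_DOMAIN = "updatesearches.com"               # where Mike's R0/R1 entries point IE
PUPER_BHO_CLSID = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"   # Puper.D VMHomepage BHO
QHOSTS_TARGETS = ("google.", "altavista.", "search.yahoo.com")  # names Qhosts pins
ENTRY_RE = re.compile(r"^(R0|R1|F2|O2|O4|O20) - (.*)$")


def _exe_name(command: str) -> str:
    """Lower-cased file name of the program an autorun command launches."""
    command = command.strip()
    if command.startswith('"'):            # "C:\Program Files\x.exe" /switch
        exe = command[1:].split('"', 1)[0]
    else:                                   # C:\path\x.exe /switch
        exe = command.split(" /", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage_hijackthis(log_text: str) -> List[Tuple[str, str]]:
    """(entry, reason) for each log entry matching the thread's indicators;
    legitimate entries (AVG, HP, Skype, ...) are left alone."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        reason = None
        if kind in ("R0", "R1"):
            host = re.search(r"https?://([^/\s]+)", body)
            if host and host.group(1).endswith(HIJACK_DOMAIN):
                reason = "IE page/search setting redirected to " + host.group(1)
        elif kind == "F2":
            shell = re.search(r"Shell=(.*)", body)
            if shell and shell.group(1).strip().lower() != "explorer.exe":
                reason = "extra program chained onto Shell= (expected explorer.exe only)"
        elif kind == "O2" and (PUPER_BHO_CLSID in body.upper() or "(file missing)" in body):
            reason = "BHO matches the Puper.D VMHomepage CLSID or has no file on disk"
        elif kind == "O4" and _exe_name(body.split("] ", 1)[-1]) in PUPER_FILES:
            reason = "autorun launches a file named in the Puper/Qhosts write-ups"
        elif kind == "O20" and _exe_name(body.split(":", 1)[-1]) in PUPER_FILES:
            reason = "AppInit_DLLs loads a DLL named in the Puper write-ups"
        if reason:
            findings.append((raw.strip(), reason))
    return findings


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """(ip, name) pairs pinning a search-engine name to a non-loopback address,
    the shape of the hosts file Qhosts drops into %windir%\\help."""
    bad = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            continue                        # comments, blanks, loopback/blackhole lines
        bad.extend((fields[0], n) for n in fields[1:]
                   if any(t in n.lower() for t in QHOSTS_TARGETS))
    return bad


# Constructed samples: entries in the form of Mike's log above, and a hosts file in
# the Qhosts shape (192.0.2.10 is a documentation-range placeholder, not from the thread).
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/",
    r"F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe",
    r"O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp8906.tmp (file missing)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe",
    r'O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized',
    r"O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe",
    r"O20 - AppInit_DLLs: c:\windows\system32\hk.dll",
])
SAMPLE_HOSTS = """127.0.0.1 localhost
192.0.2.10 elite
192.0.2.10 www.google.akadns.net
192.0.2.10 www.google.com
192.0.2.10 search.yahoo.com
127.0.0.1 ad.example.net  # loopback entries are the benign use of a hosts file
"""

if __name__ == "__main__":
    for entry, why in triage_hijackthis(SAMPLE_LOG):
        print(f"FLAG  {why}\n      {entry}")
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS {name} -> {ip}")
```

The F2 and O2 checks deliberately flag "needs a look" rather than "malicious": a Shell= line with anything after explorer.exe, or a BHO whose file is gone, is exactly what Mike's log shows for the pieces Ewido later removed.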
 

Mike S

Wait! Wait! I have had partial success!

My IE has the correct home page and is no longer blank!

But my background is still the black background with the
yellow warning telling me I am in danger as I have
spyware.

I will pursue.

 

Mikolaj

Analysis shows this one with a red exclamation mark.
How do I fix it? Can I just delete it using HijackThis?

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
Nasty: Added as result of a W32/Forbot-BD worm infection
Hit rate: 82 % (result) Must be fixed!

Take a look here:
http://www.processlibrary.com/directory/files/msmgs/index.php

Start the computer in Safe Mode (F8 during startup)
and delete this file: C:\WINDOWS\system32\msmsgs.exe.

Also check the computer in Safe Mode with antivirus
software with current signatures, and of course you can
check the system (again in Safe Mode) with the
following apps:

Spybot Search&Destroy http://www.safer-networking.org/en/spybotsd/index.html
HijackThis http://www.majorgeeks.com/download3155.html
CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Ad-Aware SE Personal http://www.lavasoft.com/software/adaware/
McAfee Stinger http://vil.nai.com/vil/stinger/
 

Mike S

Gee Andy,

I still cannot get my background back.

Ran Ewido in Safe Mode and it found and said it cleaned
the Puper.M virus along with a lot of spyware. It took more
than the 1 1/4 hours, as it stopped for each virus and
waited for a response. But it did find them.

Can you think of a file that I can delete that will put my
background back?

It is there and shows up briefly, but the warning covers
it and lets the icons show through. I really feel I have
got the virus but just can't get rid of the file that is
covering my background.

Of course the real proof of how much damage I have done
will come over the next few days as I try to use my normal
programs.

Thanks for your help. I won't give up.

Mike
-----Original Message-----
Wow thanks Andy,

Here is my log in case I mess up deleting in HijackThis and
cannot get back on for a while. I recognize the Puper.C
and Puper.D files you mentioned, as these were the ones I tried
to delete and couldn't. The weird thing was that I found
them in a search, it said they couldn't be deleted, and
then I could not find them again in another search.

I'll read through what you said, then delete and post back
if I can.

Thanks,

Mike

Log =

Logfile of HijackThis v1.99.1
Scan saved at 12:25:40 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Mike\Start Menu\Programs\HijackThis.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp8906.tmp (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://142.36.244.87:8888/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100231976280
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: c:\windows\system32\hk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

-----Original Message-----

Hi Again Mike,

See how you get on with Sysclean and then post the HijackThis
log to show exactly what is running on your PC. Also use
Ewido Security Suite and run a full scan with that if the
online scans are taking a couple of hours each time and
not clearing it.

Download Ewido Security Suite

http://download.ewido.net/ewido-setup.exe

(Update, then run a full system scan in Safe Mode together
with Sysclean)



It may be because all the virus files are stored in the
Windows folder and are all in use, which is preventing the
scanners from removing them.


Before running the scanners, check Task Manager and end the
process for any of these (press Control, Alt & Delete
together, then go to Processes and check for these):

notepad2.exe
popuper.exe
intmonp.exe
intmon.exe
paint.exe
shnlog.exe
aolfix.exe


End the process for any found.



Turn off System Restore before running any fixes.


Puper.C


intmonp.exe monitors the main process, and restarts it if
it is terminated. The main process restarts the
monitoring process if it is terminated, and recreates it
if it is deleted.

Files connected to this:


C:\WINDOWS\winsx.cab
C:\WINDOWS\winsx.dll
C:\WINDOWS\System32\winsx.dll
C:\WINDOWS\System32\intmonp.exe
notepad2.exe
popuper.exe

It also creates the following registry entry to ensure it is
run when the infected computer starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

notepad2.exe
popuper.exe

The restarting of the main process by intmonp.exe only
works if the Trojan file is named popuper.exe.
Therefore, the system can be disinfected by first
changing the name of the file popuper.exe, and then
terminating the popuper.exe process.
intmonp.exe will then terminate itself when it cannot
find the main file to re-execute it. Both files can then
be deleted and the registry cleaned.




Puper.D


Files connected to this:

C:\WINDOWS\System32\hhk.dll
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\hpXX.tmp - where XX denotes randomly
generated characters.
paint.exe
shnlog.exe


In order to run itself on startup, the Trojan creates the
following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run


paint.exe
shnlog.exe


As with Puper.C, intmon.exe monitors the main process, and
restarts it if it is terminated. Meanwhile the main
process restarts the monitoring process if it is
terminated, and recreates the file intmon.exe if it is
deleted.


Troj/Puper-D changes settings for Microsoft Internet
Explorer, including Start Page and search settings, by
modifying values under (HijackThis would make this part easier):

HKCU\Software\Microsoft\Internet Explorer\Main
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchUrl


Registry entries are set as follows:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(default)

The file hpXX.tmp is registered as a COM object and
Browser Helper Object (BHO) for Microsoft Internet
Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKCR\CLSID\VMHomepage
HKCR\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKCR\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}
HKCR\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
HKCR\VMHomepage


The restarting of the main process by intmon.exe only
works if the main Trojan file is named shnlog.exe.
Therefore, both processes can be terminated by changing
the name of the file shnlog.exe, then terminating the
shnlog.exe process.
intmon.exe will then terminate itself when it cannot find
the main file to re-execute it. Both files can then be
deleted and the registry cleaned.
After shnlog.exe has been cleared from the system,
standard procedures can be used for disinfection of the
other two components.




Trojan.Qhosts



Qhosts is a Trojan that prevents access to certain web
sites and reroutes traffic to certain IP addresses. It
also modifies the DNS setting so the unsuspecting user
might be redirected to sites other than those intended.


It is copied onto the system as aolfix.exe. When
aolfix.exe is automatically executed it drops a .bat file
in the directory c:\bdtmp\tmp and executes that file;
the name is randomly generated from numerical characters.
The .bat file drops these files:


On all systems:
C:\WINDOWS\System32\o.reg

On 2000/XP systems:

C:\WINDOWS\System32\o2.reg
C:\WINDOWS\System32\o.vbs

The o.vbs goes through every key under the keys below and
changes the NameServer value to a certain IP number.


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\


After that it will create a new hosts file in these
directories: %windir%\hosts and %windir%\help\hosts. That
file will contain text that will look something like
this:


<random ip number> elite
<random ip number> www.google.akadns.net
<random ip number> www.google.com
<random ip number> google.com
<random ip number> www.altavista.com
<random ip number> altavista.com
<random ip number> search.yahoo.com
<random ip number> uk.search.yahoo.com
<random ip number> ca.search.yahoo.com
<random ip number> jp.search.yahoo.com
....


After it has completed the above tasks it will delete the
files it dropped. But the C:\bdtmp\tmp directory will
still be there, empty.




Go to Start->Run and type in regedit and press [ENTER].
Then change the following registry keys.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]

"EnableDNS"="1" change this value to "0"
"HostName"="host" remove this value
"Domain"="mydomain.com" remove this value


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Search Page"="http://www.google.com" remove this value
"Search Bar"="http://www.google.com/ie" remove this value


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]

""="http://www.google.com/keyword/%s" remove this value
"provider"="gogl" remove this value


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

"SearchAssistant"="http://www.google.com/ie" remove this value

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]

"DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]

"DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


Close regedit.


Now locate the dropped hosts file and delete it.

It is located here :

\Windows\help\hosts




HTML.Helpcontrol



HTML.Helpcontrol!exploit is a generic detection of web
pages or e-mail messages which attempt to exploit
the "Microsoft Internet Explorer HTML Help Control Local
Zone Security Restriction Bypass" vulnerability.
(Basically you have visited a malicious web site that has
malicious code written into its web pages to infect
people with malware; probably where most of your problems
came from.) Crack & serial websites are the worst offenders
for this.

This does not necessarily mean that a virus has been
found. It merely means that HTML code was found which
attempts to activate additional executable code without
the user's express permission.

Maybe it remains in a quarantine folder belonging to your
antivirus software, which may need clearing. If it's showing
in temp folders, then use CCleaner or open an Internet Explorer
window, go to Tools, then Internet Options, and delete
cookies and files (include all offline content when
deleting files).




Win32.alemond.A


I've not heard of this one, and even searching eTrust's site isn't
showing a match for this. If eTrust has detected this on
the C: drive, double-check the spelling, or see if it shows
where the virus is saved and under what name. Again, it
could be detecting something in a quarantine folder that
belongs to the antivirus software (to check this, open the
C: drive, then the folder for the antivirus software you
have, and check there for a quarantine folder; if found,
open the folder and delete the contents but not the
folder).





Regards Andy Manc

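The HijackThis log posted above, read together with Andy's write-up of what Puper and Qhosts change, comes down to a handful of indicator types: R0/R1 search and start-page values pointing at an unknown host, a system.ini Shell= line naming anything besides explorer.exe, a BHO whose file is missing or whose CLSID is a filler value like FFFFFFFF-..., autorun (O4) entries for the generic-sounding file names listed in the thread, an ActiveX download (O16) from a bare IP address, and a non-empty AppInit_DLLs (O20) value. The following triage script is an added example by this editor; it is not HijackThis and not the HJT analyser output Mikolaj quoted, and the KNOWN_GOOD_HOSTS and SUSPECT_EXE_NAMES lists are assumptions drawn from this thread, not an authoritative allow/deny list. The sample lines are copied from the log above, with one AVG line and one Trend Micro line kept in to show they are not flagged.

```python
"""Triage a HijackThis-style log for the hijack indicators discussed in
this thread.  Added example; not HijackThis, not the HJT analyser Mikolaj
quoted, and the rules are this editor's assumptions about what to look at."""
from __future__ import annotations

import re

# Hosts that legitimately appear in R0/R1 browser-settings lines of an
# unmodified Internet Explorer 6 install (assumption; extend as needed).
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "go.microsoft.com",
                    "www.msn.com", "search.msn.com"}

# Generic-looking file names the thread shows Puper/Qhosts hiding under.
SUSPECT_EXE_NAMES = {"hookdump.exe", "popuper.exe", "notepad2.exe",
                     "intmon.exe", "intmonp.exe", "paint.exe",
                     "shnlog.exe", "aolfix.exe"}

CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
URL_HOST_RE = re.compile(r"https?://([^/:\s]+)")
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log lines that deserve a second look."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]
        if code in ("R0", "R1"):
            # Search/start-page settings pointing at an unknown host = hijack.
            for host in URL_HOST_RE.findall(line):
                if host.lower() not in KNOWN_GOOD_HOSTS:
                    findings.append((f"browser setting points at {host}", line))
        elif code == "F2" and "Shell=" in line:
            # system.ini Shell= should name explorer.exe and nothing else.
            shells = [s.strip().lower()
                      for s in line.split("Shell=", 1)[1].split(",")]
            extra = [s for s in shells if s != "explorer.exe"]
            if extra:
                findings.append(("extra shell executable(s): " + ", ".join(extra), line))
        elif code == "O2":
            m = CLSID_RE.search(line)
            degenerate = m and len(set(m.group(1).replace("-", "").upper())) <= 2
            if "(file missing)" in line or degenerate:
                findings.append(("BHO with missing file or degenerate CLSID", line))
        elif code == "O4":
            # Take the executable name out of '[Label] "C:\path\file.exe" /args'.
            target = line.split("]", 1)[-1].strip().lstrip('"').lower()
            name = target.split("\\")[-1].split('"')[0].split(" ")[0]
            if name in SUSPECT_EXE_NAMES:
                findings.append((f"autorun of suspect name {name}", line))
        elif code == "O16":
            # ActiveX downloads (DPF) from a bare IP instead of a vendor domain.
            for host in URL_HOST_RE.findall(line):
                if BARE_IP_RE.fullmatch(host):
                    findings.append((f"ActiveX download from bare IP {host}", line))
        elif code == "O20" and "AppInit_DLLs:" in line:
            value = line.split("AppInit_DLLs:", 1)[1].strip()
            if value:  # every process that loads user32.dll will load this DLL
                findings.append((f"AppInit_DLLs injects {value}", line))
    return findings


# Lines taken from the log posted above; one clean AVG line and one clean
# Trend Micro line are included to show they are not flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp8906.tmp (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://142.36.244.87:8888/kxhcm10.ocx
O20 - AppInit_DLLs: c:\windows\system32\hk.dll
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it over the sample flags six lines and leaves the AVG and Trend Micro entries alone. The F2 rule fires on the msmsgs.exe entry regardless of whether that copy is benign, because on a clean XP install Shell= names only explorer.exe; a hit from this script is a pointer to what to verify by hand, not a verdict.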
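Andy's Qhosts description above has two parts a checker can verify offline: the hosts file is rewritten so that search-engine names resolve to an attacker-chosen address, and the TCP/IP DataBasePath value is repointed from %SystemRoot%\System32\drivers\etc to %SystemRoot%\help so Windows reads the planted copy. The script below is an added example by this editor, not part of the thread or of any vendor's removal tool. SAMPLE_HOSTS is a constructed file modelled on the listing in the thread (192.0.2.10 is a documentation-range placeholder, not a real redirect address), and WATCHED_DOMAINS is an assumption about names that should never be pinned in a home PC's hosts file.

```python
"""Check a Windows hosts file and the TCP/IP DataBasePath value for the
Qhosts-style redirection described above.  Added example, not part of the
thread; SAMPLE_HOSTS is constructed to mirror the thread's description
and 192.0.2.10 is a documentation-range placeholder, not a real redirect."""
from __future__ import annotations

import ipaddress

# Stock location of the hosts file; Qhosts repoints DataBasePath at %SystemRoot%\help.
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Assumption: a home PC has no business mapping these names in hosts.
WATCHED_DOMAINS = ("google.com", "google.akadns.net", "altavista.com",
                   "yahoo.com", "windowsupdate.com", "microsoft.com")


def parse_hosts(text: str) -> list[tuple]:
    """Return (ip, hostname) pairs, skipping comments, blanks and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore rather than fail on a damaged file
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def is_watched(name: str) -> bool:
    """Exact or subdomain match against WATCHED_DOMAINS (notgoogle.com does not match)."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text: str) -> list[tuple[str, str]]:
    """(hostname, ip) for watched domains sent anywhere but loopback/unspecified.

    127.0.0.1 / 0.0.0.0 entries are the normal ad-blocking use of hosts and
    are not reported; a routable address for a search engine is the hijack."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if is_watched(name):
            hits.append((name, str(ip)))
    return hits


def database_path_is_default(value: str) -> bool:
    """True if DataBasePath still points at the stock drivers\\etc folder."""
    return value.strip().rstrip("\\").lower() == DEFAULT_DATABASE_PATH.lower()


SAMPLE_HOSTS = """# constructed sample modelled on the thread's Qhosts listing
127.0.0.1       localhost
192.0.2.10      elite
192.0.2.10      www.google.akadns.net
192.0.2.10      www.google.com google.com
192.0.2.10      search.yahoo.com
0.0.0.0         ads.example.net   # ordinary sinkhole entry, not reported
"""

if __name__ == "__main__":
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
    print("DataBasePath default:", database_path_is_default(r"%SystemRoot%\help"))
```

On a live machine you would feed it the contents of both %windir%\System32\drivers\etc\hosts and %windir%\help\hosts, plus the DataBasePath string read from each ControlSet's Tcpip\Parameters key, since the thread's removal steps cover ControlSet001 and ControlSet002 separately.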
 
AndyManc

Hi Mike

Don't delete msmsgs.exe, it's not malicious, it's MSN
Messenger. The online scanner has given the wrong reading
on that one.

It's 4am here (UK), so I will be able to check your log
a bit later when I get back on. You may have a CWS
infection with the O20 line showing in HijackThis; you
can delete it but it will probably return. Also remove the
file in the Windows folder:

c:\windows\system32\hk.dll


I'll get back to you later mike


Andy
 
AndyManc

If you want to delete a file and it will not let
you, first check Task Manager (Control, Alt and Delete) and
check the processes for the one you're trying to delete;
end the process if found.

If that doesn't work, find the file, right-click it and
choose Properties, uncheck any restrictions such as 'read
only' or 'hidden', then click Apply and try to delete it
again.

If you're still having problems, try renaming the file: right-
click and choose Rename, change it from, say, csd.exe to
csd.bad and save, then try to delete it.


I'll get back to you in a bit though about the desktop
background


Regards Andy
 
Mike S

Thanks Andy,

It is a lot earlier in the colonies, but I am heading to
bed soon as well, eh!

I deleted msmsgs.exe but my MSN Messenger still seems to
work (6.2). I also deleted hk.dll.

Everything seems good except I still have a black
background with a yellow warning sign. It appears to cover
my normal azul background. I have tried re-applying it.

Ewido did find Puper.M and deleted it in two locations, as
well as the Trojan.Prova on my E: drive.

But I have also noticed that
I have in "Add or Remove Programs" some entries that
I don't recognize:
S3 S3Display
S3 S3Gamma2
S3 S3info2
S2 S3overlay

Can I remove them, or could this be related to my monitor
so that it would stop working?

Mike
 
