Infected with Adware/Malware/Spyware

Status
Not open for further replies.

fanofcricket

Right off the assembly line
Hey people!

A PC in my office has been seriously infected by either adware, malware or spyware, and it's causing havoc by creating its own icons and shutting down IE without notice.
The icons regenerate when you delete them from the desktop.
I ran HJT and I post the log file here for you... Please, please help me! Thanking anyone who replies in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:4:p, on 09/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.168.0.1:3128
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkiv.exe] C:\WINDOWS\system32\kdkiv.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [58816225442454609891642713430501] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B395256-A2E0-422E-BE76-A743482ABE15}: NameServer = 10.20.30.40,172.31.29.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe

--
End of file - 4207 bytes
 

sude

Tech'ing life seriously!!
Dear fanofcricket,
I noticed that you already have anti-spyware software installed (Lavasoft Ad-Aware). That's good, but I didn't find any renowned antivirus like Norton, Avast etc.

But I FOUND YOUR CULPRIT. It is XP ANTIVIRUS:
O4 - HKCU\..\Run: [58816225442454609891642713430501] C:\Program Files\XP Antivirus\xpa.exe

THIS IS NOT AN ANTIVIRUS BUT SPYWARE WHICH ACTS AS A GATEWAY FOR OTHER SPYWARE TO ENTER YOUR SYSTEM.

See this page (*www.lancelhoff.com/2008/02/22/how-to-remove-xp-antivirus-protection/) for more details and how to remove it.

---------------------------
After removing XP Antivirus,
perform the following:

Install an antivirus (free or paid).
For free you can go for Avast antivirus (from www.avast.com/eng/download-avast-home.html) and install it.

Next, I hope the Ad-Aware already installed on your system is updated. If not, please run the live update from within the program, or download the latest version from its website (www.lavasoft.com/products/ad_aware_free.php).

Along with it, download another updated anti-spyware program, SPYBOT SEARCH AND DESTROY, from www.safer-networking.org/en/download and install it.
You will need to download the updates for Spybot separately.

AFTER INSTALLING, RUN AN ANTIVIRUS SCAN IN SAFE MODE.
IF ANY VIRUS IS FOUND, DELETE IT,
AND
THEN RUN BOTH ANTI-SPYWARE PROGRAMS FOR A FULL SYSTEM SCAN.

OK.

Reply with what happened.

-SUDE
And please don't take the lines in capitals above as if I am shouting at you. I just want to lay stress on those lines, OK?
 

pushkaraj

In the zone
I found the following entries suspicious:

C:\WINDOWS\system32\hpzipm12.exe

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkiv.exe] C:\WINDOWS\system32\kdkiv.exe

O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe

O4 - HKCU\..\Run: [58816225442454609891642713430501] C:\Program Files\XP Antivirus\xpa.exe

The last entry clearly shows that your PC is infected with XP Antivirus, which is a rogue antivirus. Go to the following link for instructions on removing it from your PC:
*www.bleepingcomputer.com/forums/topic111715.html

From the following entry
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
it seems you have not uninstalled Symantec LiveUpdate. Remove it before installing any other antivirus, as I don't feel you have an antivirus installed on your PC.

Also I recommend installing some good anti-malware like a-squared Free. You can download it from here: *www.filehippo.com/download_asquared/
You may also consider Windows Defender, which is another freeware:
*www.filehippo.com/download_microsoft_antispyware/
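A triage pass over the log lines the two replies above single out, as an added example (not code from this thread or from HijackThis): it parses the O4, F3, R1 and O17 entries and flags the same four executables using only location and value-name shape, since an HJT log carries no signer or hash information. The sample log, the severity labels and the small allowlist of known system32 autostarts are constructed for the example. The proxy and DNS entries are marked for review rather than flagged, because an office PC often has both legitimately; note that 172.168.0.1 is not inside the private 172.16.0.0/12 range, so it is worth confirming with whoever runs the LAN.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HijackThis lines from this thread that matter for triage.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.168.0.1:3128
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkiv.exe] C:\WINDOWS\system32\kdkiv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [58816225442454609891642713430501] C:\Program Files\XP Antivirus\xpa.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B395256-A2E0-422E-BE76-A743482ABE15}: NameServer = 10.20.30.40,172.31.29.1
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
"""


@dataclass
class Finding:
    severity: str  # "high": looks like a dropper's autostart; "review": common on a LAN, confirm it
    target: str    # file name, proxy, or DNS server list the finding is about
    reason: str
    entry: str     # the HijackThis line that triggered it


# Constructed allowlist: the system32 autostarts in this log that are known Intel/Windows components.
KNOWN_SYSTEM32 = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>\S+)")


def exe_path(cmd):
    """Executable path from a Run command: strips surrounding quotes and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def o4_reasons(name, path):
    """Heuristics for one Run value; returns the reasons it looks like a dropper's autostart."""
    folder, _, exe = path.rpartition("\\")
    folder, exe = folder.lower(), exe.lower()
    reasons = []
    if name.isdigit() and len(name) >= 16:
        reasons.append("long all-digit value name (the XP Antivirus entry in this log uses one)")
    if name.lower() == path.lower():
        reasons.append("value name is the executable path itself, as a dropper would generate it")
    if folder in (r"c:\windows", r"c:\winnt"):
        reasons.append("executable sits directly in the Windows folder, not a subfolder")
    if folder.endswith(r"\system32") and exe not in KNOWN_SYSTEM32:
        reasons.append("executable in system32 that is not on the allowlist")
    return reasons


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            for reason in o4_reasons(m.group("name"), path):
                findings.append(Finding("high", path.rpartition("\\")[2].lower(), reason, line))
            continue
        m = F3_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            findings.append(Finding("high", path.rpartition("\\")[2].lower(),
                                    "win.ini %s= is almost never used by legitimate software" % m.group("key"), line))
            continue
        m = R1_RE.match(line)
        if m:
            findings.append(Finding("review", m.group("proxy"),
                                    "per-user proxy set; confirm it is your LAN proxy, not a malware relay", line))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(Finding("review", m.group("servers"),
                                    "DNS servers set on the adapter; confirm they are your LAN resolvers", line))
    return findings


def by_severity(findings, severity):
    """Targets that have at least one finding of the given severity."""
    return {f.target for f in findings if f.severity == severity}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s\n    %s" % (f.severity, f.target, f.reason, f.entry))
```

The O23 line for hpzipm12.exe is deliberately not parsed: it names a vendor (HP) and a known printer-driver service, and nothing in a name-based pass distinguishes it from the other vendor services, so checking the file's signature on the machine is the only way to confirm it.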
 
OP

fanofcricket

Right off the assembly line
Hey, thanks for your help, but I don't think the problem is solved. I tried the first method and then the second too (posted by pushkaraj), everything except the Panda Online... The icons still keep reappearing, the log file still contains the xpa.exe entry, but the folder (XP Antivirus) in Program Files is gone.

Moreover, I tried installing NOD32, Avast and Spybot on the machine; none of them will install, and everywhere the same corrupt installer error appears. Is this the work of the virus, or can all those installers really be corrupt? I have tried the Avast and NOD32 installers at home, and they work fine. Are there any other alternative solutions? Will a system restore to some previous point help?

Here is the logfile, please help me out! It's my office PC which needs immediate attention! I don't want to format my hard disks! :cry:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:47:p, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.168.0.1:3128
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkiv.exe] C:\WINDOWS\system32\kdkiv.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [58816225442454609891642713430501] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B395256-A2E0-422E-BE76-A743482ABE15}: NameServer = 10.20.30.40,172.31.29.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe

--
End of file - 3902 bytes
 

sude

Tech'ing life seriously!!
I am sorry, but I feel that the steps for removal of XP ANTIVIRUS were not done properly.

And the antiviruses are not installing because maybe XP Antivirus or another virus has already corrupted the system files required for proper installation of software!

-SUDE
 

afonofa

Journeyman
It's possible that your computer is infected with something called Bagle, which is preventing you from installing any kind of security software. Try running a non-security software installer and see if you can get that to run. If you can't get any installers to run, then maybe it's a virus which is corrupting your .exe files.

You could also:
1. Disconnect the infected computer from the internet
2. Disable system restore
3. Delete all the files in your temp folders (some files won't delete)

By default temp folders are at:
a. C:\Documents and Settings\Your Username\Local Settings\Temp
b. C:\Windows\Temp
c. Temporary Internet Files (delete through your browser's interface)

I'm not sure if it's doable, but you can try burning the installer for Kaspersky AntiVirus v7.0.1.325 onto a CD and try to install KAV from that CD.

If it installs then:
1. Check the Enable Self Defense Before Install option (checked by default).
2. Activate the trial for KAV (you will need to connect to the internet for this)
3. Update KAV
4. Disconnect from the internet
5. Scan... BUT this is IF you get it to install

If it's possible, can you attach the HJT log here instead of posting the contents?
 

anandk

Distinguished Member
Delete C:\WINDOWS\system32\winupdate.exe
Use DeleteDoctor if required.
Disable system restore.
Now run your AV and AV.
Reboot.
Run CCleaner.
 

afonofa

Journeyman
If you have already followed the instructions for removal of XP Antivirus (just in case, check once more), then delete winupdate.exe and kdkiv.exe from C:\Windows\system32. Boot your computer in safe mode if you can't delete them in normal mode.

Then go to
Start > Run > type regedit > hit enter
In the registry editor browse to
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the registry entry for xpa.exe
then browse to
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the registry entry for kdkiv.exe
Close the registry editor

Again go to
Start > Run > type win.ini > hit enter
It will open in Notepad. Locate the entry for winupdate.exe and delete the whole line. Don't leave a blank space. Close Notepad and you will be asked if you want to save changes. Save it.

Depending on which version of Norton you had, download Norton removal tool and run it.

Reboot and try to install KAV.
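The manual procedure above (delete the two dropped files, remove the two Run values, strip the win.ini run= line) as a dry-run-by-default Python 3 script. This is an added example, not afonofa's or the forum's code; it assumes a Python 3 interpreter on the machine (3.4 is the last release that runs on XP) and an administrator account for the HKLM key. HijackThis reads F3 "REG:win.ini" entries from HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (the registry copy of win.ini that NT-based Windows actually processes at logon), so the script clears the run value there as well as any run= line in the win.ini file. The value names are copied from the thread's log; the script only prints what it would change unless run with --apply.

```python
import os
import sys

# Constructed from the thread's HijackThis log: (hive, key, value name). The value name is the text
# inside [...] on the O4 line; for kdkiv.exe the dropper used the full path as the name.
RUN_VALUES = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "58816225442454609891642713430501"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", r"C:\WINDOWS\system32\kdkiv.exe"),
    # HijackThis reports the F3 "REG:win.ini: run=" line from this key, the registry copy of win.ini
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "run"),
]
DROPPED_FILES = [r"C:\WINDOWS\system32\winupdate.exe", r"C:\WINDOWS\system32\kdkiv.exe"]
WIN_INI = os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), "win.ini")


def strip_win_ini_run(lines, exe_name):
    """Drop run=/load= lines that mention exe_name; every other line is kept verbatim."""
    kept = []
    for line in lines:
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load") and exe_name.lower() in value.lower():
            continue
        kept.append(line)
    return kept


def delete_run_values(entries, dry_run=True):
    """Delete the listed autostart values. Returns the (hive, key, name) triples that were present."""
    import winreg  # Windows-only module, imported here so the pure helper above works anywhere
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    present = []
    for hive, subkey, name in entries:
        try:
            key = winreg.OpenKey(roots[hive], subkey, 0, winreg.KEY_READ | winreg.KEY_SET_VALUE)
        except OSError as err:
            print("cannot open %s\\%s (%s); HKLM needs an administrator account" % (hive, subkey, err))
            continue
        with key:
            try:
                data, _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # already removed
            present.append((hive, subkey, name))
            print("would delete" if dry_run else "deleting", hive + "\\" + subkey, "[%s] = %s" % (name, data))
            if not dry_run:
                winreg.DeleteValue(key, name)
    return present


def clean_win_ini(path, exe_name, dry_run=True):
    """Rewrite win.ini without the run= line for exe_name. Returns the number of lines removed."""
    if not os.path.exists(path):
        return 0
    with open(path) as fh:
        lines = fh.read().splitlines()
    kept = strip_win_ini_run(lines, exe_name)
    if len(kept) != len(lines):
        print("would rewrite" if dry_run else "rewriting", path)
        if not dry_run:
            with open(path, "w") as fh:
                fh.write("\n".join(kept) + "\n")
    return len(lines) - len(kept)


def delete_files(paths, dry_run=True):
    """Remove the dropped executables. Returns the paths that existed. A PermissionError here means
    the file is still running or locked: boot to safe mode and run again, as the post says."""
    present = []
    for path in paths:
        if not os.path.exists(path):
            continue
        present.append(path)
        print("would delete" if dry_run else "deleting", path)
        if not dry_run:
            os.remove(path)
    return present


if __name__ == "__main__":
    apply = "--apply" in sys.argv  # default is a dry run that only reports what it would change
    delete_run_values(RUN_VALUES, dry_run=not apply)
    clean_win_ini(WIN_INI, "winupdate.exe", dry_run=not apply)
    delete_files(DROPPED_FILES, dry_run=not apply)
```

Run it once without --apply and compare the printed values against the HJT log before running it again with --apply; the order (registry values first, files last) is deliberate, so that if a locked file forces a reboot into safe mode, the autostart entry that would relaunch it is already gone. Any further value the thread later identifies can be added to RUN_VALUES in the same (hive, key, name) form.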
 
OP

fanofcricket

Right off the assembly line
hey everyone who replied....

Thanks for your invaluable suggestions. I think I have finally rid my PC of that malicious adware. I post another HJT file; I think because I am yet to delete the registry entry for xpa.exe, it still comes up in the log. Please do have a look at it and tell me if anything else needs to be done.

Thanks again for all your help. I mixed and matched all of your wonderful suggestions, and i'll keep my fingers crossed and hope that this is the end of my Malware infestation.

Thank you again! Cheers! :smile::smile:
 
OP

fanofcricket

Right off the assembly line
Hey all,

I did the requisite registry changes and i post the latest HJT log.

Thanks for all your help again. You guys ROCK!

Cheers!
fanofcricket :D
 

afonofa

Journeyman
Since you can install security software and your HJT log looks clean, I think the malware problem is history.
But a few recommendations:

1. If you feel like it, switch to a more secure browser, Firefox; it's free. If you want to continue with Internet Explorer, upgrade to the latest Internet Explorer v7.0

2. Keep Windows Automatic Updates and Windows Firewall (if your Symantec product doesn't have a firewall) turned on.

3. Update Java. You only need to install Java Runtime Environment (JRE) 6 Update 7.

4. Install Sandboxie. It's available in a free version. Go through its tutorial. Do all your browsing in a sandbox.

5. Browse this forum for tweaking tips. You have unneeded processes loading at startup and active all the time. Turning them off will improve your system performance and boot time. (Don't turn them off using msconfig. Turn them off from within the program itself or from within Spybot S&D.)

6. Don't forget to regularly (weekly?) back up your important data.

7. If your Symantec subscription is expiring anytime soon, then think about getting a better antivirus/internet security suite.

(I recommend an AV starting with Kasp and ending with ersky :D )

EDIT: Just saw the entry for msserv.exe in your HJT log.

Please read this and do a full system scan.

I knew I missed something :p Good thing is that removal is easy.
 

pushkaraj

In the zone
The latest HJT file that you have uploaded does not show any traces of malicious content except one:
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe

The info that I found on the net is this:
If msserv.exe is located in the folder C:\Windows then the security rating is 93% dangerous. File size is 112128 bytes. There is no information about the maker of the file. The program is not visible. It is located in the Windows folder, but it is not a Windows core file. File msserv.exe is not a Windows system file. The process uses ports to connect to LAN or Internet.
Source

More info:
*www.prevx.com/filenames/2625169213469712817-X1/MSSERV.EXE.html

Removal:
*vil.nai.com/vil/content/v_99108.htm
 
OP

fanofcricket

Right off the assembly line
Thank you afonofa and pushkaraj for your tips. I'll follow them for sure. Since it's a PC at my office, I am apprehensive about tweaking. And it's an accounts PC. And don't worry about backup; we take an everyday backup on ZIP Drive floppies.

And about msserv.exe, well, my office is connected by a LAN; maybe it's because of that?
 

afonofa

Journeyman
It probably came in through an infected email in Microsoft Outlook. It's malicious and it's got to go. If it's not a huge LAN, then you should check the other computers for the msserv.exe worm, or your PC may get it again if somebody on the LAN sends you an (infected) email.

This mailing worm sends itself to mail recipients when ordinary mail is sent out via Microsoft Outlook. Upon sending an email message with no attachments, the worm attaches itself using a random 8-character name and an .EXE extension (15KB). If an attachment is present, the worm replaces that attachment with itself, using the same name and the .EXE extension in place of the current extension. When a recipient executes this attachment, their machine is then used to propagate the virus, often without their knowledge. All new and sent mail items that contain the worm attachment are deleted by the worm.

source:
*vil.nai.com/vil/content/v_99108.htm

After you get rid of msserv.exe(and its associated registry keys & files), if System Restore is still on, turn off and then turn on System Restore. This deletes all the restore points which may include some that had been created when your system was infected.
 