Problem with Malware; Apologies if this is the wrong forum.


Problem with Malware; Apologies if this is the wrong forum.

Hello all.

Before I start, the reason I'm posting this here is that the Support team and I were at a loss regarding how to deal with my Malware problem, and they suggested I ask in the Forum.

I'm running Windows XP on an AMD Athlon 1.26GHz, with IE as my browser.

For several weeks now my computer has been infected with some Malware that I can't find or remove. The program hasn't been found by AdAware, Spybot S&D or SmitFraudFix. It is generating files in my Local Settings --> Temp folder which are (usually) identified by AVG immediately after their creation as 'Trojan Proxy EOD' or 'EOB's.

These proxies are easily removed, but as soon as I log onto the Internet, they are generated again. Also the Malware attempts to log into the internet automatically whenever I log onto my computer.

At the same time, the malware is creating and sending out Spam through Microsoft Outlook. This isn't a huge problem for us, as we all use hotmail and various other forms of Email, but we do want it to stop, especially as it's sending the Spam here.

The files created in the Temp folder take a form unlike any I've seen before; rather than try and explain, I'll just post up a screenshot:

Image Link Here

Just so you know how quickly the Items are created, I logged onto the Internet at about 9.03,

Also, here is the HijackThis log for my computer:

Logfile of HijackThis v1.99.1
Scan saved at 09:14:47, on 05/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Updater.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\Realtek\Rtl8180\RtlWake.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\John\LOCALS~1\Temp\83exinjs.6.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\DOCUME~1\John\LOCALS~1\Temp\78exmodul32s.7.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB002" /M "Stylus DX3800"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200201...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/eng/billard8UK_2_0_0_21.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB3620A-22E0-4464-97A3-7B8F1F824093}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9703D49C-6BB6-4960-AAE0-0E5AAEDA7CE4}: NameServer = 212.159.6.9 212.159.6.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEE80CC9-26D2-4F5C-BD24-FC59A1A88668}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = stoke.ramesys.com,crick.ramesys.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

I hope this is of use to you!

Thanks.

[Moderator's note by Tom (tomspcs) : I have changed the image to a link as it was stretching the page and simply too large.]
20 REPLIES

Problem with Malware; Apologies if this is the wrong forum.

Try Spyware Doctor. It's always caught/got rid of stuff for me. You will need to purchase it for it to do a removal.

Tip: Before running it, go to Internet Properties and click "Delete Files..." and "Delete Cookies...". It can give false positives, i.e. warns you about something that isn't really a threat. I've informed them.

Problem with Malware; Apologies if this is the wrong forum.

I won't pretend to know what is causing the problem, but you could try:
Are all the Microsoft security patches up to date? Go to Microsoft Update.
Apologies if you've already tried some/all of these.

Problem with Malware; Apologies if this is the wrong forum.

I would also run CCleaner to clean out the registry. It could be something in there triggering the rest.

Ian
Cat
Dabbler
Posts: 18
Registered: 30-07-2007

Problem with Malware; Apologies if this is the wrong forum.

Unholytrinity,
firstly I am not an expert, but I believe I know what's wrong.........

the first entry in your hijackthis log is genuine and part of your windows system

Running processes:
C:\WINDOWS\System32\smss.exe

HOWEVER...

This may be the culprit................

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Name W32/Brontok-W
Type Worm

Affected operating systems Windows

Side effects Sends itself to email addresses found on the infected computer
Forges the sender's email address
Uses its own emailing engine
Installs itself in the Registry

Aliases Email-Worm.Win32.Brontok.c
W32/Rontokbro.gen@MM
W32/Brontok-Fam
W32.Rontokbro@mm
WORM_RONTKBR.GEN

regards Distorteddreams
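The check distorteddreams applies by eye above (a core Windows process name such as smss.exe launched from somewhere other than System32, or anything running out of a Temp folder) can be automated over a HijackThis log. This is an added example, not part of the thread or of HijackThis itself; the log lines are constructed to mirror the entries quoted in this thread, and the expected directories are assumptions for a default Windows XP install.

```python
import ntpath
import re

# Constructed sample log in HijackThis format, modelled on the entries
# discussed in this thread; it is not the poster's full log.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\83exinjs.6.exe

O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [.nvsvc] C:\\WINDOWS\\system\\smss.exe /w
O4 - HKLM\\..\\Run: [iRiver Updater] \\Updater.exe
"""

# Core Windows processes and the directory each is expected to run from on a
# default XP install (assumed; lower-case so comparisons are case-insensitive).
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)\b', re.IGNORECASE)

def parse_entries(log):
    """Yield (source, path) for every process line and O4 autorun entry."""
    in_processes = False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            if exe:
                yield ("autorun:" + m.group("name"), exe.group("path"))
        elif in_processes:
            yield ("process", line)

def assess(path):
    """Return the reasons a path looks suspicious (empty list if none)."""
    low = path.lower()
    reasons = []
    expected = CORE_BINARIES.get(ntpath.basename(low))
    if expected and ntpath.dirname(low) != expected:
        reasons.append(f"core binary outside {expected}")
    if "\\temp\\" in low:
        reasons.append("executable running from a Temp folder")
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("no drive letter: relative autorun path")
    return reasons

def audit(log):
    """Run assess() over every entry; return only the flagged ones."""
    return [(src, path, assess(path)) for src, path in parse_entries(log)
            if assess(path)]
```

A legitimate entry can still trip a rule (a vendor updater in a Temp folder, for instance), so the output is a list of items to look up, as the thread advises, not a verdict.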

Problem with Malware; Apologies if this is the wrong forum.

Quote
Unholytrinity,
firstly I am not an expert, but I believe I know what's wrong.........

This may be the culprit................

Name W32/Brontok-W
...
Aliases ...
W32.Rontokbro@mm ....

Removal instructions from Symantec are here

Re: Problem with Malware; Apologies if this is the wrong forum.

Quote
the reason I'm posting this here is that the Support team and I were at a loss regarding how to deal with my Malware problem, and they suggested I ask in the Forum

Is this the business of your ISP? I think not and this just makes them busier and even more unavailable for customers with real problems.

When I say real I mean no offence and I realise you have problems but they are self-inflicted.

Anyway, do as the people say above. You have loads of rubbish running so stopping that would be a start.


Quote
At the same time, the malware is creating and sending out Spam through Microsoft Outlook, this isn't a huge problem for us

For 'us'? And what do you think that's sending out? You are perhaps spreading viruses and trojans (or much worse). If you don't use Outlook go into the Outlook folder and select all and delete. It'll destroy anything that's running (and the program).

You might want to have more than 1 PC in the house (you may already do) so you can spread the chance of infection and limit who uses what PC.

PC security is the user's responsibility, and there's no end of great free applications out there that can make your PC secure and make everyone's life a bit easier. People will always help, but you have to help yourself too.
Njal
Grafter
Posts: 290
Registered: 30-07-2007

Problem with Malware; Appologies if this is the wrong forum.

Try the good people at:

http://www.malwareremoval.com/

They may be able to help you.

Regards,

Neil

Problem with Malware; Apologies if this is the wrong forum.

@ distorteddreams & baytrees. Thanks very much for your help. I'll try that now and see if it works. With any luck this should solve all our problems. What I want to know is why didn't AdAware pick it up?

@dslweb. I'm not sure what the problem is regarding working with PlusNet to solve the problem. We talked to them about it after they informed us of the problem, and we attempted to clear the problem using various measures, as I already stated; when this didn't work we went back to them. When we found what the problem was we informed them, and they suggested we try their forums to see if anyone else had any advice on removing the malware. What's wrong with that?

As for sending out Trojans etc. the only email address stored on the computer is the PlusNet one from when they send out info. I know that doesn't make it right, but you seem to be implying that we're spreading the infection to many other machines, which as far as I understand isn't the case.

Quote
You have loads of rubbish running so stopping that would be a start.


Since you obviously know what you're talking about (And this isn't sarcasm) could you inform me as to what you consider 'rubbish', please?
Community Veteran
Posts: 38,209
Thanks: 906
Fixes: 54
Registered: 15-06-2007

Problem with Malware; Apologies if this is the wrong forum.

There are a number of forums which specialise in this sort of problem.
Try this one, as they helped a colleague:
http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

Problem with Malware; Apologies if this is the wrong forum.

Quote
We talked to them about it after they informed us of the problem


That's because your PC must be up to all sorts of nastiness and part of what it is doing is dragging Plusnet into it. You must take responsibility for your security or the situation you are in at the moment will happen again very soon. It could be the police at your door though and not a polite message from an overworked small company like PN.

PN (no ISP in fact) can be expected to wrap people in cotton wool. When trojans affect PCs, banks always pay back the money to customers because they are frightened to apportion blame (and have it in the 'papers').

As I've said, the Web from top to bottom is full of extremely helpful people who will sort your problem by either giving advice or producing free applications.

As for your HiJackThis file, you can copy/paste it into here. You can then tick and 'fix' all items it shows up. Then install Ewido.

Turn off System Restore and restart and run HiJackThis again. Turn System Restore back on. Paste that HijackThis file again and see what else is running. If you are unsure what an item is then put it into Google in quotes (eg "nasty_mo_fo.worm") and see what comes up. Try and read 3-4 comments and not the first one because that could be put there by some scumbag trying to get you to install something you shouldn't.

This all takes time and if you learn a little bit it'll stay with you.


Have a look here www.getsafeonline.org

And don't buy anything. Good luck and if you get stuck just post and someone will try to help.
JJ
Grafter
Posts: 229
Registered: 12-08-2007

Problem with Malware; Apologies if this is the wrong forum.

Although 'dslweb' comes across a little angry (it may not have been intentional, but that's how it reads), I agree with him 100%.

Even if you pay for anti-virus software it doesn't always work as you would expect. I have 'bloated' Norton, which identified some malware but couldn't do anything about it. It took me 4 hours to get rid of some junk I, YES I, introduced to my system. Despite knowing the exe file I had just downloaded might be a risk, I stupidly went and clicked on it. Yes, it worked fine; unfortunately so did all the hidden programmes.

We can all do silly things!!!

John H
Community Veteran
Posts: 2,829
Thanks: 153
Fixes: 2
Registered: 05-04-2007

Problem with Malware; Apologies if this is the wrong forum.

Yep, I agree. The problem is there is so much of it about and it is so easily caught nowadays; if everyone with problems were to go to their ISP, the extra support cost would be significant.

Not that we can't try and give a hand here - this is Community Support after all.

I've had a similar experience with my work PC. I needed a utility for splitting files, so typed 'file splitter' into download.com and got the first one I came across. It installed a load of other junk as well, the corporate AV went mental and the IS team were not best impressed. That'll teach me not to read the disclaimer and the user reviews. Had about 5 variants of spyware; managed to somehow clean it up in about 45 minutes by manually uninstalling and changing the registry.

Anyway, back OT, I'd also recommend Cool Web Shredder in your arsenal of removal utilities, as I've used it to remove stuff before which nothing else has picked up. Google 'cwshredder.exe' for links.
shellsong
Grafter
Posts: 2,191
Registered: 03-08-2007

Problem with Malware; Apologies if this is the wrong forum.

I've found that a lot of the malware that hides itself and has to be killed on reboot can be cleaned out using a Linux live CD and a copy of ClamAV (you can make sure it's fully updated once the Linux temporary install connects to the internet).
Community Veteran
Posts: 38,209
Thanks: 906
Fixes: 54
Registered: 15-06-2007

Problem with Malware; Apologies if this is the wrong forum.

A word of warning.
If you aren't an expert on malware removal, go to one of the sites above and let the experts guide you.
I have seen many malwares which are extremely difficult to remove.
Look at some of the people being helped and the steps they needed to go through to clean their PC.