Computing.Net > Forums > Security and Virus > stubborn virus

stubborn virus

Name: nocturnal
Date: December 9, 2003 at 16:08:00 Pacific
OS: Win 98se
CPU/Ram: pII - 233mhz
Comment:

I'm sure the answer to what I'm going to ask is here somewhere, but for the life of me I can't locate it.
So, here's the problem ... I had bigger problems, but I've narrowed them down to this. Every time I run Spybot - Search and Destroy (other than the fact it freaks out because I also have Bulletproof - copyright infringement etc.) it (Spybot) finds coolWWWsearch. Bulletproof does not, although it removed 9 spyware related and 2 infected files. I have used cws and it does its job, but once I run spybot again it comes back with the same coolWWWsearch.

Here's a copy of HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 6:58:52 PM, on 12/9/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\GOOGLE\GGVIEWER67-70.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\LXSUPMON.exe
C:\WINDOWS\SYSTEM32\MSUPDATE.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\MY DOCUMENTS\JASON\SOFTWARE\TR\HJT\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.exe
O4 - HKLM\..\Run: [LexStart] LexStart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.exe RUN
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ADHKNRUXG] C:\WINDOWS\ADHKNRUXG.exe
O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe"
O4 - HKCU\..\Run: [Lsei] C:\WINDOWS\Application Data\haet.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AdsGone (HKLM)
O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37924.8897106481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab

---

Any help would be greatly appreciated
thanks in advance, noc


Response Number 1
Name: sxshep
Date: December 9, 2003 at 16:28:01 Pacific
Reply:

Try this program CoolWebShredder and repost your log

hth
shep

Response Number 2
Name: nocturnal
Date: December 9, 2003 at 16:39:46 Pacific
Reply:

Thank you for the reply.

I used CoolWebShredder prior to the post. That log was run after I used it.

noc

Response Number 3
Name: sxshep
Date: December 9, 2003 at 17:25:54 Pacific
Reply:

You can try having HjT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

These guys look suspicious:

O4 - HKLM\..\Run: [ADHKNRUXG] C:\WINDOWS\ADHKNRUXG.exe

O4 - HKCU\..\Run: [Lsei] C:\WINDOWS\Application Data\haet.exe

More help will come I'm sure

shep

Response Number 4
Name: sxshep
Date: December 9, 2003 at 17:29:03 Pacific
Reply:

PS

Sorry I missed this "I have used cws"

shep

Response Number 5
Name: Abnormal
Date: December 9, 2003 at 20:17:47 Pacific
Reply:

You need to press the next button after you close open windows. Run cwshredder again.

Possibly the most simple CWS variant since CWS.Datanotary, this hijack only does the basic stuff: changes your IE homepage and search pages, adds porn bookmarks, and pops up a bogus error message at startup.

Deleting MSupdate.exe from the All Users Startup group, deleting the porn bookmarks and resetting the IE homepage and search pages fixed the hijack.

The MSupdate.exe file is capable of installing a hosts file hijack as well, but doesn't seem to do this.

Bulletproof is a bottom feeder, just as bad as toe jam.

BPS is a SpyBot ripoff.

http://spybot.eon.net.au/index.php?lang=en&page=news/news20030805

Response Number 6
Name: nocturnal
Date: December 9, 2003 at 22:49:25 Pacific
Reply:

Ok, I've done all that fun stuff. But I'm still having the same problem (Spybot, when run, comes back with 5 separate coolWWWsearch files).

Also, when I try to remove MSupdate, it says "currently in use by windows" making removal a problem.

If any more information is needed to help resolve the issue, please let me know.

Thanks, noc

By the way, some of the files fixed by hijack returned once rebooted.

Here's the current hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 1:48:29 AM, on 12/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\GOOGLE\GGVIEWER67-70.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\LXSUPMON.exe
C:\WINDOWS\SYSTEM32\MSUPDATE.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\PROGRAM FILES\INCREDIBLE TECHNOLOGIES\GOLDEN TEE GOLF\GTGOLF.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\MY DOCUMENTS\JASON\SOFTWARE\TR\HJT\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.psn.cn/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.exe
O4 - HKLM\..\Run: [LexStart] LexStart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.exe RUN
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AdsGone (HKLM)
O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37924.8897106481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab

Response Number 7
Name: Abnormal
Date: December 9, 2003 at 23:12:13 Pacific
Reply:

Have hijackthis fix these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.psn.cn/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe

Reboot into safe mode
and delete MSUPDATE.exe
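A small triage script for the log format used in this thread, added here as an example (it is not code from the thread or from HijackThis): it parses the R0/R1 and O4 lines, lists the hosts that IE's start/search settings have been pointed at, and flags any O4 autorun whose executable also appears under "Running processes", which is exactly why msupdate.exe had to be deleted from safe mode before the fixes would stick. The sample log is a constructed excerpt and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the HijackThis v1.97 log layout, the same shape as the logs in this thread
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM32\MSUPDATE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe
O4 - HKCU\..\Run: [Lsei] C:\WINDOWS\Application Data\haet.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)  # first .exe token of the command

def running_processes(log):
    """Lower-cased basenames under 'Running processes:'; the block ends at the first blank line."""
    procs, in_block = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs

def hijacked_hosts(log):
    """Hosts that R0/R1 entries point IE's start/search settings at (about:blank is skipped)."""
    hosts = set()
    for line in log.splitlines():
        m = R_LINE.match(line)
        if m and m.group("value").lower().startswith("http"):
            hosts.add(urlsplit(m.group("value")).hostname)
    return sorted(hosts)

def active_autoruns(log):
    """O4 entries whose executable is also running: it cannot be deleted from a normal boot
    ('in use by windows') and can re-apply the R0/R1 keys after a fix, so safe mode first."""
    procs, hits = running_processes(log), []
    for line in log.splitlines():
        m = O4_LINE.match(line)
        exe = EXE_NAME.search(m.group("cmd")) if m else None
        if exe and exe.group(1).lower() in procs:
            hits.append((m.group("name"), exe.group(1).lower()))
    return hits
```

On the sample, `hijacked_hosts` reports the two psn.cn hosts and `active_autoruns` returns only the `[Updates]` entry, since haet.exe is not in the process list.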

Response Number 8
Name: nocturnal
Date: December 10, 2003 at 00:11:52 Pacific
Reply:

Peace at last.

Abnormal, Sxshep, you guys are awesome, thank you very much for your help and patience. I'm indebted to you guys.

It was that damn msupdate, once removed in safe mode (doh) and HiJack and CWS did their thing, all is well.

Thanks again, noc

Response Number 9
Name: Abnormal
Date: December 10, 2003 at 00:33:04 Pacific
Reply:

Glad it worked out for you, I now know that's what caused your problem with running the tools.

Here is a post I put together, to stay clean.
Hijack prevention tips

Take care because we care.
Abnormal