TechSpot

SpyFalcon, mssearchnet.exe, etc... Please review my HJT log

By stratus
Feb 24, 2006
  1. Hi,

    This will be my first post here. I am desperately needing to remove several spyware/malware programs on my computer. I have made previous attempts based on information from other parts of this forum (such as the guide to removing Begin2Search/CoolWebSearch and other nasties). I have gone by the book, run aboutbuster, cwshredder, adaware, and spybot (all in safe mode) as well as fixing suspicious processes in HijackThis and manually deleting .exe files in safe mode. After a few hours of normal operation, the spyware programs seem to reinstall themselves.

    I know for sure that I have:
    -SpyFalcon
    -The Zlob Trojan (Norton told me)
    -some kind of browser hijacker

    There may be more. Also, mssearchnet.exe is running in my task manager.

    I have attached a HijackThis log in the hopes that someone can help me with a step-by-step process of systematically removing whatever it is I have. If it doesn't work, I'm not opposed to a fresh re-format, but I would like to avoid that if at all possible to spare myself the hassle of backing everything up.

    Thanks for your help!

    -John
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    You've made a good start by reading that thread.

    Go HERE and follow the instructions.

    Then post a fresh HJT log.

    Regards Howard :wave: :wave:
     
  3. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Okay, well, I've tried following the instructions as systematically as possible. Here are all the scans I ran, in the order I ran them, as well as the results I got:

    1. Webroot: The first thing I tried was the Webroot online scan. The following is the error message I got after the scan seemed to run its course:

    “The Webroot Spy Audit has failed to properly connect to Webroot’s servers. Please re-download the audit and run it again at a later time. If the problem persists, please contact Webroot Software.”

    I have attempted the scan multiple times, with this result each time.

    2. Aluria: All the Aluria scan does, after downloading the file, is take me here: http://www.aluriasoftware.com/index.php?menu=litescan&id=99e9890d446c75f2da8c43e20389a013

    I have also tried this multiple times.

    3. Trojan Hunter: This program found two Trojans, but unfortunately I forgot to log this! It cleaned them, however. I think one of them was in some kind of uninstall directory in my AIM folder. The removal hasn’t taken care of any of the perceivable problems I’ve been having, though. I definitely know that there are more Trojans on this system than TrojanHunter is telling me.

    It also told me that TCP Port 5180 was open.

    4. Panda Active Scan: The plot thickens… I can't pull up ANYTHING in my IE browser, all I get is about:blank, and then it somehow gets forwarded and is opened up in Firefox. Panda Active Scan seems to require using the IE browser.

    5. Ewido: This program found a bunch of stuff. I have attached the log to my post, see the file attachments.

    You can see all the Trojans/malware that it found. Very ingenious little program. However, upon restarting the computer, msmsgs.exe is still running in the background. Spyfalcon.exe is not running in the background, but it is still in the add/remove programs list and I am afraid to go near that for fear of it re-propagating itself.

    NOTE: Norton is still finding Trojan.Zlob, and insists that it is removing it... over and over. Obviously this means it is NOT being cleaned.


    --------

    Thus far, this is all I can do. Attached are both the Ewido log and the NEW HijackThis log.

    Thanks again for any help you guys can offer, and, thanks for the welcome!

    -John
     
  4. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Update

    See my previous post. This is an update regarding it.

    I am still getting my browser hijacked at random times!

    Here is another HijackThis log. Perhaps there are some new processes that have cropped up - I will also look at them and compare.

    *sigh* I'm about ready to format at this point. My computer has been overrun for days now.
     
  5. stratus

    stratus TS Rookie Topic Starter Posts: 20

    15 new tracking cookies out of nowhere

    Crazy. Where could this be coming from?

    See attached file.
     
  6. Spike

    Spike TS Rookie Posts: 2,371

    That last post of yours is just tracking cookies - nothing to worry about.

    I'm taking a look at your HJT log now.
     
  7. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Thanks Spike, I appreciate it. I will be up for a while longer, take your time :)
     
  8. Spike

    Spike TS Rookie Posts: 2,371

    Here's your culprit as far as I can tell (I'm pretty sure)...

    C:\Documents and Settings\John\My Documents\??sks\?ti2evxx.exe

    http://research.sunbelt-software.com/threat_display.cfm?name=ClickSpring.PuritySCAN&threatid=10115

    Symantec (seems as you're using NIS, which to be perfectly honest isn't all that great, but that's something else entirely.) has a page about purityscan including removal instructions, here... http://securityresponse.symantec.com/avcenter/venc/data/adware.purityscan.html

    Follow Symantec's instructions by whichever of their methods you choose, and then run all your scans again (well, ewido and webroot at least). Let us know if it's solved, or on the other hand, let us know if it's not :D
     
  9. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Thanks, I'll try it. Norton honestly hasn't done that much for me; I won't be renewing my subscription when the time comes. Anyway, I'll work at this for a bit and try to put your suggestion to work. Will keep you guys posted...

    Did you notice the problem with webroot I was having in my long long post?
     
  10. Spike

    Spike TS Rookie Posts: 2,371

    I did - but I figured that it was either this spyware or your NIS that was causing the problem :D
     
  11. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Gotcha...

    Let me try disabling Norton. I didn't think of that. It does disagree with a lot of programs. The greedy hog that it is. :slurp:

    Apparently that purityscan software had its own uninstall utility on their site?

    Seemed suspicious, but symantec's "manual removal" instructions were... perform a full scan using our awesome internet security program!

    Anyway, I no longer see the process.

    Any thoughts on msmsgs.exe? This seems to be the topic of some debate regarding whether it is some kind of worm, or simply a process associated with windows messenger.
     
     
  12. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Spike,

    Unfortunately, webroot still does not cooperate with me despite having norton killed in the task manager.
     
  13. Spike

    Spike TS Rookie Posts: 2,371

    You have msmsgs.exe in the correct location. It's MSN messenger, and unlikely to be anything else where it is.

    After doing whatever you did from symantec, did that file I mentioned earlier disappear?

    If it did, reboot, and if you still have an issue, run HJT and ewido again and post the logs together (rebooting might make all the difference in trying to spot it if you still have something.)

    I did know that they had their own uninstaller, but I was wary of it for much the same reasons as yourself - however they do actually work with no side effects sometimes, so it's up to you.

    If you don't mind my suggesting it, you might consider completely uninstalling Norton for the time being at least. I am of course assuming that you have a disk to re-install it if you so wish. The reason I say this is because Norton is invasive to the point of almost being ridiculous, and so simply its presence might be screwing up a web based scan. I can't say that for 100% certain, but I can't be sure it's not.
     
  14. stratus

    stratus TS Rookie Topic Starter Posts: 20

    I actually don't have a disc to replace norton, I downloaded it online. Sort of a bad idea, I guess...

    And invasive though it may be, it is whining to me continuously about that Zlob trojan, which is associated with msmsgs.exe according to this page. Maybe norton is being stupid, but it seems like an odd coincidence. Maybe I should just uninstall it anyway, though.

    Oddly enough, Norton doesn't seem to make the connection between msmsgs.exe and the above trojan. It complains about the file C:\Windows\system32\1024\ldxxxx.tmp (the xxxx represents a four-digit suffix, it's different every time and I see a LOT of these files in my temp folder . I decided to go ahead and delete all those.)

    Purityscan's automatic uninstall seems to have killed that process, as well as end the popups (for now), but when I ran Ewido again, it found an object:

    HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup

    (I would have posted the log in file form, but that's like the entire thing.)

    The popups haven't been back even though this registry entry (I think that's what it is?) cropped up.

    Well, I'm gonna get some shuteye and leave everything running and open to see how stuff behaves.

    Thanks again for all your help!

    -John
     
  15. Spike

    Spike TS Rookie Posts: 2,371

    The msmsgs that that page is based on would have to reside in either the windows or system32 folder (%system% isn't even a valid environment variable unless it set it itself on XP) in order for the registry key to run it with the explorer shell on startup. As your copy is in the /program files/messenger folder, this wouldn't be possible, ergo it's incredibly INCREDIBLY unlikely to be anything to do with that page, and very likely to be like the program msn messenger in the exact same location on my computer now :) no worries.

    Looks like you're reasonably cleaned up. Hope it stays that way for you :D

    It does look like it was indeed that purityscan crap I picked out of your HJT log. I hope that file has gone? (you never said)
     
  16. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Again, thanks for all your help. :)

    Is that process on your computer msmsgs.exe or msnsgs.exe? Just wanted to triple check.
     
  17. Spike

    Spike TS Rookie Posts: 2,371

    God - I'm mistyping now too! lmao

    it's msmsgs.exe. sorry about that. It's legit.
     
  18. stratus

    stratus TS Rookie Topic Starter Posts: 20

    lol I don't think you mistyped it... insanity's just taking me over after all this, coupled by a strong measure of good old fashioned fatigue.

    Time to defrag and run all the standard scans tomorrow to make sure everything's really fine.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode. See how HERE.

    Turn off system restore.(XP/ME only) See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager by pressing the ctrl/alt/delete keys together.

    Click on the processes tab, and end process for(if there).

    ?ti2evxx.exe

    Close task manager.

    Run HJT with no other programmes open, and have HJT fix the following, by placing a tick in the little box next to(if there).

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O20 - Winlogon Notify: winrpc32 - winrpc32.dll (file missing)

    O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)

    O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)

    Now, click on the fix checked button.

    Close HJT.

    Click start/run, and type services.msc into the run box, and press the enter key.

    When the window opens, maximise it.

    Locate the above O23 services. Double click on them, and if they are running select stop. Set the startup type to disabled. Click apply ok.

    Locate and delete the following bold file(if there).

    C:\Documents and Settings\John\My Documents\??sks\?ti2evxx.exe

    Reboot into normal mode, and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)
     
  20. Spike

    Spike TS Rookie Posts: 2,371

    Yea, I guess I probably should have done the cleanup too. Seriously, I always seem to be so much untidier doing this lot - I get there, but not without a mess. lol Not that it matters too much I suppose, but it looks damned unprofessional of me :D
    *just realised how that may have sounded. please know that it was intended as pretty much matter of fact with nothing between the lines at all - I wouldn't have the rights on experience alone. God I hope I can sleep soon.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No problem mate. Thanks for the help anyway.

    Regards Howard :)
     
  22. stratus

    stratus TS Rookie Topic Starter Posts: 20

    msmsgs.exe still sort of bugs me. See, I had heard that it could possibly be a part of the Agobot-NL worm, and a few days before I joined this forum I had removed it from my computer.

    However, msmsgs.exe still runs in the background.

    If I try to kill the process, it comes back within seconds.

    Also, after running a search, there is no instance of msmsgs.exe on my computer in system32 or in the windows messenger directories, only MSMSGS.EXE-2B6052DE.pf located in C:\Windows\Prefetch.

    Anyway, I just thought it was weird.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    msmsgs.exe is perfectly legit. It is part of msn messenger.

    See HERE for further info.

    Regards Howard :)
     
  24. stratus

    stratus TS Rookie Topic Starter Posts: 20

    Yes, it does seem legit, in which case I regret having deleted those files. :(

    Edit - LOL, the files are there, they're just hidden.

    By the way Howard, I followed that step-by-step procedure that you posted earlier. After doing so I have "before" and "after" HJT logs. Both the "O23" services seem to have persisted, but the R3 and O20 are gone.

    I also ran adaware and spybot while I was still in safe mode. Adaware cleaned up 18 leftover registry entries associated with SpyFalcon (which ewido seems to have taken care of once and for all). Spybot cleaned up 1 Pest Trap entry, 1 Smitfraud-C. entry, and two Vcodec entries.

    Anyway, that's the latest. Attached are the HJT logs.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    What have you done with Ewido? The O23 entry for Ewido was fine earlier, and now is showing file missing.

    The below entries are from your after log.

    This is how you fix these O23 entries.

    O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
    O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Security Tools\ewido anti-malware\ewidoctrl.exe (file missing)
    O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)


    Click start/run, and type services.msc into the run box, and press the enter key.

    When the window opens, maximise it.

    Locate the above O23 services. Double click on them, and if they are running select stop. Set the startup type to disabled. Click apply ok.

    Regards Howard :)
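As an added example, not code from this thread or from HijackThis, here is a small Python triage of HJT log lines like the ones Howard and Spike picked out above: it flags entries that reference a missing file, executables running from a user profile directory, and paths the log could not render (the "?" characters in the ?ti2evxx.exe path, which are not legal in a Windows file name). The log text inside it is constructed from the entries posted in the thread, an O4 line built from the path Spike quoted, and one made-up healthy service line for contrast.

```python
import re
from collections import namedtuple

# Constructed sample in HijackThis log format: the R3/O20/O23 entries quoted in
# the thread, an O4 line built from the path Spike flagged, and one made-up
# healthy service line that should NOT be reported.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\\..\\Run: [ti2evxx] C:\\Documents and Settings\\John\\My Documents\\??sks\\?ti2evxx.exe
O20 - Winlogon Notify: winrpc32 - winrpc32.dll (file missing)
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\\WINDOWS\\System32\\dllhost.exe (file missing)
O23 - Service: ewido security suite control - Unknown owner - C:\\Program Files\\Security Tools\\ewido anti-malware\\ewidoctrl.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")

Finding = namedtuple("Finding", "kind body path reasons")

def extract_path(kind, body):
    """Pull the file reference out of an entry and strip HJT's status markers."""
    if kind == "O4":                     # "HKxx\..\Run: [name] path"
        ref = body.split("] ", 1)[-1]
    else:                                # "Type: name - owner - path"
        ref = body.rsplit(" - ", 1)[-1]
    for mark in MISSING_MARKERS:
        ref = ref.replace(mark, "")
    return ref.strip() or None

def triage(log_text):
    """Return only the entries worth a closer look, each with the reasons why."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        path = extract_path(kind, body)
        reasons = []
        if any(mark in body for mark in MISSING_MARKERS):
            reasons.append("points at a file that no longer exists (stale or deleted)")
        if path and "?" in path:
            # '?' is illegal in a Windows file name: the real name has characters the log could not render
            reasons.append("path contains characters the log could not render")
        if path and path.lower().startswith("c:\\documents and settings\\"):
            reasons.append("executable runs from a user profile directory")
        if reasons:
            findings.append(Finding(kind, body, path, reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` and the healthy ExampleSvc line is the only entry left out; each reported entry carries the reasons that put it on the list.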
     