SpyFalcon, mssearchnet.exe, etc... Please review my HJT log

stratus
Hi,

This will be my first post here. I am desperately needing to remove several spyware/malware programs on my computer. I have made previous attempts based on information from other parts of this forum (such as the guide to removing Begin2Search/CoolWebSearch and other nasties). I have gone by the book, run aboutbuster, cwshredder, adaware, and spybot (all in safe mode) as well as fixing suspicious processes in HijackThis and manually deleting .exe files in safe mode. After a few hours of normal operation, the spyware programs seem to reinstall themselves.

I know for sure that I have:
-SpyFalcon
-The Zlob Trojan (Norton told me)
-some kind of browser hijacker

There may be more. Also, mssearchnet.exe is running in my task manager.

I have attached a HijackThis log in the hopes that someone can help me with a step-by-step process of systematically removing whatever it is I have. If it doesn't work, I'm not opposed to a fresh re-format, but I would like to avoid that if at all possible to spare myself the hassle of backing everything up.

Thanks for your help!

-John
 

Attachments: hijackthis.txt (5 KB)
Hello and welcome to Techspot.

You`ve made a good start by reading that thread.

Go HERE and follow the instructions.

Then post a fresh HJT log.

Regards Howard :wave: :wave:
 
Okay, well, I've tried following the instructions as systematically as possible. Here are all the scans I ran, in the order I ran them, as well as the results I got:

1. Webroot: The first thing I tried was the Webroot online scan. The following is the error message I got after the scan seemed to run its course:

“The Webroot Spy Audit has failed to properly connect to Webroot’s servers. Please re-download the audit and run it again at a later time. If the problem persists, please contact Webroot Software.”

I have attempted the scan multiple times, with this result each time.

2. Aluria: All the Aluria scan does, after downloading the file, is take me to here: http://www.aluriasoftware.com/index.php?menu=litescan&id=99e9890d446c75f2da8c43e20389a013

I have also tried this multiple times.

3. Trojan Hunter: This program found two Trojans, but unfortunately I forgot to log this! It cleaned them, however. I think one of them was in some kind of uninstall directory in my AIM folder. The removal hasn’t taken care of any of the perceivable problems I’ve been having, though. I definitely know that there are more Trojans on this system than TrojanHunter is telling me.

It also told me that TCP Port 5180 was open.

4. Panda Active Scan: The plot thickens… I can’t pull up ANYTHING on my IE browser, all I get is about:blank, and then it somehow gets forwarded and is opened up in Firefox. Panda Active Scan seems to require using the IE browser.

5. Ewido: This program found a bunch of stuff. I have attached the log to my post, see the file attachments.

You can see all the Trojans/malware that it found. Very ingenious little program. However, upon restarting the computer, msmsgs.exe is still running in the background. Spyfalcon.exe is not running in the background, but it is still in the add/remove programs list and I am afraid to go near that for fear of it re-propagating itself.

NOTE: Norton is still finding Trojan.Zlob, and insists that it is removing it... over and over. Obviously this means it is NOT being cleaned.


--------

Thus far, this is all I can do. Attached are both the Ewido log and the NEW HijackThis log.

Thanks again for any help you guys can offer, and, thanks for the welcome!

-John
 
Update

See my previous post. This is an update regarding it.

I am still getting my browser hijacked at random times!

Here is another HijackThis log. Perhaps there are some new processes that have cropped up - I will also look at them and compare.

*sigh* I'm about ready to format at this point. My computer has been overrun for days now.
 
That last post of yours is just tracking cookies - nothing to worry about.

I'm taking a look at your HJT log now.
 
Spike said:
That last post of yours is just tracking cookies - nothing to worry about.

I'm taking a look at your HJT log now.

Thanks Spike, I appreciate it. I will be up for a while longer, take your time :)
 
Here's your culprit as far as I can tell (I'm pretty sure)...

C:\Documents and Settings\John\My Documents\??sks\?ti2evxx.exe

http://research.sunbelt-software.com/threat_display.cfm?name=ClickSpring.PuritySCAN&threatid=10115

Symantec (seems as you're using NIS, which to be perfectly honest isn't all that great, but that's something else entirely.) has a page about purityscan including removal instructions, here... http://securityresponse.symantec.com/avcenter/venc/data/adware.purityscan.html

Follow Symantec's instructions by whichever of their methods you choose, and then run all your scans again (well, ewido and webroot at least). Let us know if it's solved, or on the other hand, let us know if it's not :D
 
Spike said:
Here's your culprit as far as I can tell (I'm pretty sure)...

C:\Documents and Settings\John\My Documents\??sks\?ti2evxx.exe

http://research.sunbelt-software.com/threat_display.cfm?name=ClickSpring.PuritySCAN&threatid=10115

Symantec (seems as you're using NIS, which to be perfectly honest isn't all that great, but that's something else entirely.) has a page about purityscan including removal instructions, here... http://securityresponse.symantec.com/avcenter/venc/data/adware.purityscan.html

Follow Symantec's instructions by whichever of their methods you choose, and then run all your scans again (well, ewido and webroot at least). Let us know if it's solved, or on the other hand, let us know if it's not :D

Thanks, I'll try it. Norton honestly hasn't done that much for me; I won't be renewing my subscription when the time comes. Anyway, I'll work at this for a bit and try to put your suggestion to work. Will keep you guys posted...

Did you notice the problem with webroot I was having in my long long post?
 
I did - but I figured that it was either this spyware or your NIS that was causing the problem :D
 
Gotcha...

Let me try disabling Norton. I didn't think of that. It does disagree with a lot of programs. The greedy hog that it is. :slurp:

Apparently that purityscan software had its own uninstall utility on their site?

Seemed suspicious, but symantec's "manual removal" instructions were... perform a full scan using our awesome internet security program!

Anyway, I no longer see the process.

Any thoughts on msmsgs.exe? This seems to be the topic of some debate regarding whether it is some kind of worm, or simply a process associated with windows messenger.
 
Spike,

Unfortunately, webroot still does not cooperate with me despite having norton killed in the task manager.
 
You have msmsgs.exe in the correct location. It's MSN messenger, and unlikely to be anything else where it is.

After doing whatever you did from symantec, did that file I mentioned earlier dissapear?

If it did, reboot, and if you still have an issue, run HJT and ewido again and post the logs together (rebooting might make all the difference in trying to spot it if you still have something.)

I did know that they had their own uninstaller, but I was wary of it for much the same reasons as yourself - however they do actually work with no side effects sometimes, so it's up to you.

If you don't mind my suggesting it, you might consider completely uninstalling Norton for the time being at least. I am of course assuming that you have a disk to re-install it if you so wish. The reason I say this is because Norton is invasive to the point of almost being ridiculous, and so simply its presence might be screwing up a web based scan. I can't say that for 100% certain, but I can't be sure it's not.
 
I actually don't have a disc to replace norton, I downloaded it online. Sort of a bad idea, I guess...

And invasive though it may be, it is whining to me continuously about that Zlob trojan, which is associated with msmsgs.exe according to this page. Maybe norton is being stupid, but it seems like an odd coincidence. Maybe I should just uninstall it anyway, though.

Oddly enough, Norton doesn't seem to make the connection between msmsgs.exe and the above trojan. It complains about the file C:\Windows\system32\1024\ldxxxx.tmp (the xxxx represents a four-digit suffix, it's different every time and I see a LOT of these files in my temp folder. I decided to go ahead and delete all those.)

Purityscan's automatic uninstall seems to have killed that process, as well as end the popups (for now), but when I ran Ewido again, it found an object:

HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup

(I would have posted the log in file form, but that's like the entire thing.)

The popups haven't been back even though this registry entry (I think that's what it is?) cropped up.

Well, I'm gonna get some shuteye and leave everything running and open to see how stuff behaves.

Thanks again for all your help!

-John
 
The msmsgs that that page is based on would have to reside in either the windows or system32 folder (%system% isn't even a valid environment variable unless it set it itself on XP) in order for the registry key to run it with the explorer shell on startup. As your copy is in the /program files/messenger folder, this wouldn't be possible, ergo it's incredibly INCREDIBLY unlikely to be anything to do with that page, and very likely to be like the program msn messenger in the exact same location on my computer now :) no worries.

Looks like you're reasonably cleaned up. Hope it stays that way for you :D

It does look like it was indeed that purityscan crap I picked out of your HJT log. I hope that file has gone? (you never said)
 
Again, thanks for all your help. :)

Is that process on your computer msmsgs.exe or msnsgs.exe? Just wanted to triple check.
 
lol I don't think you mistyped it... insanity's just taking me over after all this, coupled with a strong measure of good old fashioned fatigue.

Time to defrag and run all the standard scans tomorrow to make sure everything's really fine.
 
Boot into safe mode. See how HERE.

Turn off system restore.(XP/ME only) See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager by pressing the ctrl/alt/delete keys together.

Click on the processes tab, and end process for (if there).

?ti2evxx.exe

Close task manager.

Run HJT with no other programmes open, and have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O20 - Winlogon Notify: winrpc32 - winrpc32.dll (file missing)

O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)

O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)

Now, click on the fix checked button.

Close HJT.

Click start/run, and type services.msc into the run box, and press the enter key.

When the window opens, maximise it.

Locate the above O23 services. Double click on them, and if they are running select stop. Set the startup type to disabled. Click apply ok.

Locate and delete the following bold file (if there).

C:\Documents and Settings\John\My Documents\??sks\?ti2evxx.exe

Reboot into normal mode, and turn system restore back on.

Post a fresh HJT log.

Regards Howard :)
 
Yea, I guess I probably should have done the cleanup too. Seriously, I always seem to be so much more untidy doing this lot - I get there, but not without a mess. lol Not that it matters too much I suppose, but it looks damned unprofessional of me :D
*just realised how that may have sounded. please know that it was intended as pretty much matter of fact with nothing between the lines at all - I wouldn't have the rights on experience alone. God I hope I can sleep soon.
 
Spike said:
Yea, I guess I probably should have done the cleanup too. Seriously, I always seem to be so much more untidy doing this lot - I get there, but not without a mess. lol

No problem mate. Thanks for the help anyway.

Regards Howard :)
 
msmsgs.exe still sort of bugs me. See, I had heard that it could possibly be a part of the Agobot-NL worm, and a few days before I joined this forum I had removed it from my computer.

However, msmsgs.exe still runs in the background.

If I try to kill the process, it comes back within seconds.

Also, after running a search, there is no instance of msmsgs.exe on my computer in system32 or in the windows messenger directories, only MSMSGS.EXE-2B6052DE.pf located in C:\Windows\Prefetch.

Anyway, I just thought it was weird.
 
Yes, it does seem legit, in which case I regret having deleted those files. :(

Edit - LOL, the files are there, they're just hidden.

By the way Howard, I followed that step-by-step procedure that you posted earlier. After doing so I have "before" and "after" HJT logs. Both the "O23" services seem to have persisted, but the R3 and O20 are gone.

I also ran adaware and spybot while I was still in safe mode. Adaware cleaned up 18 leftover registry entries associated with SpyFalcon (which ewido seems to have taken care of once and for all). Spybot cleaned up 1 Pest Trap entry, 1 Smitfraud-C. entry, and two Vcodec entries.

Anyway, that's the latest. Attached are the HJT logs.
 
What have you done with Ewido? The O23 entry for Ewido was fine earlier, and now is showing file missing.

The below entries are from your after log.

This is how you fix these O23 entries.

O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Security Tools\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)


Click start/run, and type services.msc into the run box, and press the enter key.

When the window opens, maximise it.

Locate the above O23 services. Double click on them, and if they are running select stop. Set the startup type to disabled. Click apply ok.

Regards Howard :)
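Editor's added example (not code from the thread or from HijackThis): both of Howard's posts above turn on the "(file missing)" flag that HJT prints on O23 service entries. Before stopping and disabling a service on that basis, a practitioner would want to check the flag against the disk, because the flag only tells you what HJT could resolve from the image path, and a quoted path or trailing argument can hide a file that is really there. The script below parses O23 lines in the format shown in the thread, reduces the image path to the executable it names, and compares HJT's verdict with a file-existence check that is injected as a function, so it runs here against a constructed stand-in for the disk and on the affected machine against os.path.exists. The three sample lines are the ones quoted in Howard's last post; the fourth line with a quoted path and a /run argument is hypothetical, and the FAKE_DISK contents are an assumption made up for the example.

```python
import re
from typing import Callable, Dict, List

# HijackThis prints each service as:
#   O23 - Service: <display (short)> - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<image>.+?)"
    r"(?P<flag> \(file missing\))?\s*$"
)


def image_to_file(image: str) -> str:
    """Return the executable that a service image path actually names.

    Drops surrounding quotes and anything after the first .exe/.dll/.sys
    token, so 'C:\\W\\dllhost.exe /Processid:{...}' -> 'C:\\W\\dllhost.exe'.
    """
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        return image[1:end] if end > 0 else image[1:]
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", image, re.IGNORECASE)
    return m.group(1) if m else image


def check_o23(log_text: str, exists: Callable[[str], bool]) -> List[Dict[str, object]]:
    """Parse every O23 line and compare HJT's 'file missing' flag with the disk.

    `exists` is injected: pass os.path.exists on the real machine, or a
    constructed predicate (as below) to run the check offline.
    """
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = image_to_file(m.group("image"))
        on_disk = exists(path)
        flagged = m.group("flag") is not None
        if flagged and on_disk:
            verdict = "binary present on disk despite HJT flag: verify before disabling"
        elif not on_disk:
            verdict = "binary absent: orphaned service, stop it and set Startup type to Disabled"
        else:
            verdict = "binary present"
        findings.append({"service": m.group("display"), "path": path,
                         "hjt_flag": flagged, "on_disk": on_disk, "verdict": verdict})
    return findings


# Constructed sample: the three O23 lines quoted in the thread, plus one
# hypothetical line (quoted path with an argument) that is not from the log.
SAMPLE_LOG = r"""
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Security Tools\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Example Service (ExSvc) - Unknown owner - "C:\Program Files\Example\svc.exe" /run
"""

# Constructed stand-in for the disk (an assumption for the example):
# dllhost.exe is present, the other two executables are not.
FAKE_DISK = {r"c:\windows\system32\dllhost.exe"}


def fake_exists(path: str) -> bool:
    """Case-insensitive lookup in the constructed disk, like NTFS name matching."""
    return path.lower() in FAKE_DISK


if __name__ == "__main__":
    for f in check_o23(SAMPLE_LOG, fake_exists):
        print(f"{f['service']}: {f['verdict']}")
```

On the affected XP box you would replace fake_exists with os.path.exists and paste the O23 block of the current HJT log into SAMPLE_LOG; a service whose binary is genuinely absent is the one worth stopping and disabling in services.msc, while a service whose binary is present deserves a second look before it is touched.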
 