Author Topic: [SOLVED?] please help with malware infestation, hjt log  (Read 13041 times)

0 Members and 1 Guest are viewing this topic.

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
[SOLVED?] please help with malware infestation, hjt log
« on: October 21, 2008, 05:47:39 PM »
My daughter's laptop (WinXP Media Center edition, SP3; 1.6 GHz, 1 GB RAM, 105 GB HDD; PC-Cillin Internet Security*, SUPER AntiSpyware, Spyware Blaster, CCleaner), started malfunctioning yesterday.  A toolbar she didn't recognize had appeard in ie and any attempt to visit her usual websites was redirected.  Her computer also kept freezing at apparently random times, and task manager did not work.  Her first thought was virus or spyware, so she tried to run scans with PC-Cillin and SAS, but PC-Cillin wouldn't scan and SAS wouldn't even open.  She also was had a red circle with a big "X" in her system tray, with an info balloon that said Windows had detected spyware, click here to download antispyware, etc.  She also gets a dialog box titled "sh.loader" with the message "failed to extract dump"  every time myspace IM attempts to launch, which is every time the computer starts up--she says it never did that before. 

I was unable to scan with SAS even in safe mode, but I managed to install and scan with a recent copy of MBAM (in safe mode), which I had on a USB stick.  It found and removed a trojan downloader and a few lesser threats.  The fake antispyware download request was still there when I returned to normal mode, and SAS still would not open.  I then installed Spyware Terminator (in safe mode--it wouldn't install in normal mode), scanned in safe mode, and was able to remove KGBkeylogger.  The scan log noted that only parts of the keylogger were there and it had possibly been partially removed.  SAS will now scan, and removed a few more things.  The fake antispyware "ballon" with its red x'ed circle no longer appears, but the sh.loader dialog box still appears.  (I rebooted between scans.)

A friend suggested running RogueRemover (which found nothing) and VundoFix (which also found nothing). 

The computer works almost normally now, but still freezes occasionally, security programs (except Spyware Terminator) are unable to access the internet to update, and attempts to visit security-related websites result in "Internet Explorer cannot display the webpage;" also, attempts to visit other websites are redirected, usually to fake antispyware pages.

I apologize for the length of this post, but I will be going to work for a few hours and wanted to include everything.  Her HJT log is attached. 

Thanks in advance for any helpful replies.

P.S.  I have downloaded avast! install and update files, and looked up PC-Cillin removal instructions in preparation for a much-needed change.  My daughter's father had purchased a 2-year subscription nearly two years ago when he gave her the laptop as a gift, and she didn't want to switch to avast! until the subscription ran out.  She will be switching ASAP.   
« Last Edit: October 26, 2008, 03:50:28 PM by t l s »
Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80674
  • No support PMs thanks
Re: please help with malware infestation, hjt log
« Reply #1 on: October 21, 2008, 06:47:13 PM »

Unknown Fix
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Suspect/Nasty Fix
O20 - AppInit_DLLs: karna.dat

Is this an activeX control you installed (if not fix, if needed the activeX control would be reinstalled the next time you visit the site) ?

O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://www.shockwave.com/content/chocolatier/sis/ChocolatierWeb.1.0.0.13.cab

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader5.cab

Other than that I don't see anything obvious, though there are many who would consider viewpoint stuff undesirable.
http://www.pcpitstop.com/libraries/process/i/ViewpointService.exe.html
http://www.bleepingcomputer.com/forums/topic120989.html.


WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 18.8.2356/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline Spiritsongs

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1758
  • Ad-aware orientated Support forum(s)
Spybot
« Reply #2 on: October 21, 2008, 07:05:45 PM »
 :)  Hi :

 Since your daughter's Log indicates she has Spybot, I recommend you ask
 their "Malware Removal Specialists" for help on their Support Forums at
 http://forums.spybot.info  .
For the Best in what counts in Life :
www.tacf.org

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30910
  • malware fighter
Re: please help with malware infestation, hjt log
« Reply #3 on: October 21, 2008, 10:15:13 PM »
Hi DavidR,

Why viewpoint probably undesirable?This adware it is changing the default search page in a browser, enough according to me to not want this questionable software on a computer,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40636
  • Dragons by Sasha
    • Malware fixes
Re: please help with malware infestation, hjt log
« Reply #4 on: October 21, 2008, 10:20:49 PM »
Karna.dat is indicative of the kenny/facebook malware

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #5 on: October 21, 2008, 10:38:37 PM »
Thanks, DavidR.  I'm printing your reply so I'll have a handy reference while I work.  I'll post back with results.

David, Polonus--I'll ask her if the 'viewpoint stuff' is something she thinks is supposed to be there.  Either way, I think it won't be there much longer. ;)

Essexboy, thanks for the additional info.  Kenny/facebook malware makes sense, considering her internet habits.

Incidentally, my daughter doesn't actually 'have' Spybot.  I installed it today hoping for some additional removal, but it says it won't run unless it is updated, and it is unable to update.

Terry
Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80674
  • No support PMs thanks
Re: please help with malware infestation, hjt log
« Reply #6 on: October 21, 2008, 11:51:23 PM »
Hi DavidR,

Why viewpoint probably undesirable?This adware it is changing the default search page in a browser, enough according to me to not want this questionable software on a computer,

polonus

Because it is meant to be a legitimate program that comes packaged with some software that the user has effectively agreed to be on their system.

Quote
Viewpoint Media Player is a web browser plug-in that enables users to view 3D content and other media. It is bundled with AOL, AIM, versions of Netscape, certain Adobe products and sometimes not mentioned in the license agreement. Viewpoint is also bundled with Adobe Atmosphere and hardware manufacturers pre-install some of these applications.

Personally I wouldn't have it on my system, that is a choice for the user, but in the greater scheme of things it is way down and probly not implicated in the more serious problem 'malware infestation.' Nor did viewpoint get taken out by MBAM or rogueremover, etc.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 18.8.2356/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30910
  • malware fighter
Re: please help with malware infestation, hjt log
« Reply #7 on: October 21, 2008, 11:55:42 PM »
Hi t l s,

Considering: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
Winsock Hijacker  At times I've seen this has been a bad thing
Download this free program, lspfix, to fix this from here: http://www.cexx.org/lspfix.htm
Here you can establish whether your version of nwprovau.dll is malware:
http://www.spywaredata.com/spyware/malware/nwprovau.dll.php
Before making the fix, upload your version of nwprovau.dll to virustotal com

And indeed O20 - AppInit_DLLs: karna.dat          Extremely nasty
For removal instructions see here:
http://www.bleepingcomputer.com/startups/karna.dat-24101.html

Also scan with MBAM from here: http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste and attach the entire Malwarebytes' Anti-Malware report to your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

polonus
« Last Edit: October 22, 2008, 12:13:27 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80674
  • No support PMs thanks
Re: please help with malware infestation, hjt log
« Reply #8 on: October 22, 2008, 12:11:48 AM »
There are some that say it is a legit file so care needs to be exercised, as suggested virustotal, check if the associated program is present, etc.

http://www.pchell.com/support/nwprovau_dll_file.shtml
Quote
The file nwprovau.dll is a legitimate file installed by Client Service for NetWare. Its usually installed for the IPX/SPX protocol that is rarely used anymore. This is why it doesn't show up in EVERY hijackthis log file. However, the question remains: is the file needed if Client Service for Netware is not running on the computer? In my testing, the entry in the Hijackthis log is not needed if you are not using Netware and the IPX/SPX protocol is not installed on your computer. Since most networks now have standardized on using the TCP/IP protocol, this shouldn't be a problem if its removed.

And http://www.bleepingcomputer.com/startups/nwprovau.dll-13129.html and http://www.castlecops.com/lsp-255.html.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 18.8.2356/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30910
  • malware fighter
Re: please help with malware infestation, hjt log
« Reply #9 on: October 22, 2008, 12:19:13 AM »
Hi DavidR,

We try to establish the file is legit or not, a fix of Winsock LSp can be necessary in view of the update problems encountered. I would not say this file could NOT be totally legit, that is why I gave the links to assure that once and for all, but I want to make absolutely certain the file on that machine there is the legit version,

polonus

P.S. T L S should fully understand what she is doing there, so she can make a well documented decision,

Damian
« Last Edit: October 22, 2008, 12:24:50 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #10 on: October 22, 2008, 05:58:27 AM »
Again, thank you!  It seems to be getting better, but there is obviously more to be done.  The computer seems to have stopped freezing, but I still can't update and can't access security related websites.  So I'm printing instructions, following links, reading information....but it's past my bedtime now, and I'll be at work tomorrow.  But I'll be back.

Terry
Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline peln2000

  • Newbie
  • *
  • Posts: 12
Re: please help with malware infestation, hjt log
« Reply #11 on: October 22, 2008, 05:59:53 AM »
You can try a rescue CD, i posted some rescue cd's in the forum. Rescue CD's scans windows like in boot mode, so the virus is fully detected and fixed.

here is the link to the post
http://forum.avast.com/index.php?topic=39521.0

Take care!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80674
  • No support PMs thanks
Re: please help with malware infestation, hjt log
« Reply #12 on: October 22, 2008, 01:58:01 PM »
Again, thank you!  It seems to be getting better, but there is obviously more to be done.  The computer seems to have stopped freezing, but I still can't update and can't access security related websites.  So I'm printing instructions, following links, reading information....but it's past my bedtime now, and I'll be at work tomorrow.  But I'll be back.

You're welcome.

If you are having problems accessing security sites it is possible the HOSTS file has been modified to block this.

HOSTS file redirect - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice (and report the findings), C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 18.8.2356/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #13 on: October 23, 2008, 04:14:17 AM »
After I posted last, I uninstalled my daughter's now crippled internet security app according to the instructions I found on their website, booted, and installed avast, then updated offline.  After a boot time scan found 15 things to quarantine, I am happy to say I can now access security websites; and everything updates nicely.  Three cheers for avast!

I installed and updated the current version of MBAM, which found and removed a few more items.  Yes, some of them required a reboot to remove.  I am following with another boot time scan to see if anything else has crawled out of the woodwork.

VirusTotal didn't have anything scary to say about c:\windows\system32\nwprovau.dll.

DavidR, thanks for the HOSTS file reminder--believe it or not, that is one of the first things I checked; nothing was amiss, and I just forgot to mention it.

It's bedtime again.  I'll post the last MBAM report and a new HJT log tomorrow.

Thanks, guys!  You're the best!
Terry

Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80674
  • No support PMs thanks
Re: please help with malware infestation, hjt log
« Reply #14 on: October 23, 2008, 02:49:58 PM »
You're welcome, looks like a good start.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 18.8.2356/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/