Malware issue: please review this CWShredder log

[Ike_Witt]

A coworker has had his computer infected with some bad malware. I’ve run both adaware (found 570 objects) and Spybot S&D (about 30 objects) and the problem is still as bad as it ever was. I have now run CWShredder and would like somebody to review the log and make some recommendations for me. Also, should I try running hijack this, or will the problem be found here?

CWShredder v1.57.0 scan only report
Please understand that a CWShredder ‘Scan only’ report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://server224.smartbotpro.net/7search/?hkcu
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://server224.smartbotpro.net/7search/?hkcu
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://default-homepage-network.com/start.cgi?hkcu
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://server224.smartbotpro.net/7search/?hklm
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://server224.smartbotpro.net/7search/?hklm
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://default-homepage-network.com/start.cgi?hklm
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: http://www.couldnotfind.com/search_page.html?&account_id=146156
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (204 bytes, A)
Shell Registry value: HKLM…\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM…\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (568 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

• END OF REPORT -

[RealityChuck]

Since CWShredder has found problems, run it again to clean them. Just click on the “fix” button and it will remove all the stuff it found.

Then run hijackthis and post the log to see if there are other problems.

[Ike_Witt]

Okay, I ran the fix and then ran HJT. Here is the log file, and I can already see a few things that can probably go…

Logfile of HijackThis v1.97.7
Scan saved at 11:10:15 AM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus
avapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\owner\local settings emp\9uFX5I9.exe
C:\WINDOWS\System32\kddykd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\hadows.exe
C:\WINDOWS\System32\JwseWV1.exe
C:\WINDOWS\System32\JwseWV1.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS waintec.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM…\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM…\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM…\Run: [9uFX5I9] C:\documents and settings\owner\local settings emp\9uFX5I9.exe
O4 - HKLM…\Run: [gasfthgyfkiqf] C:\WINDOWS\System32\kddykd.exe
O4 - HKLM…\Run: [3Z8QBM65QW4GFC] C:\WINDOWS\System32\XlwA.exe
O4 - HKLM…\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM…\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM…\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM…\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM…\Run: [hadows] C:\WINDOWS\System32\hadows.exe
O4 - HKLM…\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKCU…\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU…\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU…\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 “C:\Program Files\ISTbar\istbar.dll”
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthsmakamai/systemsoappro.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/racing/dodgespeedway/microsoft/wtinst.cab

[RealityChuck]

adam yax:

Okay, I ran the fix and then ran HJT. Here is the log file, and I can already see a few things that can probably go…

You’re correct.

First of all, you have the Peper trojan, which requires special treatment

Go to this page and download the Peper uninstaller.

You must be connected to the Internet while running the program. If you have a firewall, disable it during the process.
Close Internet Explorer, run Hijackthis again, and scan the computer. Put a check mark by the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS waintec.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM…\Run: [9uFX5I9] C:\documents and settings\owner\local settings emp\9uFX5I9.exe
O4 - HKLM…\Run: [gasfthgyfkiqf] C:\WINDOWS\System32\kddykd.exe
O4 - HKLM…\Run: [3Z8QBM65QW4GFC] C:\WINDOWS\System32\XlwA.exe This is Peper. The removal tool should have removed it.
O4 - HKLM…\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM…\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM…\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM…\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM…\Run: [hadows] C:\WINDOWS\System32\hadows.exe I’m not 100% sure of this, but it’s extremely suspicious. If you haven’t installed anything named “hadows.exe,” delete it.
O4 - HKLM…\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKCU…\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU…\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe (This purports to sync your clock, but it’s loaded with spyware)
O4 - HKCU…\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 “C:\Program Files\ISTbar\istbar.dll”
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/s...stemsoappro.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

Click on “Fixed Checked” and delete the items.

Restart your computer. Search for the following and, if they exist, delete:

9uFX5I9.exe
kddykd.exe
XlwA.exe (should already be gone)
TV Media (entire folder)
fash.exe
STsvc (entire folder)
hadows.exe (note my comment above)
Loader.exe
soap.exe
ClockSync (Remove the program using Add/Remove Programs, then delete the entire folder)
ISTbar (entire folder)

See if all that helps.

[RealityChuck]

Just to clarify, don’t run hijackthis until after you finished running the Peper installer.

[Ike_Witt]

Okay, I have done everything that you outlined and it seems to have done the trick. I do have a couple of follow up questions though.

1. I can’t delete the ISTsvc folder. It tells me that access is denied to ISTsvc.exe.
2. The Norton definitions were last updated (prior to today) on 5/26, any idea of how that peper virus may have gotten through?
   I owe you one. Thanks very much.

[RealityChuck]

1. It means the program is running. The software may reinstall itself if deleted, so you should boot in safe mode. Then check your hijackthis log for any entry with a file running in the ISTsvce folder (especially in the O4 - HKLM entries) and remove it. After that, you should be able to delete.

2. Most antivirus software doesn’t notice the peper trojan. I have no idea why.