Identify this spyware/virus

Discussion in 'Computers' started by Jay H, Apr 25, 2005.

  1. Jay H

    Jay H Producer

    Joined:
    Mar 22, 1999
    Messages:
    5,654
    Likes Received:
    33
    Trophy Points:
    0
    Location:
    Pittsfield, MA
    Real Name:
    Jay
OK, an ongoing battle with a good friend of mine, who unfortunately is far away such that I can't get access to it, so we have to do this by phone. She isn't terribly computer literate so it's kind of hard. I removed a ton of spyware and virus/worms already using a combo of Ad-Aware, Spybot, AVG Free, and HijackThis. I was able to get her to remove a bunch of stuff manually through killing the process, deleting the file/folder and then cleaning the registry through HJT.

    She's got one spyware/virus thing still on it MediaAccess, and MediaAccK which run as processes which her system isn't allowing her to delete as per my instructions. So I can get her to delete that in safe mode. (I told her how to delete processes, then delete files in Normal mode, which for the most part tends to work OK).

    However, there are a couple of nagging issues that raised questions for me:

1) She seems to have some kind of virus/spyware that can create random lettered files XXXXXX.exe in the c:\windows\system32 directory (she's running Win XP). I'm not sure if it actually creates the file permanently or on the fly. I can see entries using HJT as O4 HKLM\..\Run entries but it always seems to be 6 random characters, and she said she could not find the files to delete, so I'm wondering if this is something that is running and then creating random filenames on the fly. Anybody recognize a virus like this? Right now, the HJT log file she sent me has the following O4 Run entry for "rgafqq.exe" in the windows\System32\rgafqq.exe location. The others I told her to delete seem to have successfully been deleted from her registry and the file doesn't exist.

    I had her delete a bunch of random lettered stuff in HJT but she says she can't find the file there. (Going to tell her to do a global search soon).

    Things that I know she had (That I have removed previously)

    myDoom (don't know what variant)
    W32.Bloodhound (again, don't know what variant)
1800SearchAssistant
    Cashback.exe
    Navisearch
    Toolbar
    Some kind of trojan downloader I forget now, but is gone.


    Is there any reason why the System32 folder is NOT write protected? If she isn't installing anything, I'm afraid of some virus overwriting say services.exe or svchost.exe or some other program. Shouldn't a virus scanner detect this?
    I figure if she wants to install something OS related, she can always just unwrite protect it.

    My next move would be for her to remove an old copy of NAV 2002 and install the new NAV2005 I sent to her. Even if it's trialware, I can get her to delete it after the 15 days. AVG Free didn't seem to find anything that she still has.

    She also seems to have a process that shouldn't be there:

"c:\windows\explorer.EXE"

    The above is a direct quote with the capital EXE from using HJT.

    explorer.exe should be in system32 directory and I can tell her to kill that. I don't see where that is being run though...

Her only visual problem right now is that she has popup windows (not the Windows Messenger service, which is disabled) that appear when she is connected to the internet. It might be that explorer.EXE that is running...who knows.

    Jay
     
  2. Don Giro

    Don Giro Supporting Actor

    Joined:
    Jan 22, 2004
    Messages:
    848
    Likes Received:
    19
    Trophy Points:
    610
    Location:
    New Jersey
    Real Name:
    Don
    My advice is to call on the big dogs over at the SpywareInfo website. You can post log files from HijackThis and your XP system, and one of their experts will help you out. Check out SpywareWarrior, too. These are the sites I use when I'm stumped...
     
  3. Jay H

    Jay H Producer

    Joined:
    Mar 22, 1999
    Messages:
    5,654
    Likes Received:
    33
    Trophy Points:
    0
    Location:
    Pittsfield, MA
    Real Name:
    Jay
    Hey, thanks for the info Don, I have tracked it down to

    Adware.Neededware

    I was on the phone with her again for 2 hours last night, just confirming things and helping her update NAV to NAV 2005.

She sent me the latest HJT log and the only two objects that I recognized as problematic were

    an

O15 Trusted Zone: www.neededware.com
C:\windows\system32\[6 random characters].exe

Well, since I told her to delete those previously, yet they still came back, I figured something else was resident on her laptop that is messing up her registry every time she logs in.

    She told me she was successfully able to remove Media Access via booting up in safe mode, so that is now gone.

    I did a google search on the remaining item that seems to reappear and that was the neededware and I found this:

    http://sarc.com/avcenter/venc/data/a...eededware.html

    That's exactly what her problem is, she has the 6 random letter executable in the system32, she has that O15 in her registry that HJT picks up AND she gets all these stupid popups when she is connected to the internet.

    Apparently, Spybot, Adaware, HJT, AVG, do not detect the registry items in

    Adds the values:

    "ID"="[Random CLSID]"
    "LastAdShownDate"="[Initially blank]"
    "LastAppInstalled"="[Initially blank]"
    "LastUpdateCheck"="[Initially blank]"
    "Version"="[Adware version number]"

    to the registry key:

HKEY_LOCAL_MACHINE\Software\wserv

So, they weren't deleted and it seems to come back every time.

    Going to call her tonight with my results and help her clean the registry and then also help her delete the files that NAV finds..

    Jay
     
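The two log symptoms described in posts 1 and 3 (an O4 Run entry pointing at a six-random-letter executable in System32, and an O15 Trusted Zone entry for a domain that has no business being trusted) are easy to miss when reading a HijackThis log by hand over the phone. The following is an added example, not code from the thread or from the HijackThis project: a small triage script that parses HJT-style O4 and O15 lines, flags the two patterns, and compares a before/after pair of logs so that an entry class which returns after deletion (the name changes each time, so exact-line matching is useless) stands out as the sign of a resident dropper. All log lines, the allowlists, and the names xkqzpl.exe and mvhtra.exe are constructed for the example; only rgafqq.exe and neededware.com come from the thread.

```python
"""Triage HijackThis-style O4/O15 lines for the symptoms discussed in the thread.

Added example; the sample logs and allowlists below are constructed.
"""
import re
from typing import Iterable, List, NamedTuple

# Constructed sample log: a "before cleanup" snapshot. rgafqq.exe and
# neededware.com come from the thread; the other entries are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [rgafqq] C:\WINDOWS\System32\rgafqq.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xkqzpl] "C:\WINDOWS\system32\xkqzpl.exe" /s
O15 - Trusted Zone: www.neededware.com
O15 - Trusted Zone: *.windowsupdate.com
"""

# Constructed "after cleanup" snapshot: the random name is different, but the
# same class of entry is back, which is what the thread observed.
AFTER_CLEANUP_LOG = r"""
O4 - HKLM\..\Run: [mvhtra] C:\WINDOWS\System32\mvhtra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.windowsupdate.com
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
RANDOM_EXE_RE = re.compile(r"^[a-z]{6}\.exe$")

# Six-letter System32 binaries that legitimately show up in Run keys on XP.
# Constructed allowlist for the example; build yours from a known-clean machine.
KNOWN_GOOD_SIX_LETTER = {"ctfmon.exe"}

# Hosts acceptable in the IE Trusted Zone; constructed for the example.
TRUSTED_ZONE_ALLOWLIST = {"*.windowsupdate.com"}


class Finding(NamedTuple):
    kind: str      # "random_system32_exe" or "trusted_zone_host"
    section: str   # HJT section, e.g. "O4" or "O15"
    detail: str    # the executable path or host that triggered the finding
    line: str      # the original log line


def first_executable(cmd: str) -> str:
    """Return the program a Run command launches, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def looks_like_random_system32_exe(path: str) -> bool:
    """True for <six lowercase letters>.exe under System32 that is not allowlisted."""
    lowered = path.lower()
    base = lowered.rsplit("\\", 1)[-1]
    return ("\\system32\\" in lowered
            and RANDOM_EXE_RE.match(base) is not None
            and base not in KNOWN_GOOD_SIX_LETTER)


def host_allowed(host: str, allowlist=TRUSTED_ZONE_ALLOWLIST) -> bool:
    """Match a Trusted Zone host against exact entries and *.domain wildcards."""
    host = host.lower()
    for entry in allowlist:
        if entry.startswith("*."):
            if host == entry or host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def triage(lines: Iterable[str]) -> List[Finding]:
    """Flag suspicious O4 and O15 entries; everything else is ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = first_executable(m.group("cmd"))
            if looks_like_random_system32_exe(exe):
                findings.append(Finding("random_system32_exe", "O4", exe, line))
            continue
        m = O15_RE.match(line)
        if m and not host_allowed(m.group("host")):
            findings.append(Finding("trusted_zone_host", "O15", m.group("host"), line))
    return findings


def reappeared(before: Iterable[str], after: Iterable[str]) -> List[Finding]:
    """Findings in the new log whose kind was already present in the old one.

    Matching on kind rather than on the exact line matters here: a dropper that
    regenerates a random filename at every logon defeats line-by-line diffing.
    """
    earlier_kinds = {f.kind for f in triage(before)}
    return [f for f in triage(after) if f.kind in earlier_kinds]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section}: {f.kind} -> {f.detail}")
    for f in reappeared(SAMPLE_LOG.splitlines(), AFTER_CLEANUP_LOG.splitlines()):
        print(f"still present after cleanup: {f.section} {f.detail}")
```

Run against the constructed logs, the script flags rgafqq.exe and xkqzpl.exe (the quoted path is handled) and the neededware.com Trusted Zone entry, while ctfmon.exe, a legitimate six-letter System32 binary, is left alone because of the allowlist; the before/after comparison then reports mvhtra.exe as the same class of entry returning under a new name.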
  4. Jeff Blair

    Jeff Blair Second Unit

    Joined:
    Apr 30, 2000
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    0
Nice to see that you have it fixed. Did you ever think about installing VNC on her PC? That way, you can do it over the net, and not have to try to talk her through it. But, if she has a dial-up (what's that word mean again??) I wouldn't think about it. You could drive there quicker.
     
  5. Jay H

    Jay H Producer

    Joined:
    Mar 22, 1999
    Messages:
    5,654
    Likes Received:
    33
    Trophy Points:
    0
    Location:
    Pittsfield, MA
    Real Name:
    Jay
We both have dialup.. Neither of us is online too much either. I am a software engineer but I don't browse the net that much at home. I can do it at work and anything large, I can just use a flash drive to bring home. We have a fast connection at work. Since I don't have cable nor even a hookup, the only thing I could go with is DSL anyway, which is good in my area from what I hear, but like I said, I don't need to pay anything more than what I pay for dialup for what I use the internet for.

    Jay
     
  6. Ian-Fl

    Ian-Fl Second Unit

    Joined:
    Jul 13, 2003
    Messages:
    281
    Likes Received:
    0
    Trophy Points:
    0
    I found the latest NAV Professional did well with spyware as well as not using IE Explorer.
    I set all my IE Explorer settings to the highest and only drop them when I update XP.
I use the latest version of Firefox and don't enable anything when I browse. When I use Google I'm very careful with what I click.
     
  7. MikeH1

    MikeH1 Screenwriter

    Joined:
    Oct 25, 2000
    Messages:
    1,492
    Likes Received:
    0
    Trophy Points:
    0
  8. Jay H

    Jay H Producer

    Joined:
    Mar 22, 1999
    Messages:
    5,654
    Likes Received:
    33
    Trophy Points:
    0
    Location:
    Pittsfield, MA
    Real Name:
    Jay
    Thanks guys, I haven't had time to help her since the last update, but I did have time to download some little apps that I can send her to run. NAV '05 found other crap too like
    Adware.binet
    Adware.180search
    Adware.EliteToolbar

and although NAV was able to remove a bunch and I was able to help her remove the rest, Symantec makes some little apps to detect a specific adware, so I downloaded them and sent them to her last night to run. But we didn't get a chance to work on it last night.

I'm just going to get her to delete every stinkin' temp file in all the temp directories, and the ActiveX program files in c:\windows.

    The first things she did was stop using Outlook and IE, she is now using Eudora 6.2.1 and Firefox.

I searched the forums at spywareinfo.com for Neededware and found some more useful info. I think since NAV '05 didn't detect it, it's probably a variant. Especially since their SARC website says to delete HKLM\Software\wserv whereas I had her delete HKLM\Software\ndwserv, which is not the same registry key that SARC or TrendMicro says it is (TrendMicro says it should be HKLM\Software\nwserv).

    Jay
     