
Thread: Melcosoft adware/spyware

  1. #1 Junior Member (Join Date: Nov 2004, Posts: 5)

    Melcosoft adware/spyware

    I have a PC that's infected with spyware/adware from melcosoft/melkosoft...places the file 'n8413fihtx.dll' in the Windows system folder...can't delete it through virus software (Norton's) or Spybot...an access violation occurs, saying that Windows is using the file. Also writes registry entries, which after deleting, just recreate themselves.

  2. #2 wenwilder, WebProWorld MVP (Join Date: Jul 2003, Posts: 942)
    This one is going to be fun :)

    One suggestion is downloading and running Ad-aware if you haven't already. I noticed you ran spybot otherwise I'd suggest it too ;) Ad-aware probably won't remove it but it could pick up 'back-up' files that keep bringing it back.

    Now, if you are ready to get rid of it there is a way - download HiJackThis. Unzip it and run it. Once it has run, save the 'log' and post it in this thread. If you have any questions on how, there is a step-by-step explanation here.

    Do NOT have hijackthis fix anything!

    I'll keep an eye on your post. Once you post the log file it'll be an easy matter to find a solution. ;)

    Look forward to your log file.

  3. #3 mikmik, WebProWorld MVP (Join Date: Aug 2003, Posts: 1,557)
    Adware.SuperSpider
    If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.
    It is a CWS
    When Adware.SuperSpider is executed, it performs the following actions:

    1. Adds the value:

    "Network Security Guard" = <Path to file>

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the Adware runs when you start Windows.

    2. Adds the following registry keys:

    HKEY_CLASSES_ROOT\bjmwk.iaoi
    HKEY_CLASSES_ROOT\bjmwk.iaoi.328
    HKEY_LOCAL_MACHINE\SOFTWARE\Melcosoft
    HKEY_CLASSES_ROOT\hwohn.cdddwx.579
    HKEY_CLASSES_ROOT\hwohn.cdddwx
    HKEY_CLASSES_ROOT\redalert.here.1
    HKEY_CLASSES_ROOT\redalert.here
    HKEY_CLASSES_ROOT\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}
    HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}
    HKEY_CLASSES_ROOT\Plugin6.DNSErrObj
    HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1

    3. Adds the value:

    "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}" = ""

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    so that the Adware loads with the browser.

    4. Modifies Internet Explorer settings, such as the home page and search page, to point to super-spider.com.

    5. May download and execute files from t34rulit.com.

    6. May display ads.

    7. Modifies search behavior if it finds one of the following keywords in the domain:
    o *my-finder.com*
    etc...


    The link again for the Symantec removal page

    Anytime you cannot delete a process or file because it is in use, boot to safe mode and delete it.
    And remember to shut off system restore as well.

  4. #4 mikmik, WebProWorld MVP (Join Date: Aug 2003, Posts: 1,557)
    Giant Labs
    Known as: Network Security Guard, Melcosoft
    Description: SuperSpider is an Internet Explorer toolbar, which modifies search requests and downloads files.
    Author: Melcosoft Corporation
    SuperSpider Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with SuperSpider, you can clean your machine of this spyware threat for free by downloading GIANT Antispyware now (Download the GIANT AntiSpyware Free trial).


    File Signatures:
    >> : MD5 hash: ccbf08de679dcd0f4b2...


    Internet Explorer Integration: [These programs run inside the Internet Explorer web browser process. Programs such as these that run within IE have the ability to add toolbars, capture/hijack web browsing data, as well as modify your web searching.]
    >> Browser Helper Object: {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}


    Registry Signatures: [These are registry keys and values that this spyware threat has been known to install or modify. This includes sub keys as well.]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Network Security Guard
    HKEY_LOCAL_MACHINE\SOFTWARE\Melcosoft
    HKEY_CLASSES_ROOT\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}
    HKEY_CLASSES_ROOT\Plugin6.DNSErrObj
    HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

    *The signatures in the files list above include standard MD5 hashed signatures. The GIANT AntiSpyware proprietary signatures, known as Genetic Fingerprints and LSH signatures, are not included in the list above.

  5. #5 Junior Member (Join Date: Nov 2004, Posts: 5)

    Melcosoft cleanup

    MikMik:
    Tried running in safe mode first to delete...no good...says still in use by Windows. I can't figure out which service is using it...tried terminating ALL running services one at a time, and no good. Must be being used by a system service that I cannot stop through Task Manager (running on a Windows 2k PC by the way). Will try the other options posted by you & others. Thanks.

  6. #6 Junior Member (Join Date: Nov 2004, Posts: 5)

    Melcosoft -symantec removal

    Tried following the Symantec removal instructions. Only some of the reg entries were in the reg file...deleted the ones listed, exited regedit, rebooted in safe mode, tried to delete the file (n8413fihtx.dll)...still no go. (Also removed this from my registry, under LM/software/microsoft/winnt/currentversion/window/Appint_dlls, though it did not call to do this.)

    Here's the log from HijackThis (nothing looks bad to me, except maybe the DPF entry pointing to Recycled, or the 2nd to last entry showing a name server, but what do I know):

    Logfile of HijackThis v1.97.7
    Scan saved at 10:09:49 AM, on 11/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\eRoom 6\ERClient.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\SYSTEM32\MMC.EXE
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\CENTURY\WTERM\WTERM32.EXE
    C:\Avn\P\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ramtechnologiesinc.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\avnelson\Application Data\Mozilla\Profiles\default\usrtam6r.slt\prefs.js)
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [eRoom 6] C:\Program Files\eRoom 5\erclient.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
    O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
    O4 - HKLM\..\Run: [PPUpdater] C:\PROGRA~1\PESTPA~1\PPUPDA~1.EXE /onceaday
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: delcrown.bat
    O4 - Startup: Fax Queue.lnk = C:\WINNT\SYSTEM32\FAXQUEUE.EXE
    O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: delcrown.bat
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: http://*.NFCPMAIN
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/096acd4bb6893a2...p/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...028.2522685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
    O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://e6.ford.com/eroomsetup/client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86B162F7-4957-4276-B573-E2CEB4466215}: NameServer = 216.234.97.2 216.234.97.3
    O19 - User stylesheet: C:\WINNT\Web\oslogo.bmp (file missing)

    Thanks for any help

  7. #7 wenwilder, WebProWorld MVP (Join Date: Jul 2003, Posts: 942)
    Right off - the computer is pretty clean, but the O15s need to be removed. Run HijackThis while in safe mode, select and fix the following:

    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: http://*.NFCPMAIN
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/096acd4bb6893a2...p/RdxIE601.cab


    Once that is done, one more program to download and run, CWShredder.

    You should be good to go ;)
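As an added example that is not part of the thread or of any tool named in it, here is a small Python triage pass over a HijackThis log that applies the same criteria wenwilder used in post #7 (every O15 Trusted Zone entry, the file:// and bare-IP O16 entries) together with the SuperSpider indicators quoted from Symantec in post #3 (the BHO CLSID and the "Network Security Guard" Run value). The sample log lines are constructed in the shape of the log posted above; the O4 line and its path are hypothetical.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the Symantec write-up in post #3.
SUPERSPIDER_BHO = "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"
SUPERSPIDER_RUN = "Network Security Guard"

# Constructed sample lines in the shape of the HijackThis 1.97 log above;
# the O4 "Network Security Guard" line is hypothetical, with a placeholder path.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Network Security Guard] C:\WINNT\system32\PLACEHOLDER.EXE
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/096acd4bb6893a2...p/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def triage(log_text):
    """Return (section, reason, line) for each log line that deserves a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "O2" and SUPERSPIDER_BHO.lower() in body.lower():
            reason = "BHO CLSID listed for Adware.SuperSpider"
        elif sec == "O2" and body.endswith("(no file)"):
            reason = "BHO registered but its DLL is missing"
        elif sec == "O4" and "[%s]" % SUPERSPIDER_RUN in body:
            reason = "Run value name listed for Adware.SuperSpider"
        elif sec == "O15":
            reason = "site added to the IE Trusted Zone"  # wenwilder fixed every O15
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]  # the download URL follows the last " - "
            if url.lower().startswith("file:"):
                reason = "ActiveX download points at a local file"
            elif IPV4_RE.fullmatch(urlparse(url).hostname or ""):
                reason = "ActiveX download from a bare IP address"
        if reason:
            findings.append((sec, reason, line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:<4}{reason}\n    {line}")
```

Run against the full log posted in #6, this flags exactly the entries wenwilder listed; the O3 toolbar and the vendor-hosted O16 entries pass through untouched.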

  8. #8 Junior Member (Join Date: Nov 2004, Posts: 5)

    melkosoft

    Still no luck.
    The n8413fihtx.dll file still can't be deleted. Even in safe mode...tried using the HijackThis & CWShredder tools...takes care of the files you indicated, but not the registry entries for melkosoft or the n8413fihtx.dll file.

    I'll delete those entries while in safe mode, exit the registry, go back into the registry right afterwards, and they're there again.

    How can I determine what Windows source is using this file, and how can I stop that from running, so I can delete the file? Then I'll modify the registry.

  9. #9 wenwilder, WebProWorld MVP (Join Date: Jul 2003, Posts: 942)
    Quick question:

    Do you use wterm v6.2.7?

    I haven't abandoned you ;)

    Mikmik, ideas?

  10. #10 wenwilder, WebProWorld MVP (Join Date: Jul 2003, Posts: 942)
    If I wasn't a blonde I might have thought of this sooner lol. DLLinformant is a great program for finding out what programs are associated with what .dlls. It would be just a matter of running it to locate the file using it and then deleting it and the .dll. Even if you have to use killbox to do it.

    There is one.....problem...with dllinformant. It doesn't have a 'find' or search function so,....you actually have to go through all the .dlls it finds. (Takes 20-30 minutes to find all the .dlls on your system.) It is worth it in the end, but it depends on how much time you want to devote to finding it. Meanwhile, I haven't given up on a quicker way. :)

    If you do download and run dllinformant, run the collector first; when it is done, then open the viewer and click No, not Yes, or you'll wait another 20-30 minutes while it scans for all the .dlls.