I need to get rid of these dll files [!Submit HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Harpo, 2005/08/22.

  1. 2005/08/22
    Harpo (Well-Known Member, Thread Starter)

    Hello,

    A computer on my local small p2p network became infected with a trojan two weeks ago (Phish-Bankfraud1-Troj[htm], also called Trojan-Spy.HTML.Citifraud.ai). After much travail, we managed to delete it, but in the meantime, it ******* up our firewall (ZoneAlarm).

    On ZA staff advice, I've tried to uninstall and do a clean reinstall of ZA, but I've got a bevy of dll files sitting in the local temp folder that have somehow become corrupt and refuse to be deleted. Until I can get rid of them, I can't continue with restoring the firewall.

    At this time, the problem computer has no internet access d/t the fact that it has no IP address. This seems to have happened while uninstalling ZA. Release and renew functions did not correct this situation. (It's gotta be related to the dlls?) I'm hoping that once I get the dll problem resolved, I can delete the dysfunctional NIC entry in device mgr, reinstall the NIC, and reconfigure the LAN connection to resolve the IP address (or lack of). Would this be correct?

    The dlls (according to ProcessExplorer) are associated with explorer.exe. I have tried running regsvr32, renaming the dll file extensions to .old and then deleting them, but they came back immediately (even before rebooting). I've also tried killing the files with KillBox, but that didn't work either. sfc /scannow did not find any problem.

    Does anybody know what could be recreating these dll files and how I can permanently get rid of them?
     
  2. 2005/08/22
    Welshjim (Inactive)

    Last edited: 2005/08/22

  4. 2005/08/23
    Harpo (Well-Known Member, Thread Starter)

    !Submit [HJT log]

    I forgot to mention when I first posted yesterday that I'd already run Spybot S&D (ver 1.4), Ad-aware, Ewido, CWShredder, and a2. Also, this morning I ran Rootkit Revealer after running MoveOnBoot (no luck), and it came up with over 65,000 discrepancies!!!!! I've got a 1.5MB file of the results. I re-ran KillBox as Admin and found duplicates of the dll files in a folder called !Submit, which also refuses to stay deleted.

    I've run HJT three times since this all started, with the most recent being this morning. My own inexpert review only reveals some duplicate entries (another side-effect of the infection), a couple of leftover entries from uninstalled programs, and an entry for PLSRemote.exe, which I've already deleted a couple of times, but isn't of great concern right now. Anyway, here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:15 AM, on 8/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\system32\PROMon.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    A:\HijackThis ver1991.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
    O3 - Toolbar: (no name) - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - (no file)
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\WINPAT~1\WinPatrol.exe "
    O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server "
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - Startup: MailWasher.exe
    O4 - Startup: SoftStuff Wallpaper Changer(2).lnk = C:\Softstuf\softstrt.exe
    O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
    O4 - Startup: SpywareGuard(2).lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch(2).lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office(2).lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
    O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  5. 2005/08/23
    markp62 (Geek Member, Alumni)

    You say PLSRemote.exe is gone, but you have a hard time getting HJT to remove the entry? Try this: go to Start\Run, type in Services.Msc, and press Enter. Locate this in the list.

    PLSRemote Service

    Right click on it, select Properties, and set to Disable.

    Rescan with HJT and remove these items. Note: I have included some entries for legitimate programs here; they are duplicate startups, and you do not need them.

    O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server
    O4 - Startup: SoftStuff Wallpaper Changer(2).lnk = C:\Softstuf\softstrt.exe
    O4 - Startup: SpywareGuard(2).lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch(2).lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office(2).lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)

    If you are no longer experiencing crashes, you can remove the following line.

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    No need to delete Support.Com; it was installed by your ISP or the computer manufacturer, but it doesn't need to be running. It can be mild spyware, depending on who put it there.
     
  6. 2005/08/24
    Harpo (Well-Known Member, Thread Starter)

    NOT !Submit

    Hello, Mark -

    PLSRemote came back as soon as I rebooted. As far as the dups, I just hadn't gotten around to deleting them, as I've been concentrating on the greater problem of the dlls.

    I haven't experienced any crashes at all, so I guess I should go ahead and remove the dumprep entry...

    BTW, I found out that the !Submit folder is associated with and was created by KillBox, so I guess my thread title is pretty meaningless.
     
  7. 2005/08/24
    PeteC (SuperGeek, Staff)

    Harpo - I have merged your two threads with edit - less confusing that way :)
     
  8. 2005/08/24
    Harpo (Well-Known Member, Thread Starter)

    NP - I just didn't want to post a HJT log in an inappropriate forum.
     
  9. 2005/08/25
    oshwyn5 (Inactive)

    The problem is that there is a hidden component which reinstalls the service.
    Check to see if you have one of these files: RemAdm-RemoteAdmin.dll, RemAdm.dll, RemoteAdmin.dll.

    Check your firewall to see if Port 4899 is left open. (Close it.)


    It is possible you have had a rootkit, but if that is so, generally a clean install is the best solution since the windows kernel has been modified. You could try a repair install first.
     
  10. 2005/08/25
    Harpo (Well-Known Member, Thread Starter)

    Neither of those files showed up in a search.

    Port 4899 is closed.
     
  11. 2005/08/26
    oshwyn5 (Inactive)

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find

    PLSRemote Service

    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File > Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    1 - Close all open Explorer windows and browsers
    2 - Run HijackThis

    In HijackThis, click on "Open the Misc Tool Section".
    Look for the delete on reboot option.
    Browse to and select
    C:\WINDOWS\SYSTEM32\PLSRemote.exe
    If it exists.
    3 - Click on the Scan button and when complete
    4 - Put a check beside
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
    5 - Click on the "Fix Checked" button
    6 - When complete close the application and restart the computer.


    If you have System Restore on, you should first disable it; it may think this is a critical system file and service and be restoring it.
    Go to Control Panel / System / System Restore and check "Turn off System Restore on all drives".
    Go to Start / Run, type cleanmgr and hit Enter.
    Choose the "More Options" tab and clean out the restore points.

    When you are all clean, you can remove the check and go to start/ programs/ accessories/ system tools/ system restore and create a new restore point that is not infected.
     
    Last edited: 2005/08/26
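    The same stop-then-disable sequence, together with the "which process has this file loaded" check that ProcessExplorer gave Harpo in post #1, as an added PowerShell example. It is not from the thread or any poster; it assumes an elevated prompt and a current PowerShell, and the only path it uses is the PLSRemote.exe path already quoted in the log above (substitute the file you are fighting).

    ```powershell
    # Added example, not from this thread: triage a file that refuses to stay
    # deleted, the way the posts above do by hand with ProcessExplorer and
    # services.msc. Run from an elevated PowerShell prompt.

    function Get-FileHolders {
        # Returns the processes that have $Path loaded as a module (the
        # ProcessExplorer view that pointed at explorer.exe in post #1) and the
        # services whose configured ImagePath references it. A holder that is
        # still running is the usual reason a delete or rename is undone at once.
        # A service whose binary is already gone (the O23 "file missing" case)
        # still shows up here, because the match is on the registered path.
        param([Parameter(Mandatory)][string]$Path)

        $target = [System.IO.Path]::GetFullPath($Path)

        # Processes with the file mapped. Reading .Modules throws Access Denied
        # for protected processes, so those are skipped rather than fatal.
        $procs = foreach ($p in Get-Process) {
            try {
                if ($p.Modules.FileName -contains $target) { $p }
            } catch { }
        }

        # Services whose registered binary is the file. PathName may be quoted
        # and may carry arguments, so match on the leading path only.
        $svcs = Get-CimInstance Win32_Service | Where-Object {
            $_.PathName -and ($_.PathName.Trim('"') -like "$target*")
        }

        [pscustomobject]@{ Path = $target; Processes = $procs; Services = $svcs }
    }

    function Disable-HoldingService {
        # Stop the service and set Startup Type = Disabled, as post #11 does in
        # services.msc, then return the resulting state so it can be verified
        # before the file itself is removed.
        param([Parameter(Mandatory)][string]$Name)
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $Name -StartupType Disabled
        Get-Service  -Name $Name | Select-Object Name, Status, StartType
    }

    # Usage: the path below is the one from the HJT log in this thread.
    $report = Get-FileHolders -Path 'C:\WINDOWS\SYSTEM32\PLSRemote.exe'
    $report.Processes | Select-Object Id, ProcessName, Path
    $report.Services  | Select-Object Name, State, StartMode, PathName
    foreach ($s in $report.Services) { Disable-HoldingService -Name $s.Name }
    ```

    Once the report shows no running process and every matching service is Disabled, the delete-on-reboot step from post #11 should hold.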
  12. 2005/08/26
    Harpo (Well-Known Member, Thread Starter)

    oshwyn5,

    Disabling PLSRemote using the services.msc command worked great! It did not appear in HJT after using that command.

    Now, if I could just get rid of those dll files...
     
  13. 2005/08/26
    Newt (Inactive)

    Get MoveOnBoot (link and suggestion in post #2) and you can get rid of pretty much any file on your PC.
     
  14. 2005/08/29
    Harpo (Well-Known Member, Thread Starter)

    Already tried it.
     
  15. 2005/08/29
    oshwyn5 (Inactive)

    Yes, but before, the service was still running. Try MoveOnBoot or the delete-on-boot option in the HijackThis Misc Tools.
    Make sure you get the full path correct for each file.
     
  16. 2005/08/30
    Harpo (Well-Known Member, Thread Starter)

    Tried again using HJT. Still there.
     
  17. 2005/08/30
    Welshjim (Inactive)

    Been away on a trip, so I confess to not having read this whole thread and therefore do not know if this is in a home or office environment.
    Here is one view about PLSRemote.
    http://castlecops.com/o23list-921.html
    It has a link to a McAfee site for removal, but that seems pretty generic info.
    Symantec does not seem to offer anything.
    I presume you have run AdAware, have an antivirus installed (with the latest updated virus definitions) and have SpywareBlaster installed (with the latest reference files). Or maybe an anti-trojan detector:
    http://www.anti-trojan-software-reviews.com/
    I have heard good things about ewido and a².
     
  18. 2005/08/30
    Harpo (Well-Known Member, Thread Starter)

    Hello, Welshjim,

    Thank you for the links.

    PLSRemote seems to have come pre-installed on all the computers in this office at the time of purchase from the manufacturer. We will be disabling and uninstalling it all around.

    And yes to all your assumptions about pre-existing software installations. I try to keep us safe around here. :)

    We have resolved the problem, which seems to have been related to a screensaver that was somehow actively maintaining the dlls, which are now gone.

    Thanks to all who responded.
     
  19. 2005/08/30
    Welshjim (Inactive)

    Harpo--Thanks for posting back. Glad to hear the good news. If I understand, it was a screensaver that caused the problem deleting the .dll files rather than PLSRemote. Or are they connected?
     
  20. 2005/08/31
    Harpo (Well-Known Member, Thread Starter)

    Not sure what the screensaver's relation to the problem was (it had been on the computer since it was new two years ago, without any trouble), except that it was maintaining the dll files that I was trying to delete. I don't think PLSRemote had anything to do with it - it was just something that I'd been trying to get rid of for awhile and it was stubbornly hanging on (on all the computers) until oshwyn5 suggested disabling it before deleting it, which worked great!
     
  21. 2005/08/31
    oshwyn5 (Inactive)

    Also note that often when you have a network it is necessary to remove all other computers from the network and clean them one at a time or they may reinfect each other. At a minimum only have one turned on at a time until you verify they are all clean.
     
