spiderman strikes...virus???wallpaper change

September 3rd, 2004, 08:03 AM   #1
Junior Member
 
Join Date: Sep 2004
Posts: 5
Hi,
I have the same problem as Lolinza ('wallpaper change' post), who posted here a couple of days ago.
After a minute or so of booting up, my desktop changes to a picture of someone's tattooed ****hole with the words 'Spiderman Strikes' written at the top.
I have tried Norton AntiVirus, Ad-Aware and HouseCall but nothing is picked up.
I have run all these programs in safe mode and deleted the image files of 'spiderman' numerous times, but it still comes back.
My computer has now become noticeably slower (after about 3 days of being infected) and IE keeps shutting down.
I have just run HijackThis and saved the log file... which, admittedly, doesn't mean a lot to me... and wondered if there was anyone willing to take a look at it.
I will post it here if there is anyone that can offer any help.
Thank you in anticipation.
g
geronimo171
September 3rd, 2004, 08:15 AM   #2
Member
 
Join Date: Oct 2001
Location: Singapore
Posts: 265
I'll take a look at it, geronimo171. Be more than happy to do so.

It's possible the registry has been "hijacked" to allow Spiderman's incessant return. Could be there is still a mischievous script in your system, executing itself either from the registry or the start-up folder.

What OS are you running? Did you update your virus extensions before you scanned your system for infection?

Michael Chiew
September 3rd, 2004, 08:47 AM   #3
Junior Member
 
Join Date: Sep 2004
Posts: 5
Thanks a lot.
I'm on XP, using a computer set up for 3 individual logons. I was networked to a Mac, which I have since disconnected... just in case. I have updated and re-updated everything. I am emptying out all temp folders and the recycle bin before rebooting, and I have System Restore turned off.
I have just also run Spy Doctor, which found something called 'clientman' in my registry. Anyway, I deleted the key, rebooted, found the same key still in the registry, deleted it again... but 'spiderman' is back.
Here's the saved log from HijackThis... hope you can help.
Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 11:42:44, on 03/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AdwareSpy\AdwareSpy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Janice\Local Settings\Temporary Internet Files\Content.IE5\8HIJ8LI3\HijackThis[1].exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\ADWARE~1\ADWARE~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NAVAPIW32] C:\WINDOWS\SYSTEM32\NAVAPIW32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Adware Spy] C:\Program Files\AdwareSpy\AdwareSpy.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
geronimo171
September 3rd, 2004, 08:52 AM   #4
Junior Member
 
Join Date: Sep 2004
Posts: 5
Hi,
Just want to add something which may be of some help.
It is only my desktop that is taken over by the 'spiderman' image. The other two users do have the spiderman JPEG images in their folders, both in C: and in their own user folders, but the wallpaper never changes. They have both received pop-up messages on start-up saying that WallChang.bmp cannot be found.
WallChang is the name of the spiderman image.
Don't know if this information is relevant.

geronimo171
September 3rd, 2004, 09:17 AM   #5
Ultimate Member
Join Date: Oct 2001
Location: Charlotte, NC
Posts: 1,700
Erase wallchang.bmp, then import and rename a more practical image to the same place with the same name. This should provide a temporary fix until you are able to actually repair the computer.
uethello
September 3rd, 2004, 09:20 AM   #6
Junior Member
 
Join Date: Sep 2004
Posts: 5
OK, will do.
I do keep erasing the image altogether, but will replace it instead this time.
Thanks.
geronimo171
September 3rd, 2004, 09:51 AM   #7
Ultimate Member
Join Date: Oct 2001
Location: Queen Creek, AZ
Posts: 1,480
HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local

Check out this registry entry. Found it while perusing your HJT log, and it looks a bit fishy.
AzKidd69
September 3rd, 2004, 09:54 AM   #8
Ultimate Member
Join Date: Oct 2001
Location: Queen Creek, AZ
Posts: 1,480
About that entry that looked fishy....

From http://folding.stanford.edu/faq-uninstall.html


What does Folding@Home do about illegal installations?
We have taken swift action against illegal installations (such as Jethroted and Dales Kid) and are prepared for immediate action in case of other similar infractions. See below for 3rd party uninstallers.

We have remotely terminated any further calculations for these clients so they will no longer use any significant CPU time or bandwidth. In addition, these accounts have been zeroed, no more points will be added, and investigations are ongoing. One cannot stop someone from installing software in an illegal fashion, but we can and have removed all incentives to do so and are investigating additional prosecution of the offenders.


Has this ever happened to other distributed computing projects?
Yes. SETI@Home has led the way in many areas of distributed computing, including illegal installations: http://setiathome.ssl.berkeley.edu/virus.html


How do I uninstall Folding@Home?
For the Windows GUI version of Folding@Home, if Folding@Home has been installed using the official installer, there will be an "Uninstall" option available in the Folding@Home tab under the start menu. This will completely uninstall the software.

For the console version of the software, you should be able to search for the FAH binary (called FAHConsole4.exe ) and delete the Folding@Home program.

For the screen saver version, selecting another screen saver will stop Folding@Home from running.


What if the suggestions above do not work?
In this case, you have an unofficial installation of Folding@Home violating our license agreement. Someone has gained access to your machine and decided to run Folding@Home. Hackers hack machines to run tasks they are interested in running (eg web servers, ftp sites, etc) and can make life very difficult for users to remove this hacked software. If your computer has been hacked, please contact your ISP security officials to report this illegal action.


Isn't there some way to automatically delete Folding@Home when it's been installed without the owner's permission?
If our client has been installed on a machine you own, without your authorization, Stanford University had nothing to do with the installation. We will aid the authorities in taking strong action against any hacker that does this without your knowledge or permission.

Unfortunately, unauthorized installations intentionally make it difficult to uninstall software and install in new and different ways every day. Thus, there is no way to automatically account for this, just as one must update virus filters frequently for each new virus. The best defense to any hacking is strong computer security.

However, here are some suggestions for thwarting those who have tried to obscure a Folding@Home installation:

1. Use your OS's file search utilities to look for files with filenames like "FAHlog.txt" or "FAHCore_*.exe".

2. If you find these files, look for executables in the same directory that look unusual and delete them

While this is a cumbersome process, this will remove the files involved and thus stop Folding@Home from running.


What can I do to improve my computer security?
The first step for computer security is to consider anyone who might have used your machine. Most installations are done by someone with physical access to your machine. We strongly suggest that you use a firewall (such as Zone Alarm's free firewall for Windows PCs) and anti-virus software. Also, it is important to keep your machine patched to the latest OS version (especially for Windows machines).


I am very familiar with Windows. Can you give me more specific, technical information on how to remove Folding@Home?
There are basically three things to remove, assuming there isn't some underlying virus which will try to rebuild them:

1. Executable and work files. Use Windows Explorer to look for a directory containing files beginning FAH or Fah. Other files in that directory might be WinFAH, MyFolding, client, queue, and unitinfo. There should also be a subdirectory named work containing files with names beginning wudata, wuinfo, wuresults, logfile, current, and core78. Any such files can be deleted, and if deleting them all leaves a directory substantially empty, that is, with nothing remaining which looks useful, then those remaining files and the directory itself should be deleted too.
2. Scheduling and startup files. Remove shortcuts in any startup folders or desktops which refer to files deleted in step 1.
3. System information. Use regedit to remove the PandeGroup keys in the HKEY_LOCAL_MACHINE>Software group.

This might fail to remove the main executable file if its name has been changed to make it hard to find, but most likely it will be in the same directory as the other files. This procedure also might still leave behind a few icons and other display information, and potentially some third-party software, but it should substantially eliminate the Folding@home client from the machine. Thanks to Richard Howell for this part of the FAQ.


Where can I learn more?
Please check out our main web site as well as our main FAQ. Also, you can post questions at the official discussion forum.

There are 3rd party removal tools for unauthorized installer versions as well (these links are provided for completeness, and Stanford University does not provide any warranty for these removal tools):

http://www.buzoo.co.uk/folding/index.html
http://www.vendomar.ee/~ivo/ufold/

AzKidd69
September 3rd, 2004, 09:56 AM   #9
Ultimate Member
Join Date: Oct 2001
Location: Charlotte, NC
Posts: 1,700
Wtf? That's odd.

Always remember, when trying to repair an infected rig, make absolutely sure you're disconnected from the internet. I would go so far as to physically remove the line to the internet.
uethello
September 3rd, 2004, 11:38 PM   #10
Member
 
Join Date: Oct 2001
Location: Singapore
Posts: 265
Thanks for sharing, geronimo171.

Have gone through the log. Does not appear to have anything questionable in there. Spiderman isn't there either, in my opinion.

Delete WallChang, folders and files. The pop-up message is a ruse, more likely scripted to pull the wool over your eyes. So you may be looking at a script somewhere with code to "hide" WallChang from predators going after its "hide".

Yes, the little item pointed out by AzKidd69 is fishy - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local. But sometimes the STARTHIDE command does have its legitimate uses. However, a simpler way to find out whether Win32k.exe and Win32.exe are "safe" items is to go direct to the directory C:\Win32\dll where they both reside.

Right-click on Win32K.exe and Win32.exe respectively and select PROPERTIES. You should find information on these two files. Who do they belong to? Is it Microsoft, or some third party? If they are MS files, leave them alone. If third-party, are their functions described in the PROPERTIES? If they are unknown, delete.

Clientman is also a suspicious little item, given that it re-writes itself in the registry even after you've deleted it, unless of course it is a system component. I doubt it is one.

Why does Clientman repeat itself in the registry? Generally, this would happen if the program is still in your system, and activated at start-up when the registry is re-written. That's why it keeps coming back to the registry.

There are a few places these things can hide themselves (including Spiderman) and get themselves re-wound again and again at start-up even after you've deleted their entries in the registry.

They could be in .PIF, .INI files, or in the START-UP folder. Try the START-UP folder first. To fire up START-UP, click START > RUN. In the RUN dialog box, type MSCONFIG.

Select the START-UP tab. Go through it slow-like. Can you see anything suspicious here? Anything remotely related to Clientman, or Spiderman, any image files, etc.? Uncheck the stuff you think might cause these annoying items to repeat themselves. Re-start your computer. Is Spiderman still there? Is Clientman still in the registry?

If they are, check out the WIN.INI tab. What's in there? Anything suspicious?

Nothing suspicious? Okay, let's have a look at Task Manager.

Right-click the Task Bar. Go through the APPLICATIONS tab. Anything? Nothing?

Okay. Start a search for what files contain scripts we might find suspicious. Search for files with these file extensions: .bat, .js, .vbs.

Click START > FIND. In the FIND dialog, type: *.bat. Do the same later on with: *.js, etc.

This is where you are in the best position to determine what is and what isn't suspect.

Michael Chiew
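Editor's note on the two posts above (AzKidd69's "fishy" Run entry and Michael Chiew's walk through the registry, start-up folder and WIN.INI): the reasoning they apply by eye can be written down as a small triage script, and it is worth doing so because a HijackThis log is plain text. The Python below is an added example for this thread; it is not code from HijackThis, from Symantec, or from any poster. parse_o4() pulls the O4 autostart lines out of a log, and triage() flags the ones a responder looks at first: an absolute path outside the Windows or Program Files trees, a filename that borrows a Windows system binary's name but lives somewhere else, a switch that hides the window, or a command that chains into a second executable. TRUSTED_ROOTS, SYSTEM_NAMES and HIDE_SWITCHES are assumptions chosen for this example, not a list from any tool; SAMPLE_LOG is an excerpt of the log posted above. One caveat on the Properties check suggested above: the company and description strings on a file's Properties sheet are written by whoever built the file, so a binary in C:\Win32\dll that claims to be from Microsoft is evidence of nothing; its location and behaviour are what count.

```python
"""Triage of the O4 (autostart) lines in a HijackThis 1.97 log.

Added example for this thread; not code from HijackThis, Symantec or any
poster.  parse_o4() extracts the O4 entries and triage() flags the ones a
responder looks at first.  TRUSTED_ROOTS, SYSTEM_NAMES and HIDE_SWITCHES
are assumptions chosen for the example; SAMPLE_LOG is an excerpt of the
log posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the posted HijackThis log: the same entries, fewer of them.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Adware Spy] C:\Program Files\AdwareSpy\AdwareSpy.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Assumed for the example: where legitimately installed software lives on this
# XP box, names of core Windows binaries that malware likes to borrow, and
# switches that ask a program to start without a visible window.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")
SYSTEM_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "win32k", "rundll32"}
HIDE_SWITCHES = {"-starthide", "/starthide", "-hide", "/hide"}

# HijackThis prints registry Run values and startup-folder links differently.
REG_RUN = re.compile(
    r"^O4 - (?P<where>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_DIR = re.compile(
    r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First token that ends in an executable extension, so an unquoted path with
# spaces (C:\Program Files\...) is not cut at the first space.
EXE_EXT = r"\.(?:exe|com|scr|pif|bat|cmd|cpl|dll)"
FIRST_EXE = re.compile(rf"^(?P<exe>.*?{EXE_EXT})(?:\s+(?P<args>.*))?$", re.IGNORECASE)


@dataclass
class Autorun:
    where: str      # HKLM, HKCU, Global Startup, ...
    name: str       # registry value name or .lnk name
    command: str    # command line exactly as HijackThis printed it


def parse_o4(text: str) -> list[Autorun]:
    """Return every O4 entry in the log, Run values and startup-folder links alike."""
    entries = []
    for line in text.splitlines():
        m = REG_RUN.match(line) or STARTUP_DIR.match(line)
        if m:
            entries.append(Autorun(m["where"], m["name"], m["cmd"].strip()))
    return entries


def split_command(cmd: str) -> tuple[str, str]:
    """Split a command line into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = FIRST_EXE.match(cmd)
    if m:
        return m["exe"], (m["args"] or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage(entry: Autorun) -> list[str]:
    """Reasons this autorun deserves a closer look; an empty list means nothing stood out."""
    exe, args = split_command(entry.command)
    exe_l = exe.lower()
    base = exe_l.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    is_abs = re.match(r"^[a-z]:\\", exe_l) is not None  # bare names resolve via PATH; not judged here
    reasons = []
    if is_abs and not any(exe_l.startswith(root + "\\") for root in TRUSTED_ROOTS):
        reasons.append(f"binary outside the Windows/Program Files trees: {exe}")
    if is_abs and stem in SYSTEM_NAMES and not exe_l.startswith("c:\\windows\\"):
        reasons.append(f"system-binary name '{base}' loaded from {exe}")
    for tok in args.split():
        if tok.lower() in HIDE_SWITCHES:
            reasons.append(f"hide switch {tok}")
        elif tok.lower().endswith(".exe"):
            reasons.append(f"chains into a second executable: {tok}")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map value/link name -> reasons, for the O4 entries that raised at least one flag."""
    return {e.name: r for e in parse_o4(text) if (r := triage(e))}


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"[{name}]")
        for reason in reasons:
            print("   -", reason)
```

Run against the excerpt, only the [Win32] value is reported, with four reasons: it lives in C:\Win32\dll rather than under Windows or Program Files, it borrows the name of a Windows component (win32k is a real kernel-mode driver, not an .exe), it passes -starthide, and it launches a second binary, C:\Win32\dll\Win32.exe. That is the same entry AzKidd69 picked out by hand; the other seven autoruns in the log are the Sygate, Norton, NVIDIA, QuickTime, WinZip and AdwareSpy items and raise nothing. Real HijackThis logs also carry O2, O3, O16 and other sections, which this example deliberately ignores.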
TechIMO Copyright 2009 All Enthusiast, Inc.


