Multiple Infections - Are they gone?



#1
moxie47 (Member, 17 posts)

:tazz: Hello, TechPerson,

This is a wonderful service. I don't think I'd be going too far if I said it is a noble endeavor, helping many, many people who are struggling with the criminals who want to cripple our computing power.

I’ve performed all of the recommended steps before posting here, and thanks to those steps, have removed all or most of Trojan.Rootkit.h, Generic Rootkit (aka Backdoor, HaxDrv, sdbot), CoolWebSearch, Aurora and mouse.hs.

Are they really gone? Is there any other malware lurking about? My HJT log is below.
-----------------
Logfile of HijackThis v1.99.1
Scan saved at 11:08:29 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Wacom\TabUserW.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /Sync
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [THGuard] "C:\Trojan Hunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11D2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\OWNER~1.DOT\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing)

Thanks for your help,
moxie47

Edited by moxie47, 15 August 2005 - 10:05 AM.

#2
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe

O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11D2-98FE-00C0F0318AFE} - (no file)

Reboot and post a new log.
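As an added illustration (not part of the thread and not a HijackThis feature), the Python below triages an HJT log for the three kinds of entry the reply above picks out: O4 autoruns that name a bare executable with no path, O6 Internet Explorer policy restrictions, and entries whose target file HijackThis reports as absent. The sample lines are copied from the log in #1; the heuristics, reason strings and function names are this example's own.

```python
import re

# Constructed sample in HijackThis v1.99.1 format: lines copied from the log
# posted in #1 above, plus one clean Kaspersky entry kept as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")          # "O4 - body"
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")  # HJT's own marker

def parse_entries(text):
    """Yield (section, body) for every R*/O* line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def autorun_image(body):
    """Return the executable an O4 Run entry launches, without its arguments."""
    m = re.search(r"\]\s*(.*)$", body)          # text after the [name] tag
    cmd = m.group(1).strip() if m else ""
    m = re.match(r'"([^"]*)"|(\S+)', cmd)       # quoted path or first token
    return (m.group(1) or m.group(2)) if m else ""

def triage(text):
    """Return (reason, line) findings for the entries a reviewer checks first."""
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if section == "O4":
            image = autorun_image(body)
            if image and "\\" not in image:
                # Bare file name: resolved via the search path, so where it
                # launches from is unknown until the file is located on disk.
                findings.append(("autorun with no path", line))
        elif section == "O6":
            findings.append(("IE options locked by policy", line))
        if ORPHAN.search(body):
            findings.append(("entry points at a missing file", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:32} {line}")
```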

#3
moxie47 (Topic Starter, Member, 17 posts)

Thanks! I'll do that this weekend and post it on Monday.

#4
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

OK. Looking forward to your reply.

Regards,

#5
moxie47 (Topic Starter, Member, 17 posts)

Hi Pieter,

The PC has settled down a lot, so I'm able to log on and post the new log. I still have some drivers I deleted that I need to replace so I can stop getting BSODs.

Here's the log and thanks,
Dot
-------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:26:38 PM, on 8/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

OK. That looks good now.

Let's start with installing SP2
http://www.microsoft...p2/default.mspx

Then we can tackle what's left to be done.

Regards,

#7
moxie47 (Topic Starter, Member, 17 posts)

Hi Pieter,

Just wanted to let you know that I'm still trying to install SP2. I have it on a CD I recently got from Microsoft. Six attempts so far, and the computer locks up before completion.

I have a question: I have another hard drive. If I use Windows on my primary drive to format the second drive, will it remove any malware that might be on the second drive?

Best regards,
Dot

#8
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

Yes. A format of a slaved drive will remove everything from that drive.

Regards,

#9
moxie47 (Topic Starter, Member, 17 posts)

Hi again,

Well, here we go again. :tazz: I am back to square one. Here's what's going on now.

I couldn't get SP2 to install. It always crashes with a Blue Screen of Death or just reboots randomly. Before doing this, I reinstalled all of the drivers that came with the PC, in case any were missing. But the BSODs haven't stopped. So I ran HijackThis again and found three items that we previously deleted - two unknown buttons and one other item. I deleted them again. I doubt this came from the drivers, since I ran my PC for two years with no problems. The Earthlink software, however, has been a problem in other ways, so perhaps that is the cause of the malware. I haven't installed anything other than the drivers since we cleaned up the last time. I can't investigate, because now I can't get the system to boot up.

Next I tried to run Windows repair. It didn't give me a prompt for repair. It just went straight to a full install. That's fine because all my data is backed up, so I let it run, but that installation failed with an IRQL_NOT_LESS_THAN_OR_EQUAL error. I had already disconnected my two USB devices, so the only peripherals left are the mouse, keyboard, and CD drive which came with the CPU, and the printer. I don't see why I'm getting this error, but I've been getting it a lot lately.

The last time I tried to reinstall Windows, it took about 16 hours, 9 tries, before it was successful because the PC kept locking up or going to a BSOD, as with SP2. The stop codes I've been getting are: 8E, 9C, 0A, 24 and sometimes 50 (MACHINE CHECK ERROR) and 7E. ntfs.sys and win32.sys are mentioned frequently.

One other piece of information is relevant. When I first started trying to fix this problem, I decided to make sure the BIOS was set at its default settings. I had never messed with the BIOS, but just in case, I clicked on "Default Settings" in the BIOS. Instead of doing what I expected, it then said, "Settings have been optimized." From what I've read, optimization is the last thing I need. So perhaps I need to flash the BIOS to get it back to normal. There are too many things going on for me to know what to do next.

I thought most or all of these problems were due to malware, but now it's hard to say. Perhaps I should move this discussion to the Windows XP forum? Or are the problems so complex that I need to hire someone? I'm hoping to avoid that because obviously hours and hours of time would be involved.

Very grateful for your help and suggestions,
Dot

#10
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

I think it would be best to start a new thread in the XP forums.

Post a link to this thread for reference.
This one will lead them here:
http://www.geekstogo...showtopic=53933

Regards,

#11
moxie47 (Topic Starter, Member, 17 posts)

OK, I will. Thanks again for the great work you're doing here!!

#12
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

My pleasure. :tazz: