Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Calling All Cyber-Altruists!


  • This topic is locked This topic is locked

#1
Sardonicus

Sardonicus

    Member

  • Member
  • PipPip
  • 39 posts
Greetings to all,

A while ago, I managed to contract the spyware trio of terror; namely the CWS, About: Blank, and Winshow malware programs. All that I was unable to remove was seemingly destroyed by the folks at Best Buy. I have never had to deal with pop-ups or a hijacked homepage again. Recently, however, I have had some difficulties with my dialer, and what's more, Adaware, RAV and McAfee have detected some malicious files that must have survived the counter assault (I think the Best Buyers used the phony host file trick) and have been unable to delete them automatically. I have successfully removed some of those files myself by tracing their paths and erasing them from the registry, but at least two still remain, (they haven't replicated or changed their file names, fortunately). Now, I have tried the classic step-by-step approach of deleting the CWS/Winshow virus from my CPU, (running Spybot, Adaware and Hijackthis in safe mode, exposing hidden files, etc.) but to no avail. What's even more frustrating is the fact that RAV and the rest claim the evil program is still in the Windows ODBC.INI file, even though I have already (supposedly) purged the offenders from that very hiding spot. Here are my computer's current symptoms:

- Occasionally, I will remain online after I have supposedly disconnected from the net.
- I will receive a script error upon disconnecting.
- The header on my ISP window will momentarily open back up after disconnecting, displaying pure emptiness before the Peoplepc logo changes to the dreaded About: Blank, and then proceeds to close.

Below is not only my Hijackthis Log, but also the infected files as exposed by RAV and McAfee.
I deeply appreciate any and all advice you fellas can give me! Many thanks!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:29:36 PM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\Dialer\Dialer.exe
C:\DOCUME~1\Brian\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA6D605A-4526-424B-8638-1ECAA5026BEA}: NameServer = 66.81.0.251 66.81.0.252
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

RAV Scan:
C:\WINDOWS\ODBC.INI->ADS:fimbx - TrojanDownloader:Win32/WinShow.AK -> Infected
C:\WINDOWS\SETUPLOG.TXT->ADS:udrkp - TrojanDownloader:Win32/Agent.AP -> Infected

McAfee catches the above files, as well as:
C:\WINDOWS\uninst.exe:bajxe
  • 0

Advertisements


#2
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hello Sardonicus and welcome to the GTG forums. Interesting information. Your log is fairly clean, there isn't any sign of infection other than a question about the 017 line for NameServers. Let's try this.

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Make sure that all other windows are closed, start CWShredder and choose FIX.

Reboot your computer.

Download and install the Microsoft AntiSpyware Beta. Update the program and let it do a complete scan. This may take a little while so be patient. Perform the fixes that it suggests.

Reboot your computer.

Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Run on-line virus scans

Please run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
Make sure that you choose "fix" or "clean".

Run an on-line trojan scan.

Click on the link below and follow the directions on the webpage to run an online trojan scan:

WindowSecurity online trojan scan

Ok, let me know how many of these other products picked up those particular infections and what they did about them. Post that information back here along with a new HijackThis log and I will review the material when it comes in.

Cheers.

OT
  • 0

#3
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hello again,

I tried all of your suggestions and, unfortunately, received little in
the way of results. The CW Shredder, (which I had tried previously)
detected nothing. Clean Up managed to delete a fair amount of garbage
temp folders and such, but nothing in the way of spyware. To my
astonishment, Trend Micro, Bit Defender, Anti-Spyware Beta and the Windows Trojan Scan detected nothing! I didn't attempt the Panda soft scan as it appears to be a subscription service only. So naturally, my next step was to run the RAV and AdAware scans again, just to double check. Sure enough, they detected the same infected files!
Most of the original symptoms continue to occur, with the exception of
the script (mismatch) errors now appearing when I initially connect. Also, I
received a message, (only once) claiming that the Generic Host Process 32 had to close. I didn't check to see what the svc was running at the time, but it didn't affect my browser. Since RAV continues to point to the ODBC.INI file, (which I thought I cleaned via the regedit) and the setuplog text in Windows, I was curious as to whether or not I could purge these two via a command prompt, or perhaps delete them (if possible) and then reinstall the components (if possible.) I also forgot to mention that McAfee picked up on the scumware as well, (also dubbing it Winshow) and delivered some generalized advice referring to registry keys that I can't seem to find. Once again, I appreciate any help you'll supply.

P.S. - I also failed to inform you that the Hijack This config window states that my startup page is "About:Blank", even though it isn't.

Here's my HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:23:49 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\Dialer\Dialer.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\MozillaFirebird\MozillaFirebird.exe
C:\WINDOWS\System32\wisptis.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA6D605A-4526-424B-8638-1ECAA5026BEA}: NameServer = 66.81.0.251 66.81.0.252
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • 0

#4
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Ok, let's do this. Can you copy/paste the information in these 2 files back here so I can see what's in them:C:\WINDOWS\ODBC.INI
C:\WINDOWS\SETUPLOG.TXT

Also, please go to Jotti's malware scan and submit the C:\WINDOWS\uninst.exe file for a scan there. Post the results back from that file also.

I'll review the information when it comes in.

Cheers.

OT
  • 0

#5
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Some mistake occured with this post. Please ignore it.

Sardonicus

Edited by Sardonicus, 18 April 2005 - 12:37 PM.

  • 0

#6
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Sorry for the delay, work and school have been devestating recently....
Jotti's didn't detect anything. I even threw the ODBC file in there just for kicks, but got squat for results. I've posted the ODBC.INI data source log located in the Windows folder. Due to the excessive length of the Windows set up log, however, I was unable to add it as an attachment, (which could have posed a security threat anyway I suppose.) Any ideas what to do with it? The "uninst" executable refers to an uninstall shield program that I think I picked up when I downloaded the radio@netscape program. I seem to have managed to delete it without an issue, however.

Thanks,
Sardonicus

ODBC.INI Log
[ODBC 32 bit Data Sources]
MS Access Database=Microsoft Access Driver (*.mdb) (32 bit)
Excel Files=Microsoft Excel Driver (*.xls) (32 bit)
dBASE Files=Microsoft dBase Driver (*.dbf) (32 bit)
[MS Access Database]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[Excel Files]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[dBASE Files]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
  • 0

#7
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. There is nothing in the ODBC.INI file that I see as unusuall. It is a normal file. There are some new infections going around that do not show up in a HijackThis log because they do not have registry entries. Let's check for some of those.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.

OT
  • 0

#8
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Howdy,

Seems the RK program detected some nasty little nuggets. Here's the log.

C:\Documents and Settings\Brian\My Documents\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
  • 0

#9
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Yup, there it is! Let's take care of it.

Step #1

Navigate to c:\winnt\system32\ and search for these files (they might or might not be there):vsapi32.da0
vsapi32.cfg

If you find them we will take care of them in Step #5.

Step #2
Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Step #3

Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:C:\WINDOWS\tsc.exe
C:\WINDOWS\vsapi32.dll

Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.

Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

You system will reboot now.

After rebooting, you could get alot of error messages when applications start because these files were linked to Explorer.exe. That is normal.

Step #4

Now open Internet Explorer and go to the eTrust Antivirus Web Scanner and perform a scan. This will repair the applicaiton errors that you are receiving and clean up the rest of the infection.

Step #5

If you found any of the files listed in Step #1 then do the following, otherwise skip to Step #6.
  • Type or copy/paste each file into the top Full Path of File to Delete field one at a time.
  • Click the Delete File button which looks like a red stop sign with a white 'X' in it.
  • If you have not entered the last file click No at the Pending Operations prompt; after the last file is entered click Yes and allow your computer to reboot.
Step #6

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of the new C:\log.txt file back here in the next step.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file and a new log from rkfiles.bat back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
  • 0

#10
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
I finally found some spare time!

You know, I'm startin' to think that I'm not gonna beat this thing. E-Trust and the Pocket Kill Box programs deleted those files+1, but apparently they're only offspring of the beast. Even if you don't have any remaining cards up your sleeves, I still appreciate the help. Here're the logs:


Logfile of HijackThis v1.99.1
Scan saved at 7:47:28 PM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\Dialer\Dialer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\XAUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA6D605A-4526-424B-8638-1ECAA5026BEA}: NameServer = 66.81.0.251 66.81.0.252
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe




C:\Documents and Settings\Brian\Desktop\Scumware Assassins\RK Files

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
  • 0

Advertisements


#11
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Everything looks clean in both logs. Are you still having any reports of infections? If so, we have a couple of other scans that we can run.

Cheres.

OT
  • 0

#12
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Unfortunatley, yes. In fact, my computer seems to freeze upon starting up more often now. All of the aforementioned problems persist as well. The only virus/malware programs that continue to report a Winshow infection are McAfee, Rav, and Adaware. The others find nothing. God I hope I won't have to reformat!
  • 0

#13
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Well I am beginning to think that RAV is just having a bad day. The files it points to are simply text files and are not infected.

Let's do some more looking. If you really have a winshow infection then there are some specific places that it will be located.

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now, navigate to C:\Documents and Settings\Brian\Application Data\ and see if there is a folder named winshow or winlink and if so, delete it. If not, look in all other profile's Application Data folders for a winshow or winlink folder and delete any found.

Next, look for any of the following files in the c:\windows and the c:\windows\system32 folders and if found, delete them:winshow.dll
winlink.dll

Now let's remove any winshow registry keys if they exist. Open Notepad and copy/paste the text in the quotebox below into the new document:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}]

[-HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}]

[-HKEY_CLASSES_ROOT\WinShow.ViewSourcev]

[-HKEY_CLASSES_ROOT\WinShow.ViewSource.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinShow.ViewSource]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinShow.ViewSource.1]


Save the document to your desktop as fixwinshow.reg and close Notepad. Locate the fixwinshow.reg on your desktop and right-click on it. Choose Merge from the popup menu and answer Yes or Ok to any further prompts.

Ok. Reboot your computer and run whatever scans you want.

Let me know what happens.

Cheers.

OT
  • 0

#14
Sardonicus

Sardonicus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Well, unfortunately the regedit script doc didn't do anything. I did, however, get a bit of a clue as to what might be the culprit. For some reason, I could never find the path of the beast in my Adaware log files. I think I didn't look hard enough. To further complicate matters, the ID that turned up might be part of another reg key fix, but I'm not positive. I decided to punch it in to Google, and sure enough, there it was in a Castle Cops post. I'm also starting to think that the title of "Winshow" is actually a misnomer for another CWS strain, because (as previously stated) my People PC disconnect window title will convert to About:Blank before closing, (occasionally eliciting a smart dialer error message) and no Winshow or Winlink files were discovered. I also ran HijackThis and found a WINLOGON dll file that matched one of the previous files detected by RAV a while back. I reluctantly deleted it, wondering if it was attached to anything vital....Here's the root key from the Adaware log, and the reg fix (from Castle Cops) below it. Tell me what 'ya think.

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment : CWS.FullSearch
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\enum\root\legacy_o?*001e*2019*017drt*00f1*00e5*00c8*00b2$*000e*00d3


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$\Enum]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
  • 0

#15
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Have you checked your registry to see if those keys are present? If so then that would work. If not, they may be there under different names. If yours are the same then a fix like that would work. If not, then it won't.

Let's do this. Download StartDreck.zip and unzip it to its own folder. Start StartDreck and click the Config button. Put a checkmark in each entry under the Registry section and leave all the other sections at their default levels. Make sure that a checkmark is in the refresh on exiting config dialo and clickthe Ok button.

Copy/paste the information back here and I will take a look at it.

Cheers.

OT
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP