regedit & task manager won't work



#1 shauns1 (New Member)
Hi

I believe I've been infected with something but can't bring up regedit in the normal way. I can by typing in the address to the location bar, but not using Run. Also, Task Manager won't come up with Ctrl Alt Del and Windows won't show my System32 folder. I have Hidden files on show. Again, I can get to it by typing it directly into the location bar.

Here is my Hijack Report:

Logfile of HijackThis v1.99.1
Scan saved at 13:03:33, on 10/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MsConfigs\MsConfigs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScannerU\KYESCAN.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
c:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
\Rickxp\shareddocs\FxIstbar.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Royston Simpson\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell...gen/default.htm
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Royston Simpson\Application Data\Mozilla\Profiles\default\8pddfjr9.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {25535BA3-29F2-4AFA-8938-01FEC191E0ED} - C:\WINDOWS\lbbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB002" /M "Stylus C46"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.166.137.2...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.aspupload...oad/XUpload.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Is this typical? I've got McAfee chugging away in the background and it's come up with two Exploit-ByteVerify in my AppData\Sun\Java\Deployment\Cache\javpi\v1.0\jar\

I have run the online scans and they come up clean. Any suggestions gratefully received.

Thank you for your time.

Regards

Shaun
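The O4 lines in the log above are the autorun entries an analyst reads first. As an added example, not part of this post or of HijackThis itself, here is a small Python triage script that parses O4 Run/RunServices lines and flags two patterns visible in Shaun's log: a bare filename with no path (so Windows resolves it through PATH and PATHEXT at logon) and one label registered in several autorun locations at once. The sample lines are copied from the log above; the regex, the heuristics and the rundll32 allowlist are my own assumptions. Note that MsConfigs.exe, which errol.p identifies by name later in the thread, carries a full path and a single entry and is not caught by these heuristics, so they complement, rather than replace, looking a name up.

```python
"""Triage HijackThis O4 (autorun) lines for two weak-but-useful signals.

Added example for this thread; the regex and heuristics are assumptions,
not part of HijackThis.
"""
import re
from collections import defaultdict

# O4 registry entries look like:  O4 - HKLM\..\Run: [Label] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)

# Hosts that are routinely referenced without a path; a bare name here is not
# by itself suspicious (assumption: extend this for your own baseline).
KNOWN_BARE = {"rundll32.exe"}


def parse_o4(lines):
    """Return one dict per O4 registry line; Global Startup (.lnk) lines are skipped."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def exe_of(cmd):
    """First token of the command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def has_dir(exe):
    return "\\" in exe or "/" in exe


def triage_o4(lines):
    """Group O4 entries by label and report labels that match either heuristic."""
    by_label = defaultdict(list)
    for e in parse_o4(lines):
        by_label[e["label"].lower()].append(e)

    findings = {}
    for label, group in by_label.items():
        exe = exe_of(group[0]["cmd"])
        reasons = []
        # 1. No directory: resolved via PATH and PATHEXT at logon, so whichever
        #    file of that name sits first on the path is what actually runs.
        if not has_dir(exe) and exe.lower() not in KNOWN_BARE:
            reasons.append("bare filename, resolved through PATH/PATHEXT at logon")
        # 2. Same label in several autorun keys: redundancy typical of
        #    self-installing malware rather than of vendor installers.
        locations = sorted({f"{e['hive']}\\{e['key']}" for e in group})
        if len(locations) >= 2:
            reasons.append(
                f"registered in {len(locations)} autorun locations: {', '.join(locations)}"
            )
        if reasons:
            findings[label] = {"exe": exe, "reasons": reasons}
    return findings


# Sample lines copied from the HijackThis log in this thread (a subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for label, info in triage_o4(SAMPLE_LOG).items():
        print(f"[{label}] {info['exe']}")
        for r in info["reasons"]:
            print("   -", r)
```

Run it against a saved HijackThis log with `triage_o4(open("hijackthis.log").read().splitlines())`; on the sample above only the p2pnetwork label is reported, with both reasons.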



#2 gerryf (Retired Staff)
Shawn,

Without even looking hard at your log I see at least one spyware program, so please go to MALWARE forum in my link and follow the instructions at the top of the page.

If the problem persists after you have been given a clean bill of health, please return and post again (no logs here unless asked).

#3 errol.p (New Member)
Hi Shaun,

I have also been suffering from this pain in the neck trojan. I have managed to get rid of most of the problems, but am still struggling to fix my installer. I don't claim to be an expert by any means, but thought that I'd let you know how I fixed the problem to date. After spending many hours over this, this is the best sequence of events that I can remember doing.


Anyway, before you do anything I would make sure that you have a recent backup of all your data and system files. I was "infected" with MSConfigs.exe & P2PNetwork.exe which I have seen appearing in your logs.


Firstly I managed to get Task Manager loaded by logging on as per normal, and pressing CTRL-ALT-DEL as soon as I had selected my user id, before the machine had finished loading up the desktop etc.

Then I checked the running processes and ended any p2pnetwork.exe and MSConfigs.exe processes that were running.

Next I browsed using 'My Computer' to 'Program Files' on my C: drive and deleted the 'MSConfigs' directory and its contents.

I then browsed to my main windows directory "C:\Windows" and found the Regedit.exe file that is located there and double clicked it to start the Regedit program.

Ensuring that I was at the top of the tree, I selected 'Edit' from the menu bar and then chose 'Find'. I entered 'p2pnetwork.exe' and pressed [Enter]. Any occurrences that I came across I deleted and then pressed F3 to continue the search until it had gone through the whole registry. I did the same thing for 'MSConfigs.exe' and deleted all those entries as well. I do remember redoing this a couple of times to make sure all the entries were finally removed.


My system file is on a Fat32 partition, so I was able to boot up to a dos prompt using a dos command that was within my Windows directory, however you should be able to do the following with a boot disk.

I then navigated to the Windows directory by typing:

C:
cd windows

Then I checked the attributes of the system32 directory that I knew was there but couldn't see:

attrib system32

This came back with the result of "SH C:\Windows\System32" which means that it had been set as a hidden system directory. I corrected this by typing:

attrib -s -h system32

Now if you type "dir syst*" you should be able to see the system32 directory as one of the displayed results.

Then I navigated into system32 by typing:

cd System32

Then I looked for any hidden system files:

dir /ahs

This showed me yet another version of p2pnetwork.exe, and dummy entries for cmd.com, ping.com, tasklist.com, taskkill.com, tracert.com, regedit.com & ?????.com {this could have been pathping.com, but I am at work and won't be able to get back to my notes for a few days}.

With the exception of the P2pnetwork.exe all were created at exactly the same time and were only 2 bytes in size. I had to individually change each file's attributes before I could delete them:

attrib -h -s p2pnetwork.exe
del p2pnetwork.exe
attrib -h -s cmd.com
del cmd.com
attrib -h -s ping.com
del ping.com
attrib -h -s tasklist.com
del tasklist.com
attrib -h -s taskkill.com
del taskkill.com
attrib -h -s tracert.com
del tracert.com
attrib -h -s regedit.com
del regedit.com
attrib -h -s ????.com {I can't remember what this file's name was, but it would have been listed within the dir /ahs result}
del ????.com


That's it! I then rebooted my PC.

This has got me to the position that I am in now where my cmd prompt, regedit etc are now all working again and I don't get that window opening that wants to install something. However I am still having problems with my Windows installer programs because the Trojan seems to have done something to it and I can't uninstall the Microsoft Spyware program. I have now also installed and run Spybot S&D to remove and block any other spyware on my machine.

I will post an update if I manage to fix it. I hope some of this helps you.


Errol
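errol.p's sequence above (hidden+system attribute on system32, a batch of 2-byte .com files named after cmd, ping, regedit and friends, all created in the same second) is worth turning into a repeatable check. The reason those dummies broke Run and the prompt is PATHEXT order: Windows tries .COM before .EXE, so a cmd.com sitting next to cmd.exe wins when you type "cmd". The script below is an added example written for this thread, not errol.p's code or a Microsoft tool; it models directory entries, flags tiny hidden+system .com files named after built-in tools, lists base names that have both a .com and an .exe (the one that actually runs is listed first), and groups files created within a few seconds of each other, since a dropper writes its files in one go. The sample listing is constructed to resemble the dir /ahs output described in the post; entries_from_directory reads real attributes only on Windows (st_file_attributes), elsewhere the hidden/system flags read as False.

```python
"""Triage a system32-style listing for the dummy .com pattern described in this thread.

Added example; the Entry model, thresholds and sample listing are assumptions.
"""
import os
import stat
from collections import defaultdict
from dataclasses import dataclass

# Built-in tools the thread saw shadowed by 2-byte dummy .com files.
SHADOWED_TOOLS = {"cmd", "ping", "tasklist", "taskkill", "tracert", "regedit", "netstat", "pathping"}

# Default PATHEXT order: .COM is tried before .EXE, so "cmd" typed at Run or at a
# prompt resolves to cmd.com if one exists beside cmd.exe.
PATHEXT_ORDER = (".com", ".exe", ".bat", ".cmd")


@dataclass(frozen=True)
class Entry:
    name: str      # file name, e.g. "cmd.com"
    size: int      # bytes
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN set
    system: bool   # FILE_ATTRIBUTE_SYSTEM set
    ctime: int     # creation time, seconds since epoch


def split_name(name):
    return os.path.splitext(name.lower())


def find_dummy_coms(entries, max_size=16):
    """Entries matching the dummies from the thread: a .com named after a built-in
    tool, hidden+system, and tiny (the originals were 2 bytes)."""
    return [e for e in entries
            if split_name(e.name)[1] == ".com"
            and split_name(e.name)[0] in SHADOWED_TOOLS
            and e.hidden and e.system and e.size <= max_size]


def find_shadowing(entries):
    """Base names present with more than one launchable extension, each listed in
    PATHEXT order; the first extension is the one Windows would run."""
    by_base = defaultdict(set)
    for e in entries:
        base, ext = split_name(e.name)
        if ext in PATHEXT_ORDER:
            by_base[base].add(ext)
    return {b: sorted(exts, key=PATHEXT_ORDER.index)
            for b, exts in by_base.items() if len(exts) > 1}


def cluster_by_ctime(entries, window=2):
    """Group entries whose creation times are within `window` seconds of the previous one."""
    clusters, current = [], []
    for e in sorted(entries, key=lambda e: e.ctime):
        if current and e.ctime - current[-1].ctime > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def entries_from_directory(path):
    """Read a real directory. st_file_attributes exists only on Windows; elsewhere
    the hidden/system flags come back False, so this is informational off-Windows."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            if not d.is_file(follow_symlinks=False):
                continue
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            out.append(Entry(d.name, st.st_size,
                             bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                             bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
                             int(st.st_ctime)))
    return out


# Constructed sample listing modelled on the thread's "dir /ahs" output (not real data).
T0 = 1_115_600_000          # arbitrary epoch seconds, roughly May 2005
OLD = T0 - 86_400 * 300     # legitimate files installed months earlier
SAMPLE = [
    Entry("cmd.exe", 389_120, False, False, OLD),
    Entry("ping.exe", 16_896, False, False, OLD),
    Entry("tasklist.exe", 79_360, False, False, OLD),
    Entry("access.ctl", 1_024, True, True, OLD),
    Entry("cmd.com", 2, True, True, T0),
    Entry("ping.com", 2, True, True, T0),
    Entry("tasklist.com", 2, True, True, T0),
    Entry("taskkill.com", 2, True, True, T0),
    Entry("tracert.com", 2, True, True, T0),
    Entry("regedit.com", 2, True, True, T0),
    Entry("netstat.com", 2, True, True, T0),
    Entry("p2pnetwork.exe", 61_440, True, True, T0 + 1),
]


def triage(entries):
    return {
        "dummies": sorted(e.name for e in find_dummy_coms(entries)),
        "shadowed": find_shadowing(entries),
        "largest_cluster": sorted(e.name for e in max(cluster_by_ctime(entries), key=len)),
    }


if __name__ == "__main__":
    import sys
    ents = entries_from_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(ents).items():
        print(key, value)
```

On the sample, the seven dummy .com files are reported, cmd, ping and tasklist show up as shadowed by a .com, and the largest creation-time cluster contains the dummies together with p2pnetwork.exe while access.ctl and the real executables fall into the older cluster. Pass a directory path as the first argument to run it on a live machine.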

#4 Metallica (Spyware Veteran, GeekU Moderator)
Erroll,

See if this helps find the Windows Installer problem:
Description of the Windows Installer CleanUp Utility
http://support.microsoft.com/kb/290301

Keep us posted,

#5 shauns1 (New Member, Topic Starter)
many thanks for your help so far. That's really good of you to share it with us. I'll run through that procedure now and see how I get on.

I didn't mention the fact that I get some Setup Wizard every time I start Windows, but you mentioned it (I think) so I assume it's all part of this Trojan?? And I found a name that keeps popping up: mugly.exe..

Anyway, please do let me know how you get on.

Many thanks

Shaun

#6 shauns1 (New Member, Topic Starter)
Errol

I'm in the DOS Command Prompt window and it tells me that File Not Found when I type attrib system32

I have also tried attrib System32 with an uppercase S but with no luck. Any thoughts??

#7 errol.p (New Member)
Are you in the windows directory?
Type the following :
C: [Enter]
CD\ [Enter]
CD Windows [Enter]
attrib system32 [Enter]

Hopefully that should work. If it doesn't then you should still be able to get into the system32 directory by typing:

CD system32

I just remembered that when you are trying to get rid of the 'p2pnetwork.exe' file you need to also remove its read-only attribute {attrib -h -s -r p2pnetwork.exe}

#8 shauns1 (New Member, Topic Starter)
Hi Errol

You were right. I wasn't in the windows directory.

Now I've got my list of hidden files in the system32 dir and I'm trying to delete them.

I've got as far as trying to delete p2pnetwork.exe.

I've changed the attrib -h -s p2pnetwork.exe

But when I type del p2pnetwork.exe I get Access Denied

Am I doing something wrong somewhere? I have checked and it's not running in the task manager.

Shaun

#9 shauns1 (New Member, Topic Starter)
I just browsed to the system32 folder which is now visible and found the p2pnetworking.exe file and deleted from there. Will it have done the same job?

#10 errol.p (New Member)
Yes that should have done the same thing. You can always double check by running dir in dos again.
Remember to look for those hidden .com files (Regedit,cmd etc)
#11 shauns1 (New Member, Topic Starter)
OK, I've done all the .com files.

The only hidden items in there now are:

access.ctl
and the DLLCACHE directory. I presume they're very important and friendly??!

#12 errol.p (New Member)
I think so. If in doubt search for the file on the net to see what other users say about them. For example I found a file called bszip.dll in my system32 directory which it seems was not meant to be there. If your regedit is still running remember to do one more sweep for those 2 files to make sure that they have all gone and I would advise that you download something like Spybot to make sure the machine is clean from any other nasties. Hopefully when you reboot it should be working again.

#13 shauns1 (New Member, Topic Starter)
Errol

Thank you.

This problem seems to be fixed as far as I can tell so far.

To recap:

My system32 folder was hidden and is now showing - wasn't before

Ctrl Alt Del now brings up the task manager - it didn't before

Typing REGEDIT into the Run command now brings up the registry editor - didn't before

I don't get a Setup Wizard window when I start Windows - I did before

And mugly.exe has gone - it was related to bszip.dll in System32

So far so good!

What was the Windows Installer problem you mentioned?

Thanks again.

Shaun

#14 simhogbin (New Member)
I also had this problem with my pc in the past few days.

I have taken all the steps that have been posted in this thread and the problems seem to have been fixed for me.

Someone mentioned they were having problems with Windows Installer, could you explain in a bit more detail what the problems were?

#15 errol.p (New Member)
The Windows installer problem was that when I tried to uninstall Microsoft Spyware and also tried to install the Windows Installer CleanUp Utility I got the following message:

"The Windows Installer service could not be access.You may be running in safe mode or windows installer may not be correctly installed."

I have now sorted this, though. I did find a MSIEXEC.EXE...PF file in my Windows\Prefetch directory which had almost exactly the same creation date as the dummy .com files that I mentioned earlier. I deleted this as I believe that Windows would recreate it if required.

Then I loaded up Services through the control panel and discovered that the Windows Installer service had been set to Manual and therefore had not started. After I started the service I tried the uninstall process again which now worked fine! I have therefore changed the service to Automatic to start it on demand.

I don't know if this was as a result of these Trojans but I never had the problem before it struck.

Anyway I am glad that I've helped out a few people with this as it makes the effort worth while.

PS. The ????.com file that I couldn't remember above was Netstat.com





