[coachwife6]

Open task manager (control>>alt>>delete) and stop this process.

wintask.exe

Run hijack this and put check marks next to these:


O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O23 - Service: CWShredder Service - Unknown owner - \\daum_la\install\CWShredder.exe (file missing)

Reboot into safe mode and find these files and delete them.

C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe

Scan the computer here:
http://www.ewido.net/en/
Let it do a full run, than copy the log. Past it to a blank Notepad file and save it to post here.
Than let it rerun. Save that log too.

Please download CleanUp! - Download - HomePage
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.


Post back here with a fresh log using HijackThis and both of the scan results.

[Advertisements]

I did as directed in running HJT and fixing those entries and deleting the files specified.

(Didn't find the C:\windows\system32\exp.exe file to delete however.)

Expected an online scan at www.ewido.net from your description, but appears to be a download. Downloaded and installed and scanned C:\.

Progressing now.. will report further. However, let me know if I missed something about the online scan if I interpretted your comments incorrectly.

[JSchneider]

I did as directed in running HJT and fixing those entries and deleting the files specified.

(Didn't find the C:\windows\system32\exp.exe file to delete however.)

Expected an online scan at www.ewido.net from your description, but appears to be a download. Downloaded and installed and scanned C:\.

Progressing now.. will report further. However, let me know if I missed something about the online scan if I interpretted your comments incorrectly.

[JSchneider]

Here is the log after the first scan of ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:18:26 PM, 6/17/2005
+ Report-Checksum: D41F4805

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 22 min
+ Scanned Files: 68222
+ Speed: 50.82 Files/Second
+ Infected files: 32
+ Removed files: 31
+ Files put in quarantine: 31
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\DMuir\Cookies\dmuir@7035776[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Local Settings\Temp\b.com -> TrojanDownloader.VB.ft -> Cleaned with backup
C:\Documents and Settings\DMuir\Local Settings\Temporary Internet Files\Content.IE5\69KJUZAP\AppWrap[1].exe -> TrojanDownloader.VB.ft -> Cleaned with backup
C:\Program Files\TightVNC\VNCHooks.dll -> Backdoor.WinVNC-based.b -> Cleaned with backup
C:\Program Files\TightVNC\WinVNC.exe -> Backdoor.WinVNC-based.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.ocx -> Spyware.MediaTickets -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.ocx -> Spyware.MediaTickets -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0011.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0019.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0025.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\!cxdxregt.exe -> Trojan.Zx.12 -> Cleaned with backup
C:\WINDOWS\SYSTEM32\!nsnBF.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\SYSTEM32\!qrdxregu.exe -> Trojan.Zx.12 -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hzixbd.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hzixbf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDownloader.VB.ft -> Cleaned with backup


::Report End

Here is the scan after the second run of ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:51:51 PM, 6/17/2005
+ Report-Checksum: 7DBD26F8

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 25 min
+ Scanned Files: 68391
+ Speed: 44.92 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

===========

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:04:31 PM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

BTW, WinVNC is our own software.

[coachwife6]

How is it running?

[JSchneider]

Well...I'm not sure how to answer that. This is a system of an associate, so I'm not the one that get's to check it out. If it was my system, I doubt it would ever had gotten this much cr*p on it anyway. I've never had a spyware problem, but somehow others tend to get them...

It seems like from the HJT logs and other indicators that it is possibly cleaned. But, it was so bad before and the popups have raised their ugly heads so many times, I'm cautious to pronounce it "clean".

I'll let him use it for a day or so starting Monday, then run HJT and post the logs and we can see if it remains clean. Does that sound like a good plan?

What do you think it had on it?

[coachwife6]

You need to update it to sp2 and Microsoft just released 10 patches last week. Play with it for a couple of days. Make sure your virus scan is up to date. Also, download spyware blaster.

We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

[JSchneider]

System seems to be cleaned. The user doesn't experience popups anymore. The only damage seems to be that WINDOWS UPDATE (website) won't work, but automatic updates do. Haven't delved into this much yet, however.


Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:35 AM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daumcomme...l.com/intranet/
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.daumcommercial.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


*******************************

Does everything look ok?

[coachwife6]

What's this daumcommercial? I don't ever put anything in my trusted zone, but that's me.
The log looks fine otherwise, and you're not having any troubles besides the windows updates page? But you can download them, right?

[JSchneider]

daumcommercial.com is our corporate domain.

The updates work through the WINXP automatic updates, but not from TOOLS | WINDOWS UPDATE from IE.

[coachwife6]

Let me do some more searching and see if I can find anything out. Are you getting an error message?

[coachwife6]

Maybe this will help. Kind of like changing the oil every 3,000 miles. Just a shot in the dark.

Download and install EasyCleaner:
http://personal.inet...rts/ecleane.htm

After installing it check under Settings > Registry tab if the backup
option is checked and if the directory it points to exists.
This should be true by default, but check anyway.

Then click OK and click Registry
Then click Search. When it is done select all the items per color,
(most, if not all should be green) and click Remove.

Reboot when you are done and let us know how it goes.