Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

CWS Malware/Faststart infection [RESOLVED]

Started by drfathom , Jul 10 2005 08:20 AM

  • This topic is locked This topic is locked

#1
drfathom
Posted 10 July 2005 - 08:20 AM

drfathom

    Member

  • Member
  • PipPip
  • 14 posts
I have recently been attacked by a CWS malware program and a virus file called Faststart. I believe I have gotten rid of the CWS program itself, but the Faststart virus thingy remains. Unfortunately, it has also managed to somehow cause my main anti-spyware program, SpySweeper, to seize up. Can someone look at this please, and tell me where to go from here?

----------------

Logfile of HijackThis v1.99.1
Scan saved at 10:17:14 AM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svcnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Brian\Desktop\Computer Stuff\NEW HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://go.microsoft....link/?LinkId=17
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN

Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN

Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series"

/O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

/disabled
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN

Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money

Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online

9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Tegrity-WebLearner-2436 -

http://tegrity.csee....class/TWebS.CAB
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) -

http://invite.mshow..../ShowSetup5.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -

http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) -

http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...ousecall/xscan5

3.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -

http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) -

http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display

Control) - http://www.workathom...hostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://anu.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4545829-9D84-4FF1-A1FB-6857F3E3B349}:

NameServer = 151.199.0.39 199.45.32.43
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -

C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner -

C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe

------------

Please help, o wise ones.

---Brian, aka DrFathom
  • 0

Advertisements

#2
tampabelle
Posted 10 July 2005 - 09:44 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Brian,

Can you post back the Hijack This log again ?? The current formatting makes it very difficult to read.

When the log file opens in Notepad, Please click on Format ----> Word Wrap in the main toolbar. Then copy and paste the log in your reply.
  • 0

#3
drfathom
Posted 10 July 2005 - 11:29 PM

drfathom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Oops, sorry. Here it is again. I went ahead and did a new scan, but I have not done anything with the system since the first.

Logfile of HijackThis v1.99.1
Scan saved at 1:25:15 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svcnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\Computer Stuff\NEW HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....link/?LinkId=17
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Tegrity-WebLearner-2436 - http://tegrity.csee....class/TWebS.CAB
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow..../ShowSetup5.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - http://www.workathom...hostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4545829-9D84-4FF1-A1FB-6857F3E3B349}: NameServer = 151.199.0.39 199.45.32.43
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Brian
  • 0

#4
tampabelle
Posted 11 July 2005 - 06:44 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Brian,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall sosme programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp

2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - Startup: netdb.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

4. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\system32\shdocsv.dll
netdb.exe

Please use the Windows Search Command to locate this file


Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.
  • 0

#5
drfathom
Posted 11 July 2005 - 10:15 AM

drfathom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Okay. After all that, here's the requested results.

Hijack log first...

---------

Logfile of HijackThis v1.99.1
Scan saved at 12:11:28 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Brian\Desktop\Computer Stuff\NEW HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....link/?LinkId=17
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Tegrity-WebLearner-2436 - http://tegrity.csee....class/TWebS.CAB
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow..../ShowSetup5.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - http://www.workathom...hostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4545829-9D84-4FF1-A1FB-6857F3E3B349}: NameServer = 151.199.0.39 199.45.32.43
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

------------

And now the Panda report:

------------------


Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-189c33ca.RB0[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-189c33ca.RB0[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-189c33ca.RB0[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-189c33ca.RB0[Installer.class]
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Brian\Favorites\security iguard - ultimate pc protection.url
Adware:Adware/SuperSpider No disinfected C:\m.exe
Adware:Adware/SuperSpider No disinfected C:\mssys.com
Adware:Adware/SuperSpider No disinfected C:\Program Files\q330994.exe
Adware:Adware/SuperSpider No disinfected C:\q250204.exe
Spyware:Spyware/XXXToolbar No disinfected C:\unzipped\hijackthis\backups\backup-20050513-083046-898
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\cvchost.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/SearchExe No disinfected C:\WINDOWS\ipbl.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msstasks.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mssys.com
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mstaskss.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Virus:Bck/Dumador.O Renamed C:\WINDOWS\prntc.log
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\rocky.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\runwin32.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM\wmscrop.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\a.exe
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\SYSTEM32\bridge.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\d2kpax.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\d2kpax.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\jac.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\mcc.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\msbb.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\msxslab.dll
Virus:Trj/Trexe.A Renamed C:\WINDOWS\SYSTEM32\netda.exe
Virus:Trj/Trexe.A Renamed C:\WINDOWS\SYSTEM32\netdc.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\services
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\wininet32.exe
Adware:Adware/SuperSpider No disinfected C:\winspec.dat
---------

Whoa...that's a lot of adware in there. What next?

Brian
  • 0

#6
tampabelle
Posted 11 July 2005 - 10:52 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Brian,

Copy the following in a new text file in Notepad and save it as Delfiles.bat (make sure that the Save as Type is set as All Files) -

@echo off

attrib -a -r -h -s C:\m.exe
attrib -a -r -h -s C:\mssys.com
attrib -a -r -h -s C:\Program Files\q330994.exe
attrib -a -r -h -s C:\q250204.exe
attrib -a -r -h -s C:\WINDOWS\cvchost.exe
attrib -a -r -h -s C:\WINDOWS\ipbl.dll
attrib -a -r -h -s C:\WINDOWS\msstasks.exe
attrib -a -r -h -s C:\WINDOWS\mssys.com
attrib -a -r -h -s C:\WINDOWS\mstasks1.exe
attrib -a -r -h -s C:\WINDOWS\mstaskss.exe
attrib -a -r -h -s C:\WINDOWS\msxmidi.exe
attrib -a -r -h -s C:\WINDOWS\prntc.log
attrib -a -r -h -s C:\WINDOWS\rocky.exe
attrib -a -r -h -s C:\WINDOWS\runwin32.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM\system.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM\wmscrop.exe
attrib -a -r -h -s C:\WINDOWS\system.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\a.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\bridge.dll
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\d2kpax.dll
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\d2kpax.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\jac.dll
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\mcc.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\msbb.dll
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\msxslab.dll
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\netda.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\netdc.exe
attrib -a -r -h -s C:\WINDOWS\SYSTEM32\services
attrib -a -r -h -s C:\WINDOWS\wininet32.exe
attrib -a -r -h -s C:\winspec.dat



del /q C:\m.exe
del /q C:\mssys.com
del /q C:\Program Files\q330994.exe
del /q C:\q250204.exe
del /q C:\WINDOWS\cvchost.exe
del /q C:\WINDOWS\ipbl.dll
del /q C:\WINDOWS\msstasks.exe
del /q C:\WINDOWS\mssys.com
del /q C:\WINDOWS\mstasks1.exe
del /q C:\WINDOWS\mstaskss.exe
del /q C:\WINDOWS\msxmidi.exe
del /q C:\WINDOWS\prntc.log
del /q C:\WINDOWS\rocky.exe
del /q C:\WINDOWS\runwin32.exe
del /q C:\WINDOWS\SYSTEM\system.exe
del /q C:\WINDOWS\SYSTEM\wmscrop.exe
del /q C:\WINDOWS\system.exe
del /q C:\WINDOWS\SYSTEM32\a.exe
del /q C:\WINDOWS\SYSTEM32\bridge.dll
del /q C:\WINDOWS\SYSTEM32\d2kpax.dll
del /q C:\WINDOWS\SYSTEM32\d2kpax.exe
del /q C:\WINDOWS\SYSTEM32\jac.dll
del /q C:\WINDOWS\SYSTEM32\mcc.exe
del /q C:\WINDOWS\SYSTEM32\msbb.dll
del /q C:\WINDOWS\SYSTEM32\msxslab.dll
del /q C:\WINDOWS\SYSTEM32\netda.exe
del /q C:\WINDOWS\SYSTEM32\netdc.exe
del /q C:\WINDOWS\SYSTEM32\services
del /q C:\WINDOWS\wininet32.exe
del /q C:\winspec.dat


Run Delfiles.bat


We need to get another scan to ensure that everything is fine.

Please download tds-3 and install it on your PC. Update the definitions file and then run a scan. Let it fix anything it finds.

Post back the scan report from tds-3
  • 0

#7
drfathom
Posted 13 July 2005 - 10:17 AM

drfathom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Sorry for the late come-back. Had some things to take care of elsewhere.

I ran the delfiles.bat as instructed, and downloaded the TDS3 and updated the database. But to be perfectly honest, this program is rather confusing. I ran what the program called a Full Systen Scan. This is the logfile that came back. Does this look like the report you were looking for?

-----------------

10:59:06 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:59:06 [Init] Started 13-07-05 10:59:06 Eastern Standard Time (UTC: 5), Internet Time @666.04
10:59:06 [Init] Loading TDS-3 Systems ...
10:59:06 [Init] Token successfully adjusted.
10:59:06 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:59:06 [Init] • Plugins : OK. Loaded 13
10:59:06 [Init] • Exec Protection : Not Installed
10:59:06 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:59:06 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:59:06 [Init] Licensed users can use the Update facility from the TDS menu
10:59:07 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:59:12 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:59:12 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
10:59:12 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
10:59:13 [Init] TDS-3 Ready. <[email protected], 169.254.73.27, 127.0.0.1 - United States>
10:59:13 [Tip Of The Day] Press F5 to join licensed TDS-3 Operators and DiamondCS staff in the DiamondCS Discussion Forum!
10:59:13 [TDS] Good morning Brian.
10:59:19 [Mutex Memory Scan] Started...
10:59:21 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:59:21 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
11:05:40 [Quit] Unloading ...
11:06:15 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
11:06:15 [Init] Started 13-07-05 11:06:15 Eastern Standard Time (UTC: 5), Internet Time @671.01
11:06:15 [Init] Loading TDS-3 Systems ...
11:06:15 [Init] Token successfully adjusted.
11:06:15 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
11:06:15 [Init] • Plugins : OK. Loaded 13
11:06:15 [Init] • Exec Protection : Not Installed
11:06:15 [Init] WARNING: Your Radius.TD3 database needs to be updated!
11:06:15 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
11:06:15 [Init] Licensed users can use the Update facility from the TDS menu
11:06:15 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
11:06:19 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
11:06:20 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
11:06:20 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
11:06:20 [Init] TDS-3 Ready. <[email protected], 169.254.73.27, 127.0.0.1 - United States>
11:06:20 [Tip Of The Day] Did you know? - You can use DiamondCS Port Explorer to see which ports are being used by which processes, and even packet-sniff processes and sockets! See http://www.diamondcs...u/portexplorer/
11:06:20 [TDS] Good morning Brian.
11:06:25 [Mutex Memory Scan] Started...
11:06:26 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:06:26 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
11:08:35 [CRC32] Started - verifying 29 files ...
11:08:40 [CRC32] Test finished.
11:10:00 [Memory Scan] Memory scan started, please wait a moment ...
11:10:02 [Memory Scan] Memory scan complete.
11:10:02 [Mutex Memory Scan] Started...
11:10:04 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:10:04 [Trace Scan] Started...
11:10:21 [Trace Scan] Finished.
11:10:21 [Service\Driver Scan] Scanning for services and drivers ...
11:10:27 [Service\Driver Scan] Scanned 311 services and drivers.
11:10:27 [File Scan] Scanning in A:\ ...
11:10:29 [File Scan] Scanned 0 files: 0 alarms in 1.234375 seconds (Avg 1. files/sec)
11:10:29 [File Scan] Scanning in C:\ ...
12:03:56 [File Scan] Scanned 71246 files: 2 alarms in 3206.875 seconds (Avg 23.22 files/sec)
12:03:56 [File Scan] Scanning in D:\ ...
12:03:56 [File Scan] Scanned 0 files: 2 alarms in 0.0625 seconds (Avg 1. files/sec)
12:03:56 [File Scan] Scanning in E:\ ...
12:03:56 [File Scan] Scanned 0 files: 2 alarms in 0.265625 seconds (Avg 1. files/sec)
12:03:56 [Scan] Finished.

The only things it actually flagged were two Microsoft Word documents, which were emailed to my wife while she was employed as a medical transcriptionist. They are templates for a certain doctor's style of reports, and the only reason it suspected these files was because of "dual extensions" it found in the files' names. I have no reason to suspect these files of any wrongdoing, as we received them directly from her employer.

-Brian
  • 0

#8
tampabelle
Posted 13 July 2005 - 10:37 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Brian,

Can you post a fresh HJT log and let me know how your PC is behaving ???
  • 0

#9
drfathom
Posted 15 July 2005 - 06:12 AM

drfathom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here's a fresh HJT log...So far, I have not noticed anything untoward since the last posting. Things are moving a little slow, but not so much that it is anything more than a small nuisance.

------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:08:44 AM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\Computer Stuff\NEW HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....link/?LinkId=17
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Tegrity-WebLearner-2436 - http://tegrity.csee....class/TWebS.CAB
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow..../ShowSetup5.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - http://www.workathom...hostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4545829-9D84-4FF1-A1FB-6857F3E3B349}: NameServer = 151.199.0.39 199.45.32.43
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

-------

How's it look?

-Brian
  • 0

#10
tampabelle
Posted 15 July 2005 - 07:15 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Brian,


Your logs look good. Lets us fix a few entries to speed up your PC.

I am going to fix a few entires in Hijack This. Fixing these entries wont delete the files from your PC. Fixing the entries would only prevent them from running at start up. You can manually run them whenever you want by clicking on the appropriate Menu item / short cut or the program file itself.


Run Hijack This and click on scan. The following items need to be fixed -

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC and let me know how it is behaving now !!!!!
  • 0

#11
drfathom
Posted 17 July 2005 - 07:10 AM

drfathom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Things do seem to be running a bit more smoothly and a bit faster.

Thanks for all your help, Tampa. Greatly appreciated.

---Brian
  • 0

#12
tampabelle
Posted 17 July 2005 - 07:38 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Brian can you post a fresh HJT log ???
  • 0

#13
tampabelle
Posted 26 July 2005 - 12:43 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP