View Full Version : Trojan horse Downloader.agent.BF
allthatglitters
24th Jun 2004, 19:27
I have some how managed to download some sort of trojan. AVG reports regular that there is a problem, identified by Trojan horse Downloader.Agent.BF
also comes up with a file it is in eg C:\WINDOWS\system\msxr32.exe
to many others to list over the 24 hours since it started. Several sweeps with the restore switched off, with updated AVG 6 and Ad-aware 6.0 and it still keeps poping up, I have even run AVG from the command prompt but the programme didn't kill it. Also my Internet explorer home page will not change from res://rcvki.dll/index.html
no matter what I do.
Also while doing searches with google.co.uk for clues another, american based search engine pops up with it's list of results.
I have run Norton Antivirus Trojan finder from the web site and it found nothing.
Currently running AVG 6 again, part way thru and reporting 34 and going up files, Downloader Agent.
Help I feel a total cleansing of the hard drive coming on....
Naples Air Center, Inc.
24th Jun 2004, 20:19
allthatglitters,
It sounds like the file has been executed. :(
I would try scanning in Safe Mode, since that will give you a better chance of removing the pests from your computer.
Take Care,
Richard
allthatglitters
25th Jun 2004, 18:11
I have already tried with the computer in safe mode. But it still continues, looks like I'll just have to reformat the hard drive.
Done Deed, Just finishing of updates to XP and office, drivers.
E-Liam
26th Jun 2004, 09:21
Hi allthatglitters,
Glad you're sorted out.
res://rcvki.dll/index.html
This is one of the latest variants of CoolWebSearch. Without more detail, I couldn't say for sure which one, but most use a super-hidden file with locked permissions, which makes it both difficult to find and to delete. If you have a look around the security forums, you will see many people in the same boat as you were. :ugh:
Cheers
Liam
Naples Air Center, Inc.
27th Jun 2004, 14:42
allthatglitters,
It is a little late now, but for the future. If your Hard Drive have a Virus that has executed its payload, you can do a fresh install of WinXP on top of itself. This will let you keep all the data on the drive and severs the link between the Virus and the OS. You just cannot access any infected files still on the Hard Drive until you run an Antivirus program. :ok:
Take Care,
Richard
noblues
28th Jun 2004, 11:29
I have had this Trojan from CWS, its proved very irritating and all normal methods off deleting it have failed (ie. deleting the hacks its makes to the Registry etc, CWShredder etc ... it kept returning when I though I had killed it.
BUT ... finally yesterday it I am pretty sure I have clean system.
Ad-ware and Housecall have in the last 24 hours issued updates which seem to be on the case .... run both off these and they should get rid off it for you ....
http://housecall.trendmicro.com/housecall/start_corp.asp
Addware link (Lavasoft) download (http://www.lavasoftusa.com/) (check for updates when loaded).
Also use...... to make sure ....
Spybot (http://www.safer-networking.org/index.php?page=download)
Hope this works .....
PS : This forum is very useful and helpfull for this sort of stuff ..
http://www.techsupportforum.com/ (http://www.techsupportforum.com/forumdisplay.php?forumid=50)
Good luck !
Guys,
Im in deep stuff here, Ive tried all of the above, and still have this re-direct problem. I do a full adaware scan which invariably finds a possible browser hijack and a registry value problem .. I delete the files, do a spybot scan which invariably finds 5 DSO exploits, again I remove them and ensure Im immunised. If I do another adaware scan straight away I have the same infected files again ... what the hell is happening ??? I have downloaded the latest plug in for the VX2 variant from adaware and it tells me my system is clean !!! Help !! :*
Naples Air Center, Inc.
30th Jun 2004, 14:35
whiz,
Did you follow the guide in the thread:
Guide for Eliminating Spyware, Adware, and Random Popups (http://www.pprune.org/forums/showthread.php?s=&threadid=117136)
Take Care,
Richard
Richard,
Yes, Ive followed that guide to the letter. After doing as asked I performed an adaware scan and got 6 problems.... one of which was the possible browser hijack. Since my first post I have also downloaded zonealarm, I was hoping that would sort the buggas, but to no avail. :mad:
E-Liam
30th Jun 2004, 17:33
Hi Whiz,
There are quite a few variants of this now. When I came here I was asked (nicely, don't anyone get me wrong) :) that this forum didn't really want to get into more complex security issues, which I fully respect. :ok:
You would be better off going to one of the dedicated security forums, such as...
http://computercops.biz/forum67.html
http://forums.techguy.org/f54-s.html
or
http://www.techsupportforum.com/forumdisplay.php?s=&daysprune=&forumid=50
You'll get all the help you need.. and you might even get me.. :) (how much more bad luck could you have in one day.. :D:D)
Cheers
Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals (http://asap.maddoktor2.com/) since 2004.
Naples Air Center, Inc.
1st Jul 2004, 15:45
whiz,
I wanted to make sure all of the main options were covered before we continue to troubleshoot.
It might be worth tossing the:
McAfee AVERT Stinger (http://us.mcafee.com/virusInfo/?id=stinger)
At the problem.
Now a little details about your computer would be helpful, as in which OS you are using and basic hardware specs.
Take Care,
Richard
Hi Richard,
Operating system Windows XP Pro service pack 1
hardware as follows :
AMD Athlon XP 2.8+ processor
512mb DDR
80 Gb HDD @ 7200 rpm
Zone alarm has picked up nothing. Spybot repeatedly finds 5 DSO Exploits, I delete them and I do another spybot scan and they are back .. how the hell can the things be re-installing themselves ? Adaware also finds a possible browser hijack which I delete, but as soon as I connect to the internet its back :mad:
When I came here I was asked (nicely, don't anyone get me wrong) that this forum didn't really want to get into more complex security issues, which I fully respect.
Liam, there's no problem getting technical if it's helping someone out. For general interest stuff it's good to try and keep it simple and step by step, so that it's useful for others - remember the target audience is non-technical. There are probably better places elsewhere for deep discussion on security issues (just like other topics like hardware, flight sims or whatever else), but still, if it's useful or important then why not? You aren't going to get booted off for it by me :ok:
E-Liam
1st Jul 2004, 17:35
Hi Evo,
Thanks for that.. :ok:
It's just that in the first instance I always ask for a Hijack This log.. and so will any Security Forum worth it's salt. For any nerds they make great reading (who, me?) :8, but for general interest I would think that most don't want to see more than one or two. :)
The other problem is attaching files to the posts. Most tools get out on the web pretty quickly, but others are written and uploaded straight to posts for use by the patient. It just means that sometimes scripts will have to be C&P'd into people's registries. All good stuff, and it works elsewhere.. :uhoh:
I'm happy to do this if anyone wants though.. :) The site wouldn't get swamped in them, as there aren't many security problems arising. (Relative to TSG, TSF or CC) Certainly though, this latest batch of CWS variants would be nigh on impossible to fix otherwise.
We could trial run Whiz's HJT, and if you think it detracts from the general ethos of the site, then we can leave it out.
Your call Evo, and I'll agree whichever way. :ok:
HJT. Yes or No?
Cheers
Liam
Naples Air Center, Inc.
1st Jul 2004, 18:03
whiz,
Do let Stinger try to remove the pests. If that does not help resolve the situation, it is time to use Liam's "Hijack This!" so we can see where the problem is located in your system.
If we do not find it there, it is time to do a fresh install of WinXP on top of itself to sever the ties of the Malware with WinXP. (Then we can run all the programs, i.e. HouseCall, Ad-Aware, Spybot, Stinger, etc. and remove every pest in your system.) :ok:
Take Care,
Richard
Richard, E-Liam
Many thanks for taking the time and effort to help, much appreciated.
Evo,
I fully understand and will comply with whatever you decide regarding HJT
Richard,
I tried the stinger, but it found nothing :confused:
Awaiting instructions for the next move, oh and can someone please tell me what a hijack is ? :rolleyes:
Edited to say I have downloaded the latest adaware update and scanned the system. 3 problems found, one of which was the usual possible browser hijack ... deleted 3 items and redid scan, possible browser hijack still there :*
HJT. Yes or No?
Sure, go for it. I don't really see a problem, but if there is we'll think again next time :)
E-Liam
2nd Jul 2004, 09:46
Here goes then.. :)
Hi Whiz,
Please download 'Hijack This!' from here (http://www.thespykiller.co.uk/), unzip, and place it in it’s own folder, (not in the temp folder, or on the desktop) doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.
This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.
A new version has just been released, so once you've got the program opened up, click on config | Misc Tools | Check for updates on line and follow the prompts.
Cheers
Liam
E-Liam,
Ive done as asked but for some reason it wont let me post the reply here, its telling me I am using too many images, but all Im doing is pasting the file directly from the notepad :confused:
I think that's all the URLs - PPRuNe thinks they're images or something. Try mangling them (ht tp, for example), should still be easy enough to read.
E-Liam
2nd Jul 2004, 11:08
Hi Whiz,
Disable smileys before posting.
C: \Windows
for instance comes out as
C:\Windows
With so many file paths in the log, that's makes a lot of images (smileys)
Cheers
Liam
E-Liam
Here we go, I tried the on line update, but got a server is down message, so Ive scanned with the downloaded version
cheers
Whiz
Logfile of HijackThis v1.98.0
Scan saved at 11:19:06, on 02/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\radlicence2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SLOWHE~1\window mfcd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Radan Software\Radan 03\radan\nt\i386\bin\dnc_manager.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\loguin.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\loguin.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\POUTPUT.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\POUTPUT.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: store title - {80ADFA92-EC2C-4FD5-30CC-ACA4E4DD39FC} - C:\PROGRA~1\FIRSTM~1\Bend Peak.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: dalesend - {16C2A31F-F4F5-A78F-9652-F14F747883CC} - C:\PROGRA~1\FIRSTM~1\Bend Peak.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [grimsafe] C:\PROGRA~1\SLOWHE~1\window mfcd.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: dnc_manager.lnk = C:\Program Files\Radan Software\Radan 03\radan\nt\i386\bin\dnc_manager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b9f79af6fb59bbb505/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06B03560-1269-46E0-A604-F2119B89962D}: NameServer = 213.1.119.100 213.1.119.99
O17 - HKLM\System\CS1\Services\Tcpip\..\{06B03560-1269-46E0-A604-F2119B89962D}: NameServer = 213.1.119.100 213.1.119.99
E-Liam
2nd Jul 2004, 11:59
Hi Whiz,
No problem with the update.. Derek (who's site you downloaded it from) has got the latest version up now, and that's what you got.. :ok: :)
I'm just off back to work, but it's definitely one of the latest CWS variants.. about:blank in the first entry is the give away. It's difficult to tell exactly which variant, but this should help me determine it.
Please do this:
Copy the contents of the bold text to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt
Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Please copy and paste the contents of the Windows.txt file into your next reply. It will look strange but please paste it anyway.
Also, could you let me know wheteher you are running XP home or Pro, and if it's on NTFS or FAT32.
Cheers
Liam
Back in around 3 1/2 - 4 hours.
E-Liam
Its all yours :D
Im running XP Pro and NTFS file system
regf� � � � � � � Pugf hbin � ¨ÿÿÿnk, œò_Wì�Ä� ÿÿÿÿ ÿÿÿÿÿÿÿÿ� ø� x ÿÿÿÿ 0 � ‘%¯á� WindowsáÈþÿÿsk x x � �� � �” � �� � � ì
� � � �� � !�
� €�� � !� � � � �� � #�
� €�� � #� � ? � �� � �
� ��� � � � ? � �� ��
� ��� �� � ? � �� � �
� ��� � �� � � �� �� Øÿÿÿvk� � € � � fùAppInit_DLLsÖ?æG� °� Ðÿÿÿvk� � �� � � ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 � ð�� ðÿÿÿ9 0 � àN� Ðÿÿÿvk� � €�' � � �zGDIProcessHandleQuota"�þàÿÿÿvk� � €� � � °ºSpooler2ðÿÿÿy e s
Ñ_å� °� à� 0� `� ¨� àÿÿÿvk� � € � � �5swapdiskÐÿÿÿvk� � � � � . TransmissionRetryTimeoutàÿÿÿ°� à� 0� `� ¨� È� �� Ðÿÿÿvk� � €�' � � ?áUSERProcessHandleQuotaƒá¸�
Wing Commander Fowler
2nd Jul 2004, 15:18
Aah! There's ya problem......... :O
E-Liam
2nd Jul 2004, 16:37
Hi Whiz,
Okay, it's not that one. (I went for the easiest one to spot.. that script shows a file name and path right after fùAppInit_DLLsÖ but that isn't the one.) Let's try and chase it out and clear up a couple of other problems in the meantime..
Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank
O2 - BHO: store title - {80ADFA92-EC2C-4FD5-30CC-ACA4E4DD39FC} - C:\PROGRA~1\FIRSTM~1\Bend Peak.dll
O3 - Toolbar: dalesend - {16C2A31F-F4F5-A78F-9652-F14F747883CC} - C:\PROGRA~1\FIRSTM~1\Bend Peak.dll
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe See here (http://securityresponse.symantec.com/avcenter/venc/data/w32.francette.worm.html)
O4 - HKLM\..\Run: [grimsafe] C:\PROGRA~1\SLOWHE~1\window mfcd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.
Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp folder, but not the folder itself. Next please find and delete the following bolded file...
C:\WINDOWS\system32\syshost.exe
..and these folders...
C:\PROGRA~1\FIRSTM~1
C:\PROGRA~1\SLOWHE~1
Then please boot back into normal mode and download AdAware 6 181 from here (http://www.lavasoftusa.com/support/download/).
Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.
Now to set it up for optimum performance...
Make sure the following settings are configured. Remember that ON=GREEN.
From main window click Start | Activate in-depth scan.
Then click Use custom scanning options | Customize and have these options switched ON...
Scan within archives
Scan active processes
Scan registryDeep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files
Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..
Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.
and uncheck..
Automatically try to unregister objects prior to deletion.
Then click Proceed, to save your settings.
Now click the Scan button.
When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.
Next, reboot again and download Spybot - Search & Destroy, from here (http://security.kolla.de): if you haven't already got the program.
Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.
Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.
Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
. Please go here (http://www.thepykiller.co.uk) and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.
CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here (http://v4.windowsupdate.microsoft.com/en/default.asp), click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
Also, a couple of queries...
O4 - Global Startup: dnc_manager.lnk = C:\Program Files\Radan Software\Radan 03\radan\nt\i386\bin\dnc_manager.exe
Is the above [Radan 03] CadCam software, or something else legit that you know you have..??
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
And with reference to Messenger+3, you might want to read this... (http://www.spywareinfo.com/newsletter/archives/june-2003/3.php)
Once you've done all this lot, we'll see if that's got the bugger, so could you please post a new HJT log.
One of the benefits of using HJT is that it can pick up things that get left out by the various scanning programs, such as that worm.
Cheers
Liam
E-Liam,
Once again thanks a lot for taking the time and effort. Re your queries, yes radan is cadcam and the dnc manager is part of the system. I have uninstalled messenger+3 !
After the initial HJT scan and boot into safe mode I could not locate the file...
C:\WINDOWS\system32\syshost.exe
nor the folders...
C:\PROGRA~1\FIRSTM~1
C:\PROGRA~1\SLOWHE~1
Below is todays HJT scan after carrying out the rest of your instructions
Logfile of HijackThis v1.98.0
Scan saved at 10:10:17, on 03/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\radlicence2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Radan Software\Radan 03\radan\nt\i386\bin\dnc_manager.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\loguin.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Radan Software\Radan 03\radan\bin\loguin.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: dnc_manager.lnk = C:\Program Files\Radan Software\Radan 03\radan\nt\i386\bin\dnc_manager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b9f79af6fb59bbb505/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06B03560-1269-46E0-A604-F2119B89962D}: NameServer = 213.1.119.98 213.1.119.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{06B03560-1269-46E0-A604-F2119B89962D}: NameServer = 213.1.119.98 213.1.119.97
cheers
Whiz
E-Liam
3rd Jul 2004, 10:18
Hi Whiz,
Looking good.
Messenger still seems to be running at start up. Please fix the following line...
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
..and then look for and delete this folder if it's still there (the above may just be an orphaned registry entry)...
C:\Program Files\Messenger Plus! 3
Re the other files/folders you couldn't find, once HJT had fixed them Adaware probably was able to atke them out. :ok:
Your log is clean. Any more problems?
Cheers
Liam
E-Liam,
No more problems. Once again a very big thanks for your help. If you're ever in the Cardiff area the beers are on me ... Cheers !!
Whiz
E-Liam
3rd Jul 2004, 11:01
You're welcome Whiz.. :)
Cheers
Liam
Naples Air Center, Inc.
3rd Jul 2004, 15:17
whiz,
Glad to see you are all set now.
Looks like once again, Liam to the rescue! ;)
Take Care,
Richard
E-Liam if you are not too busy could you have a look at this please. I too have the dreaded DSO problem.
Logfile of HijackThis v1.98.0
Scan saved at 16:17:10, on 03/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
H:\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
L:\djinn\gsyno.exe
H:\Grisoft\avgcc32.exe
W:\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
L:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\spoolsv.exe
H:\Naviscope\naviscope.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\Grisoft\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
l:\djinn\vstartx.exe
W:\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
l:\djinn\gisdnlog.exe
V:\Nero\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
W:\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
K:\HiJack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - w:\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - L:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GazelDisplay] "l:\djinn\gsyno.exe" -h
O4 - HKLM\..\Run: [SmcService] H:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [AVG_CC] H:\Grisoft\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] W:\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] L:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: naviscope.lnk = H:\Naviscope\naviscope.exe
O4 - Startup: Shortcut to Reminder.lnk = L:\Anniversary\Reminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = W:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://W:\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - W:\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
Thanks in advance
Shack
Help.
To avoid this falling off the bottom.
Shack
E-Liam
5th Jul 2004, 12:22
Hi Shack,
Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Then please reboot and post a new log.
Cheers
Liam
Hi Liam
Herewith the new log. Thanks for you help.
Cheers
Shack
Logfile of HijackThis v1.98.0
Scan saved at 10:59:32, on 06/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
H:\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
L:\djinn\gsyno.exe
H:\Grisoft\avgcc32.exe
W:\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
L:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
H:\Naviscope\naviscope.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\Grisoft\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
l:\djinn\vstartx.exe
W:\Norton Ghost 2003\GhostStartService.exe
l:\djinn\gisdnlog.exe
V:\Nero\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
K:\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - w:\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - L:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GazelDisplay] "l:\djinn\gsyno.exe" -h
O4 - HKLM\..\Run: [SmcService] H:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [AVG_CC] H:\Grisoft\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] W:\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] L:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: naviscope.lnk = H:\Naviscope\naviscope.exe
O4 - Startup: Shortcut to Reminder.lnk = L:\Anniversary\Reminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = W:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://W:\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - W:\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
E-Liam
6th Jul 2004, 17:17
Hi Shack,
That's a clean log, so the next thing to is to download AdAware 6 181 from here (http://www.lavasoftusa.com/support/download/).
Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.
Now to set it up for optimum performance...
Make sure the following settings are configured. Remember that ON=GREEN.
From main window click Start | Activate in-depth scan.
Then click Use custom scanning options | Customize and have these options switched ON...
Scan within archives
Scan active processes
Scan registryDeep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files
Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..
Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.
and uncheck..
Automatically try to unregister objects prior to deletion.
Then click Proceed, to save your settings.
Now click the Scan button.
When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.
Next, reboot again and download Spybot - Search & Destroy, from here (http://security.kolla.de): if you haven't already got the program.
Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.
Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.
Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button.
Then could you please let me know if you are still having problems.
Cheers
Liam
Hi Liam
I followed your instructions, adaware found the usual couple of ad type cookies and Spybot once more found DSO Exploit with 5 parts. It then removes them but the next time I run Spybot either with or without a reboot it once more finds them. The housecall scan was clean.
This is the latest log.
Logfile of HijackThis v1.98.0
Scan saved at 15:28:31, on 07/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
H:\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
L:\djinn\gsyno.exe
H:\Grisoft\avgcc32.exe
W:\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
L:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
H:\Naviscope\naviscope.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\Grisoft\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
l:\djinn\vstartx.exe
W:\Norton Ghost 2003\GhostStartService.exe
l:\djinn\gisdnlog.exe
V:\Nero\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
K:\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - w:\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - L:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GazelDisplay] "l:\djinn\gsyno.exe" -h
O4 - HKLM\..\Run: [SmcService] H:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [AVG_CC] H:\Grisoft\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] W:\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] L:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: naviscope.lnk = H:\Naviscope\naviscope.exe
O4 - Startup: Shortcut to Reminder.lnk = L:\Anniversary\Reminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = W:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://W:\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - W:\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
Sorry to be a pain.
Shack
E-Liam
7th Jul 2004, 18:11
Hi Shack,
The DSO exploits are showing because of a bug in Spybot. This will be fixed in the one of the next updates. It's happening to a lot of people at the moment.
Other than that, you're squeaky clean.. :ok: :)
BTW, you're not a pain.. :D this is my hobby.. :D
Cheers
Liam
Hi Liam
Thanks for all your help, I was getting really bothered to have something that appeared to be un-deletable.
It's my hobby as well but I am not as clever as you that's for sure.
Thanks again
Shack