Home page still getting hijacked


26 replies to this topic

#1 FrustratedinPA

Posted 02 July 2004 - 10:30 PM

I seem to have had a number of problems tied to the hijacking of my browser. Most (miscellaneous shortcuts being posted on my desktop, etc.) seem to have been cleaned up when I ran either Spybot S&D, Ad-aware, or CWShredder. However, when SpySweeper or X-Cleaner is run as part of my startup, they detect that my home page is attempting to be switched to http://213.159.117.134/index.php or c:\windows\system32\IEsp.mht. In addition, SpyBot still notes five DSO Exploit problems which I fix every time I run it.


I have:
-read the FAQ
-run SpySweeper
-run X-Cleaner
-run Spybot S&D
-run Ad-aware
-run CWShredder
-run HijackThis following rebooting and got this log:



Logfile of HijackThis v1.97.7
Scan saved at 11:02:51 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\WINDOWS\system32\wintime.exe
C:\Documents and Settings\Dad\Application Data\ttuh.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\System32\msadocm32.dll
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {C1513FE9-0A8F-4492-9B36-561C3865E7AC} - C:\WINDOWS\1088489806.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dad\Application Data\ttuh.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079632654245
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.2333449074
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab




Any help would be appreciated.

Thanks

#2 Fireflyer (Spyware Scorcher, Retired Staff)

Posted 05 July 2004 - 07:36 PM

SpyBot still notes five DSO Exploit problems which I fix every time I run it.


Actually it isn't fixing those. From the Spybot support forum:

"However, the fact that Spybot isn't properly fixing this is just a simple bug that I'm sure will be fixed soon.

Basically what's happening is that Spybot is finding that the security setting for "Download unsigned ActiveX controls" for the (normally) hidden "My Computer" zone in Internet Explorer is not set to disabled.

Given that anyone who is properly patched (via Windows Update) is not vulnerable to this exploit anymore, this is really not a serious issue, so provided your system is patched, you have nothing to worry about and can just ignore this until the fix comes out."


But you really do have a hijacker - a CoolWebSearch variant that CWShredder doesn't target. It doesn't look like one with a hidden DLL file so we may be able to clean it out with HJT.

Run a new HJT scan, and mark these items for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\System32\msadocm32.dll

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {C1513FE9-0A8F-4492-9B36-561C3865E7AC} - C:\WINDOWS\1088489806.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dad\Application Data\ttuh.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O15 - Trusted Zone: *.mt-download.com

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Reboot in SAFE MODE and Show Hidden Files/Folders and delete these files:

C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\system32\wintime.exe
C:\Documents and Settings\Dad\Application Data\ttuh.exe

Reboot normally, run another HJT scan, post it here for further review, and say if your problems persist.

Edited by Fireflyer, 05 July 2004 - 07:37 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 FrustratedinPA

Posted 06 July 2004 - 09:46 AM

Thanks for your help, Fireflyer.

I am currently not on the infected computer but will proceed with your instructions as soon as I return later today.

I do have two questions:

1. Since I had experienced some problems that I had thought I was rid of prior to this post, I had re-run HJT before your response was received and reposted my log, etc. to this thread:

http://www.spywarein...showtopic=13156

All of items that you suggest that I remove are noted in that new log with the exception of one -

O2 - BHO: (no name) - {C1513FE9-0A8F-4492-9B36-561C3865E7AC} - C:\WINDOWS\1088489806.dll

However, the following similar line is noted:

O2 - BHO: (no name) - {A52BE8ED-6F37-44B7-9342-009B38D23B9D} - C:\WINDOWS\1089037811.dll

Should that line be deleted?


2. I saw your note about Spybot. I have downloaded the patch - but after I had already detected the Spyware. Should I have any concerns regarding those DSO Exploit problems?

Thanks for all of your help. I will post my revised HJT log to this thread.

#4 Fireflyer (Spyware Scorcher, Retired Staff)

Posted 06 July 2004 - 02:31 PM

However, the following similar line is noted:

O2 - BHO: (no name) - {A52BE8ED-6F37-44B7-9342-009B38D23B9D} - C:\WINDOWS\1089037811.dll

Should that line be deleted?

Yes.

Should I have any concerns regarding those DSO Exploit problems?

No.

#5 FrustratedinPA

Posted 07 July 2004 - 07:11 AM

I followed the instructions. When I rebooted, I noticed that an icon labeled 'desktop' had been added to my desktop and was also in my My Documents folder. Also, Spysweeper issued a warning that my homepage is attempting to be redirected, so I believe I still have my problem.

Also, I went to post my log to this forum last night and when I logged on to this site, Spysweeper detected Clocksync Adware (which I had never had before) and a search bar appeared at the bottom of my screen (also never had before). Therefore, I ran Spysweeper, Spybot, and AdAware again and cleared out 4-5 Adware problems. I was then unable to re-access this forum.

Here is the log that I ran prior to the Adware problems:

Logfile of HijackThis v1.97.7
Scan saved at 10:06:21 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079632654245
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.2333449074
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Any additional help that you could provide would be appreciated.

Thanks!

#6 Fireflyer (Spyware Scorcher, Retired Staff)

Posted 07 July 2004 - 08:30 AM

The site here was down last night a while with server problems.

Right-click on the "Desktop" icon and select Properties and check it out. If the icon is a Shortcut then make a note of the contents of the Target: box to see what program it is pointing to.

I see wuauclt.exe present in your log now. This is a valid Windows file (for auto updating Windows) that is sometimes replaced by Troj/Cult-B. I don't see the typical trojan startup command for it so most likely you've set Windows for autoupdating. If not, please let me know.

But, there is a new bit of malware present.

Run a new HJT scan and mark these for removal:

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Reboot in SAFE MODE and Show Hidden Files/Folders and delete this folder and all contents:

C:\Program Files\VVSN

Reboot normally, run another HJT scan, post it here for another look.

#7 FrustratedinPA

Posted 07 July 2004 - 10:45 AM

Still having problems.

The "desktop" icon is not a shortcut. It is a Notepad file with 'Type of File' noted as Configuration Settings.

Yes, I do have Windows set up for auto updating.

When I ran the HJT scan to make the changes, the VVSN.exe line was not there. I did fix the O16 line. Also, when I rebooted in Safe Mode, there was no VVSN folder in C:\Program Files so I was unable to delete that.

Following a reboot, I still received a warning that my home page is attempting to be redirected, so I still have something wrong.

Here is a copy of the HJT log that I ran following all this:

Logfile of HijackThis v1.97.7
Scan saved at 11:36:21 AM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079632654245
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.2333449074
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab


Any advice?

#8 Fireflyer (Spyware Scorcher, Retired Staff)

Posted 07 July 2004 - 01:25 PM

If you haven't already done so, delete the desktop icon - just to the recycle bin - don't wipe it out completely just yet. Check the My Documents folder too, and if it's still there, do the same.

There doesn't seem to be anything in the log that's popped up to replace the VVSN\VVSN.exe - sometimes these things are renamed but they don't usually just disappear on their own.

The CWS redirect that didn't show up last time is back - and it's one that may not be targeted by CWShredder.

Get the latest Ad-aware update (01R330 07.07.2004) and make sure you have it set up for a Full Scan as per the info here: http://www.spywarein...showtopic=11150

Let's do all this in Safe Mode:

Run a HJT scan and mark this item for removal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Open Windows Explorer and look for these files:
(you won't find them all, but they're all bad if found)

C:\WINDOWS\1088489806.dll
C:\WINDOWS\1088494364.dll
C:\WINDOWS\1088524938.dll
C:\WINDOWS\1088524939.dll
C:\WINDOWS\1089037811.dll
(I'd be suspicious of any .dll with a 10 digit name starting with 1088 or 1089 in the C:\WINDOWS folder)
C:\WINDOWS\System32\IEsp.mht
C:\WINDOWS\System32\msadocm32.dll
C:\WINDOWS\System32\msacrohlp.dll
C:\WINDOWS\System32\sqlpool.dll

and delete them to the Recycle Bin if found.

Delete files/folders from the following directories (But not the directory itself, for example delete all files/folders IN Temp; but not Temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
Run CWShredder.

Now, run Ad-aware, set for Full scan and reboot normally on completion.

Post a new HJT log for another look.
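
Fireflyer's posts above (#2 and #8) keep flagging the same classes of HijackThis entries: IE page settings pointing at a bare IP, BHOs with no file behind them, 10-digit 1088/1089 DLLs in C:\WINDOWS, and sites added to the Trusted Zone. The script below is an added example, not part of the thread or of HijackThis, that applies those checks to a constructed log excerpt; the rule for Run entries launched from a profile's Application Data folder is my own generalisation of the ttuh.exe entry and is marked as such in the code.

```python
"""Flag HijackThis (HJT) log entries matching the indicators discussed in this thread.

Added example, not part of the forum thread or of HijackThis itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the logs posted in the thread (not a verbatim copy).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C1513FE9-0A8F-4492-9B36-561C3865E7AC} - C:\WINDOWS\1088489806.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dad\Application Data\ttuh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
"""

# "R1 - ..." / "O4 - ..." entry prefix; header lines and process paths do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Home/start page set to a bare IPv4 host, e.g. http://213.159.117.134/index.php
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)")
# Fireflyer's rule: a 10-digit .dll name starting 1088 or 1089 in C:\WINDOWS
TIMESTAMP_DLL_RE = re.compile(r"C:\\WINDOWS\\10(?:88|89)\d{6}\.dll\b", re.IGNORECASE)
# Added heuristic (mine, generalised from the ttuh.exe entry in the thread):
# a Run entry launching an .exe straight out of a profile's Application Data folder.
APPDATA_EXE_RE = re.compile(r"\\Application Data\\[^\\]+\.exe\b", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "R0", "O2"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def analyze_hjt(text: str) -> list[Finding]:
    """Return one Finding per suspicious entry, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Logfile of ...", "Running processes:", blank lines, paths
        code, body = m.groups()
        if code in ("R0", "R1"):
            ip = IP_URL_RE.search(body)
            if ip:
                findings.append(Finding(code, f"IE page setting points at bare IP {ip.group(1)}", line))
        if code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, "BHO registered but its DLL is missing (orphaned entry)", line))
        if TIMESTAMP_DLL_RE.search(body):
            findings.append(Finding(code, "10-digit 1088/1089 DLL in C:\\WINDOWS (CWS pattern)", line))
        if code == "O4" and APPDATA_EXE_RE.search(body):
            findings.append(Finding(code, "Run entry launches an .exe from Application Data", line))
        if code == "O15":
            findings.append(Finding(code, "site added to IE Trusted Zone; confirm it was intentional", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HJT section code."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

The checks are triage hints for reading a log, not a verdict: an entry the script flags still has to be confirmed against the rest of the log, as Fireflyer does in the thread.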

#9 FrustratedinPA

Posted 07 July 2004 - 09:49 PM

Okay I attempted everything you suggested. Here are my results/comments.

1. Believe it or not, when I ran the initial HJT scan, the R0 - HKCU\......./index.php line was not present so I could not fix it.

2. I found and deleted four of the files that you listed:
C:\WINDOWS\1088489806.dll
C:\WINDOWS\1089037811.dll
C:\WINDOWS\System32\IEsp.mht
C:\WINDOWS\System32\sqlpool.dll

While I was searching for those files, I noticed a file named C:\WINDOWS\dkdial.exe which had a small icon that resembled one of the shortcut icons that I would get on my desktop that would direct me to a porno web site so I deleted that as well.

I also noted the following files that were created within 1-2 minutes of that file. I did not delete them but thought I would pass them along:
C:\WINDOWS\system.exe
C:\WINDOWS\dial32.exe
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstasks3.exe
C:\WINDOWS\mstasks4.exe
C:\WINDOWS\test.
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\xpsp1hfm.txt
C:\WINDOWS\kb835732.txt
C:\WINDOWS\System32\Nfpdfl32.exe
C:\WINDOWS\System32\Nimfom32.dll
C:\WINDOWS\System32\glumx32.dat

3. I deleted the files/folders that you suggested and ran CWShredder (with nothing found).

4. I ran the updated version of Ad-aware set for Full scan and it listed 5 Registry Keys Identified, 1 Registry Value Identified, and 172 files identified - all of which I quarantined and deleted.

5. Upon rebooting, I ran HJT with the following log (with the R0 line back).



Logfile of HijackThis v1.97.7
Scan saved at 10:32:14 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079632654245
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.2333449074
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab


Sorry this is taking so many attempts to fix but I REALLY appreciate your help.

Let me know where to go from here.....

#10 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 09 July 2004 - 08:01 AM

Yeah, it's easy to get frustrated when it drags on a while - and when something like the R0 - HKCU\.../index.php line doesn't show up in the log - but you know it's still lurking.

I think you were right in deleting the dkdial.exe file. All of these files you listed look suspicious as well:

C:\WINDOWS\system.exe
C:\WINDOWS\dial32.exe
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstasks3.exe
C:\WINDOWS\mstasks4.exe
C:\WINDOWS\test.
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\xpsp1hfm.txt
C:\WINDOWS\kb835732.txt
C:\WINDOWS\System32\Nfpdfl32.exe
C:\WINDOWS\System32\Nimfom32.dll
C:\WINDOWS\System32\glumx32.dat

If I were troubleshooting this on a computer I had my hands on, I'd be tempted to open the two .txt files in Notepad just to see what was there. For now, just delete them all to the recycle bin - so they can be restored if necessary.

Nothing bad is showing up in the running processes - and none of the above .exe files seems to be running. All of the O4 - HKLM & HKCU Registry Run entries listed in the log are legit too.

But, it seems that something is still hiding and doing some evil. This doesn't appear to be the CWS about:blank exploit, but it's acting very much like there's a hidden dll file. So, let's check it out.

Download Reglite from http://www.resplende...oad/reglite.exe

Install it and run it. Copy this line and paste it in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Click Go. Reglite will search.

Then, double click AppInit_DLLs in the Name column.

If it found one it will display it in the Value window as:

C:\Windows\System32\"Hidden".dll

If it's there, make a note of it and we'll take care of it. If not, having eliminated that possibility, we'll try something else.

Edited by Fireflyer, 09 July 2004 - 10:54 AM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#11 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 12 July 2004 - 03:53 PM

Sorry for the late reply but I was away for a few days.

I deleted the files that you suggested (I did it in Safe Mode; don't know if that matters).

I downloaded Reglite and ran the search. Unfortunately, the value line was blank.

When I rebooted, X-Cleaner and Spysweeper still detect that my home page is attempting to be redirected.

Any further thoughts?

#12 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 12 July 2004 - 07:46 PM

First download the new 1.98 version of HijackThis - it may show us something the old version is missing. Alternate download site: http://www.downloads.../hijackthis.zip in case Merijn's site doesn't respond.

Now, let's try Ad-aware again - get the newest reference file (01R332 12.07.2004), released today, which includes updates on several CWS variants. Run it in Safe Mode. Stay in Safe Mode and run a HJT scan and delete the

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

line and any others with http://213.159.117.134/index in them.

Reboot normally and post a new log with the new HJT 1.98 - I know it's frustrating but hang in there - we will beat this thing!
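As an added example (not code from this thread, from HijackThis, or from any of the tools mentioned), here is a small Python triage script that reads a HijackThis log like the ones posted here and picks out the kind of lines Fireflyer is telling the poster to delete: R0/R1 start-page values that point at a bare IP address or at a local file such as IEsp.mht. It goes one step beyond this post by also listing any O17 (TCP/IP Domain or NameServer) line, which the thread later notes is what HJT uses to indicate a domain hijacker. The sample log is constructed: the first R0 line and the two R1 lines are copied from the logs above, while the second R0 line, the O17 line, its {PLACEHOLDER-GUID} and the 192.0.2.53 address (a documentation range, not a real resolver) are made up for illustration. The script reads text only and never touches the registry.

```python
"""Triage a HijackThis log for start-page and DNS entries worth a second look.

Added example for this thread; it is not HijackThis code and it does not
touch the registry. It only reads log text like the logs posted above.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# HijackThis prefixes each finding with a section code, e.g. R0/R1 for
# Internet Explorer start/search page values and O17 for TCP/IP domain or
# NameServer settings.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def _is_ip_literal(host: str) -> bool:
    """True when the host is written as a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_page_value(value: str) -> Optional[str]:
    """Reason a start/search page value looks hijacked, or None if it looks normal.

    Flags the two shapes seen in this thread: a page served from a bare IP
    address and a page that is a local file (a dropped .mht).
    """
    v = value.strip()
    if DRIVE_PATH_RE.match(v):
        return "start page is a local file instead of a web page"
    parsed = urlparse(v)
    if parsed.scheme == "file":
        return "start page is a local file instead of a web page"
    if parsed.scheme in ("http", "https") and _is_ip_literal(parsed.hostname or ""):
        return "start page uses a bare IP address instead of a hostname"
    # about:blank, ordinary hostnames and non-URL values (ProxyOverride) pass.
    return None


def triage_hjt_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for log entries that deserve review."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines, blank lines
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and " = " in body:
            _key, value = body.split(" = ", 1)
            reason = classify_page_value(value)
            if reason:
                findings.append((raw.strip(), reason))
        elif code == "O17":
            # Any O17 line changes which DNS servers or domain suffix the
            # machine uses; compare it with the ISP's settings before keeping it.
            findings.append((raw.strip(),
                             "TCP/IP domain or NameServer entry; verify against ISP settings"))
    return findings


# Constructed sample log. The first R0 line and the R1 lines are from the logs
# in this thread; the second R0 line, the O17 line, its placeholder GUID and
# 192.0.2.53 (a documentation address) are made up for illustration.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = file:///C:/WINDOWS/System32/IEsp.mht
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{PLACEHOLDER-GUID}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for line, reason in triage_hjt_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it on a saved HJT log by passing the file's contents to `triage_hjt_log`; anything it lists is a candidate for the "fix checked" step in HijackThis, not something to delete blindly, since a legitimate corporate or ISP NameServer also shows up as O17.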

#13 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 12 July 2004 - 10:11 PM

I downloaded the latest versions of Ad-aware and HJT.

I ran a Full Scan with Ad-aware in Safe Mode and it identified 5 objects - 1 registry value and 4 files - which I quarantined and deleted.

I then ran HJT in Safe Mode and there were no lines that had http://213.159.117.134/index.php in them so I did not delete anything.

Upon rebooting, I ran HJT again and got the following log (with no http://213.159.117.134/index.php in it - yet X-Cleaner and Spysweeper still detect that my home page is attempting to be hijacked).



Logfile of HijackThis v1.98.0
Scan saved at 10:59:14 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab


A couple of questions:
1. When I am in Safe Mode, I log on to the Administrator user profile. Similarly, when in regular mode, I log onto my user profile. Does that matter?

2. When I try to run Internet Explorer from my wife's user profile, I get the following message: "Cannot find 'file:///C:/WINDOWS/System32/IEsp.mht'. Make sure the path or Internet address is correct." When I go to Tools, Internet Options, to change the default home page, I get no response (i.e. no dialog box opens). Any thoughts regarding how to correct this?


Let me know where you think I should go from here.

Thanks again.

#14 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 13 July 2004 - 09:12 AM

Well, the log looks good. But there are still some perplexing things going on. Something hidden is trying to reset your home page. And, SOMETHING is looking for 'file:///C:/WINDOWS/System32/IEsp.mht' - at least under your wife's user profile. So we may have more than one snake still in the woodpile.

Run me a HijackThis scan while logged in under your wife's user profile. (normal mode)

Being unable to reset her home page is probably due to the restrictions you have placed in one or more programs preventing it from being changed. (In example: Spybot -> Advanced Mode -> Tools -> IE tweaks -> "Lock IE start page setting against user changes") - possibly in X-Cleaner or Spysweeper as well.

To continue looking for your home page hijacker, download Process Explorer: http://www.sysintern...s/procexpnt.zip
It doesn't require any installation and can be run from wherever you want to put it - on the Desktop is fine.

Run it and make sure it shows the lower pane View -> Show Lower Pane

Set it to show DLLs in the lower pane View -> Lower Pane View -> DLLs

Now start Internet Explorer - select Internet Explorer in the top pane - DLLs related to IE will appear in the lower pane. Look thru them and note the ones that DO NOT show anything in BOTH the Description and Company Name columns. There shouldn't be too many. If NETBIOS.DLL is there, don't worry about it - it's OK.

Anything else is suspect. You can right click on the DLLs and view properties - when created or modified. See if there's anything suspicious and let me know.

Edited by Fireflyer, 13 July 2004 - 10:54 AM.


#15 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 13 July 2004 - 07:40 PM

I downloaded Process Explorer and ran it. I didn't find any DLLs that were blank in both the Description and Company columns while running Internet Explorer. (There were a few files that were blank in those columns but they had extensions of .NLS, .DAT, and .CLB)

Soon after my last post, I ran HJT while in my wife's user profile and deleted three lines that had references to IEsp.mht or 213.159.117.134/index.php and it seems to have corrected the problem that I had mentioned in my previous post. I recently ran HJT again under her profile and here is that log:


Logfile of HijackThis v1.98.0
Scan saved at 7:54:09 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\Mom\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab


Unfortunately, I still get warnings from SpySweeper and X-Cleaner (which are set to auto run when I log onto my profile) saying that my home page is attempting to be changed. This seems to be the only remaining remnant of the infection (at least that I observe).


Two questions/observations:

1. Should I run Spybot, Ad-aware, CWShredder, etc. from all user profiles?

2. I ran a search within Windows Explorer and found multiple folders and hundreds of files that were created around the time that I believe the computer was infected. Specifically, the folders were created in C:\SystemVolumeInformation and C:\WINDOWS\PCHealth\HelpCtr. In addition, a folder named C:\MCADDCO.tmp was created and a few subfolders were created within it. The files that were created include some with .dll, .exe extensions. Should I be concerned about any of these?

#16 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 13 July 2004 - 09:47 PM

I don't see anything wrong in the log you just posted.

1. Should I run Spybot, Ad-aware, CWShredder, etc. from all user profiles?


I honestly don't know if you should - and I'm going to work on getting a definite answer for that. I do know that it won't hurt to do so - and I could see how it might be beneficial. It's definitely more work for you but if you don't mind the extra effort go ahead and do it.

2. Should I be concerned about any of these?

I don't think so. C:\SystemVolumeInformation is your System Restore - we will clear out System Restore and set a new restore point once everything is cleaned up. Things can be detected in the System Restore folder, but they cannot affect your system - UNLESS YOU RESTORE THEM! - they're quite safe where they are.

I'm not very familiar with PCHealth but I believe there's something similar going on with it - and it may need to be cleaned and reset eventually - it's likely anything there is effectively quarantined.

On the resetting the home page, I'm beginning to wonder if this isn't some conflict between the various programs you have. Try disabling the warn/monitor feature in one - say SpySweeper - and see what happens.

Could some program be detecting that the page has been changed and then be attempting to reset it to some preset selection?

#17 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 14 July 2004 - 11:07 PM

As you suggested, I played around with the SpySweeper and X-Cleaner auto-runs and it appears that my browser-redirecting problem has gone away (at least I am not getting any warnings).


I then wanted some reassurance, so I ran the various programs (in normal mode) from my user profile.

Spybot found a VX2/f problem (plus the typical five DSO Exploits)

Ad-Aware found 3 objects - 1 registry key and 2 registry values (although looking at the log, it appears that these were tied to concerns that my start page is set to about:blank - which is what I want)


Prior to posting this, I decided to run HJT from each of the user profiles to see if I notice anything different among the logs - which I didn't. But when I returned to my user profile there was a dialog box labeled NotifyAlert.exe - Common Language Runtime Debugging Services. The contents said "Application has generated an exception that could not be handled. Process id=0x12c(300), Thread id=0x1b0(432) Click OK to terminate the application. Click CANCEL to debug the application." I clicked OK. Any idea what this was all about??


I'm still concerned that I may have something. Any thoughts??

#18 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 15 July 2004 - 03:48 PM

I didn't recognize anything in your logs that looked like a VX2 problem - but it certainly won't hurt to check.

Download VX2 finder from http://downloads.sub...Finder(126).exe to your Desktop.

Run Vx2Finder, click on the *click to find VX2.BetterInternet* button. Then click *make log*. Copy and paste the contents of the log into your next reply.

Some random notes:

I'm still concerned that you may have something, also.

The key to needing to take corrective action in different user profiles is if an infection shows up under HKCU - H_Key Current User - then it will likely need cleaning for each user.

Unfortunately, I'm at a loss about the error you mentioned.

I'm getting conflicting info on the PCHealth issue thru internet research - with nothing much being offered by the experts here at SWI. It does seem that there was a buffer overflow vulnerability associated with it and an exploit based on that a while back - MS issued a patch which I presume would have been incorporated into the critical updates. I'll be researching this further.

#19 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 16 July 2004 - 06:40 PM

I downloaded and ran VX2 Finder. Here is my log:


Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---wlballoon


Guardian Key--- is called:

User Agent String---


Let me know if there is anything that I should do.


I am now going to run the various programs that I have downloaded in each of my user profiles. I will let you know what I find.

Also, when I went to post this reply initially, I got a NotifyAlert.exe dialog box that was similar to the last one but which referenced the "JIT debugger" attempting to be launched and saying that the computer settings should be checked. Any further insight?

Also, regarding PCHealth, I noticed that a number of XML Documents named CollectedData_xxxx have been stored recently in the C:\WINDOWS\PCHealth\HelpCtr\DataColl folder. Have you been able to get an additional insight into this??

#20 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 17 July 2004 - 08:39 AM

Yikes! More problems!

Now my home page (which I have set to about:blank) is being directed to msn.com. I have run Spybot and Ad-aware on all user profiles but got some errors on some of the attempts. The problems found seem to be the basics - Adware, DSO Exploit, etc.

The NotifyAlert.exe alerts have happened 3-4 more times as well.

Two observations:

1. Now when I run HJT, in the area above the screen where the description is, for a split second there is a blue background with red lettering. I can make out what I think is "015 - Trusted........" (can't make out balance because it happens too quickly).

2. Right after my home page got directed to msn.com the first time, I ran HJT and it had a line that began with "017 -". Unfortunately, I didn't save the log, closed the program and later learned that indicates a domain hijacker. 5-6 runs of HJT after that have not given me that line.


Help!

#21 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 17 July 2004 - 03:35 PM

Well, the good news is that the VX2finder didn't find a VX2 infection - so, I'm not sure why Spybot gave an indication of VX2. You might want to try VX2finder under each user configuration.

On the PCHealth program:

Windows XP's System Information tool takes a daily snapshot of your system's configuration, and it records all changes to key elements. In fact, System Information compiles and stores a month's worth of data in its history file. As such, System Information provides a beneficial troubleshooting database. History Information is stored in the Extensible Markup Language (XML) data files located in Windows\PCHealth\HelpCtr\Datacoll. It takes snapshots of the System Info whenever changes to it have been detected. It checks for those changes on a schedule of anywhere from 10 minutes to 6 hours depending on how it's set.

I'm still sifting thru lots of info and opinions on it - it seems lots of people prefer to disable it.

NotifyAlert.exe is a Dell support file. See this thread for some opinions of it:

http://delltalk.us.d...message.id=1038

It may be related to things being directed to msn - read that and see what you think.

#22 FrustratedinPA

FrustratedinPA

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 20 July 2004 - 08:38 PM

Here's an update on my end:

Good news:

- No home page redirects (either to search pages or msn) for about 20-25 logons on various user profiles
- I ran HJT numerous times in the various user profiles over the past few days and they are all very similar (and consistent) and appear clean (I guess I feel I am becoming an expert.....)
- I have not had any icons placed on the desktop in days
- CWShredder has been run with no problems on all user profiles

Concerns:

- Spybot detected the DSO Exploits on both my wife's and my profiles and I "fixed" them but when running it under my kids' profiles, it detects three DSO Exploits but when I request to "fix" them, it responds that it can only fix one since the other two may be running in memory. (Not sure if this is a concern.)
- AdAware ran detecting no problems on both my wife and my profiles but when running it under my kids' profiles, it "encounters a problem" and needs to close so the scan is never fully completed. (Once, again, not sure if this is a concern.)
- For some reason, the "flash" that I mentioned in a previous post when running HJT still occurs and I don't know if it had always done it and/or if it should be a concern.
- I mentioned that I once saw an 017 line in my HJT log but have not seen it since and I wonder if something might still be hiding.
- Lastly, I checked out the link to the Dell forum that you provided and I feel pretty sure that the NotifyAlert.exe errors are a Dell issue but it does seem to be an odd coincidence that it started when we were attempting to fix my problems.

If you are not concerned about the above issues (as well as the PCHealth issue that you were looking into), maybe I'm clean.....

What do you think?? What should I do??

Once again, I really appreciate your help!!

#23 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 21 July 2004 - 08:22 AM

I'm glad to hear the good news. Sorry you had to become an expert at running HJT - but it's always good to have a bit of a feeling for what's going on in your computer.

There does seem to still be something a little strange, but it's difficult to say if it's malware related, or not, at this point.

Even though you have McAfee AV, it might be worthwhile to visit one or more of the online virus scanners linked in my Sig for a 2nd (or even 3rd) opinion. Different AVs sometimes detect things others miss. Be sure to temporarily disable your McAfee while running online scans so they don't conflict.

We can probably take care of the DSO exploit messages if you feel up to doing a little Registry editing - and it's fairly simple - interested?

EDIT - Check out this link for DSOstop2, a program designed to do this for you:

http://www.nsclean.com/dsostop.html

I haven't used it, and can't vouch for it, but I've seen a lot of people posting that it solved the problem for them.

Edited by Fireflyer, 21 July 2004 - 12:06 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#24 FrustratedinPA (Member, Full Member, 14 posts)

Posted 31 July 2004 - 09:45 AM

Finally had a chance to attempt some things....

I have downloaded updates for all the software that I have been running. Following the update of McAfee, it found multiple trojans including 'StartPage', 'Multidropper', and 'BackDoor' which were deleted. They were all found in either the C:\RECYCLER or C:\SystemVolumeInformation folders.

As you suggested, I also ran a few of the virus scans on your signature.

Trojan Scan found 0 infected files but it was unable to scan C:\e634c\sp2 - access was denied. Don't know if this is a problem.

PandaActiveScan found 6 infected files and noted that ActiveScan could not disinfect them. I viewed the report and 5 files were in the C:\RECYCLER folder (four .exe and one .dll). The sixth was a .dll file in folder C:\HJT\hijackthis. (Is this a concern??) Should I do anything with these 6 files?


Also, over the past week, I have run the various scans, etc. dozens of times in the various user profiles and they are mostly clean (I have not run DSOstop2 yet but will this weekend. The only other problem is Ad-aware detecting 1 or 2 tracking cookies, which I deleted, and I tightened my security settings.) However, two times when I ran HJT, I had scans that had the same 017 line. I'm not sure if this is a problem but I deleted it both times. Here is the line that I deleted:

O17 - HKLM\System\CCS\Services\Tcpip\..\{C7603505-5988-407E-806E-34904C33623D}: NameServer = 151.197.0.38 151.197.0.39



Finally, here is the latest HJT log from my user profile:

Logfile of HijackThis v1.98.0
Scan saved at 10:27:06 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab



Big question....what should I do to be sure that I am 100% clean??

Thanks again for all of your help over the past 2-3 weeks!

#25 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 01 August 2004 - 07:18 PM

The O17 IP# 151.197.0.38 is related to Verizon Internet Services - should be no problem there.

Empty your Recycle Bin - C:\RECYCLER is related to it.

C:\SystemVolumeInformation is the System Restore folder - nothing in there can affect your system unless you do a restore - it would probably be a good idea to go ahead and clean out System Restore and set a new Restore Point - you likely know how to do that, but just in case:
  A. Click Start > Control Panel > System
  B. Under the System Restore tab, place a check mark in the box next to "Turn off System Restore on all drives" and click Apply
  C. Reboot the computer
  D. Repeat step A and uncheck the box selected in step B, click Apply; a clean restore point will be created automatically (no need to reboot again)
The C:\e634c\sp2 does concern me - e634c doesn't seem like any normal folder I'm aware of and I can't find any info on it either. Go to it in Windows Explorer and right click on it and check out its Properties. If it isn't recognizable you might go ahead and delete it - to the recycle bin. Let me know what you find.

I'm not sure there is any way to be sure you're 100% clean (other than reformatting) - if we can get all the scans to come up clean repetitively, that might be the best we can hope for.

As far as what shows up in the HJT log you posted - it's clean, nothing bad there.

#26 FrustratedinPA (Member, Full Member, 14 posts)

Posted 08 August 2004 - 11:55 AM

Over the past 4-5 days, I have done the following:

1. Cleaned out the Recycle Bins in all user profiles.

2. Deleted/uninstalled HJT (As I mentioned in my last post, PandaActiveScan noted a trojan in a .dll file in that folder, so I though I best get rid of it.)

3. Reinstalled the latest version of HJT

4. Cleaned out System Restore and set a new Restore Point.

5. Downloaded and ran DSOstop2

6. Checked out the C:\e634c\sp2 folder. It is a read-only file that was created on 8/8/03 - shortly after I purchased this computer. I'm not an expert, but it doesn't seem as though that is an issue. (What do you think?)

7. Ran Adaware, McAfee AV, PandaActiveScan, and Spybot multiple times on multiple user profiles. They all have come up clean other than Spybot which shows 4 DSO Exploits even after I ran DSOstop2. (It had been showing 5 prior to DSOstop2.)

8. Ran HJT once again and here is my log. (There appears to be 1 or 2 new lines - don't recall seeing DLG.exe before - probably due to all the resetting that I have done. But tell me what you think.)


Logfile of HijackThis v1.98.2
Scan saved at 12:39:20 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.co..._full_setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab


Your thoughts????

#27 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 11 August 2004 - 09:15 AM

The only new items in the last log are the Digital Line Detect\DLG.exe and a McAfee registration wizard.

DLG.exe - Application that comes with Conexant V.92 and Broadcom modems and is used to check whether you are connected with a digital telephone line or not. If you are connected, the application displays the information graphically.

So, everything still looks clean.

It might help to run Dsostop2 in all user profiles. Again, if your Windows updates are current, you are not vulnerable to the DSO exploit. Spybot is continually reporting it because of a minor bug that causes it to write a text value instead of a number when it "fixes" the problem. Of course, since it "fixes" it incorrectly, it keeps finding it. You can also tell Spybot to ignore it if you wish. Or, you can edit the Registry and put the correct value in each location where it now detects an error.

My main concern with the C:\e634c\sp2 folder is my inability to find any info on it. I take it that there was no Manufacturer info in the file Properties. Nothing is running a file from there at startup, and none of your multitude of virus/malware scans has flagged it, so it's probably OK.
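The registry check Fireflyer describes in posts #23 and #27 (the DSO Exploit entry that Spybot keeps re-reporting because its fix stored a number as text), worked through as an added example; this is not code from the thread, from Spybot or from DSOstop2. The script takes the text of a regedit export of the Internet Settings zone keys, reports every Zones\0 key whose value 1004 is missing, stored as a string, or not set to 3, and writes out a corrected .reg fragment. The .reg text embedded in it is constructed sample data; the value name 1004 under Zones\0 and the data 3 (Disable) are what the DSO Exploit fix is known to set, and everything else (function names, the sample hives) is an assumption of this example. It never touches the live registry.

```python
"""
Audit a regedit export for the Spybot S&D "DSO Exploit" false positive.

Spybot's fix sets the per-zone value 1004 under
...\\Internet Settings\\Zones\\0 (the "My Computer" zone) to 3 (Disable).
Spybot 1.3 wrote that value as a string ("3", REG_SZ) instead of a DWORD,
so every later scan flagged the same entry again. This script parses a
.reg export, reports every Zones\\0 key whose 1004 entry is missing, not a
DWORD, or not 3, and emits a corrected .reg fragment. It only works on
text; it never reads or writes the live registry.
"""
import re

# Constructed sample (not from the thread): what a 'regedit /e' export of the
# zone keys might look like on a machine where Spybot's fix went wrong.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]
"1004"="3"
"1200"=dword:00000000

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]
"1004"=dword:00000003

[HKEY_USERS\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]
"1200"=dword:00000000
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
ZONE0_SUFFIX = "\\Zones\\0"
DSO_VALUE = "1004"   # zone action "Download unsigned ActiveX controls"
DSO_EXPECTED = 3     # 3 = Disable


def parse_reg(text):
    """Return {key_path: {value_name: raw_data_literal}} from .reg text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def classify(raw):
    """Map a .reg data literal to (type_name, python_value)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1]
    return "OTHER", raw


def audit_dso(keys):
    """List (key, problem) for each Zones\\0 key whose 1004 is not DWORD 3."""
    findings = []
    for key, values in keys.items():
        if not key.endswith(ZONE0_SUFFIX):
            continue
        raw = values.get(DSO_VALUE)
        if raw is None:
            findings.append((key, "missing"))
            continue
        kind, value = classify(raw)
        if kind != "REG_DWORD":
            # The Spybot 1.3 symptom: the right number stored as text.
            findings.append((key, f"wrong type {kind} ({value!r})"))
        elif value != DSO_EXPECTED:
            findings.append((key, f"wrong value {value}"))
    return findings


def fix_reg(keys):
    """Return .reg text that rewrites 1004 as DWORD 3 for every Zones\\0 key.

    Importing this with regedit replaces a REG_SZ "3" with a DWORD 3, since a
    .reg import overwrites the existing value, type included.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        if key.endswith(ZONE0_SUFFIX):
            lines += [f"[{key}]", f'"{DSO_VALUE}"=dword:{DSO_EXPECTED:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, problem in audit_dso(parsed):
        print(f"{problem:28} {key}")
    print(fix_reg(parsed))
```

On the real machine the input would come from an export such as `regedit /e zones.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"` (repeated for HKLM and for each profile's hive under HKEY_USERS, which is why the thread suggests running the fix in every user profile); regedit writes Version 5.00 exports as UTF-16, so open the file with that encoding before handing the text to parse_reg. The audit distinguishes the three cases a practitioner cares about: value absent, value present but of the wrong type (the Spybot bug), and value present but not set to Disable.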



