blue sky

oslogo and msconfig remnants?

15 posts in this topic

HELLO, may I ask for insight on the following problem:

 

I have run and fixed problems with Ad-aware, Spybot and AVG

 

I ran TDS and found eleven system files missing (but no positive IDs):

cmd

netstat

drwatson

drwtsn32

rundll32

taskman

taskmgr

winlogon

regedt32

netmsg

winsock

 

I ran Xoftspy and found several references to CWS:

cws.oslogo malware in registry key

cws.msconfig malware in c:\windows\system\msconfig.exe.

 

I thought msconfig.exe should reside in the windows folder but I could very well be wrong. There is only one copy in the computer (in the system subfolder), 108 KB. When I delete this it comes right back even though there is a copy in the recycle bin. CWShredder detects no problem!

 

I removed the registry reference to oslogo and cool website. But in a subsequent scan Xoftspy still finds c:\windows\system\msconfig.exe as malware. I am short some system files and I suspect the regeditor now as well. Thanks and best regards ===SEAN

Edited by blue sky


Here is the first HJT log (not configured):

 

Logfile of HijackThis v1.97.7

Scan saved at 11:42:12 PM, on 5/20/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\LTSMMSG.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\HJT\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll

O3 - Toolbar: (no name) - {0A4DC360-26A5-4FC1-8FB2-ADD00738A99B} - (no file)

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\SMUtilityBar.exe"

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe

O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - User Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2002\\Wizard.html

O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2002\\AddUrl.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2002\\Parser.html

O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8030.7398611111

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

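A triage pass over a HijackThis log of the kind posted above, as an added example (not code from the original post, from HijackThis or from any other tool named in this thread). It picks out the entries a responder would look at first: O1 hosts-file overrides, O3 toolbars whose DLL is gone, O4 Run entries that name a bare executable with no path, and O16 ActiveX downloads from hosts outside an allow-list. The allow-list, the set of known bare Run names and the sample log are assumptions made for this example; the sample is a constructed excerpt modelled on the first log in the thread.

```python
"""Triage helper for HijackThis 1.9x log entries (added example, not from the thread)."""
import re

# Hosts that are normal sources of O16 downloads on a 2004-era Windows box.
# Assumed allow-list; HijackThis itself ships no such list.
TRUSTED_DPF_HOSTS = {
    "download.macromedia.com",
    "v4.windowsupdate.microsoft.com",
    "office.microsoft.com",
}

# Bare names that Windows 9x/ME itself registers under HKLM\..\Run(Services).
# Assumed set; anything else without a full path gets flagged for review.
KNOWN_BARE_RUN = {"systray.exe", "mstask.exe", "loadqm.exe", "rundll32.exe"}

_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
_RUN = re.compile(r"^HKLM\\\.\.\\Run(Services)?: \[[^\]]*\] (?P<cmd>.+)$")
_DPF_URL = re.compile(r" - (?P<url>https?://[^/\s]+)")


def parse_hjt(text):
    """Yield (section code, body) for every HijackThis entry line in text."""
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return [(finding kind, entry body)] for the entries worth a second look."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O1":
            # Any hosts-file override redirects name resolution for that site.
            findings.append(("hosts-override", body))
        elif code == "O3" and body.endswith("(no file)"):
            # Toolbar CLSID still registered but its DLL is gone: leftover of a removal.
            findings.append(("orphan-toolbar", body))
        elif code == "O4":
            m = _RUN.match(body)
            if m:
                # A bare name is resolved by path search, so it is easy to shadow.
                exe = m.group("cmd").split()[0].strip('"').lower()
                if "\\" not in exe and exe not in KNOWN_BARE_RUN:
                    findings.append(("bare-run-entry", body))
        elif code == "O16":
            m = _DPF_URL.search(body)
            host = m.group("url").split("://", 1)[1].lower() if m else ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("untrusted-dpf", body))
    return findings


# Constructed excerpt modelled on the first log in this thread (not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {0A4DC360-26A5-4FC1-8FB2-ADD00738A99B} - (no file)
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
"""

if __name__ == "__main__":
    for kind, entry in triage(SAMPLE_LOG):
        print(f"{kind:16} {entry}")
```

The output is a worklist, not a verdict: a flagged O4 entry such as a modem driver started by bare name is often legitimate, but each one should be traced to a known file before it is left in place.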

Update: Now (again with Xoftspy) I find cws.msconfig on my other computer along with three cookies (hitbox[1], bluestreak[1], ehg-space.hitbox) and 2 reference keys each to Winpup32 and WildTangent. There were many noxious elements in this second computer (desktop) before I fixed/ removed them, and so some or all of these latter encroachers may be unrelated to the CWS problem as far as I know. The performance of this desktop computer was severely compromised, unlike in the case of my laptop which also happens to have this malware msconfig.exe file (original problem posted above). In fact, I was just trying some of the software I was using (to attempt fixing this desktop pc) out on my laptop when I unexpectedly found the two cws variants or traces of them with Xoftspy, thus inspiring me to come to the forum . . .


***09:41 AM 05/23/2004

Well it seems similar contamination/destruction is found on both computers which I henceforth distinguish as LT (laptop) and DT (desktop), including cws.oslogo and cws.msconfig. Well my business has been down for a week now so I am taking matters into my own hands at this point. My background is in environmental protection services and I do not have much of a programming background other than self-exposure to computers and the internet. In the past I have been able to "fix" some problems but I've also destroyed my own operating system more than once. That's history. I've been reading information from various sites in the last 36 hours until I now know less about computers, the web and electronic malice than I thought I knew last week. Well, let the games begin. . .

 

My strategy is to fix DT first, then LT. Both OSs are Windows Me, fully updated and now using Sun java. Please disregard the HJT log first posted above until a later date when (iff) I fix the desktop. Before running HJT on this desktop computer (DT) I am assuming I will need to restore system files. Like LT, the DT system folder is also missing eleven files (according to TDS) but the list of file names varies slightly:

cmd.exe

netstat.exe

drwatson.exe

drwtsn32.exe

rundll32.exe

taskman.exe

taskmgr.exe

winlogon.exe

regedt32.exe

netmsg.dll

winsock.dll

 

The computer runs without these files, however perhaps sluggishly, and there is a hesitation whenever I open a program (cursor and display freeze for about ten seconds) and the mouse doesn't move the cursor around very adeptly (could be a bad mouse, planning to pick up a new one today).

 

This morning I ran Xoftspy and found I had two Winpup32 registry keys return after deletion yesterday, and a fresh reference to cws.oslogo under HKey_Current_User\software\microsoft\windows\current version\internet settings\zonemap\domains\coolwwwsearch.com. (I will try to attach a screen picture below). Even before rebooting, my home page (space.com) main ad now says "action cancelled". Several other differences in internet behavior now. I am guessing this is a good thing.

 

QUESTION 1: I deleted the above keys. Under domains I noticed a long sultry list of adult and gaming sites. Can I selectively delete these from the registry? If I delete a website that I later wish to visit, will the deletion from the registry prevent this?

 

I successfully deleted the 108 KB msconfig.exe file with the help of KillBox. I assume that the first course of action should be to recover the missing system files. Also, since I have no msconfig capability at the moment, the only way I can control startup programs right now is through the program options themselves (actually haven't tried this yet) or through System Mechanic 4. So I am thinking without the system files above and now msconfig.exe, HJT may not run properly.

 

QUESTION 2: How can I be sure that the above list of files is needed by Windows Me in the systems subfolder?

 

QUESTION 3: Is there a good source on the internet for replenishing these files with the most updated files, or should I stick with my original CD and search for those files?

 

I will post again when I have made further progress, or not, in case this may be of help to someone or possibly generate suggestions. Thank you readers for your time ===SEAN


Prior to an attempt to recover msconfig.exe and the other eleven missing system files I ran CWShredder (FIX button) and it noted msconfig.exe as missing but reported that the system was clean. However, upon running CWShredder (SCAN ONLY button) I got the following result:

 

CWShredder v1.57.0 scan only report

Please understand that a CWShredder 'Scan only' report

might not be sufficient to troubleshoot an infected system.

You can use HijackThis for that:

http://www.merijn.org/files/hijackthis.zip

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

Windows ME (4.90.3000 )

Windows dir: C:\WINDOWS

Windows system dir: C:\WINDOWS\system

AppData folder: C:\WINDOWS\Profiles\TATAY\Application Data

Username: TATAY

 

Hosts file not present

Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)

CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4

CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4

CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4

Registry value: DefaultPrefix (should be http://) [] http://

Registry value: WWW Prefix (should be http://) [www] http://

Registry value: Mosaic Prefix (should be http://) [mosaic] http://

Registry value: Home Prefix (should be http://) [home] http://

Found Win.ini file: C:\WINDOWS\win.ini (8806 bytes, A)

Found line in Win.ini: load=

Found line in Win.ini: run=

Found System.ini file: C:\WINDOWS\system.ini (2838 bytes, A)

Found line in System.ini: shell=Explorer.exe

Found CWS.Aff.Madfinder file: C:\WINDOWS\BrowserHelper.dll (599552 bytes, A)

 

- END OF REPORT -

 

What does this mean? Note that my control.exe file is currently 2.09 kb and browserhelper.dll is located at c: and at c:\windows directories (both 585 kb). How about the statements regarding registry values, win.ini and system.ini above?

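A way to read a CWShredder "scan only" report like the one above, as an added example (not code from the original post or from CWShredder). In that output, a line carrying a parenthesised condition ("if value is 2", "if filesize is over 50k", "should be http://") is a positive only when the condition holds, so the script evaluates the condition instead of treating every printed line as a hit. The zone numbers are Internet Explorer's ZoneMap values (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites): the CWS variants the tool checks for put their domains in zone 2, whereas immunisation features such as Spybot S&D's Immunize or SpywareBlaster put known bad domains in zone 4. Assumptions made for this example: "50k" is taken as 50 * 1024 bytes, only the line shapes seen in the posted report are parsed, and the sample report is a constructed excerpt of it.

```python
"""Evaluate the conditions printed in a CWShredder 1.5x scan-only report
(added example, not from the thread or from CWShredder)."""
import re

# Internet Explorer ZoneMap values (well-known zone numbering).
IE_ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
            3: "Internet", 4: "Restricted sites"}

_ZONE = re.compile(
    r"^(?P<sig>\S+) \(if value is (?P<want>\d+)\) Registry value: Domains: "
    r"(?P<domain>\S+) \[(?P<sub>[^\]]*)\] dword:(?P<have>\d+)$")
_COND_FILE = re.compile(
    r"^Found (?P<sig>CWS\.\S+) \(if filesize is over (?P<kb>\d+)k\) file: "
    r"(?P<path>.+?) \((?P<size>\d+) bytes, [A-Z]*\)$")
_PLAIN_FILE = re.compile(
    r"^Found (?P<sig>CWS\.\S+) file: (?P<path>.+?) \((?P<size>\d+) bytes, [A-Z]*\)$")
_PREFIX = re.compile(
    r"^Registry value: (?P<name>.+?) \(should be (?P<want>\S+)\) \[[^\]]*\] (?P<have>\S+)$")


def evaluate(report):
    """Return [(line, is_positive, explanation)] for each finding line."""
    results = []
    for raw in report.splitlines():
        line = raw.strip()
        m = _ZONE.match(line)
        if m:
            have, want = int(m.group("have")), int(m.group("want"))
            results.append((line, have == want,
                f"{m.group('domain')} is in zone {have} "
                f"({IE_ZONES.get(have, 'unknown')}); {m.group('sig')} needs "
                f"zone {want} ({IE_ZONES.get(want, 'unknown')})"))
            continue
        m = _COND_FILE.match(line)
        if m:
            # Assumed: "50k" means 50 * 1024 bytes.
            size, limit = int(m.group("size")), int(m.group("kb")) * 1024
            results.append((line, size > limit,
                f"{m.group('path')} is {size} bytes; {m.group('sig')} needs more than {limit}"))
            continue
        m = _PLAIN_FILE.match(line)
        if m:
            # No condition printed: the file's presence is the signature match.
            results.append((line, True, f"{m.group('sig')} file present: {m.group('path')}"))
            continue
        m = _PREFIX.match(line)
        if m:
            have, want = m.group("have"), m.group("want")
            results.append((line, have != want, f"{m.group('name')} = {have}; expected {want}"))
    return results


def positives(report):
    """Only the lines whose printed condition actually holds."""
    return [line for line, hit, _ in evaluate(report) if hit]


# Constructed excerpt of the scan-only report posted in this thread.
SAMPLE_REPORT = r"""
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Found CWS.Aff.Madfinder file: C:\WINDOWS\BrowserHelper.dll (599552 bytes, A)
"""

if __name__ == "__main__":
    for line, hit, why in evaluate(SAMPLE_REPORT):
        print(("POSITIVE " if hit else "no hit   ") + why)
```

Run against the excerpt, the only line that survives its own condition is the CWS.Aff.Madfinder file; the zone entries at dword:4 and the prefix values that already read http:// are reported but do not match. Whether a given BrowserHelper.dll is actually the Madfinder component still has to be confirmed from the file itself, since the report matches on name and location only.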

HELLO, I'm back. Mouse trouble seems to be related to CPU activity but I still plan to replace it today.

 

I lost contact with the internet for awhile and had to delete all cookies and temporary files to get back to this forum.

 

I was able to find the following windows me system files from my CD:

drwatson.exe 136 kb

msconfig.exe 108 kb (same size as the file I deleted)

msconfig.exe 108 kb (from merijn)

netstat.exe 32kb

rundll32.exe 24kb

rundll32.exe 24kb (from merijn)

taskman.exe 48kb

 

In the meantime Panda is alerting me to repeated spoofing (for example by UDP 209.133.47.222 and 66.81.0.252), then now for the first time a port scan TCP 158.109.91.107. THEN NOW, a red flag message from Panda, to the best of my memory, RESPONDING TO INTRUSION! RESPONSE TYPE INITIATED. BLOCKING ATTACK SENT BY IP AGAINST THIS COMPUTER. It spent ten minutes finalizing a defense during which time I shut down the dialup connection, probably impacting Panda's defense.

 

I'm back online now. Files still missing:

drwtsn32.exe

taskmgr.exe

winlogon.exe

regedt32.exe

netmsg.dll

 

QUESTION: how critical are the above files? Where may I find these if needed or desirable?

 

I'm going to restore the files I did find in dos mode now and see what happens. . .


OK, ran AVG, cleaned up registry, caches and several programs.

 

Here is the HJT log (reboot, all startup programs enabled, but normally I run with selected startup); then I turned off System Mechanic 4 Memory Defragger, Panda firewall, AVG antivirus and Spybot TeaTimer before executing HJT:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:27:20 PM, on 05/24/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE

C:\WINDOWS\PCTVOICE.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE

C:\WINDOWS\WEBSHOTS.SCR

C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

C:\WINDOWS\DRWATSON.EXE

C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE

C:\HJT\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.space.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Home-sweet-Home

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [screenPrint32] C:\PROGRAM FILES\SCREENPRINT32 V3\SCREENPRINT32.exe -startup

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [sRP Startup] C:\WINDOWS\SYSTEM\SRP\SRRPRO.EXE /startup

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe

O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\SMUtilityBar.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [system Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE"

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE

O4 - Startup: PUP STOPPER.lnk = C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - User Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE

O4 - User Startup: PUP STOPPER.lnk = C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe

O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8022.4287962963

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx


I removed two R0 items and a few O4 startup instructions, with the resultant HJT log given below.

 

The computer is running slightly faster now and starts much faster, but there is still a 3-5 second hesitation (cursor and screen freeze) when I open a program. I guess at this point I am going to have to call this desktop unit good; however, I believe a format would produce better results. I cannot do that right now as I need this DT computer to transfer data files from my laptop and burn some backup CDs. I will proceed next post with fixing the laptop. One final note on this desktop, in the absence of any comments: the task manager hangs every time on shut down, caused by centinel.vxd. I don't know what this means. The last HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:38:20 PM, on 05/24/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE

C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

C:\WINDOWS\WEBSHOTS.SCR

C:\WINDOWS\DRWATSON.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\HJT\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.space.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Home-sweet-Home

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE

O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - User Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8022.4287962963

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx


I have gone back to fixing the laptop (LT) now that I have a more stable desktop onto which to unload my user files. I have checked with the latest antivirus definitions and executed general maintenance including deletion of cookies, temp files and defrag, and am now ready to run HJT (log to be posted next). Three questions:

 

1) I am aware that it is a bad idea to run two resident antivirus programs. I am now running Panda (firewall protection only), AVG AV and Spybot teatimer at startup. Whether I run all or none of these at startup has little apparent effect on performance. Is this likely to be a compatible configuration?

 

2) Using Panda I am often blocking spoofing (what is this?) from UDP 209.133.47.222 and UDP 66.81.0.252; and TCP 158.109.91.107 both port scanned me and attempted an intrusion. Is there a list of "bad boys" that I can look up or is there a way to trace these parties?

 

3) Has anyone written about or characterized the nature and extent of WinMe OS damage caused by the above pests and/or suggestions on how to revitalize performance other than by reformatting? Is there any kind of system analysis available along this vein in addition to SFP?


OK, with LT (laptop) WinMe startup in normal mode, after startup manually shutting down AVG AV, ZoneAlarm and Cacheman, then running the HJT scan with the resulting log:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:06:36 PM, on 5/25/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\LTSMMSG.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\PROGRAM FILES\ACER INC\POWERKEY\POWERKEY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\SCREENPRINT32 V3\SCREENPRINT32.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\ACER INC\INDICATOR V1.2\INDICATOR.EXE

C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE

C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

C:\ARCHIVE\DEVICES\FLASH\SDSTAT.EXE

C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE

C:\HJT\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll

O3 - Toolbar: (no name) - {0A4DC360-26A5-4FC1-8FB2-ADD00738A99B} - (no file)

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [AcerPowerkey] "C:\Program Files\Acer Inc\Powerkey\Powerkey.exe"

O4 - HKLM\..\Run: [screenPrint32] C:\PROGRAM FILES\SCREENPRINT32 V3\SCREENPRINT32.exe -startup

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [TweakDUN] C:\PROGRAM FILES\TWEAKDUN\tweakdun.exe splash

O4 - HKLM\..\Run: [Pcc] c:\windows\pcc.exe

O4 - HKLM\..\Run: [indicator] "C:\Program Files\Acer Inc\Indicator v1.2\d_indicator.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\SMUtilityBar.exe"

O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\CACHEMAN\Cacheman.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe

O4 - Startup: FlashPath Status.lnk = C:\Archive\devices\flash\SDSTAT.exe

O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Startup: CacheSentry.exe.lnk = C:\Program Files\CacheSentry\CacheSentry.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe

O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - User Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe

O4 - User Startup: FlashPath Status.lnk = C:\Archive\devices\flash\SDSTAT.exe

O4 - User Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - User Startup: CacheSentry.exe.lnk = C:\Program Files\CacheSentry\CacheSentry.exe

O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2002\\Wizard.html

O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2002\\AddUrl.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2002\\Parser.html

O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8030.7398611111

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab


I have weeded the startup garden with the resulting new HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:12:12 PM, on 5/26/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\LTSMMSG.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE

C:\PROGRAM FILES\ACER INC\POWERKEY\POWERKEY.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\HJT\HIJACKTHIS.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [AcerPowerkey] "C:\Program Files\Acer Inc\Powerkey\Powerkey.exe"

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [TweakDUN] C:\PROGRAM FILES\TWEAKDUN\tweakdun.exe splash

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2002\\Wizard.html

O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2002\\AddUrl.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2002\\Parser.html

O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8030.7398611111

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
