oslogo and msconfig remnants?


14 replies to this topic

#1 blue sky

blue sky

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 21 May 2004 - 12:06 AM

HELLO, may I ask for insight on the following problem:

I have run and fixed problems with Ad-aware, Spybot and AVG

I ran TDS and found eleven system files missing (but no positive IDs):
cmd
netstat
drwatson
drwtsn32
rundll32
taskman
taskmgr
winlogon
regedt32
netmsg
winsock

I ran xoftspy and found several references to CWS:
cws.oslogo malware in registry key
cws.msconfig malware in c:\windows\system\msconfig.exe.

I thought msconfig.exe should reside in the windows folder but I could very well be wrong. There is only one copy in the computer (in the systems subfolder) 108kb. When I delete this it comes right back even though there is a copy in the recycle bin. CWS Shredder detects no problem!

I removed the registry reference to oslogo and cool website. But in a subsequent scan Xoftspy still finds c:\windows\system\msconfig.exe as malware. I am short some system files and I suspect the regeditor now as well. Thanks and best regards ===SEAN

Edited by blue sky, 23 May 2004 - 01:17 PM.


#2 blue sky

Posted 21 May 2004 - 02:17 AM

Here is the first HJT log (not configured):

Logfile of HijackThis v1.97.7
Scan saved at 11:42:12 PM, on 5/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: (no name) - {0A4DC360-26A5-4FC1-8FB2-ADD00738A99B} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\SMUtilityBar.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe
O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - User Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2002\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2002\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2002\\Parser.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8030.7398611111
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
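
A HijackThis log is easiest to read once the entries are split by section and the handful of patterns a reviewer checks first are marked. The following is an added example, not code from HijackThis, the forum or the poster: a small parser for the R0/R1/O1/O3/O4/O16 line format above, run over a constructed sample built from entries in this thread. The notes it attaches are prompts for a human (a hosts line pointing somewhere other than loopback, a toolbar whose DLL is gone, a Run entry given as a bare file name so the folder it loads from is ambiguous, a proxy setting, an ActiveX download with no description), not verdicts; SysTray.Exe, for instance, is a normal Windows Me entry that simply needs its location confirmed, which is the same question the thread raises about msconfig.exe. The regular expressions and note texts are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input in the format HijackThis 1.97 writes, assembled from
# entries that appear in the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: (no name) - {0A4DC360-26A5-4FC1-8FB2-ADD00738A99B} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Pcc] c:\windows\pcc.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
""".strip()

# "R0 - ..." / "O4 - ..." entry lines; header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# O4 body: "HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


@dataclass
class Entry:
    kind: str
    body: str
    notes: list = field(default_factory=list)


def parse_hjt(text):
    """Split a log into (kind, body) entries, ignoring the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def command_target(cmd):
    """Return the executable part of an O4 command line, unquoted, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1 : cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def review(entries):
    """Attach review notes; these are prompts for a human reader, not verdicts."""
    for e in entries:
        if e.kind == "O1":
            # HJT lists hosts lines other than the default localhost entry.
            parts = e.body.split()
            ip = parts[1] if len(parts) > 1 else ""
            if ip not in ("127.0.0.1", "0.0.0.0"):
                e.notes.append("hosts file maps a name to a non-loopback address")
        elif e.kind in ("O2", "O3") and e.body.endswith("(no file)"):
            e.notes.append("registry entry with no backing file (orphan)")
        elif e.kind == "O4":
            m = O4_RE.search(e.body)
            target = command_target(m["cmd"]) if m else ""
            if target and "\\" not in target and "/" not in target:
                e.notes.append("bare file name; resolve which copy actually runs")
        elif e.kind == "R1" and "ProxyServer" in e.body:
            e.notes.append("a proxy server is configured; confirm it is intentional")
        elif e.kind == "O16" and "(" not in e.body:
            e.notes.append("ActiveX download with no description")
    return entries


def flagged_entries(text):
    """Entries that picked up at least one note, in log order."""
    return [e for e in review(parse_hjt(text)) if e.notes]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind}: {e.body}\n    -> {'; '.join(e.notes)}")
```

Run as a script it prints the five flagged entries from the sample; to use it on a real log, pass the file's contents to flagged_entries.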

#3 blue sky

Posted 21 May 2004 - 01:13 PM

bump (oslogo and msconfig remnants)

#4 blue sky

Posted 21 May 2004 - 02:08 PM

Update: Now (again with Xoftspy) I find cws.msconfig on my other computer along with three cookies (hitbox[1], bluestreak[1], ehg-space.hitbox) and 2 reference keys each to Winpup32 and WildTangent. There were many noxious elements in this second computer (desktop) before I fixed/removed them, and so some or all of these latter encroachers may be unrelated to the CWS problem as far as I know. The performance of this desktop computer was severely compromised, unlike in the case of my laptop which also happens to have this malware msconfig.exe file (original problem posted above). In fact, I was just trying some of the software I was using (to attempt fixing this desktop pc) out on my laptop when I unexpectedly found the two cws variants or traces of them with Xoftspy, thus inspiring me to come to the forum . . .

#5 blue sky

Posted 21 May 2004 - 04:11 PM

bump. . .

#6 blue sky

Posted 21 May 2004 - 06:47 PM

bump

#7 blue sky

Posted 21 May 2004 - 10:57 PM

bump

#8 blue sky

Posted 23 May 2004 - 12:29 PM

***09:41 AM 05/23/2004
Well it seems similar contamination/destruction is found on both computers which I henceforth distinguish as LT (laptop) and DT (desktop), including cws.oslogo and cws.msconfig. Well my business has been down for a week now so I am taking matters into my own hands at this point. My background is in environmental protection services and I do not have much of a programming background other than self-exposure to computers and the internet. In the past I have been able to "fix" some problems but I've also destroyed my own operating system more than once. That's history. I've been reading information from various sites in the last 36 hours until I now know less about computers, the web and electronic malice than I thought I knew last week. Well, let the games begin. . .

My strategy is to fix DT first, then LT. Both OSs are Windows Me, fully updated and now using Sun java. Please disregard the HJT log first posted above until a later date when (iff) I fix the desktop. Before running HJT on this desktop computer (DT) I am assuming I will need to restore system files. Like LT, the DT system folder is also missing eleven files (according to TDS) but the list of file names varies slightly:
cmd.exe
netstat.exe
drwatson.exe
drwtsn32.exe
rundll32.exe
taskman.exe
taskmgr.exe
winlogon.exe
regedt32.exe
netmsg.dll
winsock.dll

The computer runs without these files, however perhaps sluggishly, and there is a hesitation whenever I open a program (cursor and display freeze for about ten seconds) and the mouse doesn't move the cursor around very adeptly (could be a bad mouse, planning to pick up a new one today).

This morning I ran Xoftspy and found I had two Winpup32 registry keys return after deletion yesterday, and a fresh reference to cws.oslogo under HKey_Current_User\software\microsoft\windows\current version\internet settings\zonemap\domains\coolwwwsearch.com. (I will try to attach a screen picture below). Even before rebooting, my home page (space.com) main ad now says "action cancelled". Several other differences in internet behavior now. I am guessing this is a good thing.

QUESTION 1: I deleted the above keys. Under domains I noticed a long sultry list of adult and gaming sites. Can I selectively delete these from the registry? If I delete a website that I later wish to visit, will the deletion from the registry prevent this?

I successfully deleted the 108kb msconfig.exe file with the help of KillBox. I assume that the first course of action should be to recover the missing system files. Also, since I have no msconfig capability at the moment, the only way I can control startup programs right now is through the program options themselves (actually haven't tried this yet) or through System Mechanic 4. So I am thinking without the system files above and now msconfig.exe, HJT may not run properly.

QUESTION 2: How can I be sure that the above list of files is needed by Windows Me in the systems subfolder?

QUESTION 3: Is there a good source on the internet for replenishing these files with the most updated files, or should I stick with my original CD and search for those files?

I will post again when I have made further progress, or not, in case this may be of help to someone or possibly generate suggestions. Thank you readers for your time ===SEAN

#9 blue sky

Posted 23 May 2004 - 01:36 PM

Prior to an attempt to recover msconfig.exe and the other eleven missing system files I ran CWShredder (FIX button) and it noted msconfig.exe as missing but reported that the system was clean. However, upon running CWShredder (SCAN ONLY button) I got the following result:

CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.or.../hijackthis.zip
http://www.spywarein.../hijackthis.zip

Windows ME (4.90.3000 )
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Profiles\TATAY\Application Data
Username: TATAY

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8806 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2838 bytes, A)
Found line in System.ini: shell=Explorer.exe
Found CWS.Aff.Madfinder file: C:\WINDOWS\BrowserHelper.dll (599552 bytes, A)

- END OF REPORT -

What does this mean? Note that my control.exe file is currently 2.09 kb and browserhelper.dll is located at c: and at c:\windows directories (both 585 kb). How about the statements regarding registry values, win.ini and system.ini above?
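
Every CWShredder scan-only line above carries its own test in parentheses ("if value is 2", "if filesize is over 50k", "should be http://"), and a line is only a hit when that test is actually satisfied. The following is an added example, not code from CWShredder or the poster: it parses the report verbatim and evaluates each condition, so the reader can see which lines are real findings and which are informational. On this report only CWS.Aff.Madfinder is matched unconditionally; the three ZoneMap lines fail their test because the domains sit in zone 4, which in Internet Explorer's URL security zones is Restricted sites (2 would be Trusted sites, the placement the CWS.Oslogo signature looks for); control.exe at 2144 bytes is far under the 50k threshold; and the prefix, win.ini and system.ini lines all show the expected defaults. The regular expressions, the Finding record and the reading of "50k" as 50 × 1024 bytes are my own assumptions (2144 bytes is under either reading).

```python
import re
from dataclasses import dataclass

# Sample input: the scan-only report lines from the post above, embedded verbatim.
REPORT = r"""
Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8806 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2838 bytes, A)
Found line in System.ini: shell=Explorer.exe
Found CWS.Aff.Madfinder file: C:\WINDOWS\BrowserHelper.dll (599552 bytes, A)
""".strip()

# Internet Explorer URL security zone numbers, as stored under ZoneMap\Domains.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

SIZE_RE = re.compile(r"^Found (?P<variant>CWS\.[\w.]+) \(if filesize is over (?P<kb>\d+)k\) file: (?P<path>.+?) \((?P<bytes>\d+) bytes")
ZONE_RE = re.compile(r"^(?P<variant>CWS\.[\w.]+) \(if value is (?P<expected>\d+)\) Registry value: Domains: (?P<domain>\S+) \[\*\] dword:(?P<actual>\d+)$")
PREFIX_RE = re.compile(r"^Registry value: (?P<name>.+?) \(should be (?P<expected>\S+)\) \[(?P<sub>[^\]]*)\] (?P<actual>\S*)$")
FILE_RE = re.compile(r"^Found (?P<variant>CWS\.[\w.]+) file: (?P<path>.+?) \((?P<bytes>\d+) bytes")
INI_RE = re.compile(r"^Found line in (?P<ini>\S+): (?P<key>\w+)=(?P<val>.*)$")


@dataclass
class Finding:
    label: str
    is_problem: bool   # True only when the line's own condition is satisfied
    detail: str


def _size(m):
    limit, size = int(m["kb"]) * 1024, int(m["bytes"])   # "50k" read as 50 KiB (assumption)
    return Finding(m["variant"], size > limit, f"{m['path']} is {size} bytes; signature needs more than {limit}")


def _zone(m):
    expected, actual = int(m["expected"]), int(m["actual"])
    return Finding(m["variant"], actual == expected,
                   f"{m['domain']} is in zone {actual} ({ZONES.get(actual, '?')}); "
                   f"signature needs zone {expected} ({ZONES.get(expected, '?')})")


def _prefix(m):
    return Finding(m["name"], m["actual"] != m["expected"], f"value is {m['actual']!r}, expected {m['expected']!r}")


def _file(m):
    # No condition in parentheses: the file match alone is the finding.
    return Finding(m["variant"], True, f"{m['path']} ({m['bytes']} bytes) matched with no extra condition")


def _ini(m):
    key, val = m["key"].lower(), m["val"].strip()
    if key in ("load", "run"):
        bad = val != ""                       # anything in load=/run= starts at logon
    elif key == "shell":
        bad = val.lower() != "explorer.exe"   # a replaced shell is the classic hijack
    else:
        bad = False
    return Finding(f"{m['ini']} {key}=", bad, f"{key}={val or '(empty)'}")


RULES = [(SIZE_RE, _size), (ZONE_RE, _zone), (PREFIX_RE, _prefix), (FILE_RE, _file), (INI_RE, _ini)]


def evaluate(report):
    """One Finding per non-empty report line; unrecognised lines are informational."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        for regex, handler in RULES:
            m = regex.match(line)
            if m:
                findings.append(handler(m))
                break
        else:
            findings.append(Finding(line, False, "informational"))
    return findings


def problems(report):
    """Labels of the lines whose condition actually holds."""
    return [f.label for f in evaluate(report) if f.is_problem]


if __name__ == "__main__":
    for f in evaluate(REPORT):
        print(f"{'HIT ' if f.is_problem else 'info'} {f.label}: {f.detail}")
```

Run as a script it prints one line per report entry with HIT or info in front; on this report only the BrowserHelper.dll line comes out as HIT.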

#10 blue sky

Posted 23 May 2004 - 06:32 PM

HELLO, I'm back. Mouse trouble seems to be related to CPU activity but I still plan to replace it today.

I lost contact with the internet for awhile and had to delete all cookies and temporary files to get back to this forum.

I was able to find the following windows me system files from my CD:
drwatson.exe 136 kb
msconfig.exe 108 kb (same size as the file I deleted)
msconfig.exe 108 kb (from merijn)
netstat.exe 32kb
rundll32.exe 24kb
rundll32.exe 24kb (from merijn)
taskman.exe 48kb

In the meantime Panda is alerting me to repeated spoofing (for example by UDP 209.133.47.222 and 66.81.0.252), then now for the first time a port scan TCP 158.109.91.107. THEN NOW, A red flag message from Panda, to the best of my memory, RESPONDING TO INTRUSION! RESPONSE TYPE INITIATED. BLOCKING ATTACK SENT BY IP AGAINST THIS COMPUTER. It spent ten minutes finalizing a defense during which time I shut down the dialup connection, probably impacting Panda's defense.

I'm back online now. Files still missing:
drwtsn32.exe
taskmgr.exe
winlogon.exe
regedt32.exe
netmsg.dll

QUESTION: How critical are the above files? Where may I find these if needed or desirable?

I'm going to restore the files I did find in dos mode now and see what happens. . .

#11 blue sky

Posted 25 May 2004 - 01:19 AM

OK, ran AVG, cleaned up the registry, caches and several programs.

Here is the HJT log (reboot, all startup programs enabled, but normally I run with selected startup) then I turned off System Mechanic 4 Memory Defragger, Panda firewall, AVG antivirus and Spy Robot Teatimer before executing HJT:

Logfile of HijackThis v1.97.7
Scan saved at 10:27:20 PM, on 05/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE
C:\WINDOWS\WEBSHOTS.SCR
C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
C:\WINDOWS\DRWATSON.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Home-sweet-Home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\PROGRAM FILES\SCREENPRINT32 V3\SCREENPRINT32.exe -startup
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SRP Startup] C:\WINDOWS\SYSTEM\SRP\SRRPRO.EXE /startup
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\SMUtilityBar.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE
O4 - Startup: PUP STOPPER.lnk = C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - User Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE
O4 - User Startup: PUP STOPPER.lnk = C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8022.4287962963
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx

#12 blue sky

Posted 25 May 2004 - 01:50 AM

I removed two R0 items and a few O4 startup instructions, with the resultant HJT log given below.

The computer is running slightly faster now and starts much faster, but there is still a 3-5 second hesitation (cursor and screen freeze) when I open a program. I guess at this point I am going to have to call this desktop unit good, however, I believe a format would produce better results. I cannot do that right now as I need this DT computer to transfer data files from my laptop and burn some backup CDs. I will proceed next post with fixing the laptop. One final note on this desktop, in the absence of any comments, the task manager hangs every time on shut down caused by centinel.vxd. I don't know what this means. The last HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 11:38:20 PM, on 05/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
C:\WINDOWS\WEBSHOTS.SCR
C:\WINDOWS\DRWATSON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Home-sweet-Home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE
O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - User Startup: DRWATSON.EXE.lnk = C:\WINDOWS\DRWATSON.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8022.4287962963
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx

#13 blue sky

Posted 25 May 2004 - 07:10 PM

I have gone back to fixing the laptop (LT) now that I have a more stable desktop onto which to unload my user files. I have checked with the latest antivirus definitions and executed general maintenance including deletion of cookies, temp files and defrag and am now ready to run HJT (log to be posted next). Three questions:

1) I am aware that it is a bad idea to run two resident antivirus programs. I am now running Panda (firewall protection only), AVG AV and Spybot teatimer at startup. Whether I run all or none of these at startup has little apparent effect on performance. Is this likely to be a compatible configuration?

2) Using Panda I am often blocking spoofing (what is this?) from UDP 209.133.47.222 and UDP 66.81.0.252; and TCP 158.109.91.107 both port scanned me and attempted an intrusion. Is there a list of "bad boys" that I can look up or is there a way to trace these parties?

3) Has anyone written about or characterized the nature and extent of WinMe OS damage caused by the above pests and/or suggestions on how to revitalize performance other than by reformatting? Is there any kind of system analysis available along this vein in addition to SFP?

#14 blue sky

Posted 27 May 2004 - 03:18 PM

OK, with LT (laptop) WinMe startup in normal mode, after startup manually shutting down AVG AV, ZoneAlarm and Cachemem, then running HJT scan with the resulting log:

Logfile of HijackThis v1.97.7
Scan saved at 9:06:36 PM, on 5/25/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\ACER INC\POWERKEY\POWERKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SCREENPRINT32 V3\SCREENPRINT32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\ACER INC\INDICATOR V1.2\INDICATOR.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
C:\ARCHIVE\DEVICES\FLASH\SDSTAT.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: (no name) - {0A4DC360-26A5-4FC1-8FB2-ADD00738A99B} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AcerPowerkey] "C:\Program Files\Acer Inc\Powerkey\Powerkey.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\PROGRAM FILES\SCREENPRINT32 V3\SCREENPRINT32.exe -startup
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TweakDUN] C:\PROGRAM FILES\TWEAKDUN\tweakdun.exe splash
O4 - HKLM\..\Run: [Pcc] c:\windows\pcc.exe
O4 - HKLM\..\Run: [Indicator] "C:\Program Files\Acer Inc\Indicator v1.2\d_indicator.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\SMUtilityBar.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\CACHEMAN\Cacheman.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe
O4 - Startup: FlashPath Status.lnk = C:\Archive\devices\flash\SDSTAT.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CacheSentry.exe.lnk = C:\Program Files\CacheSentry\CacheSentry.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - User Startup: HP ODLB08.lnk = C:\Program Files\Hewlett-Packard\HP PSC 500 98\scanning\Hpodlb08.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: System Mechanic 4 Utility Bar.lnk = C:\Program Files\iolo\System Mechanic 4\SMUtilityBar.exe
O4 - User Startup: FlashPath Status.lnk = C:\Archive\devices\flash\SDSTAT.exe
O4 - User Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - User Startup: CacheSentry.exe.lnk = C:\Program Files\CacheSentry\CacheSentry.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2002\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2002\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2002\\Parser.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8030.7398611111
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab

#15 blue sky

Posted 27 May 2004 - 03:20 PM

I have weeded the startup garden with the resulting new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 6:12:12 PM, on 5/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\ACER INC\POWERKEY\POWERKEY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\HJT\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueskyenvironment.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BLUE SKY
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AcerPowerkey] "C:\Program Files\Acer Inc\Powerkey\Powerkey.exe"
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TweakDUN] C:\PROGRAM FILES\TWEAKDUN\tweakdun.exe splash
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2002\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2002\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2002\\Parser.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8030.7398611111
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab



