Jump to content


Photo

CWS trojan


  • Please log in to reply
49 replies to this topic

#1 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 08 July 2004 - 12:28 PM

i have a variation of the cws bug and cannot get rid of it. ive run adaware, spybot, spysweeper, and cwshredder and its still there. please let me know what i should do. im assuming running hijack this and posting my log will be the next step, but i need some consent

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 08 July 2004 - 12:30 PM

Yes please post a Hijack This log. Download and help page in my signature.

:)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 08 July 2004 - 04:58 PM

here is the log from hijackthis:



Logfile of HijackThis v1.97.7
Scan saved at 5:56:41 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\sfcfiles.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx

#4 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 08 July 2004 - 05:06 PM

A few wierd stuff.. random names etc..

A few items i think are suspicious

O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe

Id strongly suggest removing MsnPlus.
Then running an online virus scan from
Once you are done please post a new Hijack This log... we'll see if it removes these items.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#5 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 08 July 2004 - 05:10 PM

how do i remove msn plus? is it on the hijack this log?

#6 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 08 July 2004 - 05:11 PM

No...

Goto Start - Control Panel - Add/Remove Programs - and remove MsnPlus :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#7 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 08 July 2004 - 05:19 PM

there is no program there that says MSN Plus. could it be under a different name?

#8 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 08 July 2004 - 05:22 PM

Messenger Plus.

If its not there just continue with the other directions :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#9 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 08 July 2004 - 08:29 PM

here is the new logfile after i ran panda's scan.



Logfile of HijackThis v1.97.7
Scan saved at 9:28:09 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx

#10 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 08 July 2004 - 09:13 PM

i was wondering if i should also run the about:buster

#11 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 12 July 2004 - 09:27 PM

sorry for extra posts, but can anyone help me?

#12 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 12 July 2004 - 09:38 PM

Ok just tick the box next to this one. (close windows, hit fix checked, reboot)

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab

Are you still having problems?

These processes dont look to appetizing. Can you find both files and get some of there properties.

C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\fpapli.exe
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#13 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 13 July 2004 - 09:54 AM

i deleted the weatherbug thing and checked on the two suspicious files. they are for my touchscreen mouse. i am still having problems.

here is a new hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 10:54:11 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {888EE8AC-6A1B-435E-B2D7-820D74BA3EBC} - C:\WINDOWS\System32\jcmlkl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx

#14 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 14 July 2004 - 03:25 PM

can anyone help?

#15 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 14 July 2004 - 03:50 PM

Well since nobody else is helping you and i do not use FindNfix lets see how Ad-Aware fares on this..

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
  • Unload recognized processes during scanning
  • Include basic Ad-aware settings in logfile
  • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
  • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer and post a new Hijack This log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#16 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 14 July 2004 - 05:12 PM

here is the new hijack this log:


Logfile of HijackThis v1.97.7
Scan saved at 6:10:09 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx

#17 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 14 July 2004 - 09:04 PM

ive been also getting windows messages that my virtual memory is too low and that it will be increased. it has only started happening since the trojan. could it be from the CWS trojan?

#18 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 14 July 2004 - 10:26 PM

Yes it could easily be coming from CWS... I would like to see if you still have CWS... Please do this time travel test... Set your computer clock ahead a few days, reboot and run HJT, then post the fresh log here... then set your clock back to normal... DO NOT fix anything in the HJT log before posting... Also, you need to download the latest version of HJT to get the information we need to fix this thing... Please use the link below in my signature and while you are there also get the latest version of CWShredder and AboutBuster, both were recently updated and we may need both to kill this thing... Just save them for now, but use the HJT to do the new log...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#19 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 10:10 AM

here is my new log:



Logfile of HijackThis v1.97.7
Scan saved at 11:09:36 AM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C312D49A-0ECC-4FE8-A7B2-94EF89970FE3} - C:\WINDOWS\System32\cmh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx

#20 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 10:16 AM

sorry that log was before i had downloaded the new version of hjt. here is the new log


Logfile of HijackThis v1.98.0
Scan saved at 11:14:20 AM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C312D49A-0ECC-4FE8-A7B2-94EF89970FE3} - C:\WINDOWS\System32\cmh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx
O18 - Filter: text/html - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll
O18 - Filter: text/plain - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll

#21 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 06:09 PM

should i try running the new cwshredder?

#22 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 15 July 2004 - 06:43 PM

Hold off on using CWShredder until we try this other fix... It is not reliable in removing this variant and AboutBuster doesn't seem to be able to handle it yet... There is a somewhat complext fix that will safely remove it... Follow these steps carefully and post back if you are confused at any point...

First, you will need to download reglite...

http://www.resplendence.com/reglite

Run reglite and open this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DoubleClick and identify the file listed in AppInit_DLLs. I believe that is this file: cmh.dll

Create new folder for backups somewhere: (e.g. My Documents\Backups)
Hilite the Windows key marked in purple, and use reglite's file menu>export, save in the following formats:
Name them as--
1.) Winkey.reg (Selected by defaults) (Save as type: regedit4 .reg type)
2.) Winkey.hiv (in Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)

When both files/backups are successfully saved, Rename the Windows key to Windows1
, Clear the data in the AppInit value., Rename back to original , restart
Preferably in Safe mode, find and delete the file.

--When done:
1.) Navigate to backups location, And DoubleClick on the winkey.reg file.
Answer yes to the prompt.
2.) Run reglite, open the same windows key:
While it's being selected/marked in purple, Use reglite's file menu>Import
Browse to and select the "winkey.hiv" saved.
Hit 'open' , merge and 'ok' it.
Repeat the cleanup steps outlined before in the AppInit value (clearing the data)
=====================================================
*If the file name irself is unknown following the steps above, inspect properties of all dlls in System32 ~ that are 56k, 57,344 bytes, modified in last 5 months.

*Most AVs would recognise the file anyway, when it isn't active.
Primarily, AVG free.

*If the file is found but can't be deleted!
Create Dummy folder (e.g. C:\junk) Move it there, first:
1.)
-RightClick on it: properties
/Advanced/Security/permissions \
and take ownership giving yourself 'Full control'.
2.)-Right click the 'Container' (junk) folder itself. hit properties.
-Go to the security tab and click the advanced button.
-check the box to reset permissions on all child objects.
Hit apply. ok
Delete file+folder.

This is a fix from one of the Developers, freeatlast, and hopefully will be able to do the job... We have other choices as well, but this is actually one of the easier ones... If you can make it all the way through, do the time travel test again and post a fresh log....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#23 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 07:22 PM

i am up to this point...

Hold off on using CWShredder until we try this other fix... It is not reliable in removing this variant and AboutBuster doesn't seem to be able to handle it yet... There is a somewhat complext fix that will safely remove it... Follow these steps carefully and post back if you are confused at any point...

First, you will need to download reglite...

http://www.resplendence.com/reglite

Run reglite and open this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DoubleClick and identify the file listed in AppInit_DLLs. I believe that is this file: cmh.dll


after double clicking AppInit_DLLs i cant find anything with cmh.dll in it. the only thing there is after the "value" and it is "C:\WINDOWS\System32\wdmj.dll" is this what i need to make backups of? i am unsure of what to do from that point

#24 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 15 July 2004 - 07:31 PM

Yep that is the file, but you do not make backups of it... that is the one you actually will need to fix... Just note what it is and go on to the next step... you will be asked to remove it in another few steps....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#25 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 07:45 PM

where is the windows key i need to hilite?


Create new folder for backups somewhere: (e.g. My Documents\Backups)
Hilite the Windows key marked in purple, and use reglite's file menu>export, save in the following formats:
Name them as--
1.) Winkey.reg (Selected by defaults) (Save as type: regedit4 .reg type)
2.) Winkey.hiv (in Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)

#26 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 08:44 PM

the file would not let me delete it when i was in safe mode. are the steps you have in your post what i do next? (*If the file is found but can't be deleted!)

#27 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 15 July 2004 - 08:49 PM

Did you figure out the question in your previous post??

For your latest post: yes, go on to that step if you can't delete that file...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#28 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 08:51 PM

im pretty sure i figured out that step. if it was the folder on the left labeled WINDOWS, then yes that is the folder i exported and saved twice. so this is my next step:


*If the file is found but can't be deleted!
Create Dummy folder (e.g. C:\junk) Move it there, first:
1.)
-RightClick on it: properties
/Advanced/Security/permissions \
and take ownership giving yourself 'Full control'.
2.)-Right click the 'Container' (junk) folder itself. hit properties.
-Go to the security tab and click the advanced button.
-check the box to reset permissions on all child objects.
Hit apply. ok
Delete file+folder.

do i do this in safe mode or regular?

#29 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 15 July 2004 - 09:03 PM

Try it in Normal mode and move to Safe Mode if it doesn't work... Unless you are already in Safe Mode of course... :D
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#30 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 09:07 PM

when i go into properties for "wdmj.dll" there is no tab for security. there is also no security tab for the junk folder either.

#31 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 15 July 2004 - 09:19 PM

What tabs do you have?? Are you in the Administrator's profile?? Do you have a "Sharing" tab??

If this doesn't work, we do have another option, but this is the preferable way... You do need to be in the Administrator profile to do this fix...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#32 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 15 July 2004 - 09:33 PM

there is only a sharing tab for the junk folder. when i click advanced on the file i get "archive and index attributes" and "compress or encrypt attributes". and yes i am on the administrator.

#33 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 16 July 2004 - 09:17 PM

Sorry I didn't get back to you sooner, I didn't get a notice on your last post...

I think the option you need may be in the "archive and index attributes" and "compress or encrypt attributes"... What options do they offer??

Another option you can go to... Download Killbox in the links below, run it and put the full path to that file in it... Set it to delete on reboot and then do the reboot... Check after that and see if it is gone...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#34 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 18 July 2004 - 04:33 PM

sorry i was away for the weekend. i just tried killbox and it said the file doesnt seem to exist. here is what the options are for the properties of the file:

"archive and index attributes"
-File is ready for archiving
-for fast searching, allow indexing service to index this file

"Compress or encrypt attributes"
-compress contents to save disk space
-encrypt contents to secure data

those are the only options given after clicking advanced.

#35 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 18 July 2004 - 04:44 PM

disregard that last post. i was able to delete the file in safe mode after trying a few times. im going to finish up what you said about the backups and do the time travel and post a new hjt log.

#36 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 18 July 2004 - 05:13 PM

here is my new hjt log after the time travel. the trojan is definitely still here. popups, ie hijacking. spysweeper says it detects cws is running in my memory after each startup and says it is cmh.dll i believe. what could be my next option

#37 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 18 July 2004 - 05:13 PM

Logfile of HijackThis v1.98.0
Scan saved at 6:10:13 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C312D49A-0ECC-4FE8-A7B2-94EF89970FE3} - C:\WINDOWS\System32\cmh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx
O18 - Filter: text/html - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll
O18 - Filter: text/plain - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll

#38 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 18 July 2004 - 06:29 PM

Start back at the beginning with RegLite and see what the DLL is called and if it is still the same... If you run into the same impasse, look at your options under "archive and index attributes" I suspect that is where you may find the option that will allow you to really kill this thing...

In the meanwhile, say a little prayer (curse) that the people that wrote this thing end up with an extremely uncomfortable, but non-fatal illness that will make it even harder than it already is for them to seek the company of healthy individuals without immediate gasps of disgust.... :rant: :evilgrin:
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#39 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 18 July 2004 - 07:15 PM

there is nothing there in the value in reglite

#40 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 18 July 2004 - 07:27 PM

Then we have to do it the hard way...

"If the file name irself is unknown following the steps above, inspect properties of all dlls in System32 ~ that are 56k, 57,344 bytes, modified in last 5 months."

There are a couple of ways to do this... Open Windows Explorer and go to the System32 folder... Set View Options to Details and click on Extension to get all the DLLs to group together. Scan down the list for files that fit the description and check Properties of each one... If they are from a legit program, ignore them and go on... If they are not, write down the name to post back here... If there is only one and it looks random like the others you have seen, use the procedure noted to see if you can kill it...

The other option is to use Search and set the parameters to Search in System32 for a DLL with the right size and time frame, then check out whatever is found...

Either way, make sure Windows is set to show all hidden and system files as well as full extensions....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#41 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 18 July 2004 - 07:44 PM

i cant find anything suspicious in that size range. i did find cmh.dll. should i delete that?

#42 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 18 July 2004 - 10:15 PM

You can delete it, but it probably won't fix the problem, it will just generate a new DLL...

I just got a PM from another user who pointed out that you need to be in Safe Mode for most of these steps to work and I realized the directions are not clear about that... To find and use this, you need to be in Safe Mode:

If the file is found but can't be deleted!
Create Dummy folder (e.g. C:\junk) Move it there, first:
1.)
-RightClick on it: properties
/Advanced/Security/permissions \
and take ownership giving yourself 'Full control'.
2.)-Right click the 'Container' (junk) folder itself. hit properties.
-Go to the security tab and click the advanced button.
-check the box to reset permissions on all child objects.
Hit apply. ok
Delete file+folder.

Go back to the start of the fix with RegLite and do it in Safe Mode as much as possible, then let me know how it is going... Hopefully you will be able to find and kill that DLL in Safe Mode...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#43 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 19 July 2004 - 02:24 PM

i found and deleted the wdmj.dll file a couple days ago. now there is no value in the reglite where that wdmj.dll used to be. i found nothing suspicious when looking through the dll's of the specific size range. should i search through the dlss in safe mode? could they be hidden unless im in safe mode?

#44 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 19 July 2004 - 06:12 PM

I am suggesting that you go back to the beginning in Safe Mode... Even though you may have deleted the wdmj.dll file, it appears that there is still an active DLL infecting your system and you need to find it... If it doesn't show up in RegLite in Safe Mode, then look for the file manually in Safe Mode... If you still don't find it, I will have to consult with others here to see if there is something being missed in the process... This thing is hard to kill, but this fix usually does it...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#45 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 19 July 2004 - 11:01 PM

i went back in safe mode and tried to find the value of the dll. there is nothing there. i searched again in safe mode for suspicious dll's and found nothing. after deleting admj.dll and cmh.dll i havent been having any more problems yet. should i try the time travel again and repost a new hjt log?

#46 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 19 July 2004 - 11:06 PM

Yes, go ahead and do the Time Travel... hopefully that is it... :D
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#47 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 20 July 2004 - 09:04 AM

here is the new log after the time travel:


Logfile of HijackThis v1.98.0
Scan saved at 10:03:25 AM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://one.drexel.edu/cp/home/loginf
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C312D49A-0ECC-4FE8-A7B2-94EF89970FE3} - C:\WINDOWS\System32\cmh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [sfcfiles] C:\WINDOWS\System32\sfcfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw7fd.law7.ho...ex/HMAtchmt.ocx
O18 - Filter: text/html - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll
O18 - Filter: text/plain - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll

#48 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 20 July 2004 - 09:12 AM

I'll have to check again when I get home and have all of my tools, but do some cleanup in the meanwhile and we'll see if it is really clean... Use HJT to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll
O18 - Filter: text/plain - {CE37AA0F-365D-4C74-AE0E-500DE11E60E6} - C:\WINDOWS\System32\cmh.dll

Then reboot and run HJT again. If they are still there, try in Safe Mode, then reboot and post the log again... Hopefully this will do it...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#49 vicskim3

vicskim3

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 20 July 2004 - 01:51 PM

they were deleted when i ran hjt again. so hopefully it is gone now. thanks for all your help and ill post back if i have any more questions. i really appreciate it.

#50 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 20 July 2004 - 06:44 PM

Well it would have been good to see an HJT log to be sure it is clean, but I will settle for your report... Congratulations on getting it cleaned up... Here is my prevention speech to help keep it that way:

This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Check out this article for more ideas:

http://www.computerc...tlite7736-.html
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button