Jump to content


Photo

Malware removal


  • Please log in to reply
9 replies to this topic

#1 Thunderbay

Thunderbay

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 23 July 2004 - 11:26 AM

Hi there,

I downloaded and ran CWShredder and it removed 5 infected registry entries, although it did not specifically detect any CWS entries.
I had to do that because I couldn't even access my home page and, when I typed a URL it wouldn't allow me to access certain sites (e.g. my home page).

I have downloaded Ad-aware and Spybot but have not installed them yet.
Here is the HJT log -
----------------------------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 10:56:14 AM, on 7/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\System32\msbb.exe
C:\WINNT\System32\SahAgent.exe
C:\WINNT\System32\wyzwbaj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINNT\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\calsdr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [msbb] C:\WINNT\System32\msbb.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\System32\SahAgent.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [xwvohul] C:\WINNT\xwvohul.exe
O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E08B0D8-6486-47B1-856D-30EB74C7C039}: NameServer = 216.90.136.1 216.90.136.2

Thank you

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 23 July 2004 - 02:10 PM

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Make sure the following settings are made and on (ON=GREEN)

From main window click "Start" then " Activate in-depth scan"

Click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning", "Cleaning engine" and "Let windows remove files in use at next reboot"

To save your settings click "proceed".

Now click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

reboot again, and let Adaware run if it asks.

Then rescan with Hijack this, and post a fresh log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 Thunderbay

Thunderbay

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 24 July 2004 - 01:36 PM

Ad-aware run (after update) identified and deleted -
5 processes
78 registrykeys
10 registry values
156 files
6 folders

Re-booted and ran Ad-aware again - it deleted 1 tracking cookie.

HJT log
----------------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 12:40:17 PM, on 7/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINNT\System32\wyzwbaj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\mail_shots\spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 24 July 2004 - 02:18 PM

Thats a LOT better.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

Reboot and delete

files
C:\WINNT\System32\wyzwbaj.exe
C:\WINNT\System32\WINdirect.exe
C:\WINNT\System32\winxp.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 Thunderbay

Thunderbay

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 25 July 2004 - 01:18 PM

OK, deleted the 5 registry entries, rebooted and deleted the 3 files.
Next to 'winxp.exe' were 4 files, the purpose of which I have no idea,
so I put them into a compressed directory 'winxp.zip' until you have
chance to read this. The 'Date Modified' is similar to the deleted
'WINdirect.exe' so I suspect a connection, intentional or otherwise -

winxp.exeopenopenopenopen 2 KB 7/22/2004 8:40 AM
winxp.exeopenopenopen 2 KB 7/22/2004 8:40 AM
winxp.exeopenopen 22 KB 7/22/2004 4:42 PM
winxp.exeopen 22 KB 7/22/2004 4:42 PM

- following is new HJT log -
-------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 12:44:36 PM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINNT\System32\wyzwbaj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\mail_shots\spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
----------------------------------------------------------------------------------
Question :
Do I need the following entries to be in startup?

---------------------------------------------------------------------------------------
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
--------------------------------------------------------------------------------------

The reason I ask is because, although my system is much faster than it was, it is still somewhat sluggish on start up and could still be faster afterwards.

Thanks

#6 Thunderbay

Thunderbay

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 25 July 2004 - 04:10 PM

In C:\WINNT\system32 the following files still reside and must have been part of the
spyware system used by some of the deleted files -

Deleted file ----- Other files -------------------------- action
msbb.exe ------- msbb.log - dm 7/24/2004 1118 ----- to 'msbb.zip' & deleted
msbb.exe ------- msbb_kyf.dat - 7/23/2004 1030 ----- to 'msbb.zip' & deleted
msbb.exe ------- msbb321.dll - dm 3/15/2004 1659 --- none
msbb.exe ------- msbbau.dat - dm 6/28/2004 1753 --- none
SahAgent.exe -- SHAgentNew.dll - 3/15/2004 1700 --- none
calsdr.dll -------- calsdr.dll - dm 200403111440 ------- none (file not deleted)
calsdr.dll -------- calsdr.exe - dm 200403211047 ------ none

- in the above calsdr.dll was an '02' entry in the HJT log but the run of
'Ad-aware 6' did not, apparently, delete the file, although it must have deleted the
registry entry.

I also noticed some new '.exe' files -

_dll.exe dm 200407251242 (2 minutes after I logged on to the internet)
erl.exe dm 200407251027
ect.exe dm 200407251027
re_files.exe dm 200407221647

I ran 'Ad-aware' on the C:\WINNT directory plus subs

'Ad-aware' found as follows -
--------------------------------------------------------
Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

CoolWebSearch Object recognized!
Type : File
Data : erl.exe
Object : C:\WINNT\system32\
FileSize : 5 KB
Created on : 7/24/2004 4:17:45 PM
Last accessed : 7/25/2004 8:41:59 PM
Last modified : 7/25/2004 3:27:10 PM



Win32.I-Worm.ai Object recognized!
Type : File
Data : re_file.exe
Object : C:\WINNT\system32\
FileSize : 5 KB
Created on : 7/22/2004 9:47:09 PM
Last accessed : 7/25/2004 8:42:53 PM
Last modified : 7/22/2004 9:47:23 PM



CoolWebSearch Object recognized!
Type : File
Data : _dll.exe
Object : C:\WINNT\system32\
FileSize : 11 KB
Created on : 7/22/2004 9:47:29 PM
Last accessed : 7/25/2004 8:43:17 PM
Last modified : 7/25/2004 5:42:17 PM



Disk scan result for C:\WINNT\
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 3

3:43:20 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:04:47:859
Objects scanned :20658
Objects identified :3
Objects ignored :0
New objects :3
--------------------------------------------------------
I deleted the 'worm' object but decided to use 'CWShredder' to delete the CWS
files - however I could not update the shredder (it struck me that something
may be blocking the update) and it didn't recognize the files
(there are apparently no registry entries).

SO I ran Ad-aware again and this time deleted both the CWS files.
I also put 'ect.exe' into a zip file and deleted the .exe file.

I await with bated breath - this thing's rampant!

Edited by Thunderbay, 27 July 2004 - 12:04 PM.


#7 Thunderbay

Thunderbay

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 25 July 2004 - 11:27 PM

Although signed in as 'Thunderbay' I am 'NormanD' (Helper Trainee) and I am doing a favor for friends of mine at Thunder Bay Resort here in the midwest of the USA. My friends have no security (Norton AV not updated for 18 months) and no Windows updates have been downloaded forever. They also have no idea what they should do to counterract the threats which exist.
Either they have something on their computer which is installing or reinstalling these CWS files or they are being targetted as soon as they log on to the internet.
I can help them with NAV and the WIndows updates but I'm not sure what to do with the stream of malware files with which they are being infected.

Could you please suggest a strategy to overcome these problems?
I am reporting this from my own computer, which you very recently helped me to clear of malware (case 14970).
If I do this in future would you prefer that I log in as myself or as the new customer? I have told a few people about your organization and all of a sudden they are all wanting me to help them! (D'oh!)
The only snag with logging in as myself would be that I would appear to be 'hogging' the resources for myself when I am actually trying to help others with whom I am friends/acquaintances.

Thank you for your time and expertise.

#8 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 02 August 2004 - 08:29 PM

Did I do something wrong or is everyone too busy to reply to my queries please?
Seeing the number of new cases the latter would not surprise me but I wondered whether I should have done things a different way or if I did something wrong.
The people at Thunder Bay Resort keep asking me when they can be sure their computer is OK and I don't know what to tell them.

#9 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 05 August 2004 - 01:38 AM

This was previously a fit of pique - please ignore.

Edited by NormanD, 05 August 2004 - 10:32 AM.


#10 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 05 August 2004 - 02:30 PM

Nothing obvious in the last log you posted. It seems that I didn't get any notification of replies in the topic, for some reason.

To spped up the machine, I suggest that you visit Black Viper's site and follow the hints there about stopping unneeded Windows services.
Answers that work Als o has useful information about startup programs in the Tasklist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button