Thunderbay

Malware removal

10 posts in this topic

Hi there,

 

I downloaded and ran CWShredder and it removed 5 infected registry entries, although it did not specifically detect any CWS entries.

I had to do that because I couldn't even access my home page and, when I typed a URL it wouldn't allow me to access certain sites (e.g. my home page).

 

I have downloaded Ad-aware and Spybot but have not installed them yet.

Here is the HJT log -

----------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0

Scan saved at 10:56:14 AM, on 7/23/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\alg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\Program Files\Common Files\CMEII\CMESys.exe

C:\WINNT\System32\msbb.exe

C:\WINNT\System32\SahAgent.exe

C:\WINNT\System32\wyzwbaj.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Date Manager\DateManager.exe

C:\Program Files\PrecisionTime\PrecisionTime.exe

C:\Program Files\Common Files\GMT\GMT.exe

C:\WINNT\System32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll

O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\calsdr.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [msbb] C:\WINNT\System32\msbb.exe

O4 - HKLM\..\Run: [sAHAgent] C:\WINNT\System32\SahAgent.exe

O4 - HKLM\..\Run: [belt] C:\WINNT\Belt.exe

O4 - HKLM\..\Run: [xwvohul] C:\WINNT\xwvohul.exe

O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe

O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe

O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{6E08B0D8-6486-47B1-856D-30EB74C7C039}: NameServer = 216.90.136.1 216.90.136.2

 

Thank you

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

 

Make sure the following settings are made and on (ON=GREEN)

 

From main window click "Start" then " Activate in-depth scan"

 

Click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

 

Go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning", "Cleaning engine" and "Let windows remove files in use at next reboot"

 

To save your settings click "proceed".

 

Now click the "Scan" button.

 

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

 

Reboot again, and let Adaware run if it asks.

 

Then rescan with Hijack this, and post a fresh log.


Ad-aware run (after update) identified and deleted -

5 processes

78 registrykeys

10 registry values

156 files

6 folders

 

Re-booted and ran Ad-aware again - it deleted 1 tracking cookie.

 

HJT log

----------------------------------------------------------------------------

Logfile of HijackThis v1.98.0

Scan saved at 12:40:17 PM, on 7/24/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\alg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Microsoft Works\WksSb.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\WINNT\System32\wyzwbaj.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\mail_shots\spybot\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe

O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe

O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


That's a LOT better.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

 

O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe

O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe

O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe

Reboot and delete

 

files

C:\WINNT\System32\wyzwbaj.exe

C:\WINNT\System32\WINdirect.exe

C:\WINNT\System32\winxp.exe

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

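The helper's "That's a LOT better" verdict comes from comparing the two HijackThis logs by eye. As an added example (not a tool from this thread or from the HijackThis project), the script below parses the R*/O* entry lines of a v1.98-style log and reports what disappeared and what appeared between two scans, which is the triage step a responder repeats after each cleanup round. The embedded logs are constructed excerpts of the ones posted above; the `(hive, label)` keying for O4 entries is this example's own choice.

```python
"""Parse HijackThis (v1.98-style) entry lines and diff two scans of one machine.

Added illustration for this thread; the log excerpts below are constructed
from the logs posted above, not a complete scan.
"""
import re
from typing import Dict, Set, Tuple

# Every HJT finding starts with a section code (R0-R3, O1-O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# O4 autostart bodies look like: HKLM\..\Run: [label] C:\path\prog.exe args
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

LOG_BEFORE = r"""Logfile of HijackThis v1.98.0
Scan saved at 10:56:14 AM, on 7/23/2004

Running processes:
C:\WINNT\System32\msbb.exe

R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O4 - HKLM\..\Run: [msbb] C:\WINNT\System32\msbb.exe
O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe
O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E08B0D8-6486-47B1-856D-30EB74C7C039}: NameServer = 216.90.136.1 216.90.136.2
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.0
Scan saved at 12:40:17 PM, on 7/24/2004

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\mail_shots\spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [udejaqbds] C:\WINNT\System32\wyzwbaj.exe
O4 - HKCU\..\Run: [key] C:\WINNT\System32\winxp.exe
"""


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Map section code -> set of entry bodies; header, blank lines and the
    'Running processes' block carry no code and are skipped."""
    entries: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group("code"), set()).add(m.group("body"))
    return entries


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added) full entry lines between two scans."""
    def flat(d: Dict[str, Set[str]]) -> Set[str]:
        return {f"{code} - {body}" for code, bodies in d.items() for body in bodies}
    a, b = flat(parse_hjt(before)), flat(parse_hjt(after))
    return a - b, b - a


def run_entries(text: str) -> Dict[Tuple[str, str], str]:
    """Autostart (O4 Run) entries keyed by (hive, value label) -> command,
    so a responder can see which launch commands survived a cleanup."""
    out: Dict[Tuple[str, str], str] = {}
    for body in parse_hjt(text).get("O4", set()):
        m = RUN_RE.match(body)
        if m:
            out[(m.group("hive"), m.group("label"))] = m.group("cmd")
    return out


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for line in sorted(removed):
        print("- " + line)
    for line in sorted(added):
        print("+ " + line)
    for (hive, label), cmd in sorted(run_entries(LOG_AFTER).items()):
        print(f"still autostarting: {hive} [{label}] -> {cmd}")
```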

OK, deleted the 5 registry entries, rebooted and deleted the 3 files.

Next to 'winxp.exe' were 4 files, the purpose of which I have no idea,

so I put them into a compressed directory 'winxp.zip' until you have

chance to read this. The 'Date Modified' is similar to the deleted

'WINdirect.exe' so I suspect a connection, intentional or otherwise -

 

winxp.exeopenopenopenopen 2 KB 7/22/2004 8:40 AM

winxp.exeopenopenopen 2 KB 7/22/2004 8:40 AM

winxp.exeopenopen 22 KB 7/22/2004 4:42 PM

winxp.exeopen 22 KB 7/22/2004 4:42 PM

 

- following is new HJT log -

-------------------------------------------------------------------

Logfile of HijackThis v1.98.0

Scan saved at 12:44:36 PM, on 7/25/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\alg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Microsoft Works\WksSb.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\WINNT\System32\wyzwbaj.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\mail_shots\spybot\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

----------------------------------------------------------------------------------

Question :

Do I need the following entries to be in startup?

 

---------------------------------------------------------------------------------------

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

--------------------------------------------------------------------------------------

 

The reason I ask is because, although my system is much faster than it was, it is still somewhat sluggish on start up and could still be faster afterwards.

 

Thanks


In C:\WINNT\system32 the following files still reside and must have been part of the

spyware system used by some of the deleted files -

 

Deleted file ----- Other files -------------------------- action

msbb.exe ------- msbb.log - dm 7/24/2004 1118 ----- to 'msbb.zip' & deleted

msbb.exe ------- msbb_kyf.dat - 7/23/2004 1030 ----- to 'msbb.zip' & deleted

msbb.exe ------- msbb321.dll - dm 3/15/2004 1659 --- none

msbb.exe ------- msbbau.dat - dm 6/28/2004 1753 --- none

SahAgent.exe -- SHAgentNew.dll - 3/15/2004 1700 --- none

calsdr.dll -------- calsdr.dll - dm 200403111440 ------- none (file not deleted)

calsdr.dll -------- calsdr.exe - dm 200403211047 ------ none

 

- in the above calsdr.dll was an '02' entry in the HJT log but the run of

'Ad-aware 6' did not, apparently, delete the file, although it must have deleted the

registry entry.

 

I also noticed some new '.exe' files -

 

_dll.exe dm 200407251242 (2 minutes after I logged on to the internet)

erl.exe dm 200407251027

ect.exe dm 200407251027

re_files.exe dm 200407221647

 

I ran 'Ad-aware' on the C:\WINNT directory plus subs

 

'Ad-aware' found as follows -

--------------------------------------------------------

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : File

Data : erl.exe

Object : C:\WINNT\system32\

FileSize : 5 KB

Created on : 7/24/2004 4:17:45 PM

Last accessed : 7/25/2004 8:41:59 PM

Last modified : 7/25/2004 3:27:10 PM

 

 

 

Win32.I-Worm.ai Object recognized!

Type : File

Data : re_file.exe

Object : C:\WINNT\system32\

FileSize : 5 KB

Created on : 7/22/2004 9:47:09 PM

Last accessed : 7/25/2004 8:42:53 PM

Last modified : 7/22/2004 9:47:23 PM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : _dll.exe

Object : C:\WINNT\system32\

FileSize : 11 KB

Created on : 7/22/2004 9:47:29 PM

Last accessed : 7/25/2004 8:43:17 PM

Last modified : 7/25/2004 5:42:17 PM

 

 

 

Disk scan result for C:\WINNT\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 3

 

3:43:20 PM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:04:47:859

Objects scanned :20658

Objects identified :3

Objects ignored :0

New objects :3

--------------------------------------------------------

I deleted the 'worm' object but decided to use 'CWShredder' to delete the CWS

files - however I could not update the shredder (it struck me that something

may be blocking the update) and it didn't recognize the files

(there are apparently no registry entries).

 

SO I ran Ad-aware again and this time deleted both the CWS files.

I also put 'ect.exe' into a zip file and deleted the .exe file.

 

I await with bated breath - this thing's rampant!

Edited by Thunderbay

Share this post


Link to post
Share on other sites

Although signed in as 'Thunderbay' I am 'NormanD' (Helper Trainee) and I am doing a favor for friends of mine at Thunder Bay Resort here in the midwest of the USA. My friends have no security (Norton AV not updated for 18 months) and no Windows updates have been downloaded forever. They also have no idea what they should do to counteract the threats which exist.

Either they have something on their computer which is installing or reinstalling these CWS files or they are being targeted as soon as they log on to the internet.

I can help them with NAV and the Windows updates but I'm not sure what to do with the stream of malware files with which they are being infected.

 

Could you please suggest a strategy to overcome these problems?

I am reporting this from my own computer, which you very recently helped me to clear of malware (case 14970).

If I do this in future would you prefer that I log in as myself or as the new customer? I have told a few people about your organization and all of a sudden they are all wanting me to help them! (D'oh!)

The only snag with logging in as myself would be that I would appear to be 'hogging' the resources for myself when I am actually trying to help others with whom I am friends/acquaintances.

 

Thank you for your time and expertise.


Did I do something wrong or is everyone too busy to reply to my queries please?

Seeing the number of new cases the latter would not surprise me but I wondered whether I should have done things a different way or if I did something wrong.

The people at Thunder Bay Resort keep asking me when they can be sure their computer is OK and I don't know what to tell them.


This was previously a fit of pique - please ignore.

Edited by NormanD


Nothing obvious in the last log you posted. It seems that I didn't get any notification of replies in the topic, for some reason.

 

To speed up the machine, I suggest that you visit Black Viper's site and follow the hints there about stopping unneeded Windows services.

Answers that work also has useful information about startup programs in the Tasklist.
