Another Computer Infected


4 replies to this topic

#1 Chevyfan1 (Full Member, 65 posts)

Posted 31 May 2004 - 04:21 PM

I started a different thread about a week ago discussing several problems with a different computer, but now another of my computers has become infected. I made the mistake of letting my brother play some online games from addictinggames.com, and when he had finished Ad-Aware found BroadCastPC and a group of tracking cookies. Since Ad-Aware and all of my other programs have not successfully cleaned my other computer, I have no reason to believe that this one is clean, especially since it has slowed to a crawl when opening any file and is freezing when performing simple tasks (it was working fine a few hours ago). Here are some suspicious files (with their location in parentheses) I have found and my HJT log:

~df8463.tmp (C:\WINDOWS\TEMP) - Can't delete this file, will try S3 after this post.

{1DD56087-B19B-11D8-8782-000129225161}.dat (C:\WINDOWS)

{1DD5609A-B19B-11D8-8782-000129225161}.dat (C:\WINDOWS)

hh.dat (C:\WINDOWS)

hh.exe (C:\WINDOWS)

mozver.dat (C:\WINDOWS)

Msdfmap.ini (C:\WINDOWS) - This one really looks suspicious.

Msimgsiz.dat (C:\WINDOWS)

Ndislog.txt (C:\WINDOWS)

UserMigratedStore_59R.bin (C:\WINDOWS)

Win386.SWP (C:\WINDOWS) - This one is really suspicious, and was created just this afternoon.

Wininit.bak (C:\WINDOWS)

Wininit.exe (C:\WINDOWS)

Wininit.ini (C:\WINDOWS)

Wininit.sav (C:\WINDOWS)

{1DD56086-B19B-11D8-8782-000129225161}.dat (C:\WINDOWS\SYSTEM)

{1DD56099-B19B-11D8-8782-000129225161}.dat (C:\WINDOWS\SYSTEM)

Some of these files are probably harmless, but I don't know for sure.

Logfile of HijackThis v1.97.7
Scan saved at 6:31:54 PM, on 5/31/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PROFILES\TRUXTUN\DESKTOP\STORAGE FOLDER\FILES\PROGRAMS\ANTISPYWARE\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8136.4494328704
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

Thank You.
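A small triage script for the kind of HijackThis log posted above, added here as an illustration; it is not part of the original post and not code from HijackThis or from any of the tools named in the thread. It parses the O2/O3/O4 lines into (section, label, path) and then applies two of the checks a log reader does by hand: BHOs that HijackThis lists as "(no name)", and autostart entries whose target lives under the Windows directory tree rather than under Program Files. The sample input is a subset of the log in the post plus one constructed line (`[example] C:\WINDOWS\TEMP\example.exe`), which is made up so that the second rule has something to fire on. Both rules are prompts for a closer look, not verdicts: the unnamed BHO in this log is the Acrobat Reader helper at the path shown, and legitimate Windows components also autostart from C:\WINDOWS.

```python
import re
from dataclasses import dataclass

# Sample input: a subset of the HijackThis 1.97.7 log posted above.
# The last O4 line is CONSTRUCTED for this example and is not in the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [example] C:\WINDOWS\TEMP\example.exe
"""


@dataclass
class Entry:
    kind: str   # HijackThis section code, e.g. "O2" (BHO), "O3" (toolbar), "O4" (autostart)
    label: str  # BHO/toolbar name, Run value name, or .lnk name
    path: str   # file the entry loads
    raw: str    # the original log line


ITEM_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
COM_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<where>(?:User )?Startup): (?P<name>.*?) = (?P<path>.*)$")


def command_to_path(cmd: str) -> str:
    """Reduce a Run value's command line to the executable it launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted values are printed verbatim by HJT; drop trailing " -switch" / " /switch" arguments.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def parse_entry(line: str):
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("O2", "O3") and (c := COM_RE.match(body)):
        return Entry(kind, c["name"], c["path"].strip(), line)
    if kind == "O4":
        if r := RUN_RE.match(body):
            return Entry(kind, r["name"], command_to_path(r["cmd"]), line)
        if s := STARTUP_RE.match(body):
            return Entry(kind, s["name"], s["path"].strip(), line)
    return None  # R0, O9, O16 and other sections are not handled in this example


def parse_log(text: str) -> list:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e is not None]


def triage(entries: list) -> list:
    """Return (entry, reason) pairs for entries that deserve a closer look."""
    hits = []
    for e in entries:
        # Win9x short names: treat PROGRA~1 as Program Files so the directory test below works.
        p = e.path.lower().replace("progra~1", "program files")
        if e.kind == "O2" and e.label == "(no name)":
            hits.append((e, "BHO registered without a name; identify it by its file path"))
        if p.startswith("c:\\windows\\"):
            hits.append((e, "autostart target sits in the Windows directory tree, not under Program Files"))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind} [{entry.label}] {entry.path}\n    -> {reason}")
```

Only the O2, O3 and O4 sections are parsed; the O16 (Download Program Files) lines in the post are truncated on the page, so they are left out of the sample rather than guessed at.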

#2 Chevyfan1 (Full Member, 65 posts)

Posted 31 May 2004 - 07:45 PM

Some *.ini files were created today, are these dangerous?

#3 OlTramp (SWI Junkie, Trusted Advisor, 148 posts)

Posted 01 June 2004 - 06:49 PM

Hi Chevyfan1
Run a scan at one or all of these sites-
http://housecall.tre.../start_corp.asp
http://www.wilders.o...ee_services.htm
http://www.pandasoft...n_principal.htm
http://www.bitdefend...can/licence.php
Then post another log along with the results of the scan.

#4 Chevyfan1 (Full Member, 65 posts)

Posted 02 June 2004 - 09:22 AM

I tried to install the scanner from TrendMicro, but it wouldn't work unless I uninstalled Norton Internet Security, which I am not willing to do without further information. I probably should have mentioned that I already have considerable layered protection, which consists of the following programs:

Ad-Aware 6.81 (updated regularly), Spybot S&D, PestPatrol (trial version), Norton AntiVirus 2004 (updated regularly), Norton Internet Security (updated regularly), XCleaner (trial version - updated), HJT, CoolWebShredder (latest version), System Security Suite (S3), Camtech Spy Sites (blocks spyware-related pages), Spyware Blaster, Spyware Guard, and the Kerio Personal Firewall v4.

Ad-Aware is the only one of these programs which has shown any serious problem - it found BroadCast PC (which apparently had only been on my computer for half an hour and hadn't gotten the chance to do anything) and some tracking cookies and deleted them (they haven't returned).

If there is anything on my computer right now, it is probably some new program which hasn't been added to any detection lists yet. Some of the files I listed here turned out to be trojan related (according to PestPatrol's webpage), but I couldn't find other files and registry entries that were supposed to accompany those trojans. The only sign of any trouble on this computer right now is the fact that copies of my temp. int. files, cookies, and history folders are being made in my Temp folder. These are always empty, and the original folders remain in place. There are always at least two .tmp files in my temp folder which cannot be deleted. I don't know what's going on.

PS - I do have another computer which is more seriously infected - I believe it is a file similar to BroadCastPC, but possibly too recent or obscure to be detected. None of the before-mentioned programs finds anything, except HJT finds a startup file called config.ini which appears to be CWS related, and PP finds two remnants of SaveNow in the registry. None of these files can be permanently deleted. Further details are posted in a thread under malware removal called "Cannot find parasite". I'm just afraid that that thread has been overlooked because of my large number of posts (all but two are mine), and because the post has been there for over a week.

#5 Chevyfan1 (Full Member, 65 posts)

Posted 16 June 2004 - 04:04 PM

As far as I can tell, both computers are clean right now. I guess this thread can be closed, or even deleted if you want (since I have another thread dealing with the whole problem - I started this one to try to keep both computers separate but I guess it doesn't really matter). Thank You very much for helping to solve this problem (most advice was posted on the other thread).
