
Holy Mstasks2.exe!


22 replies to this topic

#1 Fog Crawler

Fog Crawler

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 09 June 2004 - 03:47 PM

Ok. Well last night I was surfing the net and a porn pop-up page came up. My browser started automatically downloading something in order to fully display this pop-up page. I tried to stop it and AOL froze up. I restarted my PC and when it came back on it was super slow. I hit Control+Alt+Delete and under "Processes" I noticed that my CPU usage was 100% and that the process responsible was mstasks2.exe. I searched my PC and found this file in my Windows folder. I noticed that it had been created when AOL crashed. I deleted it and my CPU usage went back to normal. However, now all kinds of crazy stuff is happening. For example, Norton System Works 2002 stopped working properly. Windows Explorer crashes. AOL crashes and then starts trying to dial crazy phone numbers. Norton Anti-virus won't install or uninstall properly because of MsiExec.exe files. Now I am not a computer guy, so when I tried to do some research on this it went way over my head. On a friend's suggestion, I've downloaded HijackThis, CWShredder, and spybotsd13. I have no idea if these will help or really how to use them. I ran CWShredder and it fixed a couple of registry things and some things having to do with Internet Explorer. I also made a log with HijackThis, however I have no idea what any of it means. Obviously, like everyone else on this forum, my computer is crucial for me and my job. Please help, and please speak in layman's terms because, again, I am not a computer guy. I would really appreciate it.

Thanks,
Jason

#2 Fog Crawler

Posted 09 June 2004 - 04:43 PM

This is an update. Ok, I ran Spybot Search and Destroy and it found like 90 problems and removed or fixed them. They were all printed in red text, so I assume that it was safe to fix them. Anyway, my PC's symptoms still persist. Windows Explorer crashes and then restarts about a minute after start up, and 2 Internet Explorer applications run when I am logged onto the Internet. I squash those by using the "end task" command. AOL eventually crashes and then my modem tries to dial a long distance number over and over again until I restart my computer.

#3 Fog Crawler

Posted 09 June 2004 - 04:54 PM

I read the rules of this forum and I hope I didn't misunderstand them by posting this. Here is a HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:51:19 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\documents and settings\thor\local settings\temp\FJA.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System\user32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Thor\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FJA.exe] C:\documents and settings\thor\local settings\temp\FJA.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://accu.accuload...aler/us_cax.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi...s/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8028.4057175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 09 June 2004 - 06:16 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe

O4 - HKLM\..\Run: [FJA.exe] C:\documents and settings\thor\local settings\temp\FJA.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://accu.accuload...aler/us_cax.cab

Reboot, and delete these files:
C:\documents and settings\thor\local settings\temp\FJA.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System32\msmc.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
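The checks dave38 made by eye above can be written down as a small triage script for HijackThis log lines. This is an added example, not code from the thread or from the HijackThis project: it flags a Shell= value that launches anything besides explorer.exe (the F0/F2 lines), startup entries that run out of a temp directory (the FJA.exe line), O16 ActiveX downloads from hosts outside a short assumed known-good list, and the O17 name server for manual confirmation. The sample lines are constructed from entries in this thread; the host list and temp-directory markers are assumptions.

```python
"""Triage for HijackThis 1.97-style log lines (added example, not the tool's own code)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Assumed list of hosts that this thread's logs show as legitimate O16 (DPF) sources.
# HijackThis abbreviates long URLs with "...", so we can only match on host prefixes;
# treat the result as a hint and confirm the full URL in the registry before acting.
O16_KNOWN_HOSTS = (
    "www.apple.com", "download.macromedia.com", "download.microsoft.com",
    "download.yahoo.com", "v4.windowsupdate.microsoft.com", "a840.g.akamai.net",
)
# User-writable locations a startup entry should never point into (assumption).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")

# Constructed sample lines in HijackThis format, modelled on the thread's first log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O4 - HKLM\..\Run: [FJA.exe] C:\documents and settings\thor\local settings\temp\FJA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24522F6-FD16-425B-B56D-7A49364E5920}: NameServer = 205.188.146.146
"""


@dataclass
class Finding:
    severity: str   # "fix": have HijackThis fix it; "review": confirm by hand first
    line: str
    reason: str


_O4 = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.*- (?P<url>\S+)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<ns>\S+)$")
_SHELL = re.compile(r"Shell=(?P<value>.*)$")


def _exe_path(cmd: str) -> str:
    """Executable part of a Run value; handles quoted paths and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def _host(url: str) -> str:
    """Host part of a URL, stopping at the first '/' or at HijackThis's '...' marker."""
    rest = url.split("//", 1)[-1]
    return re.split(r"\.\.\.|/", rest, maxsplit=1)[0].lower()


def triage_line(line: str) -> Optional[Finding]:
    line = line.rstrip()
    if line.startswith(("F0 ", "F2 ")):
        # The shell should be exactly explorer.exe; anything appended starts at every
        # logon alongside it. (The log's user32.exe sits in \System; the real user32
        # is a DLL in \System32, so the name is borrowed to look familiar.)
        m = _SHELL.search(line)
        if m and [t.lower() for t in m.group("value").split()] != ["explorer.exe"]:
            return Finding("fix", line, f"shell hijack: Shell={m.group('value')!r}")
        return None
    m = _O4.match(line)
    if m:
        path = _exe_path(m.group("cmd")).lower()
        if any(marker in path for marker in TEMP_MARKERS):
            return Finding("fix", line, f"startup entry runs from a temp directory: {path}")
        if "\\" not in path:
            return Finding("review", line, f"startup entry by bare filename (resolved via search path): {path}")
        return None
    m = _O16.match(line)
    if m:
        host = _host(m.group("url"))
        if not any(known.startswith(host) for known in O16_KNOWN_HOSTS):
            return Finding("review", line, f"ActiveX control downloaded from unrecognised host: {host}")
        return None
    m = _O17.match(line)
    if m:
        return Finding("review", line, f"DNS server set in registry: {m.group('ns')}; confirm it is your ISP's")
    return None


def triage_log(text: str) -> list:
    """All findings for a log, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Name-based heuristics like these miss entries such as the msmc.exe and wintime.exe Run keys, which dave38 picked out from experience rather than from their paths; the script is a first pass, not a verdict.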

#5 Fog Crawler

Posted 09 June 2004 - 10:19 PM

First of all, Thank you VERY MUCH for your assistance. I followed your directions and so far the problems have ceased. Here is the follow up log:

Logfile of HijackThis v1.97.7
Scan saved at 10:13:17 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Thor\Desktop\HJT\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi...s/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8028.4057175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24522F6-FD16-425B-B56D-7A49364E5920}: NameServer = 205.188.146.146

Please let me know if there's anything else that needs tending to. I have Norton System Works 2002. Can this prevent another episode from occurring? What is the best preventative measure to take? Thanks again.

Sincerely,
Jason

#6 Fog Crawler

Posted 09 June 2004 - 10:56 PM

One thing I have noticed, but I'm not sure that it's a bad thing, is that Symantec Automatic LiveUpdate has been downloading files almost the entire time I've been online. The files are all 4896 kbytes big. Is this indicative of a problem or is it finally updating my Windows XP? BTW, I haven't noticed an update in months, which is why I ask.

#7 Fog Crawler

Posted 10 June 2004 - 12:03 AM

Ok, just a couple more issues. First, I set up my Windows Internet options like it says to here: http://www.spywarein...ked/prevent.php. I've also downloaded and installed SpywareBlaster. Second, last night when I first got bugged, I noticed my Norton System Works didn't work, and I got a few errors when I both uninstalled it and tried to reinstall it that read: "Problem with MsiExec.exe. Must shut down." I'd click "don't send" with regard to the error report and then the installation would continue. Well, I tried to reinstall it just now and the same thing happened - I got that error like three times. Once installed, many of Norton's functions didn't work, and the antivirus software didn't install at all. I uninstalled it and got the error a few times again. I assume this is somehow caused by what happened last night, as the problem didn't exist before my PC was hijacked. However, I have no idea if I'm right. Please tell me what you can and thanks again.

#8 dave38

Posted 10 June 2004 - 02:12 PM

It sounds as if you have caught another nasty!

To ensure that there are no viruses on your machine, try an online scan at either Housecall or Panda A/V.
Let it fix anything it finds, reboot, and then post a fresh Hijack this log.

#9 Fog Crawler

Posted 10 June 2004 - 08:16 PM

Ok, I used Housecall to scan my PC. Right away during the scan it found malware and removed it instantaneously. When the scan was complete, it had found four infected files. They were all "uncleanable" and they were all labeled as "trojans." I hit the "delete" button and deleted them, then I rebooted and did a "HijackThis" scan. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 8:09:57 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Thor\Desktop\HJT\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi...s/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8028.4057175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24522F6-FD16-425B-B56D-7A49364E5920}: NameServer = 205.188.146.146

So it doesn't look like I have a virus, but it looks like there are still traces of the malware/trojan problem, or at least there were until I used Housecall. Hopefully you will be able to help me figure out whether or not I've gotten rid of everything. Thanks.

#10 Fog Crawler

Posted 10 June 2004 - 11:09 PM

I decided to scan with Housecall again just for the hell of it and it found three more Trojan files. I deleted them, but before I did I decided to click on them to read what they were. In so doing, I read how to best clear Windows XP of unwanted files. I followed their directions by turning off System Restore and then I ran another scan. It turned up nothing. I rebooted and did another HijackThis log. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 11:03:27 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Thor\Desktop\HJT\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi...s/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8028.4057175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Sorry for posting unnecessary logs, but I figured this one is better since I did a more thorough scan.

#11 Fog Crawler

Posted 11 June 2004 - 01:02 AM

I just ran Spybot S&D and it found 3 problems: DoubleClick and Avenue A Inc., which are both tracking cookie issues, and it found 5 DSO exploits which are registry changes. How do I get rid of all this stuff? It seems like once one scan tells me I'm clear, another program will find new stuff. Ok, I'm going to bed so no more posts from me until I hear from you, I promise, lol.

#12 Fog Crawler

Posted 12 June 2004 - 12:30 PM

Bump

#13 roger

roger

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 12 June 2004 - 09:37 PM

Go to www.majorgeeks.com and download the latest Spybot 1.3. This is the latest, plus it too has even been updated, so get that after installing 1.3. This version gets many of the everyday Trojans, bugs, dialers etc. currently floating around.

AdAware 6.0 has a recent update, available by visiting Upgrade from the AdAware menu.

#14 Fog Crawler

Posted 13 June 2004 - 01:24 AM

My only symptoms now are that I still get the DSO exploits when I run Spybot S&D, but I got all the Windows XP updates last night so I'm not too worried about it. However, when I am online, Symantec LiveUpdate starts up and begins downloading two updates for something or another. The first is small and then the second one is always like 4689.6 kb big (I could be off, but it's some such number). When I cancel it, it happens again the next time I sign on. When I let it download completely, it also happens again the next time I sign on. Has anyone ever heard of this happening? What is it and how can I stop it?

#15 Fog Crawler

Posted 13 June 2004 - 11:39 PM

bump

#16 Doc Watson

Doc Watson

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 14 June 2004 - 04:04 PM

Have you contacted Symantec support to ask them what this DL is ??? I'm sure they could tell you if it is legit or not. :scratchhead:

#17 Doc Watson

Posted 14 June 2004 - 04:08 PM

I'd get the details straight before you call. DL size, etc. :D

Edited by Doc Watson, 14 June 2004 - 04:11 PM.


#18 dave38

Posted 14 June 2004 - 05:57 PM

The DSO exploit is a known minor bug in Spybot, not malware affecting your computer! It's being dealt with.

#19 Fog Crawler

Posted 14 June 2004 - 11:24 PM

Thanks. The Symantec downloads have since stopped after I'd gotten all the Windows XP updates. I have one last problem that is bothering me. I still can't reinstall Norton SystemWorks 2002. So basically I've no antivirus software right now. Right after my computer went insane with trojans and dialers and the like, I didn't know what it was, so I tried to run the Windows Doctor function and it was missing the ability to scan my Windows. I uninstalled Norton and got a few errors during the process from Windows saying that MsiExec.exe had a problem. When I tried to reinstall it, I got the same errors and when it was finished none of the functions I used to use worked properly, including the antivirus. I have since uninstalled and reinstalled it several times, getting the same results. I would really like to know what the problem is and how I can fix it, because I really want to have my antivirus software armed and ready. It's a bit scary not having it right now. All the trojan related stuff seems to be solved; again, I just need to fix this one last MsiExec.exe problem. Thanks for all the help.

#20 Fog Crawler

Posted 15 June 2004 - 03:11 AM

Ok, tonight I ran Spybot S&D 1.3 and nothing came up (except for DSO exploit, but I guess that's not a problem) and then I ran the Housecall virus scan. This thing hasn't found anything for a couple of days, but tonight it found 9 problems. All but one were trojans; the other was a worm. None of them were cleanable so I tried to delete them. Housecall deleted all but two of them because apparently those two files were in use. I ran the scan again and it found 4 problems this time. What are these files doing? How do I get rid of them... completely? Why do these scans vary so much with regard to what they find? I also have SpywareBlaster and I've set up my Windows Internet settings the way it explains to on this site, so I don't think I could have gotten another trojan, could I have? I don't understand this whole trojan thing, but I really would like to know how to solve it. I am waiting for Housecall to get done scanning right now and then I'm going to delete what it will let me, then I'll reboot and post a HijackThis log. Please help and if anybody can answer any of my questions, I'd appreciate it. I'd like to know what I'm dealing with and again I'm not really a computer person. Thank you.

#21 Fog Crawler

Posted 15 June 2004 - 03:34 AM

The two problems that Housecall could not delete because they were running were both called TROJ GRITZ.A and they were both in the windows/system area of my hard drive. Here is my HijackThis log, and please refer to my two previous posts for a description of my most recent problems:

Logfile of HijackThis v1.97.7
Scan saved at 3:28:51 AM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Thor\Desktop\HJT\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi...s/custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8028.4057175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#22 Fog Crawler

Posted 16 June 2004 - 12:54 PM

bump

#23 Fog Crawler

Posted 16 June 2004 - 04:05 PM

I have done some hardcore tinkering around and I've made somewhat of a breakthrough, and subsequently I have a new question that should be posted under a different topic area. Thanks to everyone that replied to this thread. I am ending this thread now.



