Shrinkwrap.exe launches IE randomly


  • This topic is locked
8 replies to this topic

#1 cookwithfire

cookwithfire

    Member

  • New Member
  • 3 posts

Posted 15 June 2004 - 04:05 AM

Hello,
I have read the instructions and FAQ....

C:\winnt\system32\shrinkwrap.exe
randomly (every 5-10 min) tries to access the internet with IE. I don't know what site it's trying to hit because I have ZoneAlarm blocking it from getting out and there is no address bar listing the URL. It just says "click here to bookmark" across the top, and then below it says "this page cannot be displayed".

I can delete the file but it comes back within 5 minutes. Scanned the drive with updated AdAware and Spybot but they don't find anything. Ran updated McAfee Stinger and VirusScan and they are clean as well. Is this spyware? If any of you good people can help me I would greatly appreciate it.
Below is my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 4:25:10 AM, on 6/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRA~1\BMS-IMSS\REMOTE~1\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\OnSrvr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\AChkr.exe
C:\Program Files\Maintainence\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livephish.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mcd-server/mcd/proxy.pac:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bms.com;local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Shortcut to HOTSYNC.EXE.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Shortcut to zapro.exe.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai..../v6/brix6ie.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai..../v7/brix7ie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.9333101852
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish...r/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 15 June 2004 - 06:13 AM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.
(the above is for XP, but you get the idea)

Next:

Close all open windows except for HijackThis, place a check in each of the following:
Then click "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe
O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai..../v6/brix6ie.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai..../v7/brix7ie.cab
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer, locate and delete the following:

C:\WINNT\system32\OnSrvr.exe <--this file
C:\WINNT\system32\AChkr.exe <--this file
C:\WINNT\System32\nwzgacgs.exe <--this file

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm

#3 cookwithfire

Posted 15 June 2004 - 01:33 PM

Thank you so much for your help thus far! I followed all instructions to the letter. Here is the fresh AdAware log. I apologize if I misunderstood which log file you wanted. (Wasn't sure if you wanted the fresh AdAware log or a new HJT log)


Lavasoft Ad-aware Personal Build 162
Logfile created on :Tuesday, June 15, 2004 2:02:39 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :0R150 05.07.2003
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 0R150 05.07.2003
Internal build : 683
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 417692 Bytes
Signature data size : 409063 Bytes
Reference data size : 8565 Bytes
Signatures total : 9637
Target categories : 8
Target families : 197

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:31 %
Total physical memory:129328 kb
Available physical memory:40028 kb
Total page file size:623108 kb
Available on page file:515560 kb
Total virtual memory:2097024 kb
Available virtual memory:2055788 kb
OS:Windows 2000

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan within archives

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Remember window positions
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-15-2004 5:51:32 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:39 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:40 PM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/15/2004 5:32:57 PM
Last modified : 6/19/2003 7:05:04 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:40 PM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/15/2004 5:32:57 PM
Last modified : 2/25/2004 11:59:07 PM

#:5 [cvpnd.exe]
FilePath : C:\PROGRA~1\BMS-IMSS\REMOTE~1\
ThreadCreationTime : 6-15-2004 5:51:45 PM
BasePriority : Normal
FileSize : 1208 KB
FileVersion : 3.1.1 (Rel)
ProductVersion : 3.1.1 (Rel)
Copyright : Copyright 1998-2001 Cisco Systems, Inc.
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
OriginalFilename : CVPND.EXE
ProductName : Cisco Systems VPN Client
Created on : 11/9/2002 5:18:55 PM
Last accessed : 6/15/2004 5:33:03 PM
Last modified : 10/15/2001 4:34:26 PM

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:46 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/15/2004 5:33:04 PM
Last modified : 12/7/1999 12:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:47 PM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 9/18/2002 2:12:06 AM
Last accessed : 6/15/2004 5:33:04 PM
Last modified : 6/19/2003 7:05:04 PM

#:8 [avsynmgr.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 6-15-2004 5:51:47 PM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019.1
Copyright : Copyright 1995-2001 Networks Associates Technologies, Inc. All rights reserved
CompanyName : Networks Associates Technologies, Inc.
FileDescription : VirusScan Synchronization Service
InternalName : AvSynMgr
OriginalFilename : AvSynMgr.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 6/15/2004 5:33:05 PM
Last modified : 5/28/2002 11:02:30 AM

#:9 [cdac11ba.exe]
FilePath : C:\WINNT\System32\drivers\
ThreadCreationTime : 6-15-2004 5:51:47 PM
BasePriority : Normal
FileSize : 51 KB
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
Copyright : Copyright © 1998-2002 Macrovision Corp.
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
OriginalFilename : CDANTSRV.EXE
ProductName : SafeCast Windows NT
Created on : 12/22/2002 5:57:39 PM
Last accessed : 6/15/2004 5:33:05 PM
Last modified : 12/22/2002 5:57:39 PM

#:10 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-15-2004 5:51:47 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/15/2004 5:33:04 PM
Last modified : 12/7/1999 12:00:00 PM

#:11 [hidserv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:53 PM
BasePriority : Normal
FileSize : 19 KB
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
OriginalFilename : HIDSERV.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/29/2003 5:27:17 AM
Last accessed : 6/15/2004 5:33:10 PM
Last modified : 6/19/2003 7:05:04 PM

#:12 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:55 PM
BasePriority : Normal
FileSize : 66 KB
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/29/2003 5:30:15 AM
Last accessed : 6/15/2004 5:33:11 PM
Last modified : 6/19/2003 7:05:04 PM

#:13 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:51:55 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright © Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft Windows Task Scheduler
Created on : 7/29/2003 5:29:24 AM
Last accessed : 6/15/2004 5:33:12 PM
Last modified : 6/19/2003 7:05:04 PM

#:14 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-15-2004 5:52:11 PM
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/29/2003 5:27:05 AM
Last accessed : 6/15/2004 5:59:13 PM
Last modified : 6/19/2003 7:05:04 PM

#:15 [avconsol.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 6-15-2004 5:52:15 PM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019
Copyright : Copyright 1995-2001 Networks Associates Technology, Inc. All Rights Reserved.
CompanyName : Network Associates, Inc.
FileDescription : VirusScan Consol
InternalName : AvConsol
OriginalFilename : AvConsol.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 6/15/2004 5:33:29 PM
Last modified : 5/28/2002 11:02:30 AM

#:16 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 6-15-2004 5:52:23 PM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright © Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 7/29/2003 5:31:08 AM
Last accessed : 6/15/2004 5:33:47 PM
Last modified : 6/19/2003 7:05:04 PM

#:17 [mspmspsv.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-15-2004 5:52:24 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 7.10.00.3068
ProductVersion : 7.10.00.3068
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft ® DRM
Created on : 9/18/2002 8:29:27 AM
Last accessed : 6/15/2004 5:33:50 PM
Last modified : 5/16/2002 10:24:48 PM

#:18 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-15-2004 5:52:24 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/15/2004 5:33:04 PM
Last modified : 12/7/1999 12:00:00 PM

#:19 [speedkey.exe]
FilePath : C:\Program Files\Microsoft Hardware\Keyboard\
ThreadCreationTime : 6-15-2004 5:52:29 PM
BasePriority : Normal
FileSize : 30 KB
FileVersion : 1.01.430
ProductVersion : 1.01.430
Copyright : Copyright © 1995-1999 Microsoft Corporation
CompanyName : Microsoft Corporation
FileDescription : MS IntelliType Pro
InternalName : MS IntelliType Pro
OriginalFilename : SpeedKey.exe
ProductName : Microsoft IntelliType Pro
Created on : 12/26/2002 6:34:15 PM
Last accessed : 6/15/2004 5:33:42 PM
Last modified : 1/13/2000 7:10:16 AM

#:20 [alogserv.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 6-15-2004 5:52:29 PM
BasePriority : Normal
FileSize : 36 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019.1
Copyright : Copyright 1995-2001 Networks Associates Technologies, Inc. All rights reserved
CompanyName : Networks Associates Technologies, Inc.
FileDescription : Activity Log Server
InternalName : AlogServ
OriginalFilename : AlogServ.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 6/15/2004 5:52:18 PM
Last modified : 5/28/2002 11:02:30 AM

#:21 [directcd.exe]
FilePath : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 6-15-2004 5:52:30 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.5.10
ProductVersion : 5.3.5.10
Copyright : Copyright © 2001-2003, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 1/11/2001 10:00:00 AM
Last accessed : 6/15/2004 5:33:43 PM
Last modified : 12/28/2003 9:07:16 PM

#:22 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 6-15-2004 5:52:30 PM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/23/2068 3:44:46 AM
Last accessed : 6/15/2004 5:33:44 PM
Last modified : 2/23/2004 3:44:44 AM

#:23 [rulaunch.exe]
FilePath : C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\
ThreadCreationTime : 6-15-2004 5:52:31 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1.04.1113.0
ProductVersion : 1.04.1113.0
Copyright : Copyright 1998-2001 Networks Associates Technologies, Inc. All rights reserved
CompanyName : Networks Associates Technologies, Inc.
FileDescription : RuLaunch
InternalName : RuLaunch
OriginalFilename : RuLaunch.exe
ProductName : McAfee Instant Updater
Created on : 9/27/2001 6:01:00 AM
Last accessed : 6/15/2004 5:33:46 PM
Last modified : 5/2/2002 6:04:00 AM

#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 6-15-2004 5:59:22 PM
BasePriority : Normal
FileSize : 645 KB
FileVersion : 6.0.1.165
ProductVersion : 6.0.0.0
Copyright : Copyright Lavasoft Sweden
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/8/2003 10:58:01 PM
Last accessed : 6/15/2004 5:59:22 PM
Last modified : 2/9/2003 2:50:52 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

2:10:30 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:07:51:87
Objects scanned :68788
Objects identified :0
Objects ignored :0
New objects :0

#4 WinHelp2002

Posted 15 June 2004 - 03:39 PM

Hi,

"Wasn't sure if you wanted the fresh AdAware log or a new HJT log"

Actually a HijackThis log ...
Mike

#5 cookwithfire

Posted 15 June 2004 - 06:56 PM

Sorry about that, my mistake.

Logfile of HijackThis v1.97.7
Scan saved at 2:31:31 PM, on 6/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRA~1\BMS-IMSS\REMOTE~1\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Maintainence\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livephish.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mcd-server/mcd/proxy.pac:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bms.com;local;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Shortcut to HOTSYNC.EXE.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Shortcut to zapro.exe.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.9333101852
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish...r/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com
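
A check a helper could run at this point: compare the first HijackThis log with the follow-up log to confirm that every entry flagged for fixing is gone and that no new entries or processes have appeared. This is an added example, not part of the original posts; the function names are hypothetical and the embedded logs are shortened excerpts of the two logs above.

```python
import re

# Matches HijackThis entry lines such as "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Shortened excerpts of the two logs posted in this thread (most unchanged
# entries omitted; truncated URLs kept exactly as they appear on the page).
BEFORE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\OnSrvr.exe
C:\WINNT\system32\AChkr.exe
C:\Program Files\Maintainence\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livephish.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe
O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
"""

AFTER_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Maintainence\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livephish.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
"""

# Subset of the entries the helper asked to have checked and fixed.
FIX_LIST = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe
O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe
"""


def parse_hjt_log(text):
    """Split a HijackThis log into running-process paths and coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2).strip()))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare lowercased.
    return (entry[0], entry[1].lower())


def compare_logs(before, after):
    """Report entries and processes that disappeared or appeared between scans."""
    b, a = parse_hjt_log(before), parse_hjt_log(after)
    b_entries = {_key(e): e for e in b["entries"]}
    a_entries = {_key(e): e for e in a["entries"]}
    b_procs = {p.lower() for p in b["processes"]}
    a_procs = {p.lower() for p in a["processes"]}
    return {
        "removed_entries": [e for k, e in b_entries.items() if k not in a_entries],
        "new_entries": [e for k, e in a_entries.items() if k not in b_entries],
        "stopped_processes": sorted(b_procs - a_procs),
        "new_processes": sorted(a_procs - b_procs),
    }


def still_present(fix_list, after):
    """Entries from the fix list that still show up in the follow-up log."""
    present = {_key(e) for e in parse_hjt_log(after)["entries"]}
    return [e for e in parse_hjt_log(fix_list)["entries"] if _key(e) in present]


if __name__ == "__main__":
    report = compare_logs(BEFORE_LOG, AFTER_LOG)
    for name, items in report.items():
        print(name, len(items))
    print("unfixed:", still_present(FIX_LIST, AFTER_LOG))
```

An empty result from `still_present` together with empty `new_entries` and `new_processes` is the condition the comparison treats as a clean follow-up log.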

#6 WinHelp2002

Posted 15 June 2004 - 08:03 PM

Hi,
Your log looks clean now ... good job!

I would suggest adding some "Defense" to your system ...
See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm
Mike

#7 RandyBreyer

RandyBreyer

    Member

  • Full Member
  • 1 posts

Posted 14 July 2004 - 06:06 PM

I too have been getting this shrinkwrap.exe and to click to bookmark this. I installed Zone Alarm but didn't understand the instructions given to cookwithfire regarding the HijackThis log. I have Norton Internet Security with antivirus definitions up to date and now included a block on shrinkwrap.exe. I went into regedit and deleted all shrinkwrap words except for the block in Norton Internet Security. I just uninstalled Zone Alarm since I already had a firewall with Norton Internet Security.

I have adjusted the settings in AdAware to what was mentioned in the reply to cookwithfire on 6/15/04. I also have run Spybot and Spysweeper.
Will this prevent the pest from reappearing or what do I need to do?

Thank you for any help you can offer on this matter.

#8 WinHelp2002

Posted 14 July 2004 - 06:56 PM

Randy,

"Will this prevent the pest from reappearing or what do I need to do?"

Download HijackThis! 1.98

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your post by clicking "New Topic"

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.
Mike

#9 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 23 July 2004 - 08:05 PM

Fozzie,
Your posts have been moved to a thread of your own.
http://forums.spywar...17428&hl=Fozzie

Glad we could help, cookwithfire. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)