cookwithfire

Shrinkwrap.exe launches IE randomly

9 posts in this topic

Hello,

I have read the instructions and FAQ....

 

C:\winnt\system32\shrinkwrap.exe

randomly (every 5-10 min) tries to access the internet with IE. I don't know what site it's trying to hit because I have ZoneAlarm blocking it from getting out and there is no address bar listing the URL. It just says "click here to bookmark" across the top, and then below it says "this page cannot be displayed".

 

I can delete the file but it comes back within 5 minutes. Scanned the drive with updated AdAware and Spybot but they don't find anything. Ran updated McAfee Stinger and VirusScan and they are clean as well. Is this spyware? If any of you good people can help me I would greatly appreciate it.

Below is my HijackThis log.

 

Logfile of HijackThis v1.97.7

Scan saved at 4:25:10 AM, on 6/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\PROGRA~1\BMS-IMSS\REMOTE~1\cvpnd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe

C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINNT\system32\OnSrvr.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\AChkr.exe

C:\Program Files\Maintainence\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livephish.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mcd-server/mcd/proxy.pac:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bms.com;local;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts

O1 - Hosts: 207.44.240.65 rad.msn.com

O1 - Hosts: 216.93.174.28 view.atdmt.com

O1 - Hosts: 216.93.174.28 ad.doubleclick.net

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"

O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe

O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

O4 - Startup: Shortcut to HOTSYNC.EXE.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Shortcut to zapro.exe.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.../v6/brix6ie.cab

O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.../v7/brix7ie.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7867.9333101852

O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com


Hi,

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

(the above is for XP, but you get the idea)

 

Next:

 

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts

O1 - Hosts: 207.44.240.65 rad.msn.com

O1 - Hosts: 216.93.174.28 view.atdmt.com

O1 - Hosts: 216.93.174.28 ad.doubleclick.net

O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe

O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.../v6/brix6ie.cab

O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.../v7/brix7ie.cab

O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer, then locate and delete the following:

 

C:\WINNT\system32\OnSrvr.exe <--this file

C:\WINNT\system32\AChkr.exe <--this file

C:\WINNT\System32\nwzgacgs.exe <--this file

 

Restart normally and then ...

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

 

After the above, post a fresh log ...


Thank you so much for your help thus far! I followed all instructions to the letter. Here is the fresh AdAware log. I apologize if I misunderstood which log file you wanted. (Wasn't sure if you wanted the fresh AdAware log or a new HJT log)

 

 


Hi,

"Wasn't sure if you wanted the fresh AdAware log or a new HJT log"

Actually a HijackThis log ...


Sorry about that, my mistake.

 

Logfile of HijackThis v1.97.7

Scan saved at 2:31:31 PM, on 6/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\PROGRA~1\BMS-IMSS\REMOTE~1\cvpnd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe

C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\Maintainence\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livephish.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mcd-server/mcd/proxy.pac:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bms.com;local;<local>

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"

O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

O4 - Startup: Shortcut to HOTSYNC.EXE.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Shortcut to zapro.exe.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7867.9333101852

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hpw.stf.bms.com,stf.bms.com,bms.com

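Added example, not part of the thread or of HijackThis itself: one way to check a follow-up HijackThis log against the list of entries a helper asked to have fixed, and to see which running processes disappeared between two logs. The log excerpts are copied from the two logs posted above; the function names (`parse_hjt`, `diff_logs`, `unfixed`) are illustrative.

```python
import re

# HijackThis entry lines start with a section code, e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Return (processes, entries) parsed from HijackThis log text."""
    processes, entries = set(), []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # forum pastes often double-space the log
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the process list ends at the first entry
            entries.append((m.group(1), m.group(2).strip()))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def _key(entry):
    """Normalise case and whitespace so re-pasted lines still compare equal."""
    code, detail = entry
    return code, " ".join(detail.lower().split())


def diff_logs(before, after):
    """Compare two logs: what was removed, what is new."""
    b_proc, b_ent = parse_hjt(before)
    a_proc, a_ent = parse_hjt(after)
    b_keys = {_key(e) for e in b_ent}
    a_keys = {_key(e) for e in a_ent}
    return {
        "removed_entries": [e for e in b_ent if _key(e) not in a_keys],
        "new_entries": [e for e in a_ent if _key(e) not in b_keys],
        "gone_processes": sorted(b_proc - a_proc),
        "new_processes": sorted(a_proc - b_proc),
    }


def unfixed(fix_list, after):
    """Entries from the helper's fix list that still appear in the new log."""
    _, wanted = parse_hjt(fix_list)
    _, a_ent = parse_hjt(after)
    a_keys = {_key(e) for e in a_ent}
    return [e for e in wanted if _key(e) in a_keys]


# Excerpt of the first log in this thread (4:25:10 AM).
BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\OnSrvr.exe
C:\WINNT\system32\AChkr.exe
C:\WINNT\Explorer.EXE
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe
O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe
"""

# Excerpt of the follow-up log (2:31:31 PM).
AFTER = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Excerpt of the entries the helper asked to have checked and fixed.
FIX_LIST = r"""
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O4 - HKLM\..\Run: [nwzgacgs] C:\WINNT\System32\nwzgacgs.exe
O4 - HKLM\..\Run: [OnSrvr] C:\WINNT\system32\AChkr.exe
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe
"""

if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for code, detail in result["removed_entries"]:
        print("removed:", code, "-", detail)
    for path in result["gone_processes"]:
        print("no longer running:", path)
    print("still present from fix list:", unfixed(FIX_LIST, AFTER))
```

An empty result from `unfixed` only shows the entries are absent from the new log; as the thread notes elsewhere, HijackThis cannot see startup items that are disabled rather than removed.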

I too have been getting this shrinkwrap.exe and to click to bookmark this. I installed Zone Alarm but didn't understand the instructions given to cookwithfire regarding HiJack This log. I have Norton Internet Security with anti virus definitions up to date and now included a block on shrinkwrap.exe. I went into regedit and deleted all shrinkwrap words except for the block in Norton Internet Security. I just uninstalled Zone Alarm since I already had a firewall with Norton Internet Security.

 

I have adjusted the settings in AdAware to what was mentioned in the reply to cookwithfire on 6/15/04. I also have run Spybot and Spysweeper.

Will this prevent the pest from reappearing or what do I need to do?

 

Thank you for any help you can offer on this matter.


Randy,

"Will this prevent the pest from reappearing or what do I need to do?"

Download HijackThis! 1.98

 

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

 

Double-click "HijackThis.exe" and Press "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Click: "Save Log" (generates: "hijackthis.log")

 

Copy and Paste the entire log into your post by clicking "New Topic"

 

Note: do not attempt to "Fix" anything, as we need to see the entire log.

Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

 

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.


Fozzie,

Your posts have been moved to a thread of your own.

http://forums.spywareinfo.com/index.php?sh...17428&hl=Fozzie

 

Glad we could help, cookwithfire. :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.