Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 3915
Location: USA
Posted: Sun Mar 21, 2004 7:05 am
Also, let's see if you can get SFC to check your system files.
Go to Start > Run, copy and paste this command in, and then press Enter:
sfc /scannow
You may be asked for your install CD.
This will take a while to run. SFC is the System File Checker, and it will check the integrity of your system files.
Mosaic1
Posted: Sun Mar 21, 2004 7:22 am
Also, I am attaching another file so we can look at your run keys.
Rename it
XP Runkeys.bat
Double-click on XP Runkeys.bat and it will export the keys we need to look at to a text file and open it. Copy and paste the contents of that file into your next reply here.
I am going to move this to the Operating System forum. If we later find it was either spyware, viral, or a Trojan, we can move it back.
Attachment: XP Runkeys.txt (1.14 KB, downloaded 6 times)
Mosaic1
Posted: Sun Mar 21, 2004 7:27 am
You say everything freezes. Go to Control Panel > Administrative Tools and click Event Viewer.
Look for any errors and see if you can find any useful information.
That should get you started. Post back and let us know what you have found.
lyndal
Trooper
Joined: Mar 21, 2004
Posts: 20
Location: Australia
Posted: Sun Mar 21, 2004 5:10 pm
I ran the file association fix.
In Normal mode I still can't run HijackThis or CWShredder; Task Manager shows them as not responding.
Task Manager also shows OSA.EXE running at about 23, EXPLORER.EXE at 2 or 3, and 3 files called dumprep.exe at 20-30 ... all that while I have no windows open.
On shutdown I get "OSA.EXE not responding".
In Safe mode there is no dumprep.exe, but also no problem with OSA.EXE on shutdown.
HijackThis and CWShredder still won't run.
That's all I have done so far, and I can't try your other suggestions till later when I come back from work.
Thankfully I still have Win98.
Mosaic1
Posted: Sun Mar 21, 2004 5:28 pm
The reason you don't have the shutdown error and other problems in Safe Mode is that the program(s) in question are not loaded. None of the items in your run keys are loaded in Safe Mode.
It sounds like a very basic problem with your Operating System. Go ahead and try the suggestions, but be prepared to do a repair install or even a format and reinstall of XP at some point.
You can go into msconfig and uncheck the kernel fault check, and dumprep will not run again until you have another big crash.
If you can run a virus scan in Safe Mode, do that too.
I'll be around later and will look for your post.
Good luck. After re-reading, at least I know you have a regular install CD, and that's a plus.
lyndal
Posted: Sun Mar 21, 2004 7:52 pm
Replying to previous questions:
Yes, Notepad, Solitaire and all Control Panel icons are fine.
OSA.EXE is still not responding in Normal mode.
I have an install disk, not recovery.
Virus scan in Safe mode shows nothing.
Here is the result of listprocesspaths.vbs.
I got an error message saying: line 4, character 1, code 800A0046, permission denied.
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\OSA.EXE
C:\DOWNLO~1\INCRED~1\bin\ImApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\WScript.exe
I haven't tried XP Runkeys yet, or checked Event Viewer. I have to keep switching between 98 and XP, so everything takes a bit of time.
lyndal
Posted: Sun Mar 21, 2004 8:34 pm
I went into Event Viewer and under Application found multiple True Vector Engine errors.
Under System, every day there were Service Control Manager errors following Dhcp warnings.
Also, on March 19 and March 21 there were W32 Time errors.
Here is the XP Runkeys result:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"SystemInit"=""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MyWebSearchEmailPlugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"Microsoft Network Daemon for Win32"="netd32.exe"
"MessengerPlus2"="\"C:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\""
"InCD"="C:\\Program Files\\ahead\\InCD\\InCD.exe"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe /0"
"PopUpStopperFreeEdition"="C:\\PROGRA~1\\PANICW~1\\POP-UP~2\\PSFree.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"IncrediMail"="C:\\DOWNLO~1\\INCRED~1\\bin\\IncMail.exe /c"
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window
Mosaic1
Posted: Sun Mar 21, 2004 9:28 pm
Your registry keys didn't import in the correct format.
At any rate, I see a worm there:
This one:
Microsoft Network Daemon for Win32="netd32.exe"
Go to Start > Run and type msconfig. Find the entry for MicrosoftNetworkDaemon and uncheck it. Restart and then delete these files:
netd32.exe and WINNT32.DAT
from Windows\system32
While in msconfig, also uncheck this entry:
MyWebSearchEmailPlugin
We'll clean these out of the registry later.
See if you can run HijackThis. Let me know.
I would also like to see your BHOs. We'll do that after you have finished.
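As an added example (not the thread's XP Runkeys.bat, whose contents are not on the page), the Python below reads a regedit /e export the way it should be read, as UTF-16LE with a byte-order mark (the "ÿþW i n d o w s" garbling above is that file opened as ANSI), parses the Run keys, and flags entries whose command is a bare file name with no directory, which is what made "netd32.exe" stand out. The sample export is constructed here, modeled on the values posted in the thread.

```python
import re
# Constructed sample modeled on the thread's Run-key export. regedit /e writes
# UTF-16LE with a byte-order mark; opened as ANSI it shows "ÿþW i n d o w s ...".
SAMPLE_TEXT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"AVG_CC"="C:\\\\PROGRA~1\\\\Grisoft\\\\AVG6\\\\avgcc32.exe /STARTUP"\r\n'
    '"Microsoft Network Daemon for Win32"="netd32.exe"\r\n'
    '"msnmsgr"="\\"C:\\\\Program Files\\\\MSN Messenger\\\\msnmsgr.exe\\" /background"\r\n'
    '"SystemInit"=""\r\n'
)
SAMPLE_REG = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")

# "name"="value" lines; .reg escapes backslash and double quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def decode_reg(data):
    """UTF-16LE when the FF FE BOM is present, otherwise ANSI (REGEDIT4-style files)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252")

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def split_command(cmd):
    """Separate executable from arguments; a leading quote delimits a path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def audit_run_keys(data):
    """One record per string value directly under a ...\\Run key."""
    records, key = [], None
    for line in decode_reg(data).splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None or not key.endswith("\\Run"):
            continue
        exe, args = split_command(unescape(m.group(2)))
        # No directory: the name is resolved via the search path, so the entry never says where the file lives.
        records.append({"key": key, "name": unescape(m.group(1)), "exe": exe,
                        "args": args, "bare": "\\" not in exe and "/" not in exe})
    return records

def bare_entries(data):
    return [r["name"] for r in audit_run_keys(data) if r["bare"]]
```

Empty commands such as "SystemInit" are reported alongside bare names, since they deserve the same look.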
Mosaic1
Posted: Sun Mar 21, 2004 9:33 pm
Read about the worm here:
http://www.f-secure.com/v-descs/randex_j.shtml
lyndal
Posted: Mon Mar 22, 2004 12:10 am
This is weird. I could not find either netd32.exe or WINNT32.DAT; I did a search of the whole computer.
Also, I had removed MyWebSearch a couple of days ago.
I'm totally confused now.
Mosaic1
Posted: Mon Mar 22, 2004 2:26 am
Let's do your search and file show settings.
Open Folder Options > View and check your settings:
Select:
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next, go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
XP will not always show you hidden files by default.
Try again and see if you find those files.
After redoing the couple of startups, has anything improved?
lyndal
Posted: Mon Mar 22, 2004 4:38 am
Still no luck.
Search still doesn't find the files and nothing has improved.
Any suggestions?
Mosaic1
Posted: Mon Mar 22, 2004 1:45 pm
You found errors. What were the exact errors, please?
Mosaic1
Posted: Mon Mar 22, 2004 2:06 pm
It's possible the run entries were leftovers.
I think you are looking at a repair install here. Have you run
sfc /scannow yet?
If not, do that.
To do a repair install, go to this page:
http://www.webtree.ca/windowsxp/repair_xp.htm
Find this link and click on it:
How To Run a Repair Install
I am not sure if you have SP1 on your CD. If not, apply SP1.
lyndal
Posted: Tue Mar 23, 2004 4:05 am
At last, HijackThis and CWShredder finally opened. I ran HijackThis and then CWShredder, which removed CWSMSconfig and restored 4 infected IE registry values. Here is the HijackThis log:
Logfile of HijackThis v1.97.5
Scan saved at 5:06:33 PM, on 3/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\RF WIRELESS MOUSE\RF WIRELESS MOUSE\1.1\MOUSE32A.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\YACSMON.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF Wireless Mouse\RF Wireless Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PrecisionTime.lnk = C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
O4 - Startup: Date Manager.lnk = C:\PROGRA~1\Date Manager\DateManager.exe
O4 - Global Startup: YacsMon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O15 - Trusted Zone: admin.daboyz.lan.com
O15 - Trusted Zone: www.daboyz.lan.com
O15 - Trusted Zone: http://www.truevision3dsdk.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/...nPUpld.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...4747337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab