HJT log

Hello all,
I am helping a friend clean up a really clogged pc. A virus scan has revealed and cleaned several viral and trojan infections. Looks like his box was being used for DDoS.

I was wondering if the kind folks here could offer me a second opinion on some of the entries in his HJT logfile. Here are the main entries that I was need validation or are unsure about. Several show up as malware when I google them, but I can not find info at all on a few of them. Looks like the mobsynca and magna processes have open ports that are listening.

Thanks so much for your help.

O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab


Here is the full file....
--------------------------------------------------------------------------------------
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\SYSTEM32\manga.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\System32\serviceede.exe
C:\WINNT\System32\mobsynca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = https
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchpl ugins%5CSBWeb_01.src"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: NameServer = 66.82.4.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

 

Hi shelb,

I'm sure the big guns will be along shortly to help you, but I have one suggestion right away. That is, post a complete HJT log, especially including the header that you didn't include above. They need that info to tell what should be on your system- every OS has its own load of "must-have" files, and some nasties spoof legit filenames to hide in the folders- wolves in sheep's clothing, so to speak.

Good luck with this one. I can see a few things that look suspicious to me, but I'm too inexperienced to offer much by way of advice.

 

Hi Shelb,

I am afraid your friend's system is infected with several viruses.

First, could you please find the following files, zip them up and email them to Pieter at the address in his Profile. Please include a link to this thread in the body of the email. Thank you.

C:\WINNT\SYSTEM32\manga.exe
C:\WINNT\SYSTEM32\fqefws.exe
C:\WINNT\system32\msmsgri32.exe

You will have to do a search for these:
serviceede.exe
ldasp.exe
msvdm6.exe


Open HijackThis and rescan, then with ALL browsers and any open windows closed, place a check beside the following items and click *Fixed check:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = https

O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab

Make sure you have all files and folders viewable. Click Here, for instructions on how to do that.

Reboot into Safe Mode by tapping the F8 key after the BIOS has loaded, then find and delete the following:

C:\WINNT\SYSTEM32\manga.exe
C:\WINNT\SYSTEM32\fqefws.exe
C:\WINNT\system32\msmsgri32.exe

You will have to do a search for these:
serviceede.exe
ldasp.exe
msvdm6.exe

Then reboot your computer normally.

Then do a FULL on-line scan at one of these antivirus sites: Free Services

Rescan with HijackThis and post a new log here. As k3dc has mentioned, please make sure you copy all of the HijackThis log to include the top portion that shows the Operating System, HijackThis version, and date/time of scan.

Regards,

snap

Reference:
manga.exe: http://securityresponse.symantec.com/avcenter/venc/data/w32.ogid.html
msmsgri32.exe: http://www.symantec.com/avcenter/venc/data/w32.randex.d.html
msvdm6.exe: http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_RANDEX.MV
ldasp.exe: http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_AGOBOT.BH

 

Thanks for the help.

This entry is installed by default by the isp Direcway (satellite), are you sure I should delete it?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = https

As for the other files......
Looks like he's been at the scanners before I got here. All but three of the entries you suggested for fixing are gone. He had installed TDS and scanned at several online site, so I guess it got rid of them. They all show a clean bill of health now.....may never know malware the others were

I was able to find the file and fix the following entry
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe

Kaspersky.com reveals this file to be the following.
manga.exe Packed: PE_Patch
manga.exe Packed: UPX
manga.exe Infected: TrojanProxy.Win32.Agent.m

The are two entries that you suggested that are still left in the registry (log copied below).
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe

HJT is unable to fix these, even in safe mode. Manual deletion from regedit returns the following error: "Edit string dialog: cannot edit configuration loader, error writing value's new contents."

The object files ldasp.exe and msvdm6.exe do not turn up on the pc from a search however.

Here is the latest HJT log...

Logfile of HijackThis v1.97.7
Scan saved at 9:13:49 AM, on 3/24/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINNT\System32\mobsynca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = https
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchpl ugins%5CSBWeb_01.src"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: NameServer = 66.82.4.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

 

Hi Shelb,

Try this:

First run this registry script, which forces Windows to show so called "superhidden" files:

Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files").

Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

Then try to do a search for those two files and if you can find them, zip the files and e-mail them to Pieter at the address in his profile. Please include a link to this thread.

Regards,
Kent

 

No resulting files after unhiding superhidden files.
I think he is clean, just the annoying registry error to deal with.

Thanks for your help.

 

Hi Shelb,

The 'ldasp.exe' and 'msvdm6.exe' may have already been removed by either TDS-3 or one of the on-line scanners, and the 04 lines showing in HijackThis may be orphaned run keys now.

(sorry, I missed this one)
First, through TaskManager (Ctrl-Alt-Del), look for 'mobsynca.exe' and if you see it running, end task on it.

Next, move HijackThis out of the Temp folder and into a folder of it's own. HijackThis creates backups in the folder it is ran from, and backups in a temp folder will be easily lost.

Then with ALL browsers and any open windows closed, place a check beside the following items and click *Fixed check:

O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab

Reboot your computer

Then do a search for 'mobsynca.exe' (the one with the 'a' at the end and not the mobsync.exe file) and upload it to Kaspersky for a scan. Then could you please email it to Pieter at the email addy listed in his Profile.

I am only finding this reference for the file, but I would like to see what the Kaspersky's scan shows, and what Pieter says about it before we say delete the file.
mobsynca.exe: Worm_Randbot.A = http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RANDBOT.A

Re-scan with Hijackthis and post a new log here along with the Kaspersky scan for mobsynca.exe.

snap

fixed my url tags

 

Can this Registry patch be left in permanently as a diagnostic tool, or should it be removed for normal use of the computer?

 

k3dc,

The patch can be left in, just remember that now ALL files on your system are now displayed including all critical system files and such that are normally hidden. You have to practice added caution and be very careful as not to change or delete something you should not.

HTH.....

Regards,
Kent

 

Hi all,

I have had a few people ask, so here is the patch to change back your folder view settings:

This registry script will force Windows to change back to default folder view mode:

Copy the contents of the Quote box to Notepad, and save in a location of your choice as Hide.reg (make sure to save as type: "All Files").

Doubleclick Hide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

Regards,
Kent