1 on 1 dialler - another victim

Discussion in 'adware, spyware & hijack cleaning' started by KeithL, May 6, 2004.

Thread Status:
Not open for further replies.
  1. KeithL

    KeithL Registered Member

    Joined:
    May 4, 2004
    Posts:
    6
    One more “1on1 victim” – more like “one on many, many, ……”. I have taken advice and deleted certain files, etc. but have not been brave enough yet to go on-line on my infected PC.

    I still have most of the files I deleted in my recycle bin and have not yet deleted old restore points. One file I deleted that was not mentioned in anything I have read, but which had the triple X icon, was “MSN.EXE”.

    I also deleted all prefetch files. My system is working OK off-line although Windows Explorer acted a bit weird when I dragged files from a floppy. Also I was following instructions on how to backup my XP registry and found that the Backup icon was missing in system tools and that the backup option in the new look control panel just did nothing. Could I have deleted something I shouldn’t have?

    I deleted all my temp files and sub-folders in \temp and \temporary internet files folders (still in recycle bin though). I also deleted all files in a sub-folder called \cache, but from no other folders with cache in the folder name.

    I had one file that was similarly named to one thought to be a problem. Mine is C:\Windows\svchost.ex_ rather than C:\Windows\svchost.exe. I have not deleted it.

    The only thing I am a bit worried about is that Win Doctor gave a registry error in startup for csrss.exe. I have two files of this name in the “…\system32” folder and in its sub-folder “dllcache”. Win Doctor gave me a manual option of deleting the registry entry, which I did. Did I do wrong? If so, can I get it back?

    Anyway, here is my logfile and any help you can give me is greatly appreciated. (I would like to get backup back if possible). The MXOALDR.EXE entry below looked a bit worrying however I do have a lot of Maxtor s/w for my scanner and the same file name in C:\Windows says it is “Maxtor MXO autoloader application” from “Cypress Semiconductors, created 7/4/2003”.

    KeithL

    Logfile of HijackThis v1.97.7
    Scan saved at 21:46:02, on 05/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\xl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\S3tray2.exe
    C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    C:\Program Files\Business Software\PopKill.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\QKeys\QKeys.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Documents and Settings\Keith\Desktop\05-05-04\Virus Progs\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: QKeys.lnk = C:\Program Files\QKeys\QKeys.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.gmtv.co.uk/ftp/misc/dropdial/2504mazda.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37597.5778703704
    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.coulomb.co.uk/del/L220094.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hello KeithL,

    Check the following items, then close all windows except HijackThis and click "Fix Checked".


    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab

    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.gmtv.co.uk/ftp/misc/dropdial/2504mazda.cab

    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.coulomb.co.uk/del/L220094.cab


    Then run hijackthis and post a new log.


    You need to update Windows and IE to get all the latest security patches that protect your computer.

    This can be accessed by going to http://v4.windowsupdate.microsoft.com/ and following the prompts.


    I suggest that you install SpywareBlaster to prevent further infections:

    SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html
     
  3. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Reread your post and noted that you said you found a process called C:\Windows\svchost.ex_ . Svchost.exe should only be in the system32 folder, like this: C:\Windows\System32\svchost.exe. It is normal for there to be more than one in the running processes. Any other location is bad, so you should update Norton and do a full system scan. I would also do an online scan for a second opinion. Take a free online virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx.

    After doing all of the items I have suggested, post a new hijackthis log for review.
     
    Last edited: May 9, 2004
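A small triage script, added here as an example (not code from the thread, from HijackThis or from its authors), that applies the two checks Nick's replies describe: O16 DPF entries whose cab is served from a host outside a trusted allowlist, and an svchost.exe running anywhere other than C:\WINDOWS\System32. The allowlist and the log excerpt are constructed for the example; the O16 lines are taken from KeithL's first log.

```python
import re
from urllib.parse import urlsplit

# Hosts this home user would reasonably trust to serve ActiveX cabs.
# Assumed allowlist for the example; tune it for your own environment.
TRUSTED_O16_HOSTS = {
    "download.macromedia.com",
    "office.microsoft.com",
    "v4.windowsupdate.microsoft.com",
}

# "O16 - DPF: {CLSID} (optional name) - URL", as HijackThis 1.97 prints it.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
# A "Running processes" line is just a full path; capture the file name.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.*\\([^\\]+)$")

def flag_o16(line, trusted=TRUSTED_O16_HOSTS):
    """Return (clsid, host) if the O16 entry pulls a cab from an untrusted host."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    clsid, _name, url = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return None if host in trusted else (clsid, host)

def flag_svchost(line):
    """Return the path if a running svchost.exe lives outside C:\\WINDOWS\\System32."""
    path = line.strip()
    m = PROCESS_RE.match(path)
    if not m or m.group(1).lower() != "svchost.exe":
        return None
    parent = path[: -len(m.group(1))].rstrip("\\").lower()
    return None if parent == r"c:\windows\system32" else path

def triage(log_text):
    """Collect the two kinds of item the replies in this thread single out."""
    suspect_o16, suspect_svchost = [], []
    for line in log_text.splitlines():
        o16 = flag_o16(line)
        if o16:
            suspect_o16.append(o16)
        svc = flag_svchost(line)
        if svc:
            suspect_svchost.append(svc)
    return suspect_o16, suspect_svchost

# Constructed excerpt: O16 lines from KeithL's first log plus one svchost.exe
# path outside System32 (not in his log) to exercise the second check.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.gmtv.co.uk/ftp/misc/dropdial/2504mazda.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37597.5778703704
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.coulomb.co.uk/del/L220094.cab
"""
```

Run `triage(SAMPLE_LOG)` to get the three untrusted O16 entries Nick told KeithL to fix and the out-of-place svchost.exe; a real log is fed in the same way, with the allowlist adjusted to the sites the user actually relies on.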
  4. KeithL

    KeithL Registered Member

    Joined:
    May 4, 2004
    Posts:
    6
    Does anyone else have the ".ex_" file on their machine - has it a purpose?
     
  5. KeithL

    KeithL Registered Member

    Joined:
    May 4, 2004
    Posts:
    6
    Thanks Nick - just seen your first response - will do as you suggest. I can't download on my PC 'coz of the virus. I am trying to get someone at work to copy the programmes you (and others) have suggested onto CD-ROM for me. I have also ordered up XP service pack 1 on CD to get me to a position that the security downloads can be applied. Lastly I have signed up for Broadband as Freeserve Anytime does not allow you on-line long enough for some of the downloads.
    I have Norton AV which did not catch this (you need "extended virus threat protection" apparently!). I am staying off-line as much as possible until I have done as much as I can to eradicate this virus and stop it, and others, coming back.

    Thanks, KeithL.
     
  6. KeithL

    KeithL Registered Member

    Joined:
    May 4, 2004
    Posts:
    6
    Nick,

    Here is the log after ticking and fixing the three items you identified. It turns out that the “svchost.ex_” file was in the Windows sub-folder I386 alongside a lot of other ex_ files. I have not deleted it.

    Your help is very much appreciated as this is a debilitating virus and those responsible are sick!

    A quick question: what “cache” files, if any should be deleted? Anything in folders with “cache” in the name, or what?

    Kind regards,

    KeithL (UK)

    Logfile of HijackThis v1.97.7
    Scan saved at 22:56:51, on 06/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\xl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\S3tray2.exe
    C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    C:\Program Files\Business Software\PopKill.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\QKeys\QKeys.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Keith\Desktop\05-05-04\Virus Progs\Virus2\Virus3\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [PopKill] C:\Program Files\Business Software\PopKill.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: QKeys.lnk = C:\Program Files\QKeys\QKeys.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37597.5778703704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. KeithL

    KeithL Registered Member

    Joined:
    May 4, 2004
    Posts:
    6
    Hi again!

    I am hoping that no news is good news although I can see you guys are very busy.

    Is the log in my previous post clean? Also, what cache folders/files can I safely delete?

    Cheers,

    KeithL.
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Keith L

    Yes, your log looks OK, but:

    1) Open Internet Explorer and click on Tools
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    Then follow this advice:

    Boot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Then, using Windows Explorer, go to C:\Documents and Settings\USER NAME\Local Settings\Temp, select everything in that folder and delete it.
    As XP will not let you delete files less than 24 hours old (it thinks it might need them), please also do this:

    While in the temp folder, select View and select Details.

    Then right-click a blank part and select Arrange Icons By, and select Show in Groups and Modified; that will give a list of all files in date order with today at the top of the page.

    Select all the files/folders except the "today" ones and delete them all.


    Turn off System Restore by following the instructions here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point.

    Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

    And it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
     
  9. KeithL

    KeithL Registered Member

    Joined:
    May 4, 2004
    Posts:
    6
    Thank you so much for all this help. I spent 5 hours on-line last night and downloaded and installed nearly 100 MB of Windows and Office updates. I last did this in Dec. 2002! I guess I've been lucky up to now but after getting this horrible virus, or whatever it is, I am now loaded to the gills with Ad-aware, Spybot, CWShredder and anything else I have found (including my bought and paid for Norton AV). I hope that they all live well with each other!

    Very many thanks,

    Kind regards,

    KeithL.
     