Adware detection every reboot

Discussion in 'adware, spyware & hijack cleaning' started by jw390898, Apr 14, 2004.

Thread Status:
Not open for further replies.
  1. jw390898

    jw390898 Registered Member

    Joined:
    Apr 13, 2004
    Posts:
    3
    I have picked something up on my machine and can't seem to clear it permanently.

    Adware, when run on boot up, picks up the same file every time even once removed. It is a registry value detection and is indicated as being in localmachine\software\microsoft\windowsnt\currentversion\winlogon and is described as a shell compromise.

    I have checked this registry and everything is intact. If I rerun adware without shutting down then the file is no longer detected, but if I restart the machine again then it's there. Incidentally I have also run AVG, Spybot, hijack this, cw shredder, A2 and have spyblaster installed and none of these have ever detected a thing. I have also tried running adaware and removing the file while having system restore turned off on all drives, but this made no difference.

    When adaware runs it seems to pick the file out while scanning Internet Explorer though and not the location given in the log and report?

    The only thing I have found is that it is not either there or found by adaware if I start the machine in safe mode.

    HELP!o_O
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  3. jw390898

    jw390898 Registered Member

    Joined:
    Apr 13, 2004
    Posts:
    3
    k, sorry, hadn't included anything before, well here it all is:-

    Adaware:-
    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :14 April 2004 18:45:17
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R291 14.04.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R290 13.04.2004
    Internal build : 220
    File location : C:\Program Files\Ad-aware 6\reflist.ref
    Total size : 1031549 Bytes
    Signature data size : 1013615 Bytes
    Reference data size : 17870 Bytes
    Signatures total : 22833
    Target categories : 10
    Target families : 445
    14-04-2004 18:44:14 Performing Webupdate...

    Installing Update...
    Reference file loaded:
    Reference Number : 01R291 14.04.2004
    Internal build : 221
    File location : C:\Program Files\Ad-aware 6\reflist.ref
    Total size : 1032769 Bytes
    Signature data size : 1014835 Bytes
    Reference data size : 17870 Bytes
    Signatures total : 22862
    Target categories : 10
    Target families : 445

    14-04-2004 18:44:23 Success.
    Update successfully downlodaded and installed.


    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium III
    Memory available:60 %
    Total physical memory:523764 kb
    Available physical memory:309564 kb
    Total page file size:1280504 kb
    Available on page file:1096944 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2050392 kb
    OS:

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    14-04-2004 18:45:17 - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 14-04-2004 17:43:22
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 14-04-2004 17:43:25
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-04-2004 17:43:25
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 01/12/2001 14:23:18
    Last accessed : 14/04/2004 17:43:25
    Last modified : 01/12/2001 14:23:18

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-04-2004 17:43:25
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 01/12/2001 14:22:28
    Last accessed : 14/04/2004 17:43:16
    Last modified : 29/08/2002 03:41:26

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-04-2004 17:43:25
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 01/12/2001 14:23:26
    Last accessed : 14/04/2004 17:43:43
    Last modified : 01/12/2001 14:23:26

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 14-04-2004 17:43:25
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 01/12/2001 14:23:26
    Last accessed : 14/04/2004 17:43:43
    Last modified : 01/12/2001 14:23:26

    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 14-04-2004 17:43:27
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 18/11/2003 20:20:31
    Last accessed : 14/04/2004 17:43:27
    Last modified : 29/08/2002 03:41:24

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-04-2004 17:43:27
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 01/12/2001 14:23:24
    Last accessed : 14/04/2004 17:43:16
    Last modified : 01/12/2001 14:23:24

    #:9 [msexec.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 14-04-2004 17:43:27
    BasePriority : Realtime
    FileSize : 67 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    CompanyName : g
    InternalName : 123
    OriginalFilename : 123.exe
    ProductName : xsrvx
    Created on : 09/04/2004 21:36:22
    Last accessed : 14/04/2004 17:43:28
    Last modified : 09/04/2004 21:36:22

    #:10 [avgcc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG7\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 292 KB
    FileVersion : 7,0,0,221
    ProductVersion : 7.0.0.221
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC
    OriginalFilename : AvgCC.EXE
    ProductName : AVG Anti-Virus System
    Created on : 26/02/2004 18:54:33
    Last accessed : 14/04/2004 17:43:43
    Last modified : 26/02/2004 18:54:33

    #:11 [avgemc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG7\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 182 KB
    FileVersion : 7,0,0,225
    ProductVersion : 7.0.0.225
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG E-Mail Scanner
    InternalName : avgemc
    OriginalFilename : avgemc.exe
    ProductName : AVG Anti-Virus System
    Created on : 01/03/2004 17:27:24
    Last accessed : 14/04/2004 17:43:16
    Last modified : 01/03/2004 17:27:25

    #:12 [soundman.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 45 KB
    FileVersion : 5.0.02
    ProductVersion : 5.0.02
    Copyright : Copyright (c) 2001-2002 Avance Logic, Inc.
    CompanyName : Avance Logic, Inc.
    FileDescription : Avance Sound Manager
    InternalName : ALSMTray
    OriginalFilename : ALSMTray.exe
    ProductName : Avance Sound Manager
    Created on : 19/11/2003 21:32:16
    Last accessed : 14/04/2004 17:43:16
    Last modified : 18/06/2002 10:44:20

    #:13 [wsys.exe]
    FilePath : C:\Program Files\Common Files\Services\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 436 KB
    FileVersion : 5, 0, 3, 1023
    ProductVersion : 5, 0, 3, 1023
    FileDescription : Service
    InternalName : Service
    ProductName : 04
    Created on : 03/12/2003 18:30:24
    Last accessed : 14/04/2004 17:43:16
    Last modified : 03/12/2003 18:30:24

    #:14 [ee.exe]
    FilePath : C:\Program Files\Evidence Eliminator\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 808 KB
    FileVersion : 5.00.0055
    ProductVersion : 5.00.0055
    Copyright : (C) 1999 - 2001 www.evidence-eliminator.com
    CompanyName : www.evidence-eliminator.com
    FileDescription : Evidence Eliminator
    InternalName : Ee
    OriginalFilename : Ee.exe
    ProductName : Evidence Eliminator
    Created on : 19/11/2003 20:07:54
    Last accessed : 14/04/2004 17:43:28
    Last modified : 18/11/2001 11:25:26

    #:15 [e_s10ic2.exe]
    FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 73 KB
    FileVersion : 3.05
    ProductVersion : 3.05
    Copyright : Copyright (C) SEIKO EPSON CORP. 2002
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Status Monitor 3
    InternalName : E_S10IC2
    OriginalFilename : E_S10IC2.EXE
    ProductName : EPSON Status Monitor 3
    Created on : 25/12/2003 22:14:53
    Last accessed : 14/04/2004 17:43:28
    Last modified : 01/07/2002 03:05:00

    #:16 [qttask.exe]
    FilePath : C:\Program Files\QuickTime\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 96 KB
    FileVersion : 6.5
    ProductVersion : QuickTime 6.5
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    OriginalFilename : QTTask.exe
    ProductName : QuickTime
    Created on : 17/01/2004 17:17:01
    Last accessed : 14/04/2004 17:43:16
    Last modified : 17/01/2004 17:17:01

    #:17 [mm_tray.exe]
    FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 8.20.0081
    ProductVersion : 8.20.0081
    Copyright : Copyright
    CompanyName : MUSICMATCH, Inc.
    FileDescription : mm_tray
    InternalName : mm_tray
    OriginalFilename : mm_tray.exe
    ProductName : MUSICMATCH JUKEBOX
    Created on : 16/02/2004 20:21:23
    Last accessed : 14/04/2004 17:43:16
    Last modified : 12/12/2003 18:55:06

    #:18 [mmtask.exe]
    FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 52 KB
    FileVersion : 1.0.0.1
    ProductVersion : 1.0.0.1
    Copyright : TODO: (c) <Company name>. All rights reserved.
    CompanyName : TODO: <Company name>
    FileDescription : TODO: <File description>
    InternalName : mmtask.exe
    OriginalFilename : mmtask.exe
    ProductName : TODO: <Product name>
    Created on : 16/02/2004 20:21:24
    Last accessed : 14/04/2004 17:43:16
    Last modified : 12/12/2003 18:55:06

    #:19 [zapro.exe]
    FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
    ThreadCreationTime : 14-04-2004 17:43:28
    BasePriority : Normal
    FileSize : 413 KB
    FileVersion : 4.0.123.012
    ProductVersion : 4.0.123.012
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : ZoneAlarm Pro
    InternalName : zapro
    OriginalFilename : zapro.exe
    ProductName : ZoneAlarm Pro
    Created on : 18/11/2003 23:51:04
    Last accessed : 14/04/2004 17:43:28
    Last modified : 10/06/2003 00:02:44

    #:20 [avgamsvr.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG7\
    ThreadCreationTime : 14-04-2004 17:43:35
    BasePriority : Normal
    FileSize : 203 KB
    FileVersion : 7,0,0,221
    ProductVersion : 7.0.0.221
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Alert Manager
    InternalName : avgamsvr
    OriginalFilename : avgamsvr.EXE
    ProductName : AVG Anti-Virus System
    Created on : 26/02/2004 18:54:33
    Last accessed : 14/04/2004 17:43:16
    Last modified : 26/02/2004 18:54:33

    #:21 [avgupsvc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG7\
    ThreadCreationTime : 14-04-2004 17:43:35
    BasePriority : Normal
    FileSize : 22 KB
    FileVersion : 7,0,0,132
    ProductVersion : 7.0.0.132
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Update Service
    InternalName : avgupsvc
    OriginalFilename : avgupdsvc.EXE
    ProductName : AVG 7.0 Anti-Virus System
    Created on : 18/11/2003 23:48:08
    Last accessed : 14/04/2004 17:43:16
    Last modified : 18/11/2003 23:48:08

    #:22 [dkservice.exe]
    FilePath : C:\Program Files\Diskeeper\
    ThreadCreationTime : 14-04-2004 17:43:35
    BasePriority : Normal
    FileSize : 416 KB
    FileVersion : 8.0.459.0
    ProductVersion : 8.0.459.0
    CompanyName : Executive Software International, Inc.
    FileDescription : DKSERVICE.EXE
    InternalName : DKSERVICE
    OriginalFilename : DKSERVICE
    ProductName : Diskeeper (TM) Disk Defragmenter
    Created on : 22/08/2003 02:24:08
    Last accessed : 14/04/2004 17:43:16
    Last modified : 22/08/2003 02:24:08

    #:23 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ThreadCreationTime : 14-04-2004 17:43:35
    BasePriority : Normal
    FileSize : 92 KB
    FileVersion : 2, 3, 0, 0
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright (C) SEIKO EPSON CORP. 2000-2001
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    OriginalFilename : SAgent2.exe
    ProductName : EPSON Bidirectional Printer
    Created on : 25/12/2003 22:14:54
    Last accessed : 14/04/2004 17:43:16
    Last modified : 17/07/2002 02:03:00

    #:24 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 14-04-2004 17:43:35
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 6.14.10.5216
    ProductVersion : 6.14.10.5216
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 52.16
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 52.16
    Created on : 06/10/2003 14:16:00
    Last accessed : 14/04/2004 17:43:23
    Last modified : 06/10/2003 14:16:00

    #:25 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 14-04-2004 17:43:35
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 01/12/2001 14:23:26
    Last accessed : 14/04/2004 17:43:43
    Last modified : 01/12/2001 14:23:26

    #:26 [ulcdrsvr.exe]
    FilePath : C:\Program Files\Common Files\Ulead Systems\DVD\
    ThreadCreationTime : 14-04-2004 17:43:39
    BasePriority : Normal
    FileSize : 48 KB
    FileVersion : 1, 0, 0, 3
    ProductVersion : 1, 0, 0, 3
    Copyright : Copyright
    CompanyName : Ulead Systems, Inc.
    FileDescription : ULCDRSvr
    InternalName : ULCDRSvr
    OriginalFilename : ULCDRSvr.exe
    ProductName : Ulead Systems ULCDRSvr
    Created on : 12/04/2004 10:57:20
    Last accessed : 14/04/2004 17:43:23
    Last modified : 12/11/2003 03:48:20

    #:27 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ThreadCreationTime : 14-04-2004 17:43:39
    BasePriority : Normal
    FileSize : 873 KB
    FileVersion : 4.0.123.012
    ProductVersion : 4.0.123.012
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 18/11/2003 23:51:02
    Last accessed : 14/04/2004 17:43:23
    Last modified : 10/06/2003 00:02:12

    #:28 [msimn.exe]
    FilePath : C:\Program Files\Outlook Express\
    ThreadCreationTime : 14-04-2004 17:44:07
    BasePriority : Normal
    FileSize : 55 KB
    FileVersion : 6.00.2800.1123
    ProductVersion : 6.00.2800.1123
    CompanyName : Microsoft Corporation
    FileDescription : Outlook Express
    InternalName : MSIMN
    OriginalFilename : MSIMN.EXE
    ProductName : Microsoft
    Created on : 03/03/2003 15:57:18
    Last accessed : 14/04/2004 17:44:08
    Last modified : 03/03/2003 15:57:18

    #:29 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 14-04-2004 17:44:08
    BasePriority : Normal
    FileSize : 1456 KB
    FileVersion : 4.7.2009
    ProductVersion : Version 4.7
    Copyright : Copyright (c) Microsoft Corporation 1997-2003
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 14/04/2003 19:30:14
    Last accessed : 14/04/2004 17:44:08
    Last modified : 14/04/2003 19:30:14

    #:30 [ad-aware.exe]
    FilePath : C:\Program Files\Ad-aware 6\
    ThreadCreationTime : 14-04-2004 17:44:09
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 19/11/2003 18:38:33
    Last accessed : 14/04/2004 17:44:10
    Last modified : 12/07/2003 22:00:20

    #:31 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 14-04-2004 17:44:58
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft
    Created on : 18/11/2003 20:20:50
    Last accessed : 14/04/2004 17:44:59
    Last modified : 29/08/2002 03:41:26

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Windows Object recognized!
    Type : RegData
    Data :
    Category : Vulnerability
    Comment : Shell Possibly Compromised
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value : Shell
    Data :


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    2 entries scanned.
    New objects :0
    Objects found so far: 1




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    18:46:36 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:18:547
    Objects scanned :44789
    Objects identified :1
    Objects ignored :0
    New objects :1


    Hijack This:-
    Logfile of HijackThis v1.97.7
    Scan saved at 18:49:20, on 14/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\msexec.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Services\wsys.exe
    C:\Program Files\Evidence Eliminator\ee.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Diskeeper\DkService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jamie\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\msexec.exe
    F1 - win.ini: load=C:\WINDOWS\msexec.exe
    F1 - win.ini: run=C:\WINDOWS\msexec.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\msexec.exe
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe
    O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Services Controller] C:\WINDOWS\msexec.exe
    O4 - HKCU\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S10C.tmp"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    CW Shredder:-
    CWShredder v1.56.2 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Jamie\Application Data
    Username: Jamie

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (771 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (570 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -



    I'm stumped
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jw390898,

    AdAware is right, but can't help you because I don't think this is spyware.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\msexec.exe
    F1 - win.ini: load=C:\WINDOWS\msexec.exe
    F1 - win.ini: run=C:\WINDOWS\msexec.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\msexec.exe

    O4 - HKLM\..\Run: [Services Controller] C:\WINDOWS\msexec.exe

    Then reboot and surf to: http://www.kaspersky.com/remoteviruschk.html

    Upload C:\WINDOWS\msexec.exe there and let us know the results.
    There are several viruses and trojans using that filename, so we will have to establish which one we are dealing with to find out what further actions are required.

    Regards,

    Pieter
     
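The F0/F1/F2/O4 lines Pieter picks out all describe the same persistence pattern: on Windows XP the Winlogon `Shell` value (and its system.ini counterpart) should read exactly `Explorer.exe`, and win.ini `load=`/`run=` should be empty; anything appended there is started together with the shell at every logon, which is why the file returned after each reboot even though the Ad-aware detection was "removed". As an added example that is not code from the thread or from Ad-aware, HijackThis or CWShredder, here is a small Python checker that reads HijackThis-style lines and flags those entries. The sample log text is constructed from the lines posted above, and the `known_good` allowlist for O4 entries is an assumption made for the demonstration (a real baseline would come from a known-clean machine).

```python
import re

# Constructed sample: HijackThis-style lines taken from the log in this thread,
# plus one ordinary O4 entry so the allowlist has something to accept.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\msexec.exe
F1 - win.ini: load=C:\WINDOWS\msexec.exe
F1 - win.ini: run=C:\WINDOWS\msexec.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\msexec.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Services Controller] C:\WINDOWS\msexec.exe
"""

# Every HijackThis line starts with a section code such as F0, O4, O16.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def shell_extras(shell_value):
    """Return every token of a Shell value other than Explorer.exe.

    A clean XP Shell value is exactly 'Explorer.exe'. Winlogon treats commas and
    spaces as separators, so each extra token is another program launched with the
    shell at logon. (Paths containing spaces are split too; good enough for a log
    triage, not a full command-line parser.)
    """
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if t.lower() not in ("explorer.exe", "explorer")]


def parse_hjt_line(line):
    """Split one HijackThis line into (section code, remainder) or None."""
    m = LINE_RE.match(line.strip())
    return (m.group("kind"), m.group("rest")) if m else None


def find_startup_hijacks(log_text, known_good=frozenset()):
    """Return (section, detail) findings for shell/load/run abuse and unknown Run entries."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if not parsed:
            continue
        kind, rest = parsed
        if kind in ("F0", "F2"):
            # F0 is the system.ini Shell= line; F2 is the registry copy of the same
            # setting (HKLM\...\Winlogon\Shell). Both must be bare Explorer.exe.
            _, _, value = rest.partition("Shell=")
            for extra in shell_extras(value):
                findings.append((kind, extra))
        elif kind == "F1":
            # win.ini load= / run= are legacy autostart keys; on XP they should be empty.
            _, _, value = rest.partition(": ")
            _key, _, target = value.partition("=")
            if target.strip():
                findings.append((kind, target.strip()))
        elif kind == "O4":
            # Run-key entries: report anything not on the caller's known-good allowlist.
            m = O4_RE.search(rest)
            if m and m.group("cmd").strip() not in known_good:
                findings.append((kind, f"{m.group('name').strip()} -> {m.group('cmd').strip()}"))
    return findings


def suspicious_targets(findings):
    """Collapse findings to the set of distinct executables they point at."""
    return {detail.split(" -> ")[-1] for _kind, detail in findings}


if __name__ == "__main__":
    results = find_startup_hijacks(SAMPLE_LOG, known_good={"SOUNDMAN.EXE"})
    for kind, detail in results:
        print(f"{kind}: {detail}")
    print("distinct targets:", suspicious_targets(results))
```

Run over the sample, the checker reports the same file from four different autostart locations, which is the practical lesson of this thread: clearing only the registry value Ad-aware flagged leaves the other three entries to recreate the problem at the next logon, so every location that names the file has to be fixed in the same pass.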
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'd say also submit a copy to both us, and AVG support since you have AVG and TDS installed :) submit@diamondcs.com.au for me, unsure about AVG submissions address

    Could be YAHA/LENTIN but then again it could be anything
     
  6. jw390898

    jw390898 Registered Member

    Joined:
    Apr 13, 2004
    Posts:
    3
    Right, got the bas*ard!

    You're quite right, it quickly became clear that this was not spyware, but I was confused by the issue that nothing picked it up (in terms of virus software): AVG, Stinger, Norton, Sophos.

    From a bit of research it appeared that I had the w32Kullan worm (aka w32sory) and it appeared that it was just about the only bloody worm that there wasn't a removal tool out there for.

    I did eventually come across a page which indicated the particular registry keys to check in, as the worm copies itself once launched on start up to the root that adaware was picking it up from, hence why I could remove the end product every reboot but it still came back.

    Anyway I can't be sure if it was kullan as judging from the help page I worked from it would suggest that the altered values would indicate kullan in the name, but I only kept finding msexec (like you guys had said). So I have now removed all traces of this and tidied the registry, I believe I have repaired all known damage caused by the worm, and hey presto adaware no longer finds anything.

    I may have even had 2 worms as from checking all these help sites I came across more worms in my c:\windows: view all files and look for files such as bigfoot.bmp and a couple of other named bitmap files and logs, nothing you would have ever put there; it appears to be quite common from what I could determine.

    appreciate the replies guys !! :D
     
  7. jhbarker

    jhbarker Registered Member

    Joined:
    May 8, 2004
    Posts:
    1
    Help

    I have the same problem with my home computer and am unable to get rid of it. Member jw390898 says that she came across a page that indicated the particular registries to check.

    Can you help me out here?

    Thanks
    JH Barker
     