Backdoor.Agent.BA

Discussion in 'adware, spyware & hijack cleaning' started by the_jewish_jew855, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    I have recently had many, MANY virus related problems with my computer. AntiVirus and Spyware programs close randomly, my computer runs slowly and sometimes not at all, etc. etc. Anyways, my main problem is this piece of **** Backdoor.Agent.BA virus. I followed the instructions on another forum and ran HijackThis (also closes randomly). I have the log here:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\msvsrv32.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\xvshost.exe
    C:\Documents and Settings\Owner.Jewster\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qwertysearch123.biz/?id=1120
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.zapros.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zapros.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\Run: [Desktop] rundll32.exe C:\WINDOWS\System32\avpcc.dll,Restore ControlPanel
    O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [msvsrv32] msvsrv32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\RunServices: [msvsrv32] msvsrv32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Macromedia Drive] iexplor32.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    If anyone can help me out with Backdoor or the random closing of my spyware and antivirus programs, please send me an email. If you want to help the whole world out with Backdoor or random closing of their spyware and antivirus programs, just post a solution.

    Thanks, The Jew
     
  2. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    Helpage

    Well, I have waited a whole 24 hours. I've had time to shower, roof a whole house, come home, and type this and there still seems to be no solution. It's not like I'm in a hurry or anything, it's just that I want my damn computer back. Hey now, I appreciate it.

    Thanks
    The Jew

    "By the way, I know the only reason I'm having these problems is because I have an HP... not having an HP would help, but it's out of the question"
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi The_Jewish_Jew855,

    Actually Tony had asked you to get an on-line virus scan in this thread: https://www.wilderssecurity.com/showthread.php?t=39013
    From your log, it doesn't look like you did that.

    Before you start, create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis off the desktop and into its own folder. HijackThis must run from its own folder and not the Desktop or Temp folders. It creates backups in the folder it is run from, so if you should delete something you needed, you will be able to restore it from the backups.

    Next, bring up TaskManager (ctrl+alt+del keys) and end the running processes for the following files, if you can:
    wuamgrd.exe
    msvsrv32.exe
    xvshost.exe

    Navigate to the msvsrv32.exe in the C:\Windows\System32 folder and zip up a copy of it (password protect it and use the word infected as the password) and email the zipped copy of the file to pieterATwilderssecurity.org (replace the AT with an @) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily. Can you also submit a zipped copy to submit@diamondcs.com.au

    Then download CWShredder and put it in a place you will easily find it for a later step.

    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    ****

    Next, place a check beside the following items in HijackThis.
    Close all windows except HijackThis, and click *Fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qwertysearch123.biz/?id=1120
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.zapros.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zapros.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\Run: [msvsrv32] msvsrv32.exe

    O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\RunServices: [msvsrv32] msvsrv32.exe

    O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Macromedia Drive] iexplor32.exe

    O4 - Global Startup: winlogin.exe


    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following listed in bold:

    C:\WINDOWS\System32\msvsrv32.exe <-- after you've submitted it please.
    C:\WINDOWS\System32\xvshost.exe
    C:\WINDOWS\System32\wuamgrd.exe
    scvhost.exe <--do a search for this file (note the spelling, the one you want to delete starts with scv. Do not delete the legitimate svchost.exe)
    iexplor32.exe <--do a search for this one spelled exactly like this.
    winlogin.exe <-- do a search for this file (note the spelling) and delete ONLY the one spelled like that. Do not delete the legitimate winlogon.exe)

    Also, I am not sure about this one:
    O4 - HKLM\..\Run: [Desktop] rundll32.exe C:\WINDOWS\System32\avpcc.dll,Restore ControlPanel
    For now, do not fix it, but I'd like you to upload the 'avpcc.dll' (it's in the System32 folder) for a scan at Kaspersky. Let me know what the scan results say about the file.


    While still in safe mode, run CWShredder
    Click the *Fix button, and follow the instructions you receive from the program.

    Reboot your computer normally, and do a FULL system scan at one of these on-line scan sites: Free Services

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    Then go to Microsoft's Update Site and download and install ALL Critical Updates listed for XP and IE6 installed.

    ****

    Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.


    Your log also shows that MSConfig is running at startup. This means that you are using the "diagnostic startup" rather than the "normal startup". This means that some entries will not show up in the HijackThis log, which makes it difficult for us to know what other malware files may be on your computer. Before posting a fresh log, would you please open MSConfig, and choose the "normal startup" option. Close MSConfig, reboot your computer, and post a new HijackThis log (in this thread) to be checked.

    Regards,

    snap

    *Also, please include the top portion of the hijackthis log. The section that shows the version of Hijackthis, the scan time and date, and the operating system and version of IE, otherwise, I am guessing at what you are running.

    wuamgrd reference -> Trendmicro: WORM_RBOT.AE
     
    Last edited: Jul 2, 2004
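The post above picks its targets by eye: bare file names in the Run/RunServices keys, names that are one or two letters off a real Windows binary (scvhost.exe for svchost.exe, winlogin.exe for winlogon.exe), the same name registered in several autostart keys at once, and R0/R1 search entries pointing somewhere other than the vendor defaults. The script below is an added example that encodes those four checks as triage heuristics over a HijackThis-style log; it is not HijackThis code or anything from the posters. The list of core binaries, the expected-host list (Yahoo and HP treated as the OEM defaults) and the sample log (a subset of the first log in this thread) are assumptions made for the example.

```python
"""Triage heuristics for a HijackThis-style log.

Added example for this thread; not code from HijackThis or its author.
It encodes the patterns the cleanup post keys on:
  - O4 autostart commands that are a bare file name (no path), which the
    loader resolves by searching PATH instead of a known vendor directory;
  - bare names within edit distance 2 of a core Windows binary
    (scvhost.exe vs svchost.exe, winlogin.exe vs winlogon.exe);
  - one bare name registered under several autostart keys at once;
  - R0/R1 start/search entries pointing at a host outside an expected list.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Core Windows XP binaries that the look-alike names in the thread imitate (assumed list).
CORE_BINARIES = {
    "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe",
    "spoolsv.exe", "explorer.exe", "iexplore.exe", "wuauclt.exe", "csrss.exe",
}
# Assumption for this example: Yahoo and HP entries are the OEM/vendor defaults.
EXPECTED_HOSTS = ("yahoo.com", "hpwis.com", "microsoft.com", "msn.com")

O4_KEY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[[^\]]*\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.+)$")
R_ENTRY = re.compile(r"^R[01] - .+ = (\S+)$")

# Constructed sample: a subset of the entries from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qwertysearch123.biz/?id=1120
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zapros.com/search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: winlogin.exe
"""


def levenshtein(a, b):
    """Classic edit distance; inputs are short file names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the core binary a name imitates, or None if it is exact or unrelated."""
    if name in CORE_BINARIES:
        return None
    for core in sorted(CORE_BINARIES):
        if levenshtein(name, core) <= 2:
            return core
    return None


def executable_of(cmd):
    """Pull the program out of a Run value: quoted path, else up to '.exe', else first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def basename(exe):
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_bare(exe):
    """True when the value carries no directory, so Windows resolves it via PATH search."""
    return "\\" not in exe and "/" not in exe


def triage(log_text):
    findings = []
    keys_by_name = defaultdict(set)          # bare name -> autostart keys it sits in
    for raw in log_text.splitlines():
        line = raw.strip()
        where, cmd = None, None
        m = O4_KEY.match(line)
        if m:
            hive, key, cmd = m.groups()
            where = hive + "\\" + key
        else:
            m = O4_STARTUP.match(line)
            if m:
                where, cmd = "Global Startup", m.group(1)
                if " = " in cmd:                 # .lnk entry: inspect its target
                    cmd = cmd.split(" = ", 1)[1]
        if cmd and cmd != "?":
            exe = executable_of(cmd)
            if is_bare(exe):
                name = basename(exe)
                keys_by_name[name].add(where)
                findings.append({"rule": "bare_name", "subject": name, "detail": where})
        else:
            m = R_ENTRY.match(line)
            if m:
                host = urlparse(m.group(1)).hostname   # None for values like 'localhost'
                if host and not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
                    findings.append({"rule": "search_hijack", "subject": host,
                                     "detail": line.split(" = ", 1)[0]})
    for name, keys in keys_by_name.items():
        twin = lookalike_of(name)
        if twin:
            findings.append({"rule": "lookalike", "subject": name, "detail": twin})
        if len(keys) >= 2:
            findings.append({"rule": "multi_key", "subject": name, "detail": sorted(keys)})
    return findings


def by_rule(findings, rule):
    """Map subject -> detail for one rule (convenience for reporting)."""
    return {f["subject"]: f["detail"] for f in findings if f["rule"] == rule}


def triage_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['rule']:14} {f['subject']:22} {f['detail']}")
```

On the sample, the bare_name rule fires on xvshost.exe, scvhost.exe and winlogin.exe but not on KBD.EXE or mmtask.exe, which carry full vendor paths; the look-alike rule maps xvshost.exe and scvhost.exe to svchost.exe and winlogin.exe to winlogon.exe; multi_key reports xvshost.exe in HKLM\Run, HKLM\RunServices and HKCU\Run; and search_hijack names qwertysearch123.biz and www.zapros.com while passing the Yahoo and hpwis.com defaults. These are triage signals, not verdicts: later logs in this thread show HP's own hpsysmon.exe registered as a bare name, so a bare_name hit still needs the file checked before deletion.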
  4. the_jewish_jew855

    Logfile of HijackThis v1.97.7
    Scan saved at 2:52:21 PM, on 7/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\AVG Virus Scanner\avgcc32.exe
    C:\WINDOWS\System32\hpsysmon.exe
    C:\WINDOWS\System32\msdns.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\AVGVIR~1\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\WINDOWS\System32\mssp.exe
    C:\Documents and Settings\Owner.Jewster\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
    O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [Process Session Manager] pidserv.exe
    O4 - HKLM\..\RunServices: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\RunServices: [Process Session Manager] pidserv.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKCU\..\Run: [Process Session Manager] pidserv.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    This is my newest log, after following the directions you yourself gave me.
    ALSO: My internet connection seems to be failing off and on, and yesterday my keyboard quit working... but behold, it now works... I don't know if that has anything to do with anything, but please tell me if you find any more problems... oh yeah, I also have this file on my desktop... every time I delete it, it changes its name and comes back. It's a real pisser o_O

    Thanks
    The Jew
     
  5. snapdragin

    You're gonna make me guess right? ;) I'll need more information than provided to figure out what kind of file you are trying to describe.

    Alrighty, are you sure you followed all my instructions?

    We got rid of some of the bad files, and seemed to have acquired a few more.

    Did you do an on-line virus scan like I asked? You have another worm and a few other suspicious entries there I am not finding much information on.

    You also have not moved HijackThis off the desktop and into its own folder. Please do that now before you continue.

    You have also not updated your operating system nor IE. You will continue to be infected unless you do that immediately.

    To double-check some of these files, I need you to upload each of the following files (individually) for a scan at Kaspersky. Please post back what the scan says about them; that will determine if we need to delete the ones I am unfamiliar with.
    C:\WINDOWS\System32\msdns.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\WINDOWS\System32\mssp.exe

    Then zip up copies of them (password protect it and use the word infected as the password) and email the zipped copies to, pieterATwilderssecurity.org (replace the AT with an @) and also to submit@diamondcs.com.au for analysis. In the body of the email message, state that the password is "infected" and include a link back to this thread.

    Also, did you submit the files that I had requested in my previous post before you deleted them?

    In Hijackthis, place a check beside the following items.
    Close all windows except HijackThis, and click *Fix checked

    O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
    O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Process Session Manager] pidserv.exe
    O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\RunServices: [Process Session Manager] pidserv.exe
    O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKCU\..\Run: [Process Session Manager] pidserv.exe
    O4 - Global Startup: winlogin.exe

    You were supposed to delete the 'winlogin.exe' file as earlier instructed. It is not the legitimate winlogon.exe file. You will have to reboot your computer into safe mode to delete it. Do a search for the winlogin.exe file and delete it. (watch the spelling, the one you want to delete is spelled winlogin).
    O4 - Global Startup: winlogin.exe

    Next, do a full system scan with one of these on-line virus scanners (turn off your antivirus while doing the on-line scans): Free Services.
    Followup with a full scan with both AdAware and Spybot S&D (links are in my first post)
    Then go to Microsoft Update site and get ALL the Critical Updates for XP and IE.

    Once you have done the above, rescan with Hijackthis and post a new log.
    Regards,

    snap

    Reference: pidserve.exe - Spybot.PI Worm
     
    Last edited: Jul 3, 2004
  6. the_jewish_jew855

    I'm having trouble with my connection... pain in the ass... I'll get ahold of my provider... I had a whole 4 paragraphs written about whys and whats but my connection failed again... I hate Suscom. I'll get back to you, and I'm sorry about the short replies

    Thanks
    The Jew
     
  7. the_jewish_jew855

    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:03 AM, on 7/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVGVIR~1\avgserv.exe
    C:\WINDOWS\System32\mssp.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\AVG Virus Scanner\avgcc32.exe
    C:\WINDOWS\System32\hpsysmon.exe
    C:\WINDOWS\System32\msdns.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMJB.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner.Jewster\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
    O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [Process Session Manager] pidserv.exe
    O4 - HKLM\..\RunServices: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\RunServices: [Process Session Manager] pidserv.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKCU\..\Run: [Process Session Manager] pidserv.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I have the updates, and a guy came over and cleaned out my computer. I am virus (and problem) free. If you see anything, please tell me, though. I appreciate your patience

    Thanks
    The Jew
     
  8. snapdragin

    Hi The_Jew,

    These files are still there, and I am very suspicious of them, unless you know what they are for and why they are there:

    C:\WINDOWS\System32\msdns.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\WINDOWS\System32\mssp.exe

    Did you upload them to Kaspersky for a scan, and did you submit them for analysis to the email addresses as I requested in my previous posts, along with the other file msvsrv32.exe that was present in your first log? If not, can you do that now please and also post back what the Kaspersky scan says about them.

    Regards,

    snap
     