Backdoor.Agent.BA

Discussion in 'adware, spyware & hijack cleaning' started by the_jewish_jew855, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    I have recently had many, MANY virus related problems with my computer. AntiVirus and Spyware programs close randomly, my computer runs slowly and sometimes not at all, etc. etc. Anyways, my main problem is this piece of **** Backdoor.Agent.BA virus. I followed the instructions on another forum and ran HijackThis (also closes randomly). I have the log here:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\msvsrv32.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\xvshost.exe
    C:\Documents and Settings\Owner.Jewster\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qwertysearch123.biz/?id=1120
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.zapros.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zapros.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\Run: [Desktop] rundll32.exe C:\WINDOWS\System32\avpcc.dll,Restore ControlPanel
    O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [msvsrv32] msvsrv32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\RunServices: [msvsrv32] msvsrv32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Macromedia Drive] iexplor32.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    If anyone can help me out with Backdoor or the random closing of my spyware and antivirus programs, please send me and email. If you want to help the whole world out with Backdoor or random closing of their spyware and antivirus programs, just post a solution.

    Thanks, The Jew
     
  2. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    Helpage

    Well, I have waited a whole 24 hours. I've had time to shower, roof a whole house, come home, and type this and there still seems to be no solution. It's not like I'm in a hurry or anything, it's just that I want my damn computer back. Hey now, I appreciate it.

    Thanks
    The Jew

    "By the way, I know the only reason I'm having these problems is because I have an HP... not having an HP would help, but it's out of the question"
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi The_Jewish_ Jew855,

    Actually Tony had asked you to get an on-line virus scan in this thread: https://www.wilderssecurity.com/showthread.php?t=39013
    From your log, it doesn't look like you did that.

    Before you start, create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis off the desktop and into it's own folder. HijackThis must run from it's own folder and not the Desktop or Temp folders. It creates backups in the folder it is ran from, so if you should delete something you needed, you will be able to restore it from the backups.

    Next, bring up TaskManager (ctrl+alt+del keys) and end the running processes for the following files, if you can:
    wuamgrd.exe
    msvsrv32.exe
    xvshost.exe

    Navigate to the msvsrv32.exe in the C:\Windows\System32 folder and zip up a copy of it (password protect it and use the word infected as the password) and email the zipped copy of the file to pieterATwilderssecurity.org (replace the AT with an @) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily. Can you also submit a zipped copy to submit@diamondcs.com.au

    Then download CWShredder and put it in a place you will easily find it for a later step.

    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    ****

    Next, place a check beside the following items in HijackThis.
    Close all windows except HijackThis, and click *Fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qwertysearch123.biz/?id=1120
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.zapros.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zapros.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\Run: [msvsrv32] msvsrv32.exe

    O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Macromedia Drive] iexplor32.exe
    O4 - HKLM\..\RunServices: [msvsrv32] msvsrv32.exe

    O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Macromedia Drive] iexplor32.exe

    O4 - Global Startup: winlogin.exe


    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following listed in bold:

    C:\WINDOWS\System32\msvsrv32.exe <-- after you've submitted it please.
    C:\WINDOWS\System32\xvshost.exe
    C:\WINDOWS\System32\wuamgrd.exe
    scvhost.exe <--do a search for this file (note the spelling, the one you want to delete starts with scv. Do not delete the legitimate svchost.exe)
    iexplor32.exe <--do a search for this one spelled exactly like this.
    winlogin.exe <-- do a search for this file (note the spelling) and delete ONLY the one spelled like that. Do not delete the legitimate winlogon.exe)

    Also, I am not sure about this one:
    O4 - HKLM\..\Run: [Desktop] rundll32.exe C:\WINDOWS\System32\avpcc.dll,Restore ControlPanel
    For now, do not fix it, but I'd like you to upload the 'avpcc.dll' (it's in the System32 folder) for a scan at Kaspersky. Let me know what the scan results say about the file.


    While still in safe mode, run CWShredder
    Click the *Fix button, and follow the instructions you receive from the program.

    Reboot your computer normally, and do a FULL system scan at one of these on-line scan sites: Free Services

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    Then go to Microsoft's Update Site and download and install ALL Critical Updates listed for XP and IE6 installed.

    ****

    Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.


    Your log also shows that MSConfig is running at startup. This means that you are using the "diagnostic startup" rather than the "normal startup". This means that some entries will not show up in the Hijack this log which makes it difficult for us to know what other malware files may be on your computer. Before posting a fresh log, would you please open MSConfig, and choose the "normal startup" option. Close MSConfig, reboot your computer, and post a new hijackthis log (in this thread) to be checked.

    Regards,

    snap

    *Also, please include the top portion of the hijackthis log. The section that shows the version of Hijackthis, the scan time and date, and the operating system and version of IE, otherwise, I am guessing at what you are running.

    wuamgrd reference -> Trendmicro: WORM_RBOT.AE
     
    Last edited: Jul 2, 2004
  4. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 2:52:21 PM, on 7/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\AVG Virus Scanner\avgcc32.exe
    C:\WINDOWS\System32\hpsysmon.exe
    C:\WINDOWS\System32\msdns.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\AVGVIR~1\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\WINDOWS\System32\mssp.exe
    C:\Documents and Settings\Owner.Jewster\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
    O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [Process Session Manager] pidserv.exe
    O4 - HKLM\..\RunServices: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\RunServices: [Process Session Manager] pidserv.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKCU\..\Run: [Process Session Manager] pidserv.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    This is my newest log, after following the direction's you yourself gave me.
    ALSO: My internet connection seems to be failing off and on, and yesterday my keyboard quit working... but behold, it now works... I dont know if that has anything to do with anything, but please tell me if you find any more problems... oh yeah, I also have this file on my desktop... every time I delete it, it changes it's name and comes back. It's a real pisser o_O

    Thanks
    The Jew
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    You're gonna make me guess right? ;) I'll need more information than provided to figure out what kind of file you are trying to describe.

    Alrighty, are you sure you followed all my instructions?

    We got rid of some of the bad files, and seemed to have acquired a few more.

    Did you do an on-line virus scan like I asked? You have another worm and a few other suspicious entries there I am not finding much information on.

    You also have not moved Hijackthis off the desktop and into it's own folder. Please do that now before you continue.

    You have also not updated your operating system nor IE. You will continue to be infected unless you do that immediately.

    To double-check some of these files, I need you to upload each of the following files (individually) for a scan at Kaspersky. Please post back what the scan says about them, that will determine if we need to delete the one's I am unfamiliar with.
    C:\WINDOWS\System32\msdns.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\WINDOWS\System32\mssp.exe

    Then zip up copies of them (password protect it and use the word infected as the password) and email the zipped copies to, pieterATwilderssecurity.org (replace the AT with an @) and also to submit@diamondcs.com.au for analysis. In the body of the email message, state that the password is "infected" and include a link back to this thread.

    Also, did you submit the files that I had requested in my previous post before you deleted them?

    In Hijackthis, place a check beside the following items.
    Close all windows except HijackThis, and click *Fix checked

    O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
    O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Process Session Manager] pidserv.exe
    O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\RunServices: [Process Session Manager] pidserv.exe
    O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKCU\..\Run: [Process Session Manager] pidserv.exe
    O4 - Global Startup: winlogin.exe

    You were suppose to delete the 'winlogin.exe' file as earlier instructed. It is not the legitimate winlogon.exe file. You will have to reboot your computer into safe mode to delete it. Do a search for the winlogin.exe file and delete it. (watch the spelling, the one you want to delete is spelled winlogin).
    O4 - Global Startup: winlogin.exe

    Next, do a full system scan with one of these on-line virus scanners (turn off your antivirus while doing the on-line scans): Free Services.
    Followup with a full scan with both AdAware and Spybot S&D (links are in my first post)
    Then go to Microsoft Update site and get ALL the Critical Updates for XP and IE.

    Once you have done the above, rescan with Hijackthis and post a new log.
    Regards,

    snap

    Reference: pidserve.exe - Spybot.PI Worm
     
    Last edited: Jul 3, 2004
  6. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    I'm having troubly with my connection... pain in the ass... I'll get ahold of my provider... I had a whole 4 paragraphs written about why's and what's but my connection failed again... I hate Suscom. I'll get back to you, and I'm sorry about the short replies

    Thanks
    The Jew
     
  7. the_jewish_jew855

    the_jewish_jew855 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:03 AM, on 7/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVGVIR~1\avgserv.exe
    C:\WINDOWS\System32\mssp.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\AVG Virus Scanner\avgcc32.exe
    C:\WINDOWS\System32\hpsysmon.exe
    C:\WINDOWS\System32\msdns.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMJB.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner.Jewster\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\AVG Virus Scanner\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
    O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [Process Session Manager] pidserv.exe
    O4 - HKLM\..\RunServices: [HP System Monitor] hpsysmon.exe
    O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
    O4 - HKLM\..\RunServices: [Process Session Manager] pidserv.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HP System Monitor] hpsysmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
    O4 - HKCU\..\Run: [Process Session Manager] pidserv.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I have the updates, and a guy came over and cleaned out my computer. I am virus (and problem) free. If you see anything, please tell me, though. I appreciate your patience

    Thanks
    The Jew
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi The_Jew,

    These files are still there, and I am very suspicious of them, unless you know what they are for and why they are there:

    C:\WINDOWS\System32\msdns.exe
    C:\WINDOWS\System32\winipcfgs.exe
    C:\WINDOWS\System32\pidserv.exe
    C:\WINDOWS\System32\mssp.exe

    Did you upload them to Kaspersky for a scan, and did you submit them for analysis to the email addresses as I requested in my previous posts, along with the other file msvsrv32.exe that was present in your first log? If not, can you do that now please and also post back what the Kaspersky scan says about them.

    Regards,

    snap
     
Thread Status:
Not open for further replies.