cOOL.exe & MicroSoft.exe probs - HJT Log

Discussion in 'adware, spyware & hijack cleaning' started by jessiemcg, May 15, 2004.

Thread Status:
Not open for further replies.
  1. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Hi All,

    I have been having some problems with my computer, stuff like Norton AntiVirus not loading, etc, and noticed that cOOL.exe is in my Add\Remove Programs but it won't let me remove it. I already use AdAware and Spybot, and ran them both before I downloaded HijackThis as instructed here, so here's my log file. If anyone is able to help, it'd be much appreciated.

    Cheers,

    Jess

    Logfile of HijackThis v1.97.7
    Scan saved at 10:31:04 AM, on 16/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\officeXP.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\WINDOWS\System32\Rist0r\patch.exe
    C:\WINDOWS\System32\Rist0r\sxe6.tmp
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\SOL.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
    C:\Documents and Settings\Jessie\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Config33.exe] Config33.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
    O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
    O17 - HKLM\System\CS3\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    you're running hjt from the temp, unzip it into a permanent folder like c:\hijackthis before proceeding with it..

    i see some very suspicious entries, so before cleaning the spyware, there is something more urgent here

    download and install this
    ftp://ftp.microworldsystems.com/download/tools/mwav.exe

    recommended settings here
    http://img10.imageshack.us/img10/9808/escan_bitti.jpg


    scan your system with it, disinfect anything found.

    also get an anti trojan, in this case i recomend getting tds-3
    from www.diamondcs.com.au
    download it, install, update( download radius file from here http://www.diamondcs.com.au/tds/radius.td3 right click the link and select save target as, save it to your program files\tds directory)
    then do all available scans in tds' scan menu. clean all trojans found with tds

    post a fresh log after you're done, also report any errors and failures
     
  3. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Wow, thanks so much for your help :) Much appreciated.

    I did all the stuff you suggested, and the mwave thing seemed to have a mind of it's own and cleaned up what it wanted. If you want the log file from that, lemme know...

    I tried to use TDS-3 as suggested, but encountered a bit of a problem - basically it made the computer freeze after about two minutes - I tried it 7 or 8 different times but to no avail.

    Lastly, I installed Hijack This and ran it again in its own directory. I'll paste the log contents below. Sorry if I stuffed anything up, I was at a loss as to how to get TDS-3 working. It seemed to detect about three things at first but then it'd just freeze. Again though, I'm really appreciating all your help! You're a champion! :)

    ---------------------------


    Logfile of HijackThis v1.97.7
    Scan saved at 12:09:56 AM, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe
    C:\WINDOWS\System32\cmd.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
    O17 - HKLM\System\CS3\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi jessiemcg,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:


    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    Then reboot into safe mode and zip up:
    C:\WINDOWS\System32\Rist0r <= entire folder

    Do not leave the original in place. Then try scanning with TDS again.
    Let us know if it still doesn't work.

    Regards,

    Pieter
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    first copy these files or folders and zip them and send to submit@thespykiller.co.uk with a short note referring to this thread

    C:\WINDOWS\System32\Rist0r entire rist0r folder please
    C:\WINDOWS\System32\officeXP.exe

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d6...ip/RdxIE601.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\System32\officeXP.exe

    and Delete these folders

    C:\WINDOWS\System32\Rist0r


    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

    as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
    while in the temp folder, select view and select details.
    then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
    select all the files/folders except the today ones and delete them all.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R304 16.05.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left

    And I'll send a message out for a TDS expert to have look and give you some advice, but I suspect that the officeXP entry is an agobot version that prevents antiviruses including tds running
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Jess

    You have a bad back door hacker there that has control of the computer

    hopefully what we have suggested above will remove it

    I'm sending it on to TDS as it detects the remote access trojan part of it but not the rest (it will after I send it though and they include detections for the other parts)

    THe windowsXP file you sent was useles as it was the prefetch file and not the actual.exe file from system32 folder

    I would assume from looking at it that it has stolen all your passwords and other private info. All passwords should be changed immediately and check carefully any banking info etc on the computer and notify any credit card companies etc that you might have been compromised and they will need changing as well
     
    Last edited: May 16, 2004
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    a possible solution would be RENAMING tds3.exe to for example killtrojans.exe and lauching it by doubleclicking the exe in the tds folder

    usually the backdoors have a list of process names to kill> renaming security processes does the trick. you obviously have to put the old name back after the infection is cleaned.

    kaspersky detected an exploit in the package
    rist0r.zip/Rist0r/shell.exe Packed Cexe
    rist0r.zip/Rist0r/shell.exe Infected Exploit.Win32.RPCLsa.01.c
     
    Last edited: May 16, 2004
  8. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Oh wow. Wow. That back door hacker\credit card thing has got me feeling rather shabby! Who knew?! Argh!!

    Okay. I did what the first two instructions said regarding safe mode, deleting stuff, running Spybot and Adaware - unfortunately, TDS bombed yet again, but I've taken a screen shot of where it was up to and attached it to this post. Hope that's some help?! I'll give that renaming thing a go too.

    Here's the HiJackThis log for my last scan....

    ---------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 3:41:33 AM, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------

    May I just add HOW glad I am I Google'd cOOL.exe and found this site. My god, I had no idea how bad it was!! I'm still quite nervous about the passwords stuff but I guess I'm on the road to recovery thanks to you guys.

    Oh, and I could not find officeXP.exe in the System32 files anywhere, so I ended up searching for it and zipped what I found. Thanks again, everyone - I grovel at your knowledgable feet!
     

    Attached Files:

    • tds2.jpg
      tds2.jpg
      File size:
      75.1 KB
      Views:
      318
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    it's hanging on a hiodden stream in the MSfax folder which is probably harmless anyway

    try this


    open tds , press scan control/click on ads stream options and tick ignore non executable streams and tick ignore streams smaller than , put 80 in box and press ok

    see if taht cures the TDS hanging

    I think it's a corrupted overlong reference it's hanging on
     
  10. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Okay, I'll give that a go - I've just downloaded the latest radius.td3 file (again - I did it earlier but for some reason TDS keeps saying I need to do it again) and I'll try that. Report back in a moment.

    Oh - should I be worried about that first warning it comes up with?

    RAT.Retribution - c:\autoexec

    Should I delete that?
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    do a complete tds scan and then

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  12. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    I don't know if it's just me (I've tried everything everyone's suggested) but TDS just ain't happening. I tried yet another scan with all the changes and it's stalled again, this time while scanning C:\Windows\System32\OOBE\ from what I can tell.

    It did pick up a few more things, though I can't right click and save as a text file as the screen is frozen.

    c:\autoexec.exe
    c:\windows\system32\silent.exe
    c:\windows\system32\microsoft\kernel32.exe.mwt

    Should I go and delete these directly?
     
  13. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Ooooh, also - should I use CWBShredder as well? I downloaded it from here :)
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    you seem to have nortons auto protection running, maybe that is conflicting with tds when it is scanning. try to disable norton when scanning with tds.

    do you have the patch for sasser worm? if you don't it might be a good idea to disconnect from the net when doing a tds scan and norton being disabled( and to get that patch of course ;) )

    if those were named as trojans go ahead and delete those.
    if they were labelled as suspicious, or possible trojans you need to submit them to gavin submit@diamondcs.com.au
     
    Last edited: May 17, 2004
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Interesting ones, for starters can you please send those to submit@diamondcs.com.au

    You should be ok to run TDS if you remove all trojan autostarts and remove all adware junk. You might want to install the latest VB Runtime (SP6) from this page too

    http://tds.diamondcs.com.au/index.php?page=files
     
  16. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    a little update:

    kaspersky now detects the rist0r backdoor as Backdoor.IRC.Fasmex.

    don't worry jessiemcg, as Gavin stepped in you're now in good hands :)
     
  17. FanJ

    FanJ Guest

    Hi,

    Don't worry about the fact that TDS-3 keeps telling you that the Radius-file (the definitions for TDS-3) needs to be updated.

    In the trial version of TDS-3 that is what happens ;)
    In the trial version of TDS-3 you need to download the Radius file manually.

    At the moment it is:
    [34443 references - 13043 primaries/9762 traces/11638 variants/other]
    Updates are published every working day.

    So again, please don't worry that your trial-version keeps telling you that the Radius-file needs to be updated ;)
     
  18. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Hi all!

    Wow, everyones coming out to help - thank you SOOOO much!

    Okay, first things first, regarding those three files that TDS-3 alerted me about, I have sent two of them off to you Gavin, but had problems with the third. This is what I said in the email.

    ------------
    Kernel32.exe.mwt quite literally disappeared before my eyes! I opened up the Microsoft folder and it was there, and suddenly it disappeared. Which I know makes me sound insane but it really happened - hehe. I did a search for the file and it had jumped to the System 32 file.

    When I tried to zip it it came up with a message "The specified directory C:\Windows\System32\kernel32.exe.mwt is empty, so Compressed (zipped) Folders cannot add it to the archive." After that, it disappeared again and I couldn't find it through searching.
    -------------------

    Very weird. Fanj - downloaded the latest so from now on when it tells me to update, I'll know better than to listen to it :) Cheers!

    I did the sasser worm thing from Symantec yesterday and it said the computer was clean. I have had real trouble with Nortons, for instance, when I try to allow email scanning or enable autoprotect, it ignores what I say and keeps it off which causes Norton to say my system needs "Urgent Attention" though nothing comes up in scans. I have turned everything off, will reboot and try and scan with TDS again. Deep breath. Here I go!
     
  19. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Oh, and should I install that SP6 if I HAVE got Windows XP? Got a little confused on with the instructions on the DiamondCS page :)
     
  20. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Oh, I could kiss you all in a platonic way! All the advice worked brilliantly, looks like turning off Norton's Auto-Protect at Windows start up did the trick. It positively identified some trojans which I deleted, but here's the scandumbp.txt log.

    --------------------

    Scan Control Dumped @ 08:27:02 18-05-04
    File Trace: Default trojan filename: RAT.Retribution
    File: c:\autoexec.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\jessie\desktop\my rubbish\my stuff\my stuff\keeva's birthday stuff\messages from others.....doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\jessie\desktop\my rubbish\my stuff\my stuff\keeva's birthday stuff\~$ssages from others.....doc

    Positive identification: TrojanDownloader.Win32.Keenval.a
    File: c:\program files\common files\updmgr\updmgr.exe

    Positive identification (in archive): Adware.WinFetch Dropper
    File: silent.exe (In c:\recycler\s-1-5-21-874222325-2783590928-244772144-1006\dc3.zip)

    Positive identification: Adware.WinFetch Dropper
    File: c:\windows\system32\silent.exe

    Positive identification: Adware.WinFetch
    File: c:\windows\temp\winwildapp.exe

    ------------------

    Everything it positively identified I deleted, anything suspcious I left as is. Any advice from this point in would be MUCH appreciated. That was all from the Normal Scan (I was too scared of TDS-3 freezing again to do the Full System Scan but I'll do that now since everything appears to be working - hurrah!!
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Good job. Exactly right. :)

    You can delete this entire folder if you like:
    c:\program files\common files\updmgr

    Regards,

    Pieter
     
  22. FanJ

    FanJ Guest

    Hi Jessie,

    Just to make sure:

    You still have to download the Radius-file manually in the trial-version !!!
    Gavin publishes every working day an update, and puts a notification in the Update-Alert forum-section here at Wilders.

    Once you have bought TDS-3, you don't need to download the Radius-file manually anymore: then you can let TDS-3 do the job.

    For more info see also:
    TDS3 - Daily Update Information sources
    TDS-3 Trial-version : some differences compared to the registered version
     
  23. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Thanks for all your help, guys! I am fairly sure everythings okay though today a few things have been running slower than normal and my CPU usage is at 100% for some reason, so I figured I might post one last HijackThis log and see what you think. Again, I cant thank you all enough for your help!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:21:44 PM, on 20/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Computer Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.34 210.80.58.42
    O17 - HKLM\System\CS3\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.34 210.80.58.42
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi jessiemcg,

    Can you see which process is eating up all the resources?
    I see nothing wrong in your log.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.