cOOL.exe & MicroSoft.exe probs - HJT Log

Discussion in 'adware, spyware & hijack cleaning' started by jessiemcg, May 15, 2004.

Thread Status:
Not open for further replies.
  1. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Hi All,

    I have been having some problems with my computer, stuff like Norton AntiVirus not loading, etc, and noticed that cOOL.exe is in my Add\Remove Programs but it won't let me remove it. I already use AdAware and Spybot, and ran them both before I downloaded HijackThis as instructed here, so here's my log file. If anyone is able to help, it'd be much appreciated.

    Cheers,

    Jess

    Logfile of HijackThis v1.97.7
    Scan saved at 10:31:04 AM, on 16/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\officeXP.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\WINDOWS\System32\Rist0r\patch.exe
    C:\WINDOWS\System32\Rist0r\sxe6.tmp
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\SOL.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
    C:\Documents and Settings\Jessie\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Config33.exe] Config33.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
    O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
    O17 - HKLM\System\CS3\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    you're running hjt from the temp, unzip it into a permanent folder like c:\hijackthis before proceeding with it..

    i see some very suspicious entries, so before cleaning the spyware, there is something more urgent here

    download and install this
    ftp://ftp.microworldsystems.com/download/tools/mwav.exe

    recommended settings here
    http://img10.imageshack.us/img10/9808/escan_bitti.jpg


    scan your system with it, disinfect anything found.

    also get an anti trojan, in this case i recommend getting tds-3
    from www.diamondcs.com.au
    download it, install, update (download the radius file from here http://www.diamondcs.com.au/tds/radius.td3 - right click the link and select save target as, save it to your program files\tds directory)
    then do all available scans in tds' scan menu. clean all trojans found with tds

    post a fresh log after you're done, also report any errors and failures
     
  3. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Wow, thanks so much for your help :) Much appreciated.

    I did all the stuff you suggested, and the mwave thing seemed to have a mind of its own and cleaned up what it wanted. If you want the log file from that, lemme know...

    I tried to use TDS-3 as suggested, but encountered a bit of a problem - basically it made the computer freeze after about two minutes - I tried it 7 or 8 different times but to no avail.

    Lastly, I installed Hijack This and ran it again in its own directory. I'll paste the log contents below. Sorry if I stuffed anything up, I was at a loss as to how to get TDS-3 working. It seemed to detect about three things at first but then it'd just freeze. Again though, I'm really appreciating all your help! You're a champion! :)

    ---------------------------


    Logfile of HijackThis v1.97.7
    Scan saved at 12:09:56 AM, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe
    C:\WINDOWS\System32\cmd.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
    O17 - HKLM\System\CS3\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi jessiemcg,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:


    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    Then reboot into safe mode and zip up:
    C:\WINDOWS\System32\Rist0r <= entire folder

    Do not leave the original in place. Then try scanning with TDS again.
    Let us know if it still doesn't work.

    Regards,

    Pieter
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    first copy these files or folders and zip them and send to submit@thespykiller.co.uk with a short note referring to this thread

    C:\WINDOWS\System32\Rist0r entire rist0r folder please
    C:\WINDOWS\System32\officeXP.exe

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d6...ip/RdxIE601.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\System32\officeXP.exe

    and Delete these folders

    C:\WINDOWS\System32\Rist0r


    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

    as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
    while in the temp folder, select view and select details.
    then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
    select all the files/folders except the today ones and delete them all.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R304 16.05.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left

    And I'll send a message out for a TDS expert to have look and give you some advice, but I suspect that the officeXP entry is an agobot version that prevents antiviruses including tds running
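The review the helpers do by eye above (dead "(file missing)" references, Run keys with a lookalike name or a bare filename, an O16 download from an unknown host, DNS and hosts overrides) can be scripted. The block below is an added example, not code from the thread or from HijackThis; the trusted-host list and the lookalike names are assumptions, and the sample lines are copied from the first log and from the post-cleanup log in this thread.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumption: hosts whose O16 ActiveX downloads this reviewer treats as expected.
TRUSTED_DPF_HOSTS = {"download.macromedia.com"}
# Assumption: names a malicious autostart may imitate with a one-letter typo.
SYSTEM_NAMES = ("system32", "microsoft")

def parse_hjt(text):
    """Return (section, body, raw) for every R*/O* line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries

def _o4_image(cmd):
    """Pull the executable path out of a Run-key command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd

def _check(section, body):
    """Reasons a single entry deserves a closer look (empty list = nothing)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("dead reference (file missing)")
    if section == "O4":
        m = O4_RE.search(body)
        if m:
            name, image = m.group("name"), _o4_image(m.group("cmd"))
            if "\\" not in image:
                reasons.append("bare filename, resolved via PATH; locate the real file")
            if re.search(r"\\system32\\[^\\]+\\[^\\]+$", image, re.I):
                reasons.append("executable in a System32 subfolder")
            for ref in SYSTEM_NAMES:
                n = name.lower()
                if n != ref and SequenceMatcher(None, n, ref).ratio() >= 0.8:
                    reasons.append(f"value name '{name}' resembles '{ref}'")
    elif section == "O16":
        m = URL_RE.search(body)
        host = urlparse(m.group(0)).hostname if m else None
        if host not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX download from unlisted host {host}")
    elif section == "O17":
        reasons.append("DNS servers set in registry; confirm they belong to the ISP")
    elif section == "O1":
        reasons.append("hosts-file override; confirm the mapping is wanted")
    return reasons

def review(text):
    """Map each flagged raw entry to the reasons it was flagged."""
    findings = {}
    for section, body, raw in parse_hjt(text):
        reasons = _check(section, body)
        if reasons:
            findings[raw] = reasons
    return findings

def diff_logs(before, after):
    """Entries gone from the earlier log and entries new in the later one."""
    old = [raw for _, _, raw in parse_hjt(before)]
    new = [raw for _, _, raw in parse_hjt(after)]
    return [e for e in old if e not in new], [e for e in new if e not in old]

# Constructed samples: a few lines copied from the first and the post-cleanup logs.
LOG_BEFORE = r"""
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Config33.exe] Config33.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\Rist0r\MicroSoft.exe
O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.** 210.80.58.**
"""
LOG_AFTER = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
```

`review(LOG_BEFORE)` flags the six entries the helpers told Jess to fix and leaves the Norton, MusicMatch and Flash entries alone; `diff_logs` shows which of them vanished in the later log and that the hosts-file entry is new.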
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Jess

    You have a bad back door hacker there that has control of the computer

    hopefully what we have suggested above will remove it

    I'm sending it on to TDS as it detects the remote access trojan part of it but not the rest (it will after I send it though and they include detections for the other parts)

    The windowsXP file you sent was useless as it was the prefetch file and not the actual .exe file from system32 folder

    I would assume from looking at it that it has stolen all your passwords and other private info. All passwords should be changed immediately and check carefully any banking info etc on the computer and notify any credit card companies etc that you might have been compromised and they will need changing as well
     
    Last edited: May 16, 2004
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    a possible solution would be RENAMING tds3.exe to for example killtrojans.exe and launching it by doubleclicking the exe in the tds folder

    usually the backdoors have a list of process names to kill> renaming security processes does the trick. you obviously have to put the old name back after the infection is cleaned.

    kaspersky detected an exploit in the package
    rist0r.zip/Rist0r/shell.exe Packed Cexe
    rist0r.zip/Rist0r/shell.exe Infected Exploit.Win32.RPCLsa.01.c
     
    Last edited: May 16, 2004
  8. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Oh wow. Wow. That back door hacker\credit card thing has got me feeling rather shabby! Who knew?! Argh!!

    Okay. I did what the first two instructions said regarding safe mode, deleting stuff, running Spybot and Adaware - unfortunately, TDS bombed yet again, but I've taken a screen shot of where it was up to and attached it to this post. Hope that's some help?! I'll give that renaming thing a go too.

    Here's the HiJackThis log for my last scan....

    ---------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 3:41:33 AM, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------

    May I just add HOW glad I am I Google'd cOOL.exe and found this site. My god, I had no idea how bad it was!! I'm still quite nervous about the passwords stuff but I guess I'm on the road to recovery thanks to you guys.

    Oh, and I could not find officeXP.exe in the System32 files anywhere, so I ended up searching for it and zipped what I found. Thanks again, everyone - I grovel at your knowledgeable feet!
     

    Attached Files:

    • tds2.jpg (75.1 KB, 318 views)
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    it's hanging on a hidden stream in the MSfax folder which is probably harmless anyway

    try this


    open tds , press scan control/click on ads stream options and tick ignore non executable streams and tick ignore streams smaller than , put 80 in box and press ok

    see if that cures the TDS hanging

    I think it's a corrupted overlong reference it's hanging on
     
  10. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Okay, I'll give that a go - I've just downloaded the latest radius.td3 file (again - I did it earlier but for some reason TDS keeps saying I need to do it again) and I'll try that. Report back in a moment.

    Oh - should I be worried about that first warning it comes up with?

    RAT.Retribution - c:\autoexec

    Should I delete that?
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    do a complete tds scan and then

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  12. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    I don't know if it's just me (I've tried everything everyone's suggested) but TDS just ain't happening. I tried yet another scan with all the changes and it's stalled again, this time while scanning C:\Windows\System32\OOBE\ from what I can tell.

    It did pick up a few more things, though I can't right click and save as a text file as the screen is frozen.

    c:\autoexec.exe
    c:\windows\system32\silent.exe
    c:\windows\system32\microsoft\kernel32.exe.mwt

    Should I go and delete these directly?
     
  13. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Ooooh, also - should I use CWBShredder as well? I downloaded it from here :)
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    you seem to have nortons auto protection running, maybe that is conflicting with tds when it is scanning. try to disable norton when scanning with tds.

    do you have the patch for sasser worm? if you don't it might be a good idea to disconnect from the net when doing a tds scan and norton being disabled( and to get that patch of course ;) )

    if those were named as trojans go ahead and delete those.
    if they were labelled as suspicious, or possible trojans you need to submit them to gavin submit@diamondcs.com.au
     
    Last edited: May 17, 2004
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Interesting ones, for starters can you please send those to submit@diamondcs.com.au

    You should be ok to run TDS if you remove all trojan autostarts and remove all adware junk. You might want to install the latest VB Runtime (SP6) from this page too

    http://tds.diamondcs.com.au/index.php?page=files
     
  16. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    a little update:

    kaspersky now detects the rist0r backdoor as Backdoor.IRC.Fasmex.

    don't worry jessiemcg, as Gavin stepped in you're now in good hands :)
     
  17. FanJ

    FanJ Guest

    Hi,

    Don't worry about the fact that TDS-3 keeps telling you that the Radius-file (the definitions for TDS-3) needs to be updated.

    In the trial version of TDS-3 that is what happens ;)
    In the trial version of TDS-3 you need to download the Radius file manually.

    At the moment it is:
    [34443 references - 13043 primaries/9762 traces/11638 variants/other]
    Updates are published every working day.

    So again, please don't worry that your trial-version keeps telling you that the Radius-file needs to be updated ;)
     
  18. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Hi all!

    Wow, everyone's coming out to help - thank you SOOOO much!

    Okay, first things first, regarding those three files that TDS-3 alerted me about, I have sent two of them off to you Gavin, but had problems with the third. This is what I said in the email.

    ------------
    Kernel32.exe.mwt quite literally disappeared before my eyes! I opened up the Microsoft folder and it was there, and suddenly it disappeared. Which I know makes me sound insane but it really happened - hehe. I did a search for the file and it had jumped to the System 32 file.

    When I tried to zip it it came up with a message "The specified directory C:\Windows\System32\kernel32.exe.mwt is empty, so Compressed (zipped) Folders cannot add it to the archive." After that, it disappeared again and I couldn't find it through searching.
    -------------------

    Very weird. Fanj - downloaded the latest so from now on when it tells me to update, I'll know better than to listen to it :) Cheers!

    I did the sasser worm thing from Symantec yesterday and it said the computer was clean. I have had real trouble with Nortons, for instance, when I try to allow email scanning or enable autoprotect, it ignores what I say and keeps it off which causes Norton to say my system needs "Urgent Attention" though nothing comes up in scans. I have turned everything off, will reboot and try and scan with TDS again. Deep breath. Here I go!
     
  19. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Oh, and should I install that SP6 if I HAVE got Windows XP? Got a little confused with the instructions on the DiamondCS page :)
     
  20. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Oh, I could kiss you all in a platonic way! All the advice worked brilliantly, looks like turning off Norton's Auto-Protect at Windows start up did the trick. It positively identified some trojans which I deleted, but here's the scandump.txt log.

    --------------------

    Scan Control Dumped @ 08:27:02 18-05-04
    File Trace: Default trojan filename: RAT.Retribution
    File: c:\autoexec.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\jessie\desktop\my rubbish\my stuff\my stuff\keeva's birthday stuff\messages from others.....doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\jessie\desktop\my rubbish\my stuff\my stuff\keeva's birthday stuff\~$ssages from others.....doc

    Positive identification: TrojanDownloader.Win32.Keenval.a
    File: c:\program files\common files\updmgr\updmgr.exe

    Positive identification (in archive): Adware.WinFetch Dropper
    File: silent.exe (In c:\recycler\s-1-5-21-874222325-2783590928-244772144-1006\dc3.zip)

    Positive identification: Adware.WinFetch Dropper
    File: c:\windows\system32\silent.exe

    Positive identification: Adware.WinFetch
    File: c:\windows\temp\winwildapp.exe

    ------------------

    Everything it positively identified I deleted, anything suspicious I left as is. Any advice from this point on would be MUCH appreciated. That was all from the Normal Scan (I was too scared of TDS-3 freezing again to do the Full System Scan but I'll do that now since everything appears to be working - hurrah!!)
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Good job. Exactly right. :)

    You can delete this entire folder if you like:
    c:\program files\common files\updmgr

    Regards,

    Pieter
     
  22. FanJ

    FanJ Guest

    Hi Jessie,

    Just to make sure:

    You still have to download the Radius-file manually in the trial-version!!!
    Gavin publishes every working day an update, and puts a notification in the Update-Alert forum-section here at Wilders.

    Once you have bought TDS-3, you don't need to download the Radius-file manually anymore: then you can let TDS-3 do the job.

    For more info see also:
    TDS3 - Daily Update Information sources
    TDS-3 Trial-version : some differences compared to the registered version
     
  23. jessiemcg

    jessiemcg Registered Member

    Joined:
    May 15, 2004
    Posts:
    10
    Thanks for all your help, guys! I am fairly sure everything's okay, though today a few things have been running slower than normal and my CPU usage is at 100% for some reason, so I figured I might post one last HijackThis log and see what you think. Again, I can't thank you all enough for your help!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:21:44 PM, on 20/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Computer Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausculture.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ozemail.com.au/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: OzEmail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.34 210.80.58.42
    O17 - HKLM\System\CS3\Services\Tcpip\..\{51D10C18-CABF-479E-AED6-663CD1E858B1}: NameServer = 210.80.58.34 210.80.58.42
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi jessiemcg,

    Can you see which process is eating up all the resources?
    I see nothing wrong in your log.

    Regards,

    Pieter
     