HJT log

Discussion in 'adware, spyware & hijack cleaning' started by Shelb, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Hello all,
    I am helping a friend clean up a really clogged pc. A virus scan has revealed and cleaned several viral and trojan infections. Looks like his box was being used for DDoS.

I was wondering if the kind folks here could offer me a second opinion on some of the entries in his HJT logfile. Here are the main entries that I need validation on or am unsure about. Several show up as malware when I google them, but I cannot find info at all on a few of them. Looks like the mobsynca and manga processes have open ports that are listening.

    Thanks so much for your help.

    O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
    O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab


    Here is the full file....
    --------------------------------------------------------------------------------------
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\SYSTEM32\manga.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\System32\serviceede.exe
    C:\WINNT\System32\mobsynca.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
    O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: NameServer = 66.82.4.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = direcway.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com
     
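The first pass the replies below make by hand (which Run values are bare filenames with no path, which value names imitate Windows binaries, which sit in the RunServices key, and which images actually appear in the "Running processes" list) can be scripted. This is an added example for this thread, not code Shelb or the helpers posted: the log excerpt is constructed from lines quoted in the post above, the KNOWN_GOOD pairs are the entries the helpers left alone, and SYSTEM_NAMES is my own list of commonly imitated binaries. Each O4 entry is graded known-good, suspect or verify; "verify" means nothing stood out and the file still has to be looked up, which is what happened with fqefws.exe here.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the first log in this thread (process list shortened); not the full log.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\WINNT\SYSTEM32\manga.exe
C:\WINNT\System32\serviceede.exe
C:\WINNT\System32\mobsynca.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Windows binaries whose names malware likes to imitate (my own list, not from the thread).
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "services", "winlogon", "smss", "mobsync", "msmsgs")
# (value name, image basename) pairs that the helpers in this thread left alone.
KNOWN_GOOD = {("Synchronization Manager", "mobsync.exe"), ("pccguide.exe", "pccguide.exe"),
              ("PCClient.exe", "pcclient.exe"), ("TM Outbreak Agent", "tmoagent.exe")}

@dataclass
class Finding:
    key: str
    name: str
    image: str
    running: bool
    verdict: str = "verify"      # "known-good", "suspect", or "verify" (look the file up)
    flags: list = field(default_factory=list)

def image_of(cmd):
    """Executable part of a Run value: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mimicked_name(*tokens):
    """System binary that a value-name word or image stem imitates (prefix or <= 2 edits), else None."""
    for token in tokens:
        stem = re.sub(r"[^a-z0-9]", "", token.lower().removesuffix(".exe"))
        if len(stem) < 4 or stem in SYSTEM_NAMES:
            continue  # too short to judge, or the genuine name itself
        for sysname in SYSTEM_NAMES:
            if stem.startswith(sysname) or edit_distance(stem, sysname) <= 2:
                return sysname
    return None

def triage(log_text):
    """Parse the process list and O4 lines of a HijackThis log and grade each Run value."""
    findings, procs = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):        # a line of the "Running processes:" list
            procs.add(basename(line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        image = image_of(m["cmd"])
        base = basename(image)
        f = Finding(m["key"], m["name"], image, running=base in procs)
        findings.append(f)
        if (m["name"], base) in KNOWN_GOOD:
            f.verdict = "known-good"
            continue
        if "\\" not in image:
            f.flags.append("bare filename: found via the search path, not a fixed location")
        if m["key"].endswith("RunServices"):
            f.flags.append("RunServices: honoured only by Windows 9x/ME (inert on Windows 2000), but worms write it anyway")
        mimic = mimicked_name(*m["name"].split(), base)
        if mimic:
            f.flags.append(f"name imitates system binary {mimic}.exe")
        if f.flags:
            f.verdict = "suspect"
            f.flags.append("currently running: end the task before fixing the entry" if f.running else
                           "not in the process list: file may already be gone (orphaned value)")
    return findings
```

Call triage(SAMPLE_LOG) and read the Finding objects: the "not in the process list" flag is the orphaned-value situation that comes up later in this thread for ldasp.exe and msvdm6.exe, and the near-name matches are hints to weigh with the other flags, not verdicts on their own.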
  2. k3dc

    k3dc Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    33
    Location:
    Sunny Florida
    Hi shelb,

    I'm sure the big guns will be along shortly to help you, but I have one suggestion right away. That is, post a complete HJT log, especially including the header that you didn't include above. They need that info to tell what should be on your system- every OS has its own load of "must-have" files, and some nasties spoof legit filenames to hide in the folders- wolves in sheep's clothing, so to speak.

    Good luck with this one. I can see a few things that look suspicious to me, but I'm too inexperienced to offer much by way of advice. :rolleyes:
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Shelb,

    I am afraid your friend's system is infected with several viruses.

    First, could you please find the following files, zip them up and email them to Pieter at the address in his Profile. Please include a link to this thread in the body of the email. Thank you.

    C:\WINNT\SYSTEM32\manga.exe
    C:\WINNT\SYSTEM32\fqefws.exe
    C:\WINNT\system32\msmsgri32.exe

    You will have to do a search for these:
    serviceede.exe
    ldasp.exe
    msvdm6.exe



    Open HijackThis and rescan, then with ALL browsers and any open windows closed, place a check beside the following items and click 'Fix checked':

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https

    O4 - HKLM\..\Run: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fqefws.exe
    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [Csrs Loader] serviceede.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab

    Make sure you have all files and folders viewable. Click Here for instructions on how to do that.

    Reboot into Safe Mode by tapping the F8 key after the BIOS has loaded, then find and delete the following:

    C:\WINNT\SYSTEM32\manga.exe
    C:\WINNT\SYSTEM32\fqefws.exe
    C:\WINNT\system32\msmsgri32.exe

    You will have to do a search for these:
    serviceede.exe
    ldasp.exe
    msvdm6.exe

    Then reboot your computer normally.

    Then do a FULL on-line scan at one of these antivirus sites: Free Services

    Rescan with HijackThis and post a new log here. As k3dc has mentioned, please make sure you copy all of the HijackThis log to include the top portion that shows the Operating System, HijackThis version, and date/time of scan.

    Regards,

    snap

    Reference:
    manga.exe: http://securityresponse.symantec.com/avcenter/venc/data/w32.ogid.html
    msmsgri32.exe: http://www.symantec.com/avcenter/venc/data/w32.randex.d.html
    msvdm6.exe: http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_RANDEX.MV
    ldasp.exe: http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_AGOBOT.BH
     
  4. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Thanks for the help.

    This entry is installed by default by the isp Direcway (satellite), are you sure I should delete it?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https

    As for the other files......
    Looks like he's been at the scanners before I got here. All but three of the entries you suggested for fixing are gone. He had installed TDS and scanned at several online sites, so I guess it got rid of them. They all show a clean bill of health now.....may never know what malware the others were :doubt:

    I was able to find the file and fix the following entry
    O4 - HKLM\..\Run: [svchosts32] C:\WINNT\SYSTEM32\manga.exe

    Kaspersky.com reveals this file to be the following.
    manga.exe Packed: PE_Patch
    manga.exe Packed: UPX
    manga.exe Infected: TrojanProxy.Win32.Agent.m

    There are two entries that you suggested that are still left in the registry (log copied below).
    O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe

    HJT is unable to fix these, even in safe mode. Manual deletion from regedit returns the following error: "Edit string dialog: cannot edit configuration loader, error writing value's new contents."

    The object files ldasp.exe and msvdm6.exe do not turn up on the PC in a search, however.

    Here is the latest HJT log...

    Logfile of HijackThis v1.97.7
    Scan saved at 9:13:49 AM, on 3/24/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\System32\mobsynca.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bell ranch\Application Data\Mozilla\Profiles\default\sagjn7bk.slt\prefs.js)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C8422E-F1EA-4698-87FD-CE78A3AA2993}: NameServer = 66.82.4.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = direcway.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Shelb,

    Try this:

    First run this registry script, which forces Windows to show so called "superhidden" files:

    Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files").

    Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

    Then try to do a search for those two files and if you can find them, zip the files and e-mail them to Pieter at the address in his profile. Please include a link to this thread.

    Regards,
    Kent
     
  6. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    No resulting files after unhiding superhidden files.
    I think he is clean, just the annoying registry error to deal with.

    Thanks for your help.
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Shelb,

    The 'ldasp.exe' and 'msvdm6.exe' may have already been removed by either TDS-3 or one of the on-line scanners, and the O4 lines showing in HijackThis may be orphaned run keys now.

    (sorry, I missed this one)
    First, through TaskManager (Ctrl-Alt-Del), look for 'mobsynca.exe' and if you see it running, end task on it.

    Next, move HijackThis out of the Temp folder and into a folder of its own. HijackThis creates backups in the folder it is run from, and backups in a temp folder will be easily lost.

    Then with ALL browsers and any open windows closed, place a check beside the following items and click 'Fix checked':

    O4 - HKLM\..\Run: [Synchronization Agent] mobsynca.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] ldasp.exe
    O4 - HKLM\..\RunServices: [Registration Service] msvdm6.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15eaf97...ip/RdxIE601.cab

    Reboot your computer

    Then do a search for 'mobsynca.exe' (the one with the 'a' at the end and not the mobsync.exe file) and upload it to Kaspersky for a scan. Then could you please email it to Pieter at the email addy listed in his Profile.

    I am only finding this reference for the file, but I would like to see what the Kaspersky's scan shows, and what Pieter says about it before we say delete the file.
    mobsynca.exe: Worm_Randbot.A = http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RANDBOT.A

    Re-scan with Hijackthis and post a new log here along with the Kaspersky scan for mobsynca.exe.

    snap

    fixed my url tags
     
  8. k3dc

    k3dc Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    33
    Location:
    Sunny Florida
    Can this Registry patch be left in permanently as a diagnostic tool, or should it be removed for normal use of the computer?
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    k3dc,

    The patch can be left in, just remember that ALL files on your system are now displayed, including all critical system files and such that are normally hidden. You have to practice added caution and be very careful so as not to change or delete something you should not.

    HTH.....

    Regards,
    Kent
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi all,

    I have had a few people ask, so here is the patch to change back your folder view settings:

    This registry script will force Windows to change back to default folder view mode:

    Copy the contents of the Quote box to Notepad, and save in a location of your choice as Hide.reg (make sure to save as type: "All Files").

    Doubleclick Hide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

    Regards,
    Kent
     