Is my computer clean from hijacker

Discussion in 'adware, spyware & hijack cleaning' started by Minera, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hello once again:
    I reformatted my computer and reinstalled everything. Unfortunately I also reinstalled a Gaobot worm in memory and NAV did not catch it, so I purchased McAfee to delete it. I have ZoneAlarm, which I also had to reinstall due to a problem. XP configured my network connection automatically, but it shows an open port 5000. I have a csvhost.exe -service still in memory, as it is running scripts or something according to TDS, which I don't know what to do about, and the Symantec site said it is associated with the changes the Gaobot worm made in the registry. I really don't think my network is correctly configured, but XP won't let me change it so it would work any other way than the setup. I used HijackThis and deleted a link in my browser (IE) that was to a site called dscresearch.com that kept loading. Now I'm not sure what, if anything, else should be there, but I am having a problem stopping Windows Messenger from loading even though I disabled it etc.
    Here is my info:
    Logfile of HijackThis v1.97.3
    Scan saved at 12:09:12 AM, on 2/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.canoe.ca/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.5346180556
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    Hope you can help and let me know what to delete or not.
    Also I am suspicious of MS updates, whether they're legit or not. I had a popup on my desktop (not the usual notice at the bottom of the toolbar) to update immediately or I could not use IE without problems. I later found out it was a site from Earthlink, NOT Microsoft, where I think some of my other problems started with the IE browser.
    I'm getting frustrated, as all I seem to be doing lately is trying to fix stuff,
    but I really suspect the setup for the network is somehow wrong.
    o_O :'(
     

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Minera,

    Hoping you made a typo in the processname:
    http://www.jsiinc.com/SUBJ/tip4600/rh4660.htm

    The one keeping port 5000 open is UpnP.
    Check this site on how to shut down several unnecessary services:
    http://www.blackviper.com/WinXP/servicecfg.htm

    You are right not to trust emails or other ways of getting offered MS updates. The only way to be sure is to go to the Windows Update site.

    Your log is clean as far as I can see. (Not all viruses can be detected this way and you are using an older version, but I see no reason for worries.)

    Regards,

    Pieter
     
  3. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hello Pieter:
    No typo, just a copy of the hijack files. o_O o_O
     

    Attached Files:

    • tds.JPG (37.8 KB)
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Minera,

    Can you rightclick one of the lines in the bottom part of the TDS screen and choose Save as Text.
    Post the content of the text file please.

    Regards,

    Pieter
     
  5. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hello Pieter:
    I saved the TDS log file. It only allowed me to save one of the bottom file infos; the rest were either blank or had other options attached.
    I visited only Symantec and Microsoft and this site in the past two days.
    Although it says I am free of infection, it keeps changing the data stream infos whenever I do a full scan with the trial version of TDS. Some options are not available unless I purchase it. It seems to be whenever I allow the firewall to access either Messenger (as server, where the IntelliPoint part seemed to be added) or svchost.exe.
    Below is the text file of the scan:
     

  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Thanks Minera

    I'll ask one of the TDS Moderators to have a look.

    Regards,

    Pieter
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Minera, just a quick look at your log.
    Firstly, please download the latest radius file & re-run your scan.
    Secondly, the log shows Adstreams, but can you please tell us the size reported in bytes, as many Adstreams below about 128 bytes are usually not a threat and can be considered harmless. Right-click the Adstream to view the byte size.

    Hopefully Gavin will reply soon with a better analysis than I can supply. :)
     
  8. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi Pieter:
    The size is 80 bytes and the destination is 0. It looks as if it is looking for information of some sort. Also the connected 'program' executable is MZ.exe.
    I found a reference to it in a program I had as yet not installed but downloaded from a site. I deleted the folder, as it was probably something I really did not need anyway (it was in my downloads file where I keep stuff I downloaded; the stuff I want to keep I usually put on a disc).
    It still has streams connected to it, but I'm not sure what the file was for.
    I did a search, but the actual MZ program is not on my computer, and the reference to MZ.exe is that it is an 'unknown' application. My biggest problem is that Windows Messenger keeps loading up despite my having disabled it several times, and it is open to one of my kid's names. The other day all his contacts were erased for some reason. I don't know why it keeps opening even though I disabled it, but MSN is running where they usually are supposed to log in when they need to use Messenger, so I'm not sure if there is a connection.
    I did update the TDS3. I had an old version on my computer before I reformatted it but can't find the old program etc., so I downloaded the trial (which I like better than the old version) and am considering buying it, as I already have Port Explorer.
    I am now reconfiguring the setup for the home network as instructed by my service provider to see if that makes a difference. But if you say 128 bytes and less are usually harmless, I won't worry. The original program is deleted where I found an MZ.exe reference. Hope that will work o_O
    I just wish I knew what the MZ.exe was FOR!
     
  9. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi again Pieter:
    I did another HijackThis scan. I'm a bit curious about one or two entries re the Netscape browser which were not there before. I'm not sure if they're supposed to BE there. I reconfigured my Linksys, and the funny thing was when I typed in the number I got the login/password screen, but there were two additions for logins, both Hotmail ID logins to Messenger. They weren't there before. When I recorded the changes in Linksys the site recorded it to the mozila.cgi part (took quite a while), and it's an http address, so I'm not sure if that is anything to worry about.
    Please advise (I'm getting nervous again o_O :eek: :blink: !!)
     
  10. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi Pieter:
    The hijack log did not seem to go through so I am sending it again.
     

  11. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    I don't know what this dumb thing is doing but it is asking for something called 'codec' so I will try pasting it.
    Logfile of HijackThis v1.97.3
    Scan saved at 9:42:42 PM, on 2/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.canoe.ca/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.5346180556
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
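    A way to compare the two HijackThis logs in this thread mechanically, as an added example (it is not HijackThis code and was not posted by anyone in the thread): it parses the section-coded lines, reports entries present in only one log, and runs a small watch-list. The excerpts are lines from the 13 Feb and 15 Feb logs above; the line regex and the "trusted" autostart directories are assumptions for this machine, not HijackThis rules. The diff surfaces the R1 ProxyServer entry that is in the second log but not the first, which is the kind of change worth confirming in Internet Options before deciding it is intended.

```python
# Added example for this thread: diff two HijackThis logs and flag watch-list entries.
# Not HijackThis code. Log excerpts are taken from the two logs posted above;
# the regex and TRUSTED_DIRS are assumptions, not part of the HijackThis format.
import re

LOG_FEB13 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

LOG_FEB15 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

# Each finding starts with a section code (R0, R1, N3, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Assumed normal autostart locations on this machine (lower-cased path prefixes).
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

def parse_log(text):
    """Map section code -> set of entry bodies (the text after 'R1 - ')."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries

def diff_logs(old_text, new_text):
    """(added, removed): section -> sorted entries present in only one of the logs."""
    old, new = parse_log(old_text), parse_log(new_text)
    added = {s: sorted(v - old.get(s, set())) for s, v in new.items() if v - old.get(s, set())}
    removed = {s: sorted(v - new.get(s, set())) for s, v in old.items() if v - new.get(s, set())}
    return added, removed

def autostart_target(entry):
    """Path an O4 entry launches: after '[Name] ' for Run keys, after ' = ' for .lnk files."""
    body = entry.split("] ", 1)[1] if "] " in entry else entry.split(" = ", 1)[-1]
    return body.strip().strip('"').lower()

def review(entries):
    """Watch-list pass over parsed entries -> list of (section, entry, reason)."""
    findings = []
    for section, items in sorted(entries.items()):
        for item in sorted(items):
            if section == "R1" and "ProxyServer" in item:
                findings.append((section, item, "browser proxy set; confirm it is intended"))
            elif section == "O4" and not autostart_target(item).startswith(TRUSTED_DIRS):
                findings.append((section, item, "autostart outside Windows/Program Files"))
    return findings
```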
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Minera,

    Your log is fine and the Netscape entries are harmless. I would like to have an expert's opinion about the streams, so please wait for that, and update TDS following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update

    Regards,

    Pieter
     
  13. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi Pieter:
    Thanks. I downloaded the update as you suggested. Will see what happens.
    Regards ;)
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Looks like normal streams which can be ignored; try ignoring streams smaller than 128 bytes and see if anything still comes up. You can do this in Scan Control, ADS Stream Options.

    The real danger to watch out for is "Executable found in stream" ;) In this case it should be dumped to a file and emailed to submit@diamondcs.com.au immediately.
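    The two rules given in this thread (Pilli's and Gavin's 128-byte threshold, and Gavin's "executable found in stream" warning) applied to alternate data stream scan results, as an added example that is not TDS code and was not posted by anyone here. "MZ" is the two-byte signature at the start of every DOS/Windows executable image, so that is what the executable check looks for, and it runs before the size rule so a small executable stub is never waved through. The stream records are constructed; reading real streams from an NTFS volume is assumed to happen elsewhere.

```python
# Added example for this thread (not TDS code): triage ADS scan results with the
# 128-byte rule and the executable-in-stream rule, dumping executables to a file
# for submission. Sample streams are constructed, not from the poster's machine.
from pathlib import Path, PureWindowsPath

MIN_INTERESTING = 128   # streams below this size are treated as usually harmless
MZ_MAGIC = b"MZ"        # first two bytes of every DOS/Windows executable image

def is_executable(data: bytes) -> bool:
    """The 'executable found in stream' check: does the stream start with MZ?"""
    return data[:2] == MZ_MAGIC

def triage(host_file: str, stream_name: str, data: bytes) -> str:
    """Verdict for one stream. The executable check runs first so that a tiny
    MZ stub is never waved through by the size rule."""
    if is_executable(data):
        return "EXECUTABLE"       # dump and submit, regardless of size
    if len(data) < MIN_INTERESTING:
        return "ignore"           # below the 128-byte threshold
    return "review"               # large non-executable stream: look at it

def dump_stream(host_file: str, stream_name: str, data: bytes, outdir) -> Path:
    """Write the stream bytes to outdir as '<hostname>__<stream>.bin'."""
    host_name = PureWindowsPath(host_file).name          # works off Windows too
    safe = f"{host_name}__{stream_name}.bin".replace(":", "_")
    path = Path(outdir) / safe
    path.write_bytes(data)
    return path

def triage_all(streams, outdir=None):
    """streams: iterable of (host_file, stream_name, data). Returns a list of
    (host_file, stream_name, size, verdict); executables are dumped if outdir is set."""
    results = []
    for host, name, data in streams:
        verdict = triage(host, name, data)
        if verdict == "EXECUTABLE" and outdir is not None:
            dump_stream(host, name, data, outdir)
        results.append((host, name, len(data), verdict))
    return results

# Constructed sample streams (not from the poster's machine).
SAMPLE_STREAMS = [
    (r"C:\Downloads\setup.zip", "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    (r"C:\Downloads\readme.txt", "notes", b"x" * 80),          # the 80-byte case above
    (r"C:\Downloads\readme.txt", "data", b"A" * 4096),
    (r"C:\Downloads\readme.txt", "hidden", MZ_MAGIC + b"\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_STREAMS):
        print(row)
```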
     
  15. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hello
    Thanks so much for the reply. I will do as you suggested and keep an eye on things.
    Regards
    Minera
    :D
     