Need Help with XP Bug

Discussion in 'malware problems & news' started by coldog, Aug 19, 2003.

Thread Status:
Not open for further replies.
  1. coldog

    coldog Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    9
    Location:
    Toronto
    I'm not sure but I might be infected by this new "bug." About two weeks ago I started having problems with my printer. All of a sudden one morning my PC (XP Home) flashed a message saying it detected new hardware (Epson Printer). The only problem was that I have had this printer for over a year now, which is the same time period for the PC.

    This is where it gets "Funny."

    I have tried to access the task manager to see what was running and it won't let me. I can get the Taskmanager window to open for only about half a second and then something shuts it down. It is almost like something is working in the background that doesn't want to be found or shut down.

    Not sure what to do, any help would be appreciated.
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
Hi Coldog - :( From what you post, I believe you have a virus or worm. Chances are that when you got hit, your AV was corrupted or not updated, so I would suggest you do an online scan through TrendMicro [it's free]:

    http://housecall.antivirus.com/housecall/start_corp.asp

    If you are using Windows XP, there is a good chance this bug will be in the system restore and you will need to disable SR before scanning otherwise the scan will not detect it there. By disabling SR, restore dates will be wiped so a new date from the date the computer is cleaned out 100% will have to be set manually. Good luck.
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Coldog,

    Welcome to Wilders!

In addition to Peaches4U's suggestion, can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Regards,

    Dan
     
  4. coldog

    coldog Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    9
    Location:
    Toronto
    Here are the results. As you may notice I have just added a different anti-virus program (avast) which is still doing the thorough scan. I ran the scan that peaches suggested and there was one file that could not be cleaned (something in the temp internet file).

    Thanx again in advance :doubt:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Colin Uildersma@X-3T7VGE5ST47KP, 08-19-2003
    c:\autoexec.bat
    c:\factonly\factonly.bat
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    C:\PROGRA~1\ALWILS~1\Avast4\aswmonds.sys
    c:\config.sys
    c:\factonly\oakcdrom.sys /D:mscd001
    c:\factonly\btdosm.sys
    c:\factonly\flashpt.sys
    c:\factonly\btcdrom.sys /D:mscd001
    c:\factonly\aspi2dos.sys
    c:\factonly\aspi8dos.sys
    c:\factonly\aspi4dos.sys
    c:\factonly\aspi8u2.sys
    c:\factonly\aspicd.sys /D:mscd001
    c:\windows\wininit.ini [rename]
    NUL=C:\WINDOWS\System32\bdeinsta2.dll
    c:\windows\system.ini [drivers]
    timer=timer.drv
    VIDC.CVID=iccvid.drv
    VIDC.MSVC=msvidc.drv
    VIDC.IV32=ir32.dll
    VIDC.IV31=IR32.dll
    VIDC.MRLE=MSRLE.drv
    VIDC.RT21=ir21_r.dll
    VIDC.YVU9=ir21_r.dll
    WaveMapper=msacm.drv
    MSACM.msadpcm=msadpcm.acm
    MSACM.imaadpcm=imaadpcm.acm
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EM_EXEC
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\InCD
    C:\Program Files\ahead\InCD\InCD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WT GameChannel
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ADUserMon
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Iomega Drive Icons
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Deskup
    C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\system32\MSCONFIG32.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
    C:\Program Files\Messenger\msmsgs.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TClockEx
    C:\Program Files\TClockEx\TCLOCKEX.EXE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HomeAlarm
    C:\Program Files\Chameleon Clock\ChamClock.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\MSConfig
    C:\WINDOWS\system32\MSCONFIG32.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\Documents and Settings\Colin Uildersma\Start Menu\Programs\Startup\
    C:\Documents and Settings\Colin Uildersma\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP2216
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\aswUpdSv\
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\avast! Antivirus\
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\EPSONStatusAgent2\
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Iomega App Services\
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\_IOMEGA_ACTIVE_DISK_SERVICE_\
    C:\Program Files\Iomega\AutoDisk\ADService.exe
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay, you definitely have some problems.

First, if these processes are running, stop them:

    MSCONFIG32.EXE
    webdav.exe
    TFTP2216

You should right-click on these entries in Autostartviewer and remove them:

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\MSConfig
    C:\WINDOWS\system32\MSCONFIG32.EXE

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP2216

    Then, I highly recommend that you download and run the trial version of TDS from

    http://tds.diamondcs.com.au/index.php?page=download

    Once it is installed, manually update the radius (definition) file from that same URL and then start TDS, change all sensitivity settings to maximum and do a full scan of the system.

    HTH,

    Dan
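The triage Dan describes above (pair each autostart location with the file it launches, then single out the entries that do not belong) can be applied to a saved Autostart Viewer report with a short script. The following is an added example, not code from the thread or from DiamondCS. It assumes the report layout as pasted above: a location line (registry key, Startup folder, config file or .lnk shortcut) followed by the value lines that belong to it. The sample report is a constructed excerpt of the one posted in this thread, and the watch list holds the three names Dan identified; the review rules (a file dropped directly into a Startup folder instead of a shortcut, a RunOnce entry, a name on the watch list) are my own heuristics and mark review candidates, not verdicts.

```python
"""Parse a DiamondCS Autostart Viewer report and flag entries worth a second look.

Format assumption (mine, taken from the report pasted in this thread): a
"location" line (registry key, Startup folder, config file or .lnk shortcut)
is followed by the value lines that belong to it, up to the next location line.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed excerpt in the layout of the report above; paths and names are
# taken from the thread, the selection is mine.
SAMPLE_REPORT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for user@host, 08-19-2003
c:\autoexec.bat
c:\factonly\factonly.bat
c:\config.sys
c:\factonly\oakcdrom.sys /D:mscd001
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\system32\MSCONFIG32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\MSConfig
C:\WINDOWS\system32\MSCONFIG32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP2216
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
""".strip()

# Image names Dan singled out in this thread; a real watch list would come
# from the analyst's own triage.
WATCH_LIST = ("msconfig32.exe", "webdav.exe", "tftp2216")

CONFIG_FILES = {"autoexec.bat", "config.sys", "autoexec.nt", "config.nt"}
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
# First token that ends in a program-style extension, so arguments are dropped.
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|dll|sys|bat|com|vxd|drv|acm|scr))(?=\s|$)", re.I)


@dataclass
class Entry:
    location: str   # where the autostart is registered
    value: str      # the command or file it points to

    @property
    def image(self) -> str:
        m = IMAGE_RE.match(self.value)
        return m.group(1) if m else self.value

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def is_location(line: str) -> bool:
    low = line.lower()
    if low.startswith(("hklm\\", "hkcu\\", "hkcr\\", "hku\\")):
        return True
    if line.endswith("\\") or low.endswith(".lnk") or ".ini [" in low:
        return True
    return low.rsplit("\\", 1)[-1] in CONFIG_FILES


def parse_report(text: str) -> List[Entry]:
    entries: List[Entry] = []
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue
        if is_location(line):
            location = line
        elif location is not None:
            entries.append(Entry(location, line))
    return entries


def review(entries: List[Entry], watch_list: Sequence[str] = ()) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for entries that merit a look; hits are
    review candidates, not verdicts."""
    watch = {w.lower() for w in watch_list}
    findings = []
    for e in entries:
        loc = e.location.lower()
        reasons = []
        if loc.endswith(STARTUP_FOLDER) and not e.value.lower().endswith(".lnk"):
            reasons.append("file placed directly in a Startup folder instead of a shortcut")
        if "\\runonce\\" in loc:
            reasons.append("RunOnce entry (normally transient; check why it is there)")
        if e.name in watch:
            reasons.append("image name is on the watch list")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in review(parse_report(SAMPLE_REPORT), WATCH_LIST):
        print(f"{entry.location}\n    {entry.value}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the script reports the same four hits Dan pointed out by eye: MSCONFIG32.EXE under both the Run and RunOnce keys, and webdav.exe and TFTP2216 sitting as plain files in the All Users Startup folder. The shortcut-based Startup entries (.lnk) and the service entries pass untouched, which is the point of the Startup-folder rule: a legitimate installer normally leaves a shortcut there, not the executable itself.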
     
  6. coldog

    coldog Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    9
    Location:
    Toronto
Thanks everyone for all of the help. I managed to find three viruses by using avast! (which by the way seems like a great program so far)

    http://avast.com/

    and by using the trial version of TDS from

    http://tds.diamondcs.com.au/index.php?page=download

    I managed to get two trojans out of my system. In all it took two nights to search everything, then after it was done I did a deep clean of my hard drive and got rid of a bunch of stuff I should have cleaned out a long time ago.

    Thanks again everyone
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Glad to help!

    Hopefully, the occasion for your next thread will be far less devastating!!!



    :D :D :D
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    coldog,

    I would highly recommend changing all passwords in use as well; chances are big they have been harvested by the trojan client users.

    regards.

    paul
     