s&D scan with strange result???

Discussion in 'adware, spyware & hijack cleaning' started by Minera, Mar 15, 2004.

Thread Status:
Not open for further replies.
  1. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi
    I just did a scan with S&D and Adaware. Adaware removed some stuff
    but S&D came up with an error msg:

    I'm attaching it as a jpg file. The weird thing is it says no problems etc.
    then an error notice
    and an exploit notice showing a change in the registry files which im scared to delete in case it causes problems or something (as finally my computer is working ok)
    The file it is attched to in regeidit is a 'search assistant' folder so im not sure if that is safe to delete or not. Any help would be appreciated.
    I will also post a hijackthis log, although I can't SEE anything that seems problematic. The only thing is that when I do a search on my computer it seems to end up in this 'search assistant' file in the registry.
    Not ALL files mind you, but when I did a search for Alexa it ended up there as did Kuang both exploits i was doing a seach for as exe files. The actual files themselves could not be found either with the virus program or anything else so I know this came from my searching. When I did a search only for .exe files I checked the registry and it added
    48cc155-6c1e*.*
    the above item is there several times whenever I check for any .exe files it adds itself . not sure what it means but a while back I posted about hidden streams and the program was the file registry number
    48cc155-6c1e-11d1-8e41-00c04f669386d
    I used the tds3 but had to unistall it as it kept locking up for some reason (conflict?)
    Pieter, the above registry key is the one sending the hidden streams
    and copying itself in different program folders, yet nothing seems to be able to detect what it is for or what program it belongs to. Do you have any suggestions?
    Minera
     

    Attached Files:

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Minera,

    The item Spybot found seems to indicate one of the opther accounts has some untrustworthy site in their Trusted Zone.

    You promised a HijackThis log. Could you run that for that account?

    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this in the dialog box: 48cc155-6c1e-11d1-8e41-00c04f669386d

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    Reagrds,

    Pieter   
     
  3. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi Pieter:
    Here is the log file you requested. There are a couple of items Im wondering about. There seems to be a 'file missing' in my adobe reader program. That was installed with my tax program, but I did update it and that is when the file seemed to have gone 'missing'
    I had to copy and paste the file as it won't let me save it as txt file and keeps saving it as a log file
    Logfile of HijackThis v1.97.3
    Scan saved at 1:05:40 AM, on 3/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.cg.shawcable.net:8080
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://canoe.ca/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.5346180556
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4336/mcfscan.cab

    The only program I can think of is McAffee, as it seems the 'auto' update had been mysteriously discontinued, and when I do update manually it said it is current...but I could be wrong about it being a problem. I did notice some weird behavior when doing searches with my browser, so I jjust go directly to google and the search usually works there (othewise I keep ending up in Ebay)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Minera,

    Your version of HijackThis is a bit outdated, but I don't expect the new version to show much more.

    You can fix that
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
    It will not work like this anyway.

    I'll wait for the Registry Search results.

    Regards,

    Pieter
     
  5. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    here is the other scan for the registry item.
     

    Attached Files:

  6. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi Pieter:
    Forgot to mention it but my tds3 scan came up with a warning about double extensions on a file :
    install.wse.exe
    the above is in the same registry directory as the one I attached above.
    I think it is an installation for acrobat reader, but I don't know why it would have double extensions. the file was in the installation disc that came with my hp scanner. I previously deleted it and reinstalled the hp scanner program but the above re appeared after the reinstallation.
    I will fix the acrobat reader by uninstalling it and reinstalling it from the disc and see if that fixes the problem or if its something from the tax site that changes the files o_O
    Hijack this i just downloaded again recently so im wondering why its outdatedo_O I lost the original when I reformated.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Minera,

    The registry Search scan only shows that you have searched for that CLSID.

    Where did you download HijackThis from?
    Try this direct download-link
    A double extension does not automatically mean a file is bad.
    TDS is just warning about a possible danger there.

    Regards,

    Pieter
     
  8. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi Pieter:
    I did another registry scan and nothing was found.
    I also deleted and reinstalled the hijackthis from the link you provided.
    I also deleted and removed anything connected with the Adobe reader and reinstalled it from the disk. Seems to be working ok, although it worked even with the 'missing file' but I still can't seem to save it as a text file (?)
    Logfile of HijackThis v1.97.7
    Scan saved at 6:57:00 PM, on 3/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.cg.shawcable.net:8080
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://canoe.ca/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ci67qv7l.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.5346180556
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4336/mcfscan.cab

    I'm not sure if there is anything on there that is a problem. I did have two files that appeared on my desktop after uninstalling and removing Adobe
    hpothb07.dat and hpothbo7.tif which I assume belongs to the HP scanner program (which also had Adobe installed ) Could I safely delete those two from the desktop?? I can always reinstall the program but I really don't want to reinstall the Adobe that comes with it and so far the program seems to be working okay.
    Minera
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I don't see any problems.
    The files on your desktop should be safe to remove, but if you like to make sure, move them to a different place. If any program needs them it will start complaining. ;)
    Deleting them and letting them stay in the trashcan is another option.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.