
Welcome To The Desert.


4 replies to this topic

#1 desertranger

  • New Member
  • 4 posts
  • Interests: .50 cal rifle at 1000yds, Lady Rin (my wife), being a guide and playing Falcon 4.0/FF3

Posted 08 December 2004 - 11:32 AM

It's always amazing whenever I log into a new forum. I often wonder if a user's name relates to the individual who has it. Mine does. It describes me and what I do. I am also an Alpha Geek with a spyware problem I've been trying to get rid of for weeks, and the last thing I want to do is format my hard disk.

The infected box is a 3.2GHz, 1GB machine used as a workstation and as the data and print server for the house. We have dial-up on this computer and one other. I tried Webroot's Spy Sweeper, which was highly recommended. It finds it but can't kill it. I tried safe mode, unsafe mode, I even tried dangerous mode; nada. I disabled several services, including Windows Installer, and was able to remove the active traces I could find. Then I had to install a program and enabled the installer, did my install, then disabled it again, and everything came back.

The main symptom is the appearance of the installer screen when using MSIE (I use Opera), on boot and at various times when utility apps are run, i.e. Control Panel and some items in there.

This is what I know is in there (plus a couple of others whose names I don't have at the moment):
internet optimizer, suspected root cause
180 search assistant
&radio
xsczn.inf
mpl32 driver

I've cleaned the registry by hand, the hard disk by hand, memory by hand; I even killed myself and took a week off dead to see if zen could help.

My current choices are: download all kinds of spyware removers that don't work, including Ad-Aware and Spybot S&D, and try them again; format the hard disk and start from scratch (this is a big job and kills a lot of stuff for several weeks); go back to being dead for another couple of weeks. Suggestions?



#2 Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 08 December 2004 - 04:55 PM

Greetings and welcome to TomCoyote.org!

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Download HijackThis into this folder.

If required, a tutorial is here: Hijackthis Folder Tutorial

Links to Hijack This! v 1.98.2:

http://tools.radiosp.../HijackThis.exe
http://spywarewarrio.../HijackThis.exe

Run it from that folder.

Click "Scan".

DO NOT "FIX" ANYTHING WITH IT YET!!!
FIXING THE WRONG THING COULD RENDER YOUR SYSTEM INOPERABLE!!!

Click "Save log".

Reply to this thread, and "copy/paste" the ENTIRE CONTENTS of the log file into this thread.

:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 desertranger

  • New Member
  • 4 posts
  • Interests: .50 cal rifle at 1000yds, Lady Rin (my wife), being a guide and playing Falcon 4.0/FF3

Posted 08 December 2004 - 11:10 PM

Thank you Micah_6:8

Your instructions were much appreciated. Here is the log file. I've heard of HijackThis but have always been kind of leery about it, not knowing anything about it. I'm reading the tutorial. Your input is gratefully appreciated.


[quote]DO NOT "FIX" ANYTHING WITH IT YET!!!
FIXING THE WRONG THING COULD RENDER YOUR SYSTEM INOPERABLE!!![/quote]


Duh!

No sweat. Wouldn't do it until I knew what I was doing anyway.

As my friends say, I'm a barbarian, not an idiot. :rofl: I took a guess at what I don't think belongs, highlighted below. I may be wrong, probably am. Maybe not, who knows.

Everything has been left intact on the server and no changes have been made.


Logfile of HijackThis v1.98.2
Scan saved at 8:49:03 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\FS\FSService.exe
C:\Program Files\FS\fsp.exe
This belongs
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SIDEWI~1\Common\SWTrayV4.exe
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN05.EXE
C:\Program Files\Shove-it\Shove-it.exe
C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
C:\Program Files\PowerDesk\PDExplo.exe
C:\Program Files\Common Files\ACD Systems\IDBSvr.exe
F:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php Not supposed to be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com Not supposed to be
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: 64.91.255.87 www.dcsresearch.com Not supposed to be??
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DSE WE Addon Class - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFShared\weaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx Not sure
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll can go
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\SIDEWI~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [fspr] "C:\Program Files\FS\FolderShield.exe" CR this stays
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPL32 Driver] lsasss.exe can never rem what this is
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EPSON Stylus COLOR 760] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN05.EXE /A "C:\WINDOWS\System32\E_S1B7.tmp"
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Shove-it.lnk = C:\Program Files\Shove-it\Shove-it.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\psn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML Not supposed to be
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe Not supposed to be
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe Not supposed to be
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll suspect? yes/no
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab can go?

#4 Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 09 December 2004 - 12:01 PM

[quote]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php  Not supposed to be[/quote]

Can be fixed ^

[quote]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com  Not supposed to be[/quote]

Can be fixed^

[quote]O1 - Hosts: 64.91.255.87 www.dcsresearch.com    Not supposed to be??  [/quote]

Can be fixed^

[quote]O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx  Not sure[/quote]

NOT malware^

[quote]O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll  can go[/quote]

Would be best removed via Start > Control Panel > Add/Remove programs, if you wish.

[quote]O4 - HKLM\..\Run: [MPL32 Driver] lsasss.exe    can never rem what this is[/quote]

This is unusual. The "head" is part of one worm, the "tail" looks like another. :scratch:

[quote]O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML    Not supposed to be[/quote]

Would be best removed via Start > Control Panel > Add/Remove programs, if you wish.

[quote]O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe  Not supposed to be

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe  Not supposed to be[/quote]

You can remove ICQLite via Start > Control Panel > Add/Remove programs, then fix these if you want.

[quote]O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll    suspect?  yes/no[/quote]

NOT malware^

[quote]O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab    can go?[/quote]

Can be fixed^

[quote]internet optimizer, suspected root cause
180 search assistant
&radio
xsczn.inf[/quote]

Don't see any of that anywhere, but Hijack This! doesn't look everywhere.

Personally, I'd suggest the "whole enchilada", which would be all of this:

[quote]Please download and run Spybot-Search&Destroy and Ad-Aware; they are the standard programs for finding and cleaning malware off your system.  Here are links to both programs, and instructions for their use.

Get Spybot - Search & Destroy from http://security.kolla.de
(This is the NEW Version 1.3)
Get AdAware SE Personal from http://www.lavasoft....upport/download
(This is the NEW Build 1.05)

Download and install these programs if you don't already have them. If you do have them, make sure they are UPDATED AND CONFIGURED AS DESCRIBED here:

http://www.cjwd.demo...ot-adaware.html

Reboot after running each program.

Please try these free online virus scans of your system:

Trend-Micro Housecall

Panda Activescan

Etrust Security Advisor

Choose "fix" or "clean".

Let them remove any infections found. Reboot after each scan.[/quote]

Then post another log, and we'll see if the worm survived. :)
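The log in post #3 and the line-by-line triage in post #4 boil down to a handful of checks that can be written out. As an added example that is not part of this thread and is not the HijackThis tool's own code, the Python script below parses HijackThis log lines by their section prefix and flags the classes of entry discussed above: an IE search setting (R0/R1) pointing at a host outside an allow-list, any hosts-file override (O1), a BHO whose DLL is marked "(file missing)" (O2), a Run entry (O4) whose executable name is one edit away from a core Windows process name (the lsasss.exe versus lsass.exe case Micah calls "unusual"), and an IE policy restriction that is set (O6). The allow-list of search hosts and the set of system process names are assumptions of this example; the sample lines are copied from the posted log with the poster's annotations removed and the truncated URLs left out, so it runs offline.

```python
"""Heuristic triage of HijackThis log lines (added example, not the tool's code).

Rules, one per HijackThis section type:
  R0/R1  IE search/start settings pointing at a host outside an allow-list
  O1     any hosts-file override
  O2     a BHO whose DLL is marked "(file missing)"
  O4     a Run entry whose executable name is one edit away from a core
         Windows process name (the lsasss.exe vs. lsass.exe pattern)
  O6     IE policy restrictions that are set
The allow-list and the process-name set are assumptions for this example.
"""
import ntpath
import re
from urllib.parse import urlparse

# Assumption: hosts a legitimate IE search setting on this box would use.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "www.msn.com"}

# Assumption: Windows XP core process names that malware likes to imitate.
SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First token that ends in .exe, stopping at backslashes, spaces and quotes,
# so unquoted paths with spaces still yield the file name.
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)

# Constructed sample: lines copied from the log posted above, annotations removed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MPL32 Driver] lsasss.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single extra letter is the classic lsasss.exe trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe: str):
    """Return the system process name `exe` imitates, or None if it is the real
    name or unrelated to any of them."""
    exe = exe.lower()
    if exe in SYSTEM_PROCESSES:
        return None
    for real in sorted(SYSTEM_PROCESSES):
        if edit_distance(exe, real) == 1:
            return real
    return None


def triage_line(line: str):
    """Return (section, reason) for a suspicious line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        url = body.split(" = ", 1)[-1].strip()
        host = (urlparse(url).hostname or "").lower()
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return (sec, f"IE search setting points at {host}")
    elif sec == "O1":
        return (sec, "hosts file override: " + body.split(": ", 1)[-1])
    elif sec == "O2" and body.endswith("(file missing)"):
        return (sec, "BHO registered but its DLL is missing")
    elif sec == "O4":
        hit = EXE_RE.search(body.split("] ", 1)[-1])  # text after the [Name] tag
        if hit:
            exe = ntpath.basename(hit.group(1))
            real = lookalike(exe)
            if real:
                return (sec, f"{exe} imitates system process {real}")
    elif sec == "O6" and body.endswith(" present"):
        return (sec, "IE policy restriction set; confirm it was intentional")
    return None


def triage(log: str):
    """Run every line through triage_line and return the findings in log order."""
    findings = [triage_line(line) for line in log.splitlines()]
    return [f for f in findings if f]


if __name__ == "__main__":
    for sec, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}")
```

A flag from this script is a reason to look closer, not a verdict: as the reply above notes, the &Radio toolbar (msdxm.ocx) and NPDocBox.dll are legitimate, and a rule that only reads the log cannot see the items HijackThis itself does not enumerate. The one-edit check on O4 is deliberately narrow (exact system names pass, anything two or more edits away is ignored) so that it catches a padded or misspelt system process name without flagging every short executable name.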

#5 desertranger

  • New Member
  • 4 posts
  • Interests: .50 cal rifle at 1000yds, Lady Rin (my wife), being a guide and playing Falcon 4.0/FF3

Posted 09 December 2004 - 08:57 PM

Thank you Micah. I'll be in the back country until Sat night, so I probably won't be able to repost the log. You have been very kind. I'll get back to you.
