Help with FreshBar Hijack, Strip Poker Popup

Question

dlh6213 27 Posting Maven

19 Years Ago

Hey, it's my turn for some help again! I got this hijacker that put a FreshBar toolbar on my computer, kept getting Strip Poker popups, and a balloon in the taskbar saying I needed to update my MS firewall.

I think I've got most of it fixed, just want some final cleanup advice. I'll tell you what I've done in case it will help -- or help someone else doing a search for any of the words listed (it's rather lengthy so you can probably skip the next few paragraphs if you like, to the *). This probably isn't the exact sequence either.

Ran HJT and had it fix some O17 entries that led to IP 69-50-166-94 and 69-31-80-244. I found out these were Atrivo Technologies and Nlayer Communications, respectively, by using Arin's "Whois." I also had it fix all the R0's & R1's that now said About:Blank, and an R3 (I think), that said FreshBar. I did some research (links at the end, at least one of them has a screen shot that matches my problem -- don't recall which one though), and found that this infection includes a package of the following files:
Unlodctl.exe
Nlsfuncs.exe
Pentxpl.exe
Openconf.exe
Iecust.exe

I found all of these in my System32 folder except for the pentxpl.exe. Interestingly, HJT didn't find any of these. I also found a number of other files in the same folder that were installed at about the same time, which is my primary request for assistance, but I'll get to that in a bit.

I also ran About:Buster, which found nothing; CWShredder, nothing; AdwareSE, which found 16 entries in various Favorites folders, which I had it fix; and Spybot, which found nothing, but took about an hour because the CPU was running at 97%-100%, all by Spybot (nothing else was running, I even disconnected from the internet, DSL, and disabled my AV and PestPatrol).

I reenabled my Norton AV and PestPatrol, and reconnected to the Net. I tried to run Norton AV, but it wouldn't work, so I ran Panda, which found nothing, and TrendMicro, which found three problems, one of which it fixed automatically, so I don't know what it was, and the other two were openconf.exe & iecust.exe.

I rebooted into Safe Mode, found the offending files, and put them along with several others that were created around the same time in my c:\windows\temp folder. Here are all the files I put in the temp folder:
Unlodctl.exe
Nlsfuncs.exe
Openconf.exe
Iecust.exe
Msij.dll
Msvw.dll
Spnping.dll
Icust.dll
Pv.sig
Dnsauth.dll
Qappsrvc32.exe
Taskopen.exe
Dx9vbc.dll
Dte.dat
Menu.txt
And about an hour later, these were installed:
Mwx.dll
Hdon.dll

I then rebooted normally, was able to get Norton AV working so I updated it and had it do a full scan. It found two entries:
Hdon.dll
Taskopen.exe

I went to Noton's website for removal instructions, rebooted into Safe Mode again, deleted the two entries, went to the registry, (hkey-local-machine, software, microsoft, windows, current version, run) but only found Taskopen, which I deleted. I did another scan with Norton while in Safe Mode of the C drive, which didn't find anything. Rebooted normally and here I am now.

*I would like to know if there is anything that I have left in the temp folder that should not be deleted:
Unlodctl.exe
Nlsfuncs.exe
Openconf.exe
Iecust.exe
Msij.dll
Msvw.dll
Spnping.dll
Icust.dll
Pv.sig
Dnsauth.dll
Qappsrvc32.exe
Dx9vbc.dll
Dte.dat
Menu.txt
Mwx.dll

I would also like to know if there is anywhere else I should look in the registry, or anything else I should look for anywhere else. So far it seems isolated to the System32 folder, but Norton says it can spread.

Also, when I rebooted last time, I got a message saying that qappsrvc32.exe could not be found (this is one of the files I put in the temp folder). The toolbar is gone; the popup and balloon, so far, have not reappeared.

Links to similar infection:
http://help.lockergnome.com/index.php?showtopic=28991&st=30&#entry214633
http://translate.google.com/translate?hl=en&sl=de&u=http://www.trojaner-board.de/showthread.php%3Ft%3D10772&prev=/search%3Fq%3Diecust.exe%26hl%3Den%26lr%3D
http://www.windowsbbs.com/showthread.php?t=38771

Thanks for any help you can offer!! :)

windows-virus

2 Contributors
31 Replies
565 Views
3 Days Discussion Span
Latest Post 19 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

19 Years Ago

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

http://downloads.subratam.org/DllCompare.exe

Now open DllCompare.exe and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.
save the log to desktop.

crunchie 990 Most Valuable Poster

19 Years Ago

Just allow it to run dlh, it's safe. Norton is just protecting you from unknown scripts :).

crunchie 990 Most Valuable Poster

19 Years Ago

OK. Am not that familiar with how silent runners works, so it will not hurt to email the guy (although I think he charges for any help).

Do this; Click on Config in hijackthis and then click on Miscellaneous Tools. Check "List also minor sections" and then click on "Generate Startup List Log"
Post away.

crunchie 990 Most Valuable Poster

19 Years Ago

Okay, now I got this one...
But right after that came up, a message popped up saying something about finding the results somewhere, but it disappeared too fast for me to see where.

The log that is saved is called *Startup Programs* with todays date. Try a search for it.

crunchie 990 Most Valuable Poster

19 Years Ago

No worries. You do realise that we don't get paid for helping the helpers :D.

dlh6213 commented: Thanks once again for everything!! :) - dlh +1

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

dlh6213 27 Posting Maven Team Colleague · Answer 1 · 2004-12-28T12:21:43+00:00

Okay, I've done some more checking and I deleted what I was pretty sure should be. Below is what's left. I think the dll's should all go, but I can't find enough info to be sure. The others I'm not so sure about -- I just think they are bad because they were created at the same time as the rest of the junk.

date.dat (I had dte.dat before, I guess that must have been a typo)
dnsauth.dll
iecust.dll
menu.txt
msij.dll
msvw.dll
mswx.dll

dlh6213 27 Posting Maven Team Colleague · Answer 2 · 2004-12-29T13:45:19+00:00

dlh6213 27 Posting Maven

19 Years Ago

No one with any suggestions?

dlh6213 27 Posting Maven Team Colleague · Answer 3 · 2004-12-30T11:27:12+00:00

I opened Silent Runners and got the message attached.

dlh6213 27 Posting Maven Team Colleague · Answer 4 · 2004-12-30T11:42:05+00:00

Okay, now I got this one...

But right after that came up, a message popped up saying something about finding the results somewhere, but it disappeared too fast for me to see where.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 5 · 2004-12-30T12:05:55+00:00

Try running silent runners a couple of times. Another user here just tried it and got the same message as you but another pop up said it was ok the 2nd time, or something.

dlh6213 27 Posting Maven Team Colleague · Answer 6 · 2004-12-30T12:08:58+00:00

Yeah, the search found nothing. I tried running it again and this time saw that the log was put in the Temporary Internet folder, but I looked and it wasn't there. So I tried it again, but this time I saved it to a folder instead of just running it. This time I was able to find the log; here it is:

"Silent Runners.vbs", revision 28, launched at: 22:03
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WorksFUD" = "C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"QD FastAndSafe" = "C:\Utilities\PestPatrol\CookiePatrol.exe" [null data]
"PPMemCheck" = "C:\Utilities\PestPatrol\PPMemCheck.exe" [null data]
"PestPatrol Control Center" = "C:\Utilities\PestPatrol\PPControl.exe" [null data]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers" ["Microsoft® Corporation"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"CookiePatrol" = "C:\Utilities\PestPatrol\CookiePatrol.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
"{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default)" = "Fax"
                                       \StubPath   = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
"{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default)" = "Fax Provider"
                                       \StubPath   = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{80F11BC6-310B-42AD-98E5-4AC76B43F42A}\(Default) = (no title provided)
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\msmn.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Media Players\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}" = "ICCompPropPage"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Photo Editing\Microsoft Image Composer\SERVER.DLL" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\upnpui.dll" [MS]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Common Files\stardock\MCPCore.dll" ["Stardock"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "MCPClient\DLLName" = "C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll" ["Stardock"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Aadministrator" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe  /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe  /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

IPv6 Helper Service, 6to4, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

dlh6213 27 Posting Maven Team Colleague · Answer 7 · 2004-12-30T12:12:00+00:00

Here's the HJT log:
StartupList report, 12/29/2004, 10:10:56 PM
StartupList version: 1.52.2
Started from : C:\Utilities\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\PestPatrol\CookiePatrol.exe
C:\Utilities\PestPatrol\PPMemCheck.exe
C:\Utilities\PestPatrol\PPControl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WorksFUD = C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
QuickTime Task = "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
QD FastAndSafe = C:\Utilities\PestPatrol\CookiePatrol.exe
PPMemCheck = C:\Utilities\PestPatrol\PPMemCheck.exe
PestPatrol Control Center = C:\Utilities\PestPatrol\PPControl.exe
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
CookiePatrol = C:\Utilities\PestPatrol\CookiePatrol.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\system32\dllcache\notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\msmn.dll (file missing) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Aadministrator.job
Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

IPv6 Helper Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Fallback: System32\DRIVERS\fallback.sys (autostart)
Fsks: System32\DRIVERS\fsksnt.sys (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
K56: System32\DRIVERS\k56nt.sys (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
RM DVD helper: System32\DRIVERS\rmdvd.sys (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\faxnt.sys (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Tones: System32\DRIVERS\tonesnt.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
V124: System32\DRIVERS\v124nt.sys (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\Program Files\Common Files\stardock\MCPCore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
End of report, 12,566 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

dlh6213 27 Posting Maven Team Colleague · Answer 8 · 2004-12-30T12:16:43+00:00

Here's the dllCompare log:

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 6:21:24p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
________________________________________________

1,275 items found: 1,275 files (7 H/S), 0 directories.
Total of file sizes: 245,905,816 bytes 234.51 M

Administrator Account = True

--------------------End log---------------------

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2004-12-30T12:17:45+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

Just give us 5-10 minutes.

dlh6213 27 Posting Maven Team Colleague · Answer 10 · 2004-12-30T12:23:13+00:00

dlh6213 27 Posting Maven

19 Years Ago

Take your time, I'm taking a break for awhile :)

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 11 · 2004-12-30T12:29:22+00:00

Is this one showing up in hijackthis?

(no name) - C:\WINDOWS\System32\msmn.dll (file missing) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A}

Seems to be the only thing there I cannot account for. Shows up in the startup list and silent runners.

dlh6213 27 Posting Maven Team Colleague · Answer 12 · 2004-12-30T13:55:49+00:00

Yes, it's an O2 entry; here's the whole log (without 'List all minor sections'):

Logfile of HijackThis v1.99.0
Scan saved at 11:50:28 PM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\PestPatrol\CookiePatrol.exe
C:\Utilities\PestPatrol\PPMemCheck.exe
C:\Utilities\PestPatrol\PPControl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\dllcache\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Utilities\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Utilities\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(I know I had IE open when I did this scan :) )

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 13 · 2004-12-30T16:23:09+00:00

After all that, this is the only one that needs to go;

O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)

dlh6213 27 Posting Maven Team Colleague · Answer 14 · 2004-12-31T10:16:06+00:00

What should I do with the things I put in my Temp folder (see post #2)?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 15 · 2004-12-31T10:26:34+00:00

Can you zip the dll's up and send them to number1dad2000atyahoo.com.au (replace at with @). I want to see what's in them :).

You can delete them then.

dlh6213 27 Posting Maven Team Colleague · Answer 16 · 2004-12-31T10:45:53+00:00

Guess what? When I tried to attach it (using Hotmail), I got a message saying "The file that you want to attach contains a virus that cannot be cleaned. The file cannot be attached to your message."

dlh6213 27 Posting Maven Team Colleague · Answer 17 · 2004-12-31T10:50:02+00:00

Got a similar message when trying Yahoo. The folder is zipped.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 18 · 2004-12-31T11:32:47+00:00

Can you upload it here as an attachment. I will delete it as soon as I get it.

dlh6213 27 Posting Maven Team Colleague · Answer 19 · 2004-12-31T11:43:24+00:00

Well, let's see...

Okay, it seems to have worked; it was too big at first though (2mb limit), so I removed a file called pav.sig.

dlh6213 27 Posting Maven Team Colleague · Answer 20 · 2004-12-31T11:54:41+00:00

Apparently pav.sig is a part of Panda's antivirus; I put it in that folder because it came up shortly after the rest of the bad stuff. But that's because I ran Panda shortly thereafter :). Should I move that back to the System32 folder?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 21 · 2004-12-31T11:57:47+00:00

Got the file.Thanks. Will have a look soon. I would restore that pav file from whence it came :).

dlh6213 27 Posting Maven Team Colleague · Answer 22 · 2004-12-31T13:13:54+00:00

Okay, I put pav.sig back where it came from and deleted everything that I had listed in Post #2. Thanks for the help!!

dlh6213 27 Posting Maven Team Colleague · Answer 23 · 2004-12-31T15:33:20+00:00

No worries. You do realise that we don't get paid for helping the helpers :D.

I appologize for diverting your revenue stream; is there any way I can make it up to you?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 24 · 2004-12-31T15:41:05+00:00

Yeah. Stop getting infected :D. You're only trying to get your post count up :).