Hey, it's my turn for some help again! I got this hijacker that put a FreshBar toolbar on my computer, kept getting Strip Poker popups, and a balloon in the taskbar saying I needed to update my MS firewall.

I think I've got most of it fixed, just want some final cleanup advice. I'll tell you what I've done in case it will help -- or help someone else doing a search for any of the words listed (it's rather lengthy so you can probably skip the next few paragraphs if you like, to the *). This probably isn't the exact sequence either.

Ran HJT and had it fix some O17 entries that led to IPs 69-50-166-94 and 69-31-80-244. I found out these were Atrivo Technologies and nLayer Communications, respectively, by using ARIN's Whois. I also had it fix all the R0s and R1s that now said About:Blank, and an R3 (I think) that said FreshBar. I did some research (links at the end; at least one of them has a screenshot that matches my problem, though I don't recall which one), and found that this infection includes a package of the following files:
Unlodctl.exe
Nlsfuncs.exe
Pentxpl.exe
Openconf.exe
Iecust.exe

I found all of these in my System32 folder except for the pentxpl.exe. Interestingly, HJT didn't find any of these. I also found a number of other files in the same folder that were installed at about the same time, which is my primary request for assistance, but I'll get to that in a bit.

I also ran About:Buster, which found nothing; CWShredder, nothing; Ad-Aware SE, which found 16 entries in various Favorites folders, which I had it fix; and Spybot, which found nothing but took about an hour because the CPU was running at 97%-100%, all from Spybot (nothing else was running; I even disconnected from the internet (DSL) and disabled my AV and PestPatrol).

I re-enabled my Norton AV and PestPatrol, and reconnected to the Net. I tried to run Norton AV, but it wouldn't work, so I ran Panda, which found nothing, and Trend Micro, which found three problems, one of which it fixed automatically, so I don't know what it was; the other two were openconf.exe and iecust.exe.

I rebooted into Safe Mode, found the offending files, and put them along with several others that were created around the same time in my c:\windows\temp folder. Here are all the files I put in the temp folder:
Unlodctl.exe
Nlsfuncs.exe
Openconf.exe
Iecust.exe
Msij.dll
Msvw.dll
Spnping.dll
Icust.dll
Pv.sig
Dnsauth.dll
Qappsrvc32.exe
Taskopen.exe
Dx9vbc.dll
Dte.dat
Menu.txt
And about an hour later, these were installed:
Mwx.dll
Hdon.dll

I then rebooted normally, was able to get Norton AV working so I updated it and had it do a full scan. It found two entries:
Hdon.dll
Taskopen.exe

I went to Norton's website for removal instructions, rebooted into Safe Mode again, deleted the two entries, went to the registry (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) but only found Taskopen, which I deleted. I did another scan of the C drive with Norton while in Safe Mode, which didn't find anything. Rebooted normally and here I am now.

*I would like to know if there is anything that I have left in the temp folder that should not be deleted:
Unlodctl.exe
Nlsfuncs.exe
Openconf.exe
Iecust.exe
Msij.dll
Msvw.dll
Spnping.dll
Icust.dll
Pv.sig
Dnsauth.dll
Qappsrvc32.exe
Dx9vbc.dll
Dte.dat
Menu.txt
Mwx.dll

I would also like to know if there is anywhere else I should look in the registry, or anything else I should look for anywhere else. So far it seems isolated to the System32 folder, but Norton says it can spread.

Also, when I rebooted last time, I got a message saying that qappsrvc32.exe could not be found (this is one of the files I put in the temp folder). The toolbar is gone; the popup and balloon, so far, have not reappeared.

Links to similar infection:
http://help.lockergnome.com/index.php?showtopic=28991&st=30&#entry214633
http://translate.google.com/translate?hl=en&sl=de&u=http://www.trojaner-board.de/showthread.php%3Ft%3D10772&prev=/search%3Fq%3Diecust.exe%26hl%3Den%26lr%3D
http://www.windowsbbs.com/showthread.php?t=38771

Thanks for any help you can offer!! :)

2 contributors, 31 replies, 12-year discussion span; last post by crunchie.
0

Okay, I've done some more checking and I deleted what I was pretty sure should go. Below is what's left. I think the DLLs should all go, but I can't find enough info to be sure. The others I'm not so sure about -- I just think they are bad because they were created at the same time as the rest of the junk.

date.dat (I had dte.dat before, I guess that must have been a typo)
dnsauth.dll
iecust.dll
menu.txt
msij.dll
msvw.dll
mswx.dll
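The test being applied in the list above, that a file is suspect because it was created at the same time as the rest of the junk, is a timeline cluster, and the thread later shows its main weakness: pav.sig landed in the same window only because Panda was run right after the dropper. Below is that clustering written out as an added Python example; it is not code from the thread. The directory, file names and timestamps are all constructed for the demo (a seed file the scanner flagged, siblings within an hour, a legitimate signature file in the same hour, and two old OS files that must not be swept up).

```python
"""Timeline clustering of a directory around a known-bad file.

Added example, not from the thread. The demo directory and every timestamp
in build_demo_system32() are constructed; nothing is read from a real
System32.
"""
import os
import tempfile
import time


def file_time(path, created=False):
    """Timestamp used for clustering.

    created=True asks for the creation time Explorer shows as "Date Created".
    On Windows, Python reports that in st_ctime (st_birthtime on newer
    builds). On Linux st_ctime is the inode-change time, so the demo below
    uses modification time, which os.utime() can set portably.
    """
    st = os.stat(path)
    if created:
        return getattr(st, "st_birthtime", st.st_ctime)
    return st.st_mtime


def files_near(directory, seed_name, window_minutes=60, created=False):
    """Return [(name, offset_minutes)] for regular files whose timestamp is
    within +/- window_minutes of seed_name's, nearest first; the seed itself
    is not listed. The result is a candidate list for corroboration, not a
    verdict: anything the analyst installed in the same window (a scanner's
    signature file, for instance) lands here too.
    """
    seed_ts = file_time(os.path.join(directory, seed_name), created)
    hits = []
    for name in os.listdir(directory):
        if name == seed_name:
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        offset = file_time(path, created) - seed_ts
        if abs(offset) <= window_minutes * 60:
            hits.append((name, round(offset / 60)))
    return sorted(hits, key=lambda hit: abs(hit[1]))


def build_demo_system32():
    """Create a constructed stand-in for System32 and return its path.

    Offsets are minutes relative to the dropper's run; the names echo the
    thread, the times are hypothetical.
    """
    directory = tempfile.mkdtemp(prefix="demo_system32_")
    base = time.time() - 30 * 86400          # dropper ran "30 days ago"
    offsets = {
        "iecust.exe": 0,                     # seed: the file the scanner flagged
        "openconf.exe": 3,                   # dropped by the same package
        "msij.dll": 12,
        "pav.sig": 48,                       # Panda signature file: same window, legitimate
        "hdon.dll": 55,                      # second wave "about an hour later"
        "kernel32.dll": -400 * 24 * 60,      # old OS files: outside the window
        "ctfmon.exe": -400 * 24 * 60,
    }
    for name, off in offsets.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"demo")
        stamp = base + off * 60
        os.utime(path, (stamp, stamp))
    return directory


if __name__ == "__main__":
    demo = build_demo_system32()
    for name, offset in files_near(demo, "iecust.exe"):
        print(f"{name:14s} {offset:+5d} min")
```

Run it and the one-hour window returns openconf.exe, msij.dll, pav.sig and hdon.dll, while kernel32.dll and ctfmon.exe stay out. pav.sig is there on timing alone, which is why the output is a list to corroborate (what did you yourself install in that window? did a scanner flag the file?) rather than a delete list. On a real System32, pass created=True to work from the "Date Created" timestamp the original post used.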

0

Okay, now I got this one...

But right after that came up, a message popped up saying something about finding the results somewhere, but it disappeared too fast for me to see where.

(Attachment: Silent_Runners_Warning2.JPG)
0

OK. I am not that familiar with how Silent Runners works, so it will not hurt to email the guy (although I think he charges for any help).

Do this: click on Config in HijackThis and then click on Miscellaneous Tools. Check "List also minor sections" and then click on "Generate Startup List Log".
Post away.

0

Okay, now I got this one...

But right after that came up, a message popped up saying something about finding the results somewhere, but it disappeared too fast for me to see where.

The log that is saved is called *Startup Programs* with today's date. Try a search for it.

0

Try running Silent Runners a couple of times. Another user here just tried it and got the same message as you, but another pop-up said it was OK the second time, or something.

0

Yeah, the search found nothing. I tried running it again and this time saw that the log was put in the Temporary Internet folder, but I looked and it wasn't there. So I tried it again, but this time I saved it to a folder instead of just running it. This time I was able to find the log; here it is:

"Silent Runners.vbs", revision 28, launched at: 22:03
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WorksFUD" = "C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"QD FastAndSafe" = "C:\Utilities\PestPatrol\CookiePatrol.exe" [null data]
"PPMemCheck" = "C:\Utilities\PestPatrol\PPMemCheck.exe" [null data]
"PestPatrol Control Center" = "C:\Utilities\PestPatrol\PPControl.exe" [null data]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers" ["Microsoft® Corporation"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"CookiePatrol" = "C:\Utilities\PestPatrol\CookiePatrol.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
"{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default)" = "Fax"
                                       \StubPath   = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
"{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default)" = "Fax Provider"
                                       \StubPath   = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{80F11BC6-310B-42AD-98E5-4AC76B43F42A}\(Default) = (no title provided)
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\msmn.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Media Players\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}" = "ICCompPropPage"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Photo Editing\Microsoft Image Composer\SERVER.DLL" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\upnpui.dll" [MS]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Common Files\stardock\MCPCore.dll" ["Stardock"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "MCPClient\DLLName" = "C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll" ["Stardock"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Aadministrator" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe  /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe  /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

IPv6 Helper Service, 6to4, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


0

Here's the HJT log:
StartupList report, 12/29/2004, 10:10:56 PM
StartupList version: 1.52.2
Started from : C:\Utilities\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\PestPatrol\CookiePatrol.exe
C:\Utilities\PestPatrol\PPMemCheck.exe
C:\Utilities\PestPatrol\PPControl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WorksFUD = C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
QuickTime Task = "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
QD FastAndSafe = C:\Utilities\PestPatrol\CookiePatrol.exe
PPMemCheck = C:\Utilities\PestPatrol\PPMemCheck.exe
PestPatrol Control Center = C:\Utilities\PestPatrol\PPControl.exe
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
CookiePatrol = C:\Utilities\PestPatrol\CookiePatrol.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\system32\dllcache\notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\msmn.dll (file missing) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Aadministrator.job
Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

IPv6 Helper Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Fallback: System32\DRIVERS\fallback.sys (autostart)
Fsks: System32\DRIVERS\fsksnt.sys (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
K56: System32\DRIVERS\k56nt.sys (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
RM DVD helper: System32\DRIVERS\rmdvd.sys (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\faxnt.sys (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Tones: System32\DRIVERS\tonesnt.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
V124: System32\DRIVERS\v124nt.sys (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\Program Files\Common Files\stardock\MCPCore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
End of report, 12,566 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

0

Here's the dllCompare log:

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 6:21:24p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
________________________________________________

1,275 items found: 1,275 files (7 H/S), 0 directories.
Total of file sizes: 245,905,816 bytes 234.51 M

Administrator Account = True

--------------------End log---------------------

0

Is this one showing up in hijackthis?

(no name) - C:\WINDOWS\System32\msmn.dll (file missing) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A}

Seems to be the only thing there I cannot account for. It shows up in the startup list and in Silent Runners.

0

Yes, it's an O2 entry; here's the whole log (without 'List all minor sections'):

Logfile of HijackThis v1.99.0
Scan saved at 11:50:28 PM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\PestPatrol\CookiePatrol.exe
C:\Utilities\PestPatrol\PPMemCheck.exe
C:\Utilities\PestPatrol\PPControl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\dllcache\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Utilities\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Utilities\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(I know I had IE open when I did this scan :) )

0

After all that, this is the only one that needs to go:

O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)
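The verdict above comes from reading the whole HJT log by eye. As an added example (not code from the thread or from HijackThis), here is that reading as a small Python triage script that applies the rules the thread acted on: R0/R1 pages set to about:blank, an O2 BHO whose DLL is gone, O17 DNS servers to look up at ARIN, and any entry that still names a file already moved out of System32, which is what the "qappsrvc32.exe could not be found" message at boot pointed at. SAMPLE_LOG is constructed: the O2, O3, O4 and O23 lines are copied from the log posted above, the Taskopen O4 line stands in for the Run value the first post deleted, and the R0/R1 and O17 lines are hypothetical entries in HijackThis format carrying the two addresses the first post looked up at ARIN.

```python
"""Triage a HijackThis log against a list of already-quarantined files.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
constructed: the O2/O3/O4/O23 lines come from the log posted in the
thread, the R0/R1 and O17 lines are hypothetical entries in HijackThis
format (the O17 addresses are the two the first post looked up at ARIN).
"""
import ipaddress
import re

# Files already moved out of System32 in the thread. A log line that still
# names one of them is the autostart or registration that survived the
# move (the "qappsrvc32.exe could not be found" message at boot is exactly
# such a dangling reference).
QUARANTINED = {
    "unlodctl.exe", "nlsfuncs.exe", "openconf.exe", "iecust.exe",
    "qappsrvc32.exe", "taskopen.exe", "hdon.dll", "mwx.dll",
}

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0 (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Taskopen] C:\WINDOWS\System32\taskopen.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F1C2D3E-0000-0000-0000-000000000000}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILENAME_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|ocx|sys|scr|com)\b", re.IGNORECASE)


def public_ips(text):
    """IPv4 literals in text that are neither private nor loopback (whois-worthy)."""
    out = []
    for lit in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(lit)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(lit)
    return out


def triage(log_text, quarantined=QUARANTINED):
    """Return [(section, reason, line)] for entries that need action.

    Rules mirror what the thread acted on: about:blank start/search pages
    (R0/R1), a BHO whose DLL is gone (O2), DNS servers injected into the
    TCP/IP service keys (O17), and any entry still pointing at a file that
    has already been quarantined.
    """
    wanted = {n.lower() for n in quarantined}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # header lines, blanks, process list
        sec, body = m.group("sec"), m.group("body")

        if sec in ("R0", "R1") and "about:blank" in body.lower():
            findings.append((sec, "IE start/search page set to about:blank", line))

        if sec == "O2" and "(file missing)" in body:
            findings.append((sec, "orphaned BHO registration: DLL missing", line))

        if sec == "O17":
            ips = public_ips(body)
            if ips:
                findings.append((sec, "DNS NameServer override, whois: " + ", ".join(ips), line))

        for name in FILENAME_RE.findall(body):
            if name.lower() in wanted:
                findings.append((sec, f"still references quarantined file {name}", line))
                break
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4s} {reason}\n     {line}")
```

On the sample it reports five entries: the two about:blank pages, the orphaned msmn.dll BHO, the O17 name servers with the addresses to run through whois, and the Run value that still points at taskopen.exe; the Symantec, Norton and Adobe lines pass. The quarantined-name rule is the one that answers "is there anywhere else I should look in the registry": feed it the list of files you moved and it pulls out every autostart, BHO or service entry that still references one of them.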

0

What should I do with the things I put in my Temp folder (see post #2)?

0

Guess what? When I tried to attach it (using Hotmail), I got a message saying "The file that you want to attach contains a virus that cannot be cleaned. The file cannot be attached to your message."

0

Well, let's see...

Okay, it seems to have worked; it was too big at first though (2 MB limit), so I removed a file called pav.sig.

0

Apparently pav.sig is a part of Panda's antivirus; I put it in that folder because it came up shortly after the rest of the bad stuff. But that's because I ran Panda shortly thereafter :). Should I move that back to the System32 folder?

0

Okay, I put pav.sig back where it came from and deleted everything that I had listed in Post #2. Thanks for the help!!

1

No worries. You do realise that we don't get paid for helping the helpers :D.

0

No worries. You do realise that we don't get paid for helping the helpers :D.

I apologize for diverting your revenue stream; is there any way I can make it up to you?
