Author Topic: Freckles HJT log #1  (Read 27048 times)

0 Members and 1 Guest are viewing this topic.

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #45 on: January 27, 2006, 12:03:09 AM »
More info.
Both profiles were confirmed as Showing hidden files.

In Windows Explorer for Window/system32, a search was done using date,
and on Sept. 29 2005 those same 3 files were listed (w/o ?) but all 3 with 392 KB, not 401,408 KB.
The 4th file Panda detected, MYDLL.dll was found on 11-01 date (same date in dat.Find) but with 1,429 KB not 1,462,353 bytes.

And just so I understand what we are doing with these searches.  We are looking for the files with the name/pathway that Panda provided.  And then we are only looking to delete the same named files with the corresponding numbers of bytes provided by dat.Find.  And the dates listed by dat.Find that matches as well with those files names have helped find them.  But if we are looking for exact numbers of bytes, they haven't been found.

Did a search in all files and folders for robot.exe and nothing was found.

Did Start...Run...cmd...and in system32 nothing "unusual" was seen, but was kindofa foreign looking land...in other words, it just appeared to list files that were familiar.  Wish I knew how to comment better on that.

With Counterspy & Ewido, active monitors were disabled.  And temp. disabled F-Secure A/V.
Then did an online scan at a-squared trojan, of local disc c and no malware was found.

Did an online scan at F-Secure as well and no infections were found.

Here's an updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:56 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: Support - {B527A16B-FB12-4049-96E0-C3ABF799D9F6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #46 on: January 27, 2006, 12:20:19 AM »
Also had Freckles do a scan and save a HJT log for the other profile, now given admin rights while we're doing this clean up, and seems like one of the files that Panda detected and AdAware detected: t?skmgr.exe is there now, when it wasn't in the HJT log on Jan 13th when we started this whole thread.  But this file isn't listed in the log above either, from the other profile, from as much as I can see.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:23:33 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\t?skmgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Prjdce] C:\WINDOWS\system32\t?skmgr.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: Support - {D57D01A0-9BF2-48BC-A6F9-75EC53261314} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

And then as a last footnote, just as we were finishing up, F-Secure A/V alerted that trojan downloader purity scan was detected in local settings/temp/!update-319, and had user not disinfect, but take F-Secure's option to manually delete.  Which was done.  Temp Internet files folder was then checked and the same clickspring stuff from before was there and deleted.

Just an idea, is it possible this trojan is in the system restore and keeps coming back from there?

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #47 on: January 28, 2006, 01:23:24 PM »
Die Hard/Winchester 73  :)

Spent more time w/ Freckles on the phone, and I think we've located those 4 files.
I think we were confused by dat.Find log sizes in bytes and Windows Explorer sizes in KB.
I used an online conversion calculator and 401,408 bytes = 392 KB which is what user found for these 3 files.
The 4th file size (that Panda found) was 1,462,353 bytes which equals 1,428.0791016 KB and user found one 1,429 KB...so this is a match too, right?

Had user go back to System32 folder and in Windows Explorer searched by name again, and no files were out of sequence at the bottom, but user states seeing a taskmgr.exe w/ an icon AND right next to it a taskmgr.exe w/o an icon.  Same situation with javaw.exe and mshta.exe files.
There is only the one MYDLL.dll.

I know this will sound stupid, but just to be sure, based on above, delete these 4 files?  The 3 files w/ 392 KB w/ no icons, and the one MYDLL.dll.

If that's a yes, will manually delete them, run CCleaner in both profiles, then follow up with Ewido and AdAware scans.

Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
    • View Profile
Re: Freckles HJT log #1
« Reply #48 on: January 28, 2006, 08:33:57 PM »
ripley :)

It seems like you finally have located the files,well done  :thumbsup:
Just to be sure , do not nuke them entirely, put them in a temp location for the time being, until you know the system doesn´t malfunction.Once you move them from their original place, they are most certain quite harmless .

Round it up, like you say, with both an Ewido and an AAW-scan and empty the temp folders.

Die Hard :)
I create and edit my posts in GS-NOTES

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #49 on: January 28, 2006, 08:41:33 PM »
Just to be sure , do not nuke them entirely, put them in a temp location for the time being, until you know the system doesn´t malfunction.
To put in temp location, right click each file, select "cut" and paste them in a folder (that we'll name "crap") on the desktop?  Is that what you mean? 

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19823
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Freckles HJT log #1
« Reply #50 on: January 29, 2006, 12:14:16 AM »
Good way to handle it, Ripley! 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #51 on: January 29, 2006, 10:04:45 PM »
Once upon a time... in computerland...there was a damsel in distress.  She was a queen of one of the castles in computerland.  She had constructed a motte all around and built her fortress wall high around her castle.  She even had centurian guards patroling regularly, scanning every crook & cranny to keep her protected.
One day her young daughter met an enticing suitor at the castle gate and let him in.  But neither did this young girl know that this suitor concealed a foe named clickspring, and soon two of the trusted centurians named AdAware and Ewido approached the queen announcing that they knew there were trojans hiding in the castle, but were unable to completely slay them.
 
So a decree went out all over the land and a message was received that help would be arriving from a land, a land far far away, named Landzdown.  Soon a Knight in shining armor by the name of Die Hard and his trusted companion Winchester 73 examined many castle documents and logs and told the damsel what she needed to do.

The damsel was then able to roust out those trojans, and place them in a temporary dungeon.
They are waiting execution and now the castle is back to it's merry festivities.
This morning, AdAware & Ewido announced to the queen that a full castle search was conducted and no foes were hiding in the fortress.

And she lived happily ever after...thanks to her Knights in shining armor from Landzdown!   :flowers:

Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
    • View Profile
Re: Freckles HJT log #1
« Reply #52 on: January 29, 2006, 10:47:22 PM »
I´m so glad the problems are sorted out and the computer is back to normal.  :thumbsup:

Your poem is beautiful, I´d say it´s the best thank you we´ve ever had, thank you very much  :flowers:
I´m glad I have ears as stoppers, or the smile I have would cut my head in two halfs. :lol:

Die Hard :)

I create and edit my posts in GS-NOTES

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19823
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Freckles HJT log #1
« Reply #53 on: January 29, 2006, 11:51:26 PM »
Ripley, you cannot know how much it means that you took the time to write this.  It is very, very special!  (Of course, we have all known that Die Hard and Winchester are Knights in shining armor for a long time.)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #54 on: January 30, 2006, 01:42:43 AM »
Actually, writing that little ditty was nothing compared to the guidance that comes from Die Hard or Winchester 73 or whatever member of LzD that takes the time to help another member.  :)

And if I had known how to use the modify/edit options I would have inserted this paragragh here:

Once upon a time... in computerland...there was a damsel in distress.  She was a queen of one of the castles in computerland.  She had constructed a motte all around and built her fortress wall high around her castle.  She even had centurian guards patroling regularly, scanning every crook & cranny to keep her protected.
One day her young daughter met an enticing suitor at the castle gate and let him in.  But neither did this young girl know that this suitor concealed a foe named clickspring, and soon two of the trusted centurians named AdAware and Ewido approached the queen announcing that they knew there were trojans hiding in the castle, but were unable to completely slay them.
 
So a decree went out all over the land and a message was received that help would be arriving from a land, a land far far away, named Landzdown.  Soon a Knight in shining armor by the name of Die Hard and his trusted companion Winchester 73 examined many castle documents and logs and told the damsel what she needed to do.

And yet the queen was unfamiliar with dealing with these trojans.  She listen to the Knights, but she floundered and yet these Knights were patient...they knew when to say something and when to let the queen figure some things out for herself, (because it was HER castle)...in this way, she still felt like a queen, and she LEARNED how to deal with trojans which helped the future of her Queendom.

The damsel was then able to roust out those trojans, and place them in a temporary dungeon.
They are waiting execution and now the castle is back to it's merry festivities.
This morning, AdAware & Ewido announced to the queen that a full castle search was conducted and no foes were hiding in the fortress.

And she lived happily ever after...thanks to her Knights in shining armor from Landzdown!

Bottom line, I think it takes a certain type of magic to help a member because we are all at such different levels of experience and understanding in this computer world.  For members with an extensive amount of computer experience it takes a special gift to DIG DOWN DEEP and respond to the same issue they've seen a hundred times before. 

What I've found is, that if time is taken, to search this forum, or Google some keywords, it's amazing the information, answers, solutions that's provided. 

For me, I usually search this forum first, cuz I know if I don't find the answers right away, I'll get it eventually with guidance from a member, or doing a few searches. 

Offline JOSEPH

  • Blogging In 2006
  • Full Member
  • ***
  • Posts: 148
    • View Profile
Re: Freckles HJT log #1
« Reply #55 on: January 30, 2006, 08:40:17 AM »
This has got to be on of the Best! reads i have came across in a very long time!! if not ever!!

Very Well Spoken!







............................And They Lived Happily Ever After

Offline GR@PH;<'S

  • Administrator
  • Hero Member
  • *****
  • Posts: 20125
    • View Profile
    • http://www.taktmobiles.co.uk
Re: Freckles HJT log #1
« Reply #56 on: January 30, 2006, 11:02:20 AM »
ripley,
Very good inded
Quote
And she lived happily ever after...thanks to her Knights in shining armor from Landzdown!

GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Offline winchester73

  • Half a bubble off plumb
  • Administrator
  • Hero Member
  • *****
  • Posts: 7249
  • Liverpool FC - YNWA
    • View Profile
Re: Freckles HJT log #1
« Reply #57 on: January 30, 2006, 11:36:29 AM »
I'm glad that things are sorted out now ...  :D

You know where to find help should some pest attempt to wrestle control of your computer away from you.   :Win73:
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline Ripley

  • Hero Member
  • *****
  • Posts: 2565
    • View Profile
Re: Freckles HJT log #1
« Reply #58 on: January 30, 2006, 10:10:24 PM »
You know where to find help should some pest attempt to wrestle control of your computer away from you.   :Win73:
You bet I do.  In reading this threads and other threads that you've posted in...your logic sometimes astounds me and in this thread helped me.  Thnx Winchester 73!

ripley,
Very good inded
GR@PH;<'S   :breakkie:
A beverage is in order in other words?  Boy, it looked like an active day here at the LzD!

This has got to be on of the Best! reads i have came across in a very long time!! if not ever!!

Very Well Spoken!

Thank you for these kind words.  Actually just observations, and wanting to find a different way of somehow trying to give back...to say how much I appreciate the efforts here at LzD.

Ripley, you cannot know how much it means that you took the time to write this.  It is very, very special!  (Of course, we have all known that Die Hard and Winchester are Knights in shining armor for a long time.)

And you, thanks for jumping in on my moment of lack of confidence.  Was just wanting this issue to be done, and I'm still learning this XP, so I didn't want any more "operator error."  It didn't take long to write, the words seemed to be inspired by the name Ewido...can't you just picture a guard named Ewido in some castle somewhere????

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19823
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Freckles HJT log #1
« Reply #59 on: January 30, 2006, 10:24:43 PM »
Quote
the words seemed to be inspired by the name Ewido...can't you just picture a guard named Ewido in some castle somewhere????

Absolutely -- its called EwidoGuard and is the name of the "real time protection" available during the initial trial and then via subscription to ewido anti-malware!!!  :hysterical:


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.