LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Ripley on January 14, 2006, 12:16:10 AM

Title: Freckles HJT log #1
Post by: Ripley on January 14, 2006, 12:16:10 AM
Posting for another member Freckles who is in a crunch for time.
Fully patched XP SP2 with a clean Spybot scan, but w/ on-demand AdAware scan, it detected "purity scan"? (Not quite sure if that's what it was called), but couldn't remove it.  Scan at re-boot w/ AdAware detected, but couldn't remove again.
F-Secure anti-virus also detected purity scan, but also couldn't remove it.
On an attempt to run an HJT scan & save a log in the same limited user profile, got a message from HJT saying (paraphrase)
"system was denied write access to the hosts file...may not be able to fix...edit the file yourself by doing...something to windows/system32/drivers/etc/hosts"
So I had her run an HJT log in the administrator profile and here it is:
The other security software includes paid CounterSpy, active (also detected nothing), SpywareBlaster, F-Secure firewall, behind a Netgear WGR614 wireless router (security configuration on the router/firewall enabled but not quite sure if it's optimally set).  Router was just hooked up last week to a new computer, and that would be Freckles HJT log #2, coming in another topic.

Logfile of HijackThis v1.99.1
Scan saved at 5:38:40 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: Support - {B527A16B-FB12-4049-96E0-C3ABF799D9F6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 14, 2006, 11:40:53 PM
ripley :)

This log is also clean  :thumbsup:

I wonder about the message HJT gave you about the hosts file ?

Open HJT and click " Open Misc Tools Section > Open Host Files Manager" and open it in Notepad. Copy the contents of it here and let´s have a look.

Die Hard :)
Title: Re: Freckles HJT log #1
Post by: Ripley on January 14, 2006, 11:59:08 PM
Hopefully tomorrow Freckles will have some time to paste the hosts file.
In the meantime, what does she do about the purity scan detections?
Today the Spybot scan and CounterSpy scan were clean, but AdAware detected it again and said it couldn't remove, and the F-Secure on-access scanner popped an alert about purity scan also but said it couldn't disinfect.

And what is that O10 entry: Broken internet access...that doesn't look good?

It would appear from talking with her that she thinks it is connected to a file in a temp folder.  Told her to wait to use CCleaner til we heard from you.  Should she run CCleaner, then try her scans?
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 15, 2006, 01:52:47 AM
ripley :)

Quote: And what is that O10 entry: Broken internet access...that doesn't look good?

Didn´t look at it close enough  :shock:

Download WinsockFix from here: http://www.tacktech.com/pub/winsockfix/WinsockFix.zip

Now run HJT and fix this line:
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
Reboot.
After reboot run WinsockFix.

Die Hard :)

Title: Re: Freckles HJT log #1
Post by: Ripley on January 15, 2006, 03:13:57 AM
Die Hard,
Here's what HJT host manager lists:
127.0.0.1       localhost

Should there be more info?   :uhm:

Downloaded WinsockFix, ran HJT and checked fix on the O10 entry.  Got a prompt that HJT wouldn't be able to repair this entry...but fixed anyways.  Re-booted.
Ran the WinsockFix.  Had numerous errors attempting to select the backup option for the registry...not sure if the backup took place, but ran the WinsockFix and was told it did the repair.

Ran another HJT scan and the O10 Broken internet access was gone.   :muahaha:

However, I noticed that this same O10 Broken internet access entry is also on Freckles log #2.   :(

Go ahead w/ CCleaner and more AdAware scans now?
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 15, 2006, 06:36:21 AM
ripley :)

Yes, go on and do the same procedure with the O10 object in the other log. This one isn´t malicious, though, but could be a remnant from an earlier installed program.
You mentioned "Purity scan" which I believe is "PureSight" and this O10 item is just that: http://www.puresight.com/

Also run CCleaner, like you suggested, which will make sure the temp folders are cleaned. Round up with AdAware until it tells you the system is clean.

regards

Die Hard :)
Title: Re: Freckles HJT log #1
Post by: Ripley on January 15, 2006, 09:29:50 AM
Die Hard,

Want to make sure we understand "same procedure"  for the other computer.  You mean:
Quote from: Die Hard on January 15, 2006, 01:52:47 AM
Download WinsockFix from here: http://www.tacktech.com/pub/winsockfix/WinsockFix.zip

Now run HJT and fix this line:
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
Reboot.
After reboot run WinsockFix.

Quote from: Die Hard on January 15, 2006, 06:36:21 AM
ripley :)
You mentioned "Purity scan" which I believe is "PureSight" and this O10 item is just that: http://www.puresight.com/

I thought she was talking about purityscan associated with clickspring like here:
http://sarc.com/avcenter/venc/data/adware.purityscan.html

Checking out that PureSight link it seems it is "partnered" with F-Secure as well as Microsoft, so that was a probable connection?  This PureSight is confusing to me.  If legit, why would F-Secure A/V detect it as a virus?

Someone else I was talking to today said their AdAware SE detected PurityScan a couple days ago too...must be making the rounds.

Will move on w/ CCleaner and run AdAware again.

No issues with the HJT hosts file manager right?
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 15, 2006, 11:31:10 AM
ripley wrote:
Quote: No issues with the HJT hosts file manager right?

No, not at all. 127.0.0.1 is the IP# for the local machine and is added as an example.

Here´s an example of an edited hosts-file:

The hosts-file is located in (XP)  "C:\Windows\System32\Drivers\etc\hosts" (C:\ is variable, depending on the system configuration)

[attachment deleted by admin]
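As an added example (not part of Die Hard's post and not HijackThis code), the following Python script reads a hosts file in the format shown above and separates the harmless lines, which point a name at the local machine the way "127.0.0.1 localhost" and blocklist entries do, from lines that send a name somewhere else, which is the kind of entry HijackThis reports as an O1 hijack. The sample file is constructed for illustration, using documentation-range addresses and example domains; the default path is the XP location given above.

```python
"""Classify the lines of a Windows hosts file (added example, not from the thread).

A fresh XP hosts file carries only "127.0.0.1 localhost".  Blocklist tools add
lines that send ad or malware hosts to the local machine (127.0.0.1 or 0.0.0.0),
which is harmless.  A line that maps a host name to any other address silently
redirects that host and is the one worth investigating.
"""
import ipaddress

# XP default location (assumption: system drive is C:)
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: documentation-range address 203.0.113.7, example domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocklist-style lines: point unwanted hosts at the local machine
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org banners.example.org
# redirect lines of the kind a hijacker adds (constructed)
203.0.113.7     www.update.example.com   # comment after the entry
203.0.113.7     av-vendor.example.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per host name; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                                # address with no name: malformed
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify(entries):
    """Split entries into local (loopback/unspecified target), redirecting and invalid.

    Returns {"local": [(name, ip), ...], "redirecting": [...], "invalid": [...]}.
    """
    result = {"local": [], "redirecting": [], "invalid": []}
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            result["invalid"].append((name, ip))   # not an IP address at all
            continue
        if addr.is_loopback or addr.is_unspecified:
            result["local"].append((name, ip))
        else:
            result["redirecting"].append((name, ip))
    return result


def hijacked_hosts(text):
    """Names mapped to a non-local address, i.e. the lines to look at first."""
    return classify(parse_hosts(text))["redirecting"]


def check_file(path=HOSTS_PATH):
    """Run the check against a real hosts file (Windows path by default)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked_hosts(fh.read())


if __name__ == "__main__":
    for name, ip in hijacked_hosts(SAMPLE_HOSTS):
        print("redirected: %s -> %s" % (name, ip))
```

A file containing only the single localhost line, as in Ripley's machine, yields no redirecting entries, which is the expected result for a clean XP system.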
Title: Re: Freckles HJT log #1
Post by: Ripley on January 16, 2006, 12:16:31 AM
Helpful to see an example of an edited hosts file.  Thnx.  Glad that isn't an issue, but this purityscan keeps coming back.  Got better details.

Ran CCleaner, removed all that was quarantined in AdAware, did full system scan w/ AdAware and it found purityscan in windows/system32/t?skmgr.exe and still says it can't remove.
F-Secure A/V detects trojandownloader win32purityscan and says can't disinfect.

The computer is running pretty slow.  Post AdAware log?  Try online scan?  Any ideas at this point?
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 16, 2006, 12:47:34 AM
Quote: windows/system32/t?skmgr.exe

That is Purity Scan/Clickspring.
Open the taskmanager (Ctrl+Alt+Del) and see if the file is among the running processes. Terminate it, if it is.
Then navigate to Windows\System32 and see if you can delete it.
NOTE: The Taskmanager is there also and has the name "TASKMGR.EXE" and that one mustn´t be touched.

To make the folders visible, click (Windowskey+E) and in the toolbar click "Tools>Folder options" and under tab "View" checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extensions for known filetypes"

I suggest you download Ewido and make a scan, preferably in safe mode.

Please go here and download Ewido Security Suite:
http://www.ewido.net/en/download/

A quick guide is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf

Title: Re: Freckles HJT log #1
Post by: Ripley on January 16, 2006, 01:00:12 AM
Ewido and 2 online scans will happen soon  :flame:

Hopefully we'll have some joy!

Thanks Die Hard!   :flowers:
Title: Re: Freckles HJT log #1
Post by: Ripley on January 18, 2006, 02:41:55 AM
Die Hard,
In Freckles' task manager, in processes, were 2 exact entries w/ only difference of the "mem usage:"
taskmgr.exe with mem usage 4,xxx
taskmgr.exe with mem usage 17,xxx

Couldn't tell what was legit so nothing was done.

The purity scan pathway provided by F-Secure A/V of windows/system32/t?skmgr.exe
was not found in Windows/system32 folder.

Downloaded & updated Ewido, and a full system scan in safe mode detected nothing.

Doing 2 online scans now.  In the meantime, any idea which taskmgr.exe to terminate?
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 18, 2006, 08:49:08 AM
Quote from: ripley on January 18, 2006, 02:41:55 AM
Die Hard,
In Freckles' task manager, in processes, were 2 exact entries w/ only difference of the "mem usage:"
taskmgr.exe with mem usage 4,xxx
taskmgr.exe with mem usage 17,xxx

Couldn't tell what was legit so nothing was done.

The purity scan pathway provided by F-Secure A/V of windows/system32/t?skmgr.exe
was not found in Windows/system32 folder.

Downloaded & updated Ewido, and a full system scan in safe mode detected nothing.

Doing 2 online scans now.  In the meantime, any idea which taskmgr.exe to terminate?

Try either of them. If you terminate the wrong one, the tool you´re watching disappears :)
So you will have to (ctrl+alt+del) to start it again and choose the other one  :P

Die Hard :)
Title: Re: Freckles HJT log #1
Post by: Ripley on January 19, 2006, 01:49:06 AM
Die Hard  :)

Killed the process of the taskmgr.exe that had the highest mem usage and it went away (not the task manager), so it looked like she chose the right one.

Ran Ewido in normal mode this time and detected and removed the purity scan!  :twak: Did another scan with AdAware (which previously always detected/couldn't remove) and it was clean!  :muahaha:

Also did a full scan with F-Secure A/V and it was clean this time too.  :exorcize:

For some reason, she says both online scan attempts (Panda & TrendMicro) met with extremely slow loading of website pages...30 minutes and still hadn't loaded   :uhm:  So they weren't completed.

Given above, assume purity scan is gone unless one of the on board scanners detects it, right?

Title: Re: Freckles HJT log #1
Post by: Die Hard on January 19, 2006, 02:01:32 AM
ripley :)

QuoteGiven above, assume purity scan is gone unless one of the on board scanners detects it, right?
 
If AdAware previously detected it, but not any more, I´m certain it´s gone. If you want to make sure for yourself, check the scanning log from AAW and see if it isn´t "t?skmgr.exe" it found.

Try to go to Trend once again, but first remove this item, using HJT:
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
 

Then go to their site again and see if it works. You will have to allow an ActiveX object to be installed before the scan begins.

Regards

Die Hard :)

Title: Re: Freckles HJT log #1
Post by: Ripley on January 19, 2006, 09:27:49 PM
Grrrr...purity scan is back, or something is.  Ewido said local settings/temp file/content/01G1W/!update-319 was cleaned, but then repeat scan with F-Secure A/V detected !update.exe, but couldn't disinfect.

Will check the AdAware log and see what was detected and try the TrendMicro online scan again after that one O16 line is fixed in HJT.
Title: Re: Freckles HJT log #1
Post by: Ripley on January 20, 2006, 02:48:16 AM
More frustration here.  More info might be helpful.
The user profile that AdAware & F-Secure detect purity scan is called Vanessa and is a limited user account.  CCleaner was run 3 times in this profile and in all other profiles. 2 of the 4 profiles were completely removed/deleted tonight.  So there are only 2 profiles.  One administrator and one limited user. 
AdAware saves its logs to the Documents & Settings/Application Data folder of the administrator profile (default location, I think).  In that folder are numerous AdAware logs, the last dated 01-15-06, with nothing noted as detecting purity scan in that log or in previous logs.  However, numerous AdAware scans have been initiated in this limited user profile since 01-15-06, with scan summary reports detecting purity scan.  In this limited user profile there is no Application Data folder with Lavasoft, or an AdAware log folder either.
Another AdAware scan was done tonight which detected purity scan in windows/system32/t?skmr.exe and said it could not remove.
I am trying to find a log, but there is no log in the Application Data folder of the administrator or limited profile that indicates what it found and where that refers to purity scan.
F-Secure A/V alerted again tonight of a trojan downloader win32 purity scan in documents & settings/Vanessa/local settings/temp/!update.exe...but couldn't disinfect. This was after CCleaner removed all temp files.
Fixed the O16 object for Trend in HJT and the TrendMicro online scan was able to be started, and then halfway through the scan the computer lost connection to the internet.   :gah:

Still trying to get that accomplished. Will keep trying.

Why can't I find an AdAware log that records detecting purity scan, when at least 4 AdAware scans have taken place since 01-15-06 that indicate in the summary results that purity scan is found?

Checked the F-Secure A/V logs since it was installed on 12-03-05, which detect purity scan in the system volume folder on 12-05-05, and subsequently continue to detect through today, but not in system volume, but in other locations/profiles.

I know you'll be able to figure out what of the above info is helpful and what isn't, but that's as much as I know at this point.

I think the problem with doing the online scans is more related to a low internet connection signal being indicated on this computer through a recently installed router.  Still working on that part too.
Title: Re: Freckles HJT log #1
Post by: Ripley on January 20, 2006, 11:16:47 PM
Not quite sure what happened with the TrendMicro online scan: it started, and 2 hours later, when it looked like it was finishing, a prompt from IE came up concerning an error (don't know what error), and when the user selected "don't send report to MS", the whole Trend page went away.
She found this log, of which I'm posting the beginning and end, because it's way too long.  It seems the scan wasn't finished, but does this log say why?  Any ideas what is going on here with this computer?

Doing an online Panda scan now, I'm keeping my fingers crossed.

Here's the TrendMicro log:

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [SocketTimeout]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [120]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [ResumeDownload]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [1]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [CachePath]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [C:\Documents and Settings\VANESSA\.housecall\Update]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
key: [RetryCount]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
value: [3]

---------------------------------------

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
Start TmuGetUpdateInfo()

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
Creating Temp dir [C:\Documents and Settings\VANESSA\.housecall\AU_Temp\404_3612]

Info: Thu Jan 19 20:59:34 2006 P[404] T[3612]
Downloading [http://housecall65.trendmicro.com/housecall/activeupdate/ini_xml.zip] to [C:\Documents and Settings\VANESSA\.housecall\AU_Temp\404_3612\ini_xml.zip]...

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
HttpConnection: Client Error: HTTP 404 Not Found

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
TmDownloader: Connection fail when try to open resource

Error: Thu Jan 19 20:59:35 2006 P[404] T[3612]
Downloader returns: 4

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
Download ini_xml.zip fail, try plain file.

Info: Thu Jan 19 20:59:35 2006 P[404] T[3612]
Downloading [http://housecall65.trendmicro.com/housecall/activeupdate/server.ini] to [C:\Documents and Settings\VANESSA\.housecall\AU_Temp\404_3612\server.ini]...

Info: Thu Jan 19 20:59:39 2006 P[404] T[3612]
HttpConnection: Connect to source success

Info: Thu Jan 19 20:59:39 2006 P[404] T[3612]
Start Download...

Info: Thu Jan 19 20:59:39 2006 P[404] T[3612]
Successfully wrote [11214]B

Info: Thu Jan 19 20:59:40 2006 P[404] T[3612]
TmDownloader: Download Success

Here's the very end of it:
Error: Thu Jan 19 21:00:26 2006 P[3936] T[572]
phaseIniForBackup: fetch item count failed.

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
phaseIniForBackup: error quit.

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
mergeBackupIni: no backup done.

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
Writing result file (C:\Documents and Settings\VANESSA\.housecall\AU_Temp\404_3612\AuResult.ini), status = 0

Info: Thu Jan 19 21:00:26 2006 P[3936] T[572]
AuPatch end.

Info: Thu Jan 19 21:00:26 2006 P[404] T[3612]
UpdateManager endwith 0 (0): Success
Title: Re: Freckles HJT log #1
Post by: Ripley on January 22, 2006, 07:28:57 PM
Very little progress, but some.
Where AdAware previously detected but could not remove, it now detected and said it successfully terminated the process.  Here's the beginning of the AdAware log (found finally), jumping to the description of the one critical object.  Have the whole log if that is helpful.
Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, January 20, 2006 8:32:54 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R88 20.01.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
PurityScan(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-20-2006 8:32:54 PM - Scan started. (Full System Scan)

#:60 [t?skmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3980
    ThreadCreationTime : 1-20-2006 10:12:51 PM
    BasePriority       : Normal


PurityScan Object Recognized!
    Type               : Process
    Data               : t?skmgr.exe
    TAC Rating         : 6
    Category           : Malware
    Comment            : (CSI MATCH)
    Object             : C:\WINDOWS\system32\


Warning! PurityScan Object found in memory(C:\WINDOWS\system32\t?skmgr.exe)

"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully
"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully

Then an F-Secure A/V scan was run and where it detected purity scan before, did not detect this time.

Ran an online Panda scan and here are the results:

Dialer:Dialer.Gen                Not disinfected    C:\WINDOWS\system32\Adult_Party-uninstall.exe
Adware:Adware/PurityScan         Not disinfected    C:\WINDOWS\system32\j?vaw.exe
Adware:adware/swimsuitnetwork    Not disinfected    C:\WINDOWS\system32\MYDLL.dll
Adware:Adware/PurityScan         Not disinfected    C:\WINDOWS\system32\m?hta.exe
Adware:Adware/PurityScan         Not disinfected    C:\WINDOWS\system32\t?skmgr.exe

Right after Panda, went into TaskManager and terminated the process of the taskmgr.exe that had the highest mem usage. Then another online TrendMicro scan was started and before finishing the prompt/error from IE came up and it couldn't be finished.

Not quite sure what to keep trying.  Is there another online scan that isn't TrendMicro that does more than detect?
Ewido in safe mode again?

Of the 5 creepos that Panda points out, the first 2 are visible to the user, but the last 3 couldn't be seen.

                                                                             :titanic:
Title: Re: Freckles HJT log #1
Post by: Eric the Red on January 22, 2006, 11:15:06 PM
ripley,

Quote
Not quite sure what to keep trying.  Is there another online scan that isn't TrendMicro that does more than detect?

I would suggest F-Secure online scan (http://support.f-secure.com/enu/home/ols.shtml)

Please note the advice on that page:

Quote
F-Secure Online Scanner is able to remove viruses but it cannot disinfect Worms, Trojans, Backdoors, etc since there is nothing to disinfect. This type of malware needs to be removed manually from the hard drive.

Title: Re: Freckles HJT log #1
Post by: GR@PH;<'S on January 22, 2006, 11:28:18 PM
ripley,
Just to add you will need to use IE5 or higher
Quote
Supported web browsers:

    * Microsoft Internet Explorer 5.0 or higher.
    * JavaScript needs to be enabled.
    * You need to have ActiveX enabled.

      You may enable ActiveX and JavaScript from
      Tools->Internet Options->Security->Custom Level

      Notice: If JavaScript and ActiveX were disabled for security reasons, please remember to restore your original settings after scanning.

GR@PH;<'S   :breakkie:
Title: Re: Freckles HJT log #1
Post by: Ripley on January 23, 2006, 12:45:10 AM
Quote from: Eric the Red on January 22, 2006, 11:15:06 PM

I would suggest F-Secure online scan (http://support.f-secure.com/enu/home/ols.shtml)

Please note the advice on that page:

Quote
F-Secure Online Scanner is able to remove viruses but it cannot disinfect Worms, Trojans, Backdoors, etc since there is nothing to disinfect. This type of malware needs to be removed manually from the hard drive.


EtR,
Light bulb with that last quote  :idea:  So if the scanner can't remove or disinfect, we at least have a road map to manually delete.  It's just that these baddies are in the Windows and Windows32 folders and it would be easier if the scanning product would "just fix it."  Makes us nervous to do anything in there.
There was some really helpful info/links on the F-Secure online scan page at the bottom concerning malware that couldn't be removed with the scanner.

In the meantime after futzing with this wireless network connection, a TrendMicro WAS completed and "cleaned" a bunch and recommended scanning again, so a follow up one is happening now.  This is what was found:
PAR_SE.3263
ADW_SE.10340   
TRAK_SE.10419
TRAK_SE.77236
BHO_SE.57551
ADW_SE.73748
ADW_SE.73752
               73753
               73754
               73755
               73756
               73757
               73758
               73762
               55205
TRAK_SE.77235

So I have my fingers crossed this scan is able to finish and a report is produced that makes more sense than the one above.  :uhm:

Quote from: GR@PH;<'S on January 22, 2006, 11:28:18 PM
ripley,
Just to add you will need to use IE5 or higher

Thnx GR@PH;<'S, she's got IE6, and I warned her about the Active-X issues too. 
Title: Re: Freckles HJT log #1
Post by: Ripley on January 23, 2006, 06:46:18 PM
The second TrendMicro scan (right after the first) came back clean.
Another AdAware scan was run and this one critical object is noted:

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
PurityScan(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:52 [t?skmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 600
    ThreadCreationTime : 1-23-2006 1:20:02 AM
    BasePriority       : Normal


PurityScan Object Recognized!
    Type               : Process
    Data               : t?skmgr.exe
    TAC Rating         : 6
    Category           : Malware
    Comment            : (CSI MATCH)
    Object             : C:\WINDOWS\system32\


Warning! PurityScan Object found in memory(C:\WINDOWS\system32\t?skmgr.exe)

"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully
"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully

Same entry in the AdAware log 2 days ago.

Of the 5 creepos that Panda detected, before the Trend scans, the same 2 files that were visible to the user are still there but there is no .exe at the end.

Will delete those 2 files, but still don't know if there is more to be done to make sure it's gone.

Title: Re: Freckles HJT log #1
Post by: Die Hard on January 23, 2006, 07:25:00 PM
ripley :)

There seems to be something left in the system that won't be easily deleted since this Purity Scan object returns all the time.

I want you to do this for us.

1. Download "BlackLight" from F-Secure:
http://www.f-secure.com/blacklight/
Put it in a folder of its own and doubleclick the "blbeta.exe" and then "scan".
When the scan has finished a log is produced in the same folder labelled something like : "fsbl-20060123xxxxx.log" (Date and a number)
Copy that log and post it here and let's have a look.

2. Download "datFind" from here:  http://virus-protect.net/bat/datFind.bat
Put it on the desktop, doubleclick the "datfind.bat" and hit any key to produce the first log. Minimize that log and hit any key again to produce the next one and repeat until four logs are created. Copy the contents (by date) from the last 2 months of each log and post it here.
Note: Should the logs not be found in the taskbar, they are stored directly under C:\ as "System.txt", "System32.txt" "Windows.txt" and "Temp.txt"

Regards

Die Hard :)
Title: Re: Freckles HJT log #1
Post by: Ripley on January 23, 2006, 07:46:33 PM
Die Hard  :)
Thanks for looking this over and the suggestions.  :flowers:
We'll proceed as recommended.
Be back soon.

ripley
Title: Re: Freckles HJT log #1
Post by: Ripley on January 24, 2006, 12:48:59 AM
Die Hard,

Deleted those 2 files that Panda detected and user could find:
Dialer:Dialer.Gen                                                               Not disinfected               C:\WINDOWS\system32\Adult_Party-uninstall
Adware:adware program                                                           Not disinfected               C:\WINDOWS\ss3unstl

Ran the datFind.bat and created 4 logs which I'm posting.  You said go back 2 mos on each log...but I looked them over before posting.  Man, your eyes must go batty looking at these logs.  :shock:
And I noticed that 3 of the 4 files that Panda detected, but the user couldn't find, were listed almost 4 mos back at the end of Sept. 2005, so I'm posting all 4 of the logs to that date, so you could see these files.
Had the user go into the Windows/system32 folder again right after, and these 3 files, according to the user, are not there. 
That 4th file Panda detected:
Adware:adware/swimsuitnetwork                                                   Not disinfected               C:\WINDOWS\system32\MYDLL.dll

I did find in the system32 log, but WAY back dated 11-01.  Here's the single entry, cause there were 2109 files listed here total, according to the summary at the end.

11/20/2001  01:36 PM         1,462,353 MYDLL.dll

One more thing, the temp.txt log that was produced/posted here was not the profile that typically triggered the alerts from on board F-Secure A/V and profile that AdAware was run in when the last 2 AdAware logs where posted above.
Should we run that datFind.bat in the one other profile? If so, can we run the one that's already downloaded or dl again?

Have downloaded the F-Secure Blacklight but no time to run the scan yet.  Probably tomorrow PM.

Lastly, during this process F-Secure A/V alerted user of detecting and successfully (???) removing purity scan.  At least we are getting detections.  :|

Here's the dat batty logs:

Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\WINDOWS

01/23/2006  04:50 PM               363 wiadebug.log
01/23/2006  03:27 PM                 0 0.log
01/23/2006  03:27 PM         2,018,454 WindowsUpdate.log
01/23/2006  03:27 PM                49 wiaservc.log
01/23/2006  03:26 PM             2,048 bootstat.dat
01/22/2006  09:11 PM            54,156 QTFont.qfn
01/22/2006  03:12 PM            73,499 setupapi.log
01/22/2006  01:12 PM            32,618 SchedLgU.Txt
01/22/2006  12:37 PM               382 setupact.log
01/22/2006  11:51 AM                 0 wplog.txt
01/22/2006  11:14 AM                 0 setuperr.log
01/22/2006  10:51 AM               227 system.ini
01/22/2006  10:43 AM               617 win.ini
01/21/2006  07:01 PM               461 nsw.log
01/21/2006  10:09 AM             1,409 QTFont.for
01/17/2006  07:34 PM               227 system.BAK
12/26/2005  07:38 PM               602 wininit.ini
12/18/2005  09:11 AM         2,359,350 wallpaper.bmp
12/08/2005  07:01 PM                32 pavsig.txt
12/04/2005  09:40 AM           118,784 bwUnin-6.3.2.62-3528733L.exe
12/01/2005  08:32 PM               679 TSC.ini
12/01/2005  08:32 PM                 4 RM_RESULT.DAT
12/01/2005  07:15 PM               170 GetServer.ini
12/01/2005  07:12 PM         1,142,784 TMUPDATE.DLL
12/01/2005  07:12 PM            69,689 UNZIP.DLL
12/01/2005  07:12 PM           208,896 PATCH.EXE
11/30/2005  01:02 PM        16,642,295 VPTNFILE.979
11/30/2005  01:02 PM        16,642,295 lpt$vpn.979
11/29/2005  09:22 PM         2,459,627 tsc.ptn
11/23/2005  05:35 PM             2,168 eReg.dat
11/16/2005  07:22 PM                30 POTATO.INI
11/16/2005  04:08 PM               588 SIERRA.INI
11/16/2005  04:06 PM               338 KA.INI
11/09/2005  12:40 AM            47,098 TMVAmain.ptn
11/09/2005  12:35 AM           181,880 TMVAINFO.xml
10/02/2005  12:12 AM         3,386,984 tmadce.ptn
09/13/2005  03:03 PM               994 hegames.ini


Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\

01/23/2006  05:03 PM                 0 sys.txt
01/23/2006  05:03 PM            10,795 system.txt
01/23/2006  05:03 PM             3,895 systemtemp.txt
01/23/2006  05:02 PM           109,357 system32.txt
01/23/2006  03:26 PM       266,850,304 hiberfil.sys
01/23/2006  03:26 PM       402,653,184 pagefile.sys
01/17/2006  07:34 PM               211 boot.ini
08/13/2005  01:19 PM             1,213 ImgData.ini


Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\WINDOWS\system32

01/22/2006  01:40 PM             6,675 jupdate-1.5.0_06-b05.log
01/22/2006  11:05 AM           369,688 FNTCACHE.DAT
01/22/2006  07:38 AM             2,550 Uninstall.ico
01/22/2006  07:38 AM             1,406 Help.ico
01/22/2006  07:38 AM            30,590 pavas.ico
01/21/2006  06:54 PM           311,934 perfh009.dat
01/21/2006  06:54 PM            40,196 perfc009.dat
01/21/2006  06:54 PM           355,944 PerfStringBackup.INI
01/16/2006  08:04 PM                 0 Biport
01/12/2006  08:12 PM             1,158 wpa.dbl
01/08/2006  11:28 AM             2,577 CONFIG.NT
01/04/2006  09:41 PM         2,827,616 MRT.exe
12/28/2005  08:54 PM           280,064 gdi32.dll
12/28/2005  06:16 PM         1,155,072 winsflt.dll
12/20/2005  06:21 AM           481,280 aswBoot.exe
12/02/2005  07:12 PM             1,718 Open.ico
12/02/2005  07:12 PM             5,350 IE.ico
12/02/2005  07:12 PM             1,718 Quick.ico
12/02/2005  07:24 AM            90,112 AVASTSS.scr
12/01/2005  08:41 PM                 0 asfiles.txt
11/30/2005  09:59 PM         1,492,480 shdocvw.dll
11/23/2005  07:06 PM         3,015,680 mshtml.dll
11/23/2005  07:06 PM         1,022,464 browseui.dll
11/10/2005  01:03 PM           127,078 javaws.exe
11/10/2005  01:03 PM            49,265 jpicpl32.cpl
11/10/2005  11:27 AM            49,250 javaw.exe
11/10/2005  11:27 AM            49,248 java.exe
11/04/2005  09:16 PM           609,280 urlmon.dll
11/04/2005  09:16 PM         1,054,208 danim.dll
10/20/2005  09:39 PM           658,432 wininet.dll
10/20/2005  09:39 PM           473,600 shlwapi.dll
10/20/2005  09:39 PM            39,424 pngfilt.dll
10/20/2005  09:39 PM           530,944 mstime.dll
10/20/2005  09:39 PM           448,512 mshtmled.dll
10/20/2005  09:39 PM           146,432 msrating.dll
10/20/2005  09:39 PM           251,392 iepeers.dll
10/20/2005  09:39 PM            96,256 inseng.dll
10/20/2005  09:39 PM           205,312 dxtrans.dll
10/20/2005  09:39 PM            55,808 extmgr.dll
10/20/2005  09:39 PM           151,040 cdfview.dll
10/20/2005  04:20 PM         1,082,368 esent.dll
10/17/2005  03:14 PM           118,272 t2embed.dll
10/17/2005  03:14 PM            80,896 fontsub.dll
10/12/2005  05:12 PM            14,048 spmsg.dll
10/05/2005  06:05 PM         1,839,488 win32k.sys
09/29/2005  07:33 AM           401,408 t?skmgr.exe
09/29/2005  07:29 AM           401,408 j?vaw.exe
09/29/2005  07:29 AM           401,408 m?hta.exe
09/22/2005  09:05 PM         8,450,560 shell32.dll


Volume in drive C has no label.
Volume Serial Number is 304E-C1B1

Directory of C:\DOCUME~1\PAM\LOCALS~1\Temp

01/23/2006  05:00 PM               351 jusched.log
01/23/2006  04:51 PM            32,768 ~DF3AFD.tmp
01/23/2006  04:51 PM            16,384 ~DFC7BF.tmp
01/23/2006  04:50 PM            49,152 ~DF7E99.tmp
01/22/2006  03:47 PM             2,460 java_install_reg.log
01/22/2006  01:40 PM            23,568 java_install.log
01/22/2006  01:36 PM               884 jinstall.cfg
01/22/2006  01:17 PM            32,768 ~DFC528.tmp
01/22/2006  01:16 PM            16,384 ~DFFA4D.tmp
01/22/2006  01:15 PM            49,152 ~DFB09C.tmp
01/22/2006  01:14 PM            32,768 ~DF8CB1.tmp
01/22/2006  01:14 PM            16,384 ~DF6C9E.tmp
01/22/2006  11:35 AM            32,768 ~DF9874.tmp
01/22/2006  11:35 AM            16,384 ~DF2495.tmp
01/22/2006  11:33 AM            49,152 ~DFD901.tmp
01/22/2006  11:31 AM            32,768 ~DF9714.tmp
01/22/2006  11:31 AM            16,384 ~DFAC75.tmp
01/22/2006  11:25 AM            32,768 ~DF6608.tmp
01/22/2006  11:25 AM            16,384 ~DFB277.tmp
01/22/2006  11:23 AM            49,152 ~DF4D1A.tmp
01/22/2006  11:22 AM            32,768 ~DFBD36.tmp
01/22/2006  11:22 AM            16,384 ~DFA897.tmp
01/22/2006  11:12 AM            32,768 ~DF3D76.tmp
01/22/2006  11:10 AM            16,384 ~DF9C9D.tmp
01/22/2006  11:09 AM            49,152 ~DF163B.tmp
01/22/2006  11:07 AM            32,768 ~DF7EC3.tmp
01/22/2006  11:06 AM            16,384 ~DF18BA.tmp
01/21/2006  06:32 PM            32,768 ~DF1029.tmp
01/21/2006  06:30 PM            16,384 ~DFB112.tmp
01/21/2006  06:29 PM            49,152 ~DF6640.tmp
01/21/2006  06:14 PM            32,768 ~DF776.tmp
01/21/2006  06:13 PM            16,384 ~DFC715.tmp
01/21/2006  06:12 PM            49,152 ~DFE40.tmp
01/21/2006  05:58 PM            32,768 ~DF14F5.tmp
01/21/2006  05:57 PM            16,384 ~DF8506.tmp
01/21/2006  05:56 PM            49,152 ~DF2AA4.tmp
01/20/2006  04:06 PM            32,768 ~DF8399.tmp
01/20/2006  04:05 PM            16,384 ~DF73C7.tmp
01/20/2006  04:05 PM            49,152 ~DF1119.tmp
01/19/2006  07:26 PM            32,768 ~DFE64D.tmp
01/19/2006  07:25 PM            16,384 ~DF4708.tmp
01/19/2006  07:25 PM            49,152 ~DFCA32.tmp
01/19/2006  05:05 PM            16,384 ~DFF4AF.tmp
01/19/2006  05:02 PM            49,152 ~DF8F3E.tmp
01/17/2006  06:23 PM            49,152 ~DF1CDD.tmp
01/17/2006  06:22 PM            32,768 ~DFA3D1.tmp
01/17/2006  06:21 PM            16,384 ~DF6BED.tmp
01/17/2006  04:55 PM            49,152 ~DF4865.tmp
01/17/2006  04:53 PM            32,768 ~DF59A4.tmp
01/17/2006  04:53 PM            16,384 ~DF3E3C.tmp
12/27/2005  04:58 PM            24,576 IadHide4.dll
12/01/2005  08:24 PM             8,928 hcScan.html
10/11/2005  05:24 PM           559,784 gtb2k1033.exe
09/12/2005  01:52 PM           381,480 msgr7us.exe

Thanks so much for taking the time on this!

ripley  :)



Title: Re: Freckles HJT log #1
Post by: Die Hard on January 24, 2006, 09:21:56 AM
ripley  :)


Quote
Should we run that datFind.bat in the one other profile? If so, can we run the one that's already downloaded or dl again?
 
It's such a small file, the simplest way is to dl it again from the account you want to scan.

Here are three files you need to remove. Note the question-mark, it's a "wildcard" so if you make a search for the files you will get a hit for files with a letter where the "?" is, for instance, searching for m?hta.exe will bring up hits for mshta.exe. Be careful and check the length of the files, they are all 401,408 bytes.

09/29/2005  07:33 AM           401,408 C:\WINDOWS\system32\t?skmgr.exe
09/29/2005  07:29 AM           401,408 C:\WINDOWS\system32\j?vaw.exe
09/29/2005  07:29 AM           401,408 C:\WINDOWS\system32\m?hta.exe


Also look for the files Panda detected and remove them as well at the same time.

About being paranoid, you are completely entitled to be. When hit by rootkits the authorities in the field (the ones I listen to unconditionally :)  ) say: "if you store or share delicate information on the system, the only safe way to clean it is a reformat and reinstall."
The nature of the rootkits is that they should be hidden and their tasks are also designed to be hidden.

Let's see what the Blacklight scan shows.

Die Hard :)


Title: Re: Freckles HJT log #1
Post by: Ripley on January 24, 2006, 11:32:01 AM
OK, searching for Panda detection files  :Win73: and getting that Blacklight scan done.
Fingers crossed there isn't a rootkit here.

ripley
Title: Re: Freckles HJT log #1
Post by: Ripley on January 24, 2006, 11:59:19 PM
Die Hard  :)

Before anything, Freckles ran CCleaner in both of the 2 profiles.  Then re-booted.

She then did a search on the 4 remaining files that Panda detected.
She searched in "files & folders"
using the file name and .exe at the end.

Multiple instances of these files were found, but none of them had the corresponding bytes as recorded w/ datFind log...so none were deleted.

Here they are individually.

m?hta.exe

Found here:
29 KB  c/windows/system32
24 KB  c/windows/$NTservicepackuninstaller$
29 KB  c/windows/servicepackfiles/i386
30 KB  c/program files/compact/works 6.0/redist/IE5/Iemil_2.cab
30 KB  c/program files/compact/works 6.0/redist/IE5/Iew2k_1.cab
(Since we are looking for an instance of 401,408 bytes and didn't find one in system32, we left it alone.)

t?skmgr.exe

Found here:
126 KB  c/windows/$NTservicepackuninstall$
133 KB  c/windows/system32
133 KB  c/windows/servicepackfiles/i386
(Since we are looking for 401,408 bytes in system32, we left it alone)

j?vaw.exe

Found here:
49 KB  c/windows/system32
49 KB  c/programfiles/java/jre.1.5.0_06/bin
49 KB  bin (no pathway given)
(Once again no 401,408 so it's still there)

MYDLL.dll

Found here only:
1,429 KB  c/windows/system32
(Looking for one with 1,462,353...once again left there.)

Ran the Blacklight scan in both profiles and it indicated no hidden files.
Here's the logs of both:

01/24/06 16:51:06 [Info]: BlackLight Engine 1.0.30 initialized
01/24/06 16:51:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/24/06 16:51:07 [Note]: 7019 4
01/24/06 16:51:07 [Note]: 7005 0
01/24/06 16:51:44 [Note]: 7006 0
01/24/06 16:51:44 [Note]: 7011 368
01/24/06 16:51:45 [Note]: FSRAW library version 1.7.1014
01/24/06 16:54:03 [Note]: 7007 0


01/24/06 17:03:38 [Info]: BlackLight Engine 1.0.30 initialized
01/24/06 17:03:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/24/06 17:03:39 [Note]: 7019 4
01/24/06 17:03:39 [Note]: 7005 0
01/24/06 17:03:46 [Note]: 7006 0
01/24/06 17:03:46 [Note]: 7011 2352
01/24/06 17:03:50 [Note]: FSRAW library version 1.7.1014
01/24/06 17:05:36 [Note]: 7007 0

Maybe 45 minutes since running CCleaner & re-booting and starting this whole process, and F-Secure A/V alerts purityscan detected in temp internet files/!update.
Went there and there was also a clickspring one.
Ran CCleaner again.

Doing another Ewido scan in safe mode right now.  Were there any of those 4 files above that we can safely delete?

So if Blacklight says no hidden files then why can't we find the same named files with the same number of bytes that datFind does?  Or did we, and we just interpreted the numbers incorrectly.

Anyone need a good boat anchor???!!!

I know you'll come up with a reasonable path here.  Should we try the F-Secure online scan or just take the computer out back to the lake?
Title: Re: Freckles HJT log #1
Post by: Ripley on January 25, 2006, 01:16:54 AM
Another added note after the last post 1 hour ago or so, Ewido in safe mode came back clean.  We haven't deleted anything or done anything different.
AdAware in safe mode came back clean.  And we still haven't deleted anything or done anything different.
Trying AdAware in normal mode now.
Arghhhh.  For some reason, I just think it's still there.
Maybe this user needs a fox... :firefox:
Or heading out to the lake...or the auction... :beg:

We'll take any suggestions.
Title: Re: Freckles HJT log #1
Post by: Ripley on January 25, 2006, 11:58:59 PM
Oh, the saga continues.
Spybot scan was clean as it always had been during this infection.
But AdAware in normal mode detected purity scan in memory as it did in the previous AdAware logs posted above.  :(
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 05:56:31 PM
ripley ...

Die Hard has had some computer issues of his own ...  :shock: ... so I thought I'd look in on this thread.

When searching for those three files, did you have Windows show the hidden files?

http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Title: Re: Freckles HJT log #1
Post by: Ripley on January 26, 2006, 06:06:20 PM
Hey winchester 73  :)

I thought about that too.  To my knowledge, and discussion with Freckles, this was done:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

But to be sure I'll verify that.  Thanks for dropping in.

ripley
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 06:37:41 PM
It seemed odd that a search for these didn't produce what you were looking for ...

t?skmgr.exe
j?vaw.exe
m?hta.exe

How about you post the snippet from the Ad-Aware log that finds Purity Scan.
Title: Re: Freckles HJT log #1
Post by: Ripley on January 26, 2006, 06:47:00 PM
1-20-2006 8:32:54 PM - Scan started. (Full System Scan)

#:60 [t?skmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3980
    ThreadCreationTime : 1-20-2006 10:12:51 PM
    BasePriority       : Normal


PurityScan Object Recognized!
    Type               : Process
    Data               : t?skmgr.exe
    TAC Rating         : 6
    Category           : Malware
    Comment            : (CSI MATCH)
    Object             : C:\WINDOWS\system32\


Warning! PurityScan Object found in memory(C:\WINDOWS\system32\t?skmgr.exe)

"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully
"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully

The user isn't at her computer til later, but the entry above from AdAware log a few days ago has been what she's been getting last 4-5 scans.

I know it was odd.  That's why I posted exactly what the user was telling me she was seeing when she did the search and how she did the search.
What if she deleted them even if the number of bytes doesn't match?
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 07:07:21 PM
Quote
What if she deleted them even if the number of bytes doesn't match?

I wouldn't delete things in that manner ...

The "?" means the character is not in the standard set.  The names of valid Windows files will be found if you replace the "?" with the correct character.  To delete these files, you have to manually look for them, as searching is often a problem because of the wildcard character. A search will show valid files that you DO NOT want to delete.

You might try this trick to spot the rogue files ... open up the C:\windows\system32 directory and sort the files by name. The valid files will be in the proper order and the invalid files will be in the bottom, out of order. They will also have a newer date than the valid files.

You could also try Start > Run > cmd ... navigate to the system32 directory and then type dir /a ... that might see the weird ones.

The exploit using '?' in filename is a purity scan trojan.  You might try Ewido ...

Let's also see a fresh HJT log.
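As an added example, not code from this thread or from any of the tools named in it, the following Python script does in one place what Die Hard's post (check the "?" wildcard and the 401,408-byte length) and winchester73's post (the "?" stands for a character outside the standard set; a wildcard search also hits the real mshta.exe, taskmgr.exe and javaw.exe) ask the user to do by hand. It parses a dir-style listing like the datFind output, flags names that contain non-ASCII characters, reports which legitimate name each one imitates, and checks the size against the one the scanner logs reported. The listing below is constructed for the example, and the Cyrillic letters standing in for the hidden character are an assumption; the thread never says which character the real files used.

```python
import re

# Legitimate Windows binaries that the lookalike names in the thread imitate.
LEGIT_NAMES = {"taskmgr.exe", "javaw.exe", "mshta.exe"}

# Constructed dir-style listing (same layout as the datFind output above).
# The non-ASCII names use Cyrillic letters as stand-ins for whatever
# character Panda and Ad-Aware rendered as "?"; the real character is unknown.
SAMPLE_LISTING = """\
09/29/2005  07:33 AM           401,408 t\u0430skmgr.exe
09/29/2005  07:29 AM           401,408 j\u0430vaw.exe
09/29/2005  07:29 AM           401,408 m\u0455hta.exe
11/10/2005  11:27 AM            49,250 javaw.exe
01/04/2006  09:41 PM         2,827,616 MRT.exe
"""

# date, "hh:mm AM/PM", size with thousands separators, then the file name.
DIR_LINE = re.compile(r"^(\S+)\s+(\S+ \S+)\s+([\d,]+)\s+(.+)$")


def parse_dir_listing(text):
    """Turn dir-style lines into dicts; non-matching lines (headers) are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, _time, size, name = m.groups()
        entries.append({"date": date, "size": int(size.replace(",", "")), "name": name})
    return entries


def dir_display_name(name):
    """What a tool limited to the standard character set shows for the name."""
    return "".join(c if c.isascii() else "?" for c in name)


def lookalike_of(name):
    """Return the legitimate name this one imitates, if it differs from one
    of LEGIT_NAMES in exactly one position and that position is non-ASCII."""
    lowered = name.lower()
    for legit in sorted(LEGIT_NAMES):
        if len(legit) != len(lowered):
            continue
        diffs = [i for i, (a, b) in enumerate(zip(lowered, legit)) if a != b]
        if len(diffs) == 1 and not lowered[diffs[0]].isascii():
            return legit
    return None


def find_suspicious(entries, expected_size=None):
    """Flag entries with non-ASCII names. Each hit records how the name is
    displayed with "?", which legitimate binary it imitates, and whether its
    size equals expected_size (the 401,408 bytes from the thread)."""
    flagged = []
    for e in entries:
        if e["name"].isascii():
            continue  # the genuine javaw.exe / MRT.exe are left alone
        hit = dict(e)
        hit["shown_as"] = dir_display_name(e["name"])
        hit["lookalike"] = lookalike_of(e["name"])
        hit["size_matches"] = expected_size is None or e["size"] == expected_size
        flagged.append(hit)
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(parse_dir_listing(SAMPLE_LISTING), expected_size=401408):
        print(f"{hit['shown_as']:<14} imitates {hit['lookalike']:<12} "
              f"size {hit['size']:>9,} matches={hit['size_matches']}")
```

Run against a real listing, pipe `dir /a` output (saved with a Unicode code page so the odd character survives) into `parse_dir_listing`; the point of the size and lookalike checks is that a hit on the real `taskmgr.exe` or `javaw.exe` is never reported, which is exactly the mistake a wildcard search invites.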
Title: Re: Freckles HJT log #1
Post by: Ripley on January 26, 2006, 07:33:13 PM
Will check looking for those rogue files w/ those 2 suggestions above and post a new HJT log.
As far as Ewido, here's the history:

1-18-06 in safe mode detected nothing, but AdAware did.
1-19-06 in normal mode detected !update (purity scan?) and said cleaned.
1-20-06 in normal mode detected local settings/temp file/content/01G1W/!update-319 was cleaned,
            but then repeat scan with F-Secure A/V right after detected !update.exe, but couldn't
            disinfect.
1-25-06 in safe mode detected nothing.

And w/ the rest of the thread you can see the additional scanning in between Ewido scans.  It seems Ewido detects this problem in normal mode, but not safe mode.  We can try again in normal mode if you think that will help.  Anything that might have been quarantined w/ any scanner was purged too.
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 07:34:15 PM
To explain the sorting in more detail ... go into Windows Explorer and open the system32 folder.

Go to View > Details.  You'll be presented with Name, Type, Size, Modified.

You could also sort your files by the date they were modified, and look for 09/29/2005  ...
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 07:35:26 PM
I was typing while you were ...  :D

Any interference from a real time monitor?
Title: Re: Freckles HJT log #1
Post by: Ripley on January 26, 2006, 07:44:48 PM
She has Spybot with tea-timer not on, Counterspy which I had her disable, and looking thru notes, she has SpywareBlaster, which I thought was disabled, but not sure now...we've done so many scans!
Will make sure SpywareBlaster is disabled too.
What about the F-Secure A/V?  Should we disable that during Ewido or AdAware scans?  I know we started out having it disabled, but not sure if for all of the scans, or if it makes a difference.  I personally am unfamiliar w/ F-Secure security products.
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 07:50:42 PM
You can leave SpywareBlaster alone ... it sets Active-X killbits, and won't interfere with this ...

Also search the computer for:  robot.exe

I don't know much about F-Secure either.  Let's see what the ^^^ suggestions turn up.
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 07:57:30 PM
Have you tried the a2 trojan scanner yet?

http://www.windowsecurity.com/trojanscan/checksystem.asp
Title: Re: Freckles HJT log #1
Post by: Ripley on January 26, 2006, 08:10:26 PM
Pray tell
Quote
^^^ suggestions
?????

:tease:  Just kidding, I assume you mean, the 3 suggestions above on searching differently.

But if it's some secret forum code I haven't learned yet, be sure to get back to me.

Have not tried an a-squared trojan scan, but we will do it.  Just went there, and it says if trojans are found to go to the a-squared home page.  Do we do that, or just post the log here.  And does it give us the option of saving a log?  Couldn't tell by reviewing the link you posted.
Also it says choose a folder to scan.  Do we choose windows/system32 folder or the whole c drive?
I've not done one of these before.

Title: Re: Freckles HJT log #1
Post by: winchester73 on January 26, 2006, 08:17:37 PM
Scan the whole computer ...

I just ran the scan on this box ... C:\ was the default presentation.  I didn't add any folders, just scanned.
Title: Re: Freckles HJT log #1
Post by: Ripley on January 26, 2006, 08:20:50 PM
Quote
It seemed odd that a search for these didn't produce what you were looking for ...

t?skmgr.exe
j?vaw.exe
m?hta.exe

FYI, we're also looking for this one according to Panda online scan:

Adware:adware/swimsuitnetwork                                                                 C:\WINDOWS\system32\MYDLL.dll   (with 1,462,353 bytes according to the dat.Find log.)

There were 2 others that Panda detected, but user was able to find and delete those.

Just got your post while I was adding this.
Will scan whole computer.
Title: Re: Freckles HJT log #1
Post by: Ripley on January 27, 2006, 02:03:09 AM
More info.
Both profiles were confirmed as Showing hidden files.

In Windows Explorer for Window/system32, a search was done using date,
and on Sept. 29 2005 those same 3 files were listed (w/o ?) but all 3 with 392 KB, not 401,408 KB.
The 4th file Panda detected, MYDLL.dll was found on 11-01 date (same date in dat.Find) but with 1,429 KB not 1,462,353 bytes.

And just so I understand what we are doing with these searches.  We are looking for the files with the name/pathway that Panda provided.  And then we are only looking to delete the same named files with the corresponding numbers of bytes provided by dat.Find.  And the dates listed by dat.Find that matches as well with those files names have helped find them.  But if we are looking for exact numbers of bytes, they haven't been found.

Did a search in all files and folders for robot.exe and nothing was found.

Did Start...Run...cmd...and in system32 nothing "unusual" was seen, but was kindofa foreign looking land...in other words, it just appeared to list files that were familiar.  Wish I knew how to comment better on that.

With Counterspy & Ewido, active monitors were disabled.  And temp. disabled F-Secure A/V.
Then did an online scan at a-squared trojan, of local disc c and no malware was found.

Did an online scan at F-Secure as well and no infections were found.

Here's an updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:56 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: Support - {B527A16B-FB12-4049-96E0-C3ABF799D9F6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
Title: Re: Freckles HJT log #1
Post by: Ripley on January 27, 2006, 02:20:19 AM
Also had Freckles do a scan and save a HJT log for the other profile, now given admin rights while we're doing this clean up, and it seems like one of the files that Panda detected and AdAware detected, t?skmgr.exe, is there now, when it wasn't in the HJT log on Jan 13th when we started this whole thread.  But this file isn't listed in the log above either, from the other profile, as far as I can see.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:23:33 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\t?skmgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Prjdce] C:\WINDOWS\system32\t?skmgr.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: Support - {D57D01A0-9BF2-48BC-A6F9-75EC53261314} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

And then as a last footnote, just as we were finishing up, F-Secure A/V alerted that trojan downloader purity scan was detected in local settings/temp/!update-319, and I had the user not disinfect, but take F-Secure's option to delete it manually, which was done.  The Temp Internet files folder was then checked and the same clickspring stuff from before was there and was deleted.

Just an idea, is it possible this trojan is in the system restore and keeps coming back from there?
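The entry that took several posts in this thread to pin down, C:\WINDOWS\system32\t?skmgr.exe started from an HKCU Run key, is the kind of thing a small script can pull out of a HijackThis log in one pass. The following is an added example and is not part of the thread or of HijackThis itself. It reads the O4 Run entries and the "Running processes" lines, and flags a file name when it contains a character the log could not render (a `?` is not legal in a Windows file name, so in a log it stands for something the tool could not display) or when it is exactly one character away from a well-known Windows binary. The sample log lines are constructed in the shape of the log above, and the list of system binaries is an assumption seeded from the names mentioned in this thread (taskmgr, javaw, mshta):

```python
"""Added example: flag look-alike file names in HijackThis log lines."""
import re
import string

# Binaries a look-alike commonly impersonates. The thread names taskmgr, javaw
# and mshta; the rest are added here as an assumption for illustration.
SYSTEM_BINARIES = {
    "taskmgr.exe", "javaw.exe", "mshta.exe", "svchost.exe",
    "explorer.exe", "lsass.exe", "winlogon.exe", "services.exe",
}

# Constructed sample in the shape of the log above: three O4 Run entries
# (one of them quoted with an argument) and two "Running processes" lines.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe",
    r"O4 - HKCU\..\Run: [Prjdce] C:\WINDOWS\system32\t?skmgr.exe",
    r'O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" /quiet',
    r"C:\WINDOWS\system32\t?skmgr.exe",
    r"C:\WINDOWS\System32\hkcmd.exe",
])

# O4 - HKLM\..\Run: [Name] command   (HKLM = every user, HKCU = this profile only)
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quotes or not.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|scr|cpl))", re.IGNORECASE)


def extract_path(line: str):
    """Return (kind, path) for an O4 Run entry or a running-process line, else None."""
    m = O4_RE.match(line)
    if m:
        found = PATH_RE.search(m.group("cmd"))
        return ("O4 " + m.group("hive"), found.group(1)) if found else None
    if PATH_RE.fullmatch(line.strip()):
        return ("process", line.strip())
    return None


def lookalike_reasons(path: str):
    """Why the file name in *path* deserves a look; an empty list means nothing odd."""
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    # '?' cannot occur in a real Windows file name, so in a log it means the
    # tool could not render a character. Non-ASCII characters are legitimate
    # in localized names, so this is a review flag, not a verdict.
    odd = sorted({c for c in name if c == "?" or c not in string.printable})
    if odd:
        reasons.append("unrenderable or non-ASCII characters: " + "".join(odd))
    # Same length as a system binary and exactly one character different,
    # which is how t?skmgr.exe sits next to taskmgr.exe in the thread.
    low = name.lower()
    for known in sorted(SYSTEM_BINARIES):
        if low != known and len(low) == len(known) and sum(a != b for a, b in zip(low, known)) == 1:
            reasons.append(f"one character away from {known}")
    return reasons


def scan_log(text: str):
    """Return [(line_no, kind, path, reasons)] for every flagged entry in *text*."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = extract_path(line)
        if not entry:
            continue
        kind, path = entry
        reasons = lookalike_reasons(path)
        if reasons:
            hits.append((n, kind, path, reasons))
    return hits


if __name__ == "__main__":
    for n, kind, path, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n} [{kind}] {path}: {'; '.join(reasons)}")
```

Run against the sample it reports only the two t?skmgr.exe lines (the Run entry and the running process), each for both reasons; the genuine hkcmd.exe, sunserver.exe and BackWeb lines pass. The hive is kept in the output because an HKCU entry, as here, is written under the profile that was logged in when the infection happened, which is why the file showed up in the limited user's log but not in the administrator's.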
Title: Re: Freckles HJT log #1
Post by: Ripley on January 28, 2006, 03:23:24 PM
Die Hard/Winchester 73  :)

Spent more time w/ Freckles on the phone, and I think we've located those 4 files.
I think we were confused by dat.Find log sizes in bytes and Windows Explorer sizes in KB.
I used an online conversion calculator and 401,408 bytes = 392 KB which is what user found for these 3 files.
The 4th file size (that Panda found) was 1,462,353 bytes which equals 1,428.0791016 KB and user found one 1,429 KB...so this is a match too, right?

Had user go back to System32 folder and in Windows Explorer searched by name again, and no files were out of sequence at the bottom, but user states seeing a taskmgr.exe w/ an icon AND right next to it a taskmgr.exe w/o an icon.  Same situation with javaw.exe and mshta.exe files.
There is only the one MYDLL.dll.

I know this will sound stupid, but just to be sure, based on above, delete these 4 files?  The 3 files w/ 392 KB w/ no icons, and the one MYDLL.dll.

If that's a yes, will manually delete them, run CCleaner in both profiles, then follow up with Ewido and AdAware scans.
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 28, 2006, 10:33:57 PM
ripley :)

It seems like you finally have located the files,well done  :thumbsup:
Just to be sure, do not nuke them entirely; put them in a temp location for the time being, until you know the system doesn't malfunction. Once you move them from their original place, they are most certainly quite harmless.

Round it up, like you say, with both an Ewido and an AAW-scan and empty the temp folders.

Die Hard :)
Title: Re: Freckles HJT log #1
Post by: Ripley on January 28, 2006, 10:41:33 PM
Quote from: Die Hard on January 28, 2006, 10:33:57 PM
Just to be sure, do not nuke them entirely; put them in a temp location for the time being, until you know the system doesn't malfunction.
To put in temp location, right click each file, select "cut" and paste them in a folder (that we'll name "crap") on the desktop?  Is that what you mean? 
Title: Re: Freckles HJT log #1
Post by: Corrine on January 29, 2006, 02:14:16 AM
Good way to handle it, Ripley! 
Title: Re: Freckles HJT log #1
Post by: Ripley on January 30, 2006, 12:04:45 AM
Once upon a time... in computerland...there was a damsel in distress.  She was a queen of one of the castles in computerland.  She had constructed a motte all around and built her fortress wall high around her castle.  She even had centurion guards patrolling regularly, scanning every nook & cranny to keep her protected.
One day her young daughter met an enticing suitor at the castle gate and let him in.  But neither did this young girl know that this suitor concealed a foe named clickspring, and soon two of the trusted centurions named AdAware and Ewido approached the queen announcing that they knew there were trojans hiding in the castle, but were unable to completely slay them.

So a decree went out all over the land and a message was received that help would be arriving from a land, a land far far away, named Landzdown.  Soon a Knight in shining armor by the name of Die Hard and his trusted companion Winchester 73 examined many castle documents and logs and told the damsel what she needed to do.

The damsel was then able to roust out those trojans, and place them in a temporary dungeon.
They are awaiting execution and now the castle is back to its merry festivities.
This morning, AdAware & Ewido announced to the queen that a full castle search was conducted and no foes were hiding in the fortress.

And she lived happily ever after...thanks to her Knights in shining armor from Landzdown!   :flowers:
Title: Re: Freckles HJT log #1
Post by: Die Hard on January 30, 2006, 12:47:22 AM
I'm so glad the problems are sorted out and the computer is back to normal.  :thumbsup:

Your poem is beautiful, I'd say it's the best thank you we've ever had, thank you very much  :flowers:
I'm glad I have ears as stoppers, or the smile I have would cut my head in two halves. :lol:

Die Hard :)

Title: Re: Freckles HJT log #1
Post by: Corrine on January 30, 2006, 01:51:26 AM
Ripley, you cannot know how much it means that you took the time to write this.  It is very, very special!  (Of course, we have all known that Die Hard and Winchester are Knights in shining armor for a long time.)
Title: Re: Freckles HJT log #1
Post by: Ripley on January 30, 2006, 03:42:43 AM
Actually, writing that little ditty was nothing compared to the guidance that comes from Die Hard or Winchester 73 or whatever member of LzD that takes the time to help another member.  :)

And if I had known how to use the modify/edit options I would have inserted this paragraph here:

Once upon a time... in computerland...there was a damsel in distress.  She was a queen of one of the castles in computerland.  She had constructed a motte all around and built her fortress wall high around her castle.  She even had centurion guards patrolling regularly, scanning every nook & cranny to keep her protected.
One day her young daughter met an enticing suitor at the castle gate and let him in.  But neither did this young girl know that this suitor concealed a foe named clickspring, and soon two of the trusted centurions named AdAware and Ewido approached the queen announcing that they knew there were trojans hiding in the castle, but were unable to completely slay them.

So a decree went out all over the land and a message was received that help would be arriving from a land, a land far far away, named Landzdown.  Soon a Knight in shining armor by the name of Die Hard and his trusted companion Winchester 73 examined many castle documents and logs and told the damsel what she needed to do.

And yet the queen was unfamiliar with dealing with these trojans.  She listened to the Knights, but she floundered, and yet these Knights were patient...they knew when to say something and when to let the queen figure some things out for herself (because it was HER castle)...in this way, she still felt like a queen, and she LEARNED how to deal with trojans, which helped the future of her Queendom.

The damsel was then able to roust out those trojans, and place them in a temporary dungeon.
They are awaiting execution and now the castle is back to its merry festivities.
This morning, AdAware & Ewido announced to the queen that a full castle search was conducted and no foes were hiding in the fortress.

And she lived happily ever after...thanks to her Knights in shining armor from Landzdown!

Bottom line, I think it takes a certain type of magic to help a member because we are all at such different levels of experience and understanding in this computer world.  For members with an extensive amount of computer experience it takes a special gift to DIG DOWN DEEP and respond to the same issue they've seen a hundred times before. 

What I've found is that if time is taken to search this forum, or Google some keywords, it's amazing the information, answers and solutions that are provided.

For me, I usually search this forum first, cuz I know if I don't find the answers right away, I'll get it eventually with guidance from a member, or doing a few searches. 
Title: Re: Freckles HJT log #1
Post by: JOSEPH on January 30, 2006, 10:40:17 AM
This has got to be one of the Best! reads I have come across in a very long time!! if not ever!!

Very Well Spoken!

............................And They Lived Happily Ever After
Title: Re: Freckles HJT log #1
Post by: GR@PH;<'S on January 30, 2006, 01:02:20 PM
ripley,
Very good indeed
Quote: And she lived happily ever after...thanks to her Knights in shining armor from Landzdown!

GR@PH;<'S   :breakkie:
Title: Re: Freckles HJT log #1
Post by: winchester73 on January 30, 2006, 01:36:29 PM
I'm glad that things are sorted out now ...  :D

You know where to find help should some pest attempt to wrestle control of your computer away from you.   :Win73:
Title: Re: Freckles HJT log #1
Post by: Ripley on January 31, 2006, 12:10:24 AM
Quote from: winchester73 on January 30, 2006, 01:36:29 PM
You know where to find help should some pest attempt to wrestle control of your computer away from you.   :Win73:
You bet I do.  In reading this thread and other threads that you've posted in...your logic sometimes astounds me and in this thread helped me.  Thnx Winchester 73!

Quote from: GR@PH;<'S on January 30, 2006, 01:02:20 PM
ripley,
Very good indeed
GR@PH;<'S   :breakkie:
A beverage is in order in other words?  Boy, it looked like an active day here at the LzD!

Quote from: JOSEPH on January 30, 2006, 10:40:17 AM
This has got to be one of the Best! reads I have come across in a very long time!! if not ever!!

Very Well Spoken!

Thank you for these kind words.  Actually just observations, and wanting to find a different way of somehow trying to give back...to say how much I appreciate the efforts here at LzD.

Quote from: Corrine on January 30, 2006, 01:51:26 AM
Ripley, you cannot know how much it means that you took the time to write this.  It is very, very special!  (Of course, we have all known that Die Hard and Winchester are Knights in shining armor for a long time.)

And you, thanks for jumping in on my moment of lack of confidence.  Was just wanting this issue to be done, and I'm still learning this XP, so I didn't want any more "operator error."  It didn't take long to write, the words seemed to be inspired by the name Ewido...can't you just picture a guard named Ewido in some castle somewhere????
Title: Re: Freckles HJT log #1
Post by: Corrine on January 31, 2006, 12:24:43 AM
Quote: the words seemed to be inspired by the name Ewido...can't you just picture a guard named Ewido in some castle somewhere????

Absolutely -- it's called EwidoGuard and is the name of the "real time protection" available during the initial trial and then via subscription to ewido anti-malware!!!  :hysterical:
Title: Re: Freckles HJT log #1
Post by: Ripley on February 04, 2006, 04:41:01 AM
Quote from: Die Hard on January 28, 2006, 10:33:57 PM
ripley :)
Just to be sure, do not nuke them entirely; put them in a temp location for the time being, until you know the system doesn't malfunction.
Die Hard :)

Die Hard!  :D
Just wanted to let you know that all's well that ends well.  This computer has not only experienced no new problems or "malfunctioning," but is running A LOT faster.  :boat:
Just wanted to let you know the "foes" are being led from their dungeon to the guillotine.   :muahaha:

Thnx again, for helping clean up this computer!  :exorcize:
Title: Re: Freckles HJT log #1
Post by: Die Hard on February 07, 2006, 10:37:01 AM
ripley :)

I'm glad the operation was successful and the system is running well  :thumbsup:
Lead the offenders to the guillotine and chop their heads off  :muahaha:

Die Hard :)