Why Does Wmpccs2 Show Twice In Scu?


8 replies to this topic

#1 sandman1374

sandman1374

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids Michigan
  • Local time:04:10 PM

Posted 16 September 2008 - 04:52 AM

First off, let me apologize for my ignorance! I'm a newbie to this computer world and have always been able to receive help from my son (who now, after 5 yrs of college in this field, I hate to bother all the time), and I figure it's time for dad to learn to do things on my own. My concern is that after some time of just noticing what the System Configuration Utility (startup) lists, which has always contained only 5 activated items, it is all of a sudden listing two additional (unremovable) items called wmpccs2. Command reads C:\WINDOWS\wmpccs2.exe and location is HKCU\SOFTWARE\Microsoft\Windows\CurrentVer... I honestly haven't noticed any speed reduction or other problems, other than Firefox always showing up twice in the Task Manager processes after first logging into my account. After reading through several other posts on this site I did run SDFix and found it located a Trojan (C:\WINDOWS\syspr.prx - Deleted), at which point it told me to re-immunize my anti-spyware program. I ran Spybot as recommended and it listed that a Bifouse.gen trojan was found; I removed it and then re-immunized. After all this nothing has changed: I still have the 2 items I mentioned above in the same places, and now I'm even more concerned that I really don't know what the heck I'm doing! Or even what I've found. Can anybody help this old-school father, or give me a direction to follow or at least a place to start? Thank you, and any advice would be greatly appreciated.

Custom, AMD R7 1800x @ 3925MHz. ASUS Crosshair VI Hero, 2 x 8GB G-Skill Flare-X @ 3466MHz 14-13-13-26-1T, Samsung 960 m.2 NVMe OS. Samsung 840 Pro 120GB SSD OC OS. 2TB WD Blck data, 4TB WD Red Storage, EVGA G2 850 PSU, HD7970 3GB w/XSPC Razor WB. EK C6H Monoblock,  D5 Vario, RX360 rad,RS360 rad, EX140 rad, Xigmatek Elysium. Win10 Pro x64, Linksys WRT1900 ACS, Firefox Beta, Avast Free, Malwarebytes Pro, CCleaner,
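The symptom in the post above (a startup entry pointing at an executable sitting directly in C:\WINDOWS, listed twice in the System Configuration Utility and coming back after reboot) is what an audit of the autostart "Run" keys is for. The script below is an added example, not code from this thread or from any tool mentioned in it. It assumes Windows PowerShell 3.0 or later and that it runs as the user whose HKCU hive is of interest; `Get-AutostartEntry` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the thread): enumerate the per-user and per-machine
# autostart keys that msconfig's Startup tab reflects, resolve each command to
# an executable, and flag the patterns described above:
#   - an executable located directly under the Windows folder (not a subfolder)
#   - a file that no longer exists or carries no valid Authenticode signature
#   - the same executable registered under more than one key or value name,
#     which msconfig shows as separate rows (one way an item "shows twice")
# Assumes Windows PowerShell 3.0+.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Pull the executable out of the command line: the quoted first
            # token if there is one, otherwise everything up to the first ".exe".
            $exe = if ($cmd -match '^"([^"]+)"')   { $Matches[1] }
                   elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
                   else { $cmd }
            $exe    = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key           = $key
                Name          = $name
                Command       = $cmd
                Path          = $exe
                Exists        = $exists
                Signature     = $sig
                # Windows components live in subfolders such as system32; a loose
                # .exe directly under %WINDIR% deserves a closer look.
                InWindowsRoot = ((Split-Path -Parent $exe) -ieq $env:WINDIR)
            }
        }
    }
}

$entries = @(Get-AutostartEntry)

"All autostart entries:"
$entries | Format-Table Key, Name, Path, Exists, Signature, InWindowsRoot -AutoSize

# Same executable registered more than once, regardless of key or value name.
$dupes = $entries | Group-Object { $_.Path.ToLowerInvariant() } | Where-Object Count -gt 1
if ($dupes) {
    "Executables registered more than once:"
    $dupes | ForEach-Object { "  {0}  ({1} entries)" -f $_.Name, $_.Count }
}

"Entries worth reviewing (in Windows root, missing, or not validly signed):"
$entries |
    Where-Object { $_.InWindowsRoot -or -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Key, Name, Path, Signature -AutoSize
```

An unsigned entry is not proof of anything on its own (plenty of legitimate third-party software of that era shipped unsigned), but combined with the other two flags it narrows the list to the handful of rows that need to be checked against the vendor or submitted to a scanner. Re-running the script after a reboot also shows directly whether a removed value has been recreated, which is the behaviour the poster describes.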



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:10 PM

Posted 16 September 2008 - 05:35 AM

I can't find any information on the file wmpccs2.exe. Coupled with the fact that you have already had trojans identified, I think that you should post this query in the "Am I Infected" forum.
m0le is a proud member of UNITE

#3 sandman1374

sandman1374
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids Michigan
  • Local time:04:10 PM

Posted 20 September 2008 - 11:35 PM

Well, just thought I'd share that after 5 days and nights of not finding anything new on this wmpccs2.exe file, and being concerned about the fact that I couldn't remove it from C:\WINDOWS (Windows cannot remove), or that after removing (two applications) of it from the SCU window's startup tab it just showed up again after rebooting, I continued reading the tutorials on here. My PC hasn't ever given me any signs of being slow or error messages of any kind, just the one scan of SDFix mentioned in my first post above, which as I understand it removed one Trojan. Before I ran the SDFix scan, neither Spybot, Ad-Aware nor the Symantec programs ever showed any findings. Must have just been the paranoid feeling of this wmpccs2 showing up in the System Configuration startup that just wouldn't let me sleep at night. Being the rookie I am, I decided to do the following as my only choice at this point. I uninstalled Spybot and Ad-Aware and all associated files. Then I reinstalled Spybot using the settings instructions and download link from BC's tutorial and ran the program, also did the same and added SpywareBlaster, then reinstalled Ad-Aware using the recommended settings from the BC tutorials, and finally finished off with a manual scan of the Symantec antivirus where I included the advanced option to "scan files when" "Opened for backup" and "Accessed or modified". To my disbelief, after running all this I found that I could finally delete wmpccs2 from the C:\WINDOWS folder; I stored it in the Recycle Bin temporarily and then used CCleaner to remove it from the System Configuration Utility. At this point I really don't understand what all has happened, but it's finally gone and I haven't noticed any kind of trouble since. Unless I hear something different from a true professional from BC, I'm taking it for granted the problem is gone and I'll finally sleep again! If anyone after reading this knows of anything I might have screwed up on, please don't hesitate to let me know! I love this place...



#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:10 PM

Posted 21 September 2008 - 12:09 AM

SDFix is more a specialty tool reserved for infections after the more common scanners fail to remove a component.
AdAware and Spybot don't perform well with newer infections.

http://www.bleepingcomputer.com/forums/ind...st&p=944365

MBAM from a normal mode boot, supplemented with ATFCleaner and SAS from a safe mode boot, are much more effective.

http://www.bleepingcomputer.com/forums/ind...st&p=948894

Scan a sample of several longer threads here.

Your method could still work, but would take longer and might fail with stronger infections.

Edited by DaChew, 21 September 2008 - 12:11 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#5 sandman1374

sandman1374
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids Michigan
  • Local time:04:10 PM

Posted 22 September 2008 - 12:22 AM

Thank you very much for the help and suggestions! Here is a copy of the mbam log and SUPERAntiSpyware log.

Malwarebytes' Anti-Malware 1.28
Database version: 1188
Windows 5.1.2600 Service Pack 3

9/21/2008 6:26:50 PM
mbam-log-2008-09-21 (18-26-50).txt

Scan type: Quick Scan
Objects scanned: 51946
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 41
Files Infected: 94

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware381\bin (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware381\icons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Music_Info_Search (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Music_News (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB4 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB5 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB6 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB7 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Music_Info_Search (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Music_News (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB4 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB5 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB6 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB7 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Starware381\Starware381Config.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware381\Starware381Uninstall.exe (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware381\icons\star_16.ico (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1317_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\TMB40.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\TMB50.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\TMB60.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\TMB70.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\Related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\Travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Music_Info_Search\Music_Info_SearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Music_Info_Search\Music_Info_SearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Music_News\Music_NewsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Music_News\Music_NewsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB4\TMB4Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB4\TMB4Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB5\TMB5Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB5\TMB5Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB6\TMB6Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB6\TMB6Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB7\TMB7Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TMB7\TMB7Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\Starware381\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Music_Info_Search\Music_Info_SearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Music_Info_Search\Music_Info_SearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Music_News\Music_NewsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Music_News\Music_NewsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB4\TMB4Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB4\TMB4Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB5\TMB5Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB5\TMB5Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB6\TMB6Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB6\TMB6Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB7\TMB7Options.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TMB7\TMB7Options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Local Settings\Temp\Image.jpg (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Local Settings\Temp\c4ad_appcompat.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Desktop\DSCN0853.JPG (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Desktop\desktop.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/21/2008 at 11:44 PM

Application Version : 4.21.1004

Core Rules Database Version : 3575
Trace Rules Database Version: 1563

Scan type : Complete Scan
Total Scan Time : 02:43:03

Memory items scanned : 163
Memory threats detected : 0
Registry items scanned : 5823
Registry threats detected : 0
File items scanned : 58712
File threats detected : 0

Do I still have a problem? Also, do I leave this in quarantine or delete it? And lastly, can you offer any suggestions on how we got this? My other half is currently an online student and occasionally has to use CDs from her school; could this be the problem?

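The MBAM log above lists 135 detections, and the poster's question ("do I leave this in quarantine or delete it?") is really a triage question: which of those lines are one adware package's 130-odd support files, and which are individual hits that deserve a look before quarantine is emptied. The script below is an added example, not part of this thread or of Malwarebytes; it parses the log line format shown above (`<path> (<detection>) -> <action>.`) using a few lines copied from the posted log as sample input, and assumes Windows PowerShell 3.0 or later. `ConvertFrom-MbamLog` is a name chosen here, not a real cmdlet.

```powershell
# Added example (not from the thread): group a Malwarebytes' Anti-Malware log
# by detection family and single out the non-adware hits that landed on a
# user's own files. Sample lines are copied from the log posted in this thread.
$sampleLog = @'
C:\Program Files\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Application Data\Starware381\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Local Settings\Temp\Image.jpg (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Desktop\DSCN0853.JPG (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Desktop\desktop.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
'@

function ConvertFrom-MbamLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Lazy path match stops at the last " (" before the detection name.
        if ($line -match '^(?<path>.+?) \((?<name>[^)]+)\) -> (?<action>.+?)\.?$') {
            $path   = $Matches.path
            $name   = $Matches.name
            $action = $Matches.action
            # Which XP user profile the item sits in, if any (overwrites $Matches,
            # so the fields above are captured first).
            $profile = if ($path -match '^C:\\Documents and Settings\\([^\\]+)\\') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Path      = $path
                Detection = $name
                Action    = $action
                Profile   = $profile
            }
        }
    }
}

$items = @(ConvertFrom-MbamLog -Lines ($sampleLog -split '\r?\n'))

"Detections by family:"
$items | Group-Object Detection | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Everything that is not the one adware package, with the profile it belongs to.
"Non-adware hits:"
$items | Where-Object { $_.Detection -notlike 'Adware.*' } |
    Select-Object Profile, Path, Detection | Format-Table -AutoSize

# Hits on files in a user's Desktop or My Documents are the ones to review with
# the user before purging quarantine: they may be personal files, not payloads.
"Review before deleting from quarantine:"
$items | Where-Object { $_.Detection -notlike 'Adware.*' -and $_.Path -match '\\(Desktop|My Documents)\\' } |
    Select-Object Path, Detection | Format-Table -AutoSize
```

Against the full log the first table collapses the 130 Starware381 entries into one row, leaving five items to think about, and the last table isolates the two Desktop files. Whether those are false positives cannot be decided from the log alone; the point is that grouping and profile attribution turn a 135-line log into a short list of decisions, and quarantine should be kept until that list has been worked through.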


#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:10 PM

Posted 22 September 2008 - 01:26 AM

ADAPT_Installer.exe

That was in the Recycle Bin; it's as likely a candidate as any for the prime infector.

Someone executed it?

No one ever wants to admit it, though.

CDs from other students would be dangerous or stupid or both.

I would like to see the original SDFix log.

It should still be in the SDFix folder.

#7 sandman1374

sandman1374
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids Michigan
  • Local time:04:10 PM

Posted 22 September 2008 - 02:19 PM

Thanks once again for your help. First, let me mention that the disc I mentioned was received with online course books from school and not from a student, but as part of class resource materials. Here is the log from the SDFix scan I ran, and, not sure if it's any assistance, I've also included a list of what Symantec antivirus has in its "Quarantine" and "Backup items".


SDFix: Version 1.224
Run by Kevin on Fri 09/12/2008 at 08:40 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\syspr.prx - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 20:46:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\WINDOWS\\system32\\lxctcoms.exe"="C:\\WINDOWS\\system32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"="C:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe:*:Enabled:Itiva Media Accelerator"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:VNC Server"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 14 Apr 2008 96,518 ...H. --- "C:\Program Files\WinsMedia\wmpec.exe"
Sat 30 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 29 Feb 2008 21,372 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RAB8.tmp"
Fri 29 Feb 2008 10,864 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RABA.tmp"
Fri 29 Feb 2008 19,116 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RABC.tmp"
Fri 29 Feb 2008 6,612 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RABE.tmp"
Fri 29 Feb 2008 6,668 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RAC0.tmp"
Fri 29 Feb 2008 23,008 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RAC2.tmp"
Fri 29 Feb 2008 24,168 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RAC4.tmp"
Fri 29 Feb 2008 6,588 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RAC6.tmp"
Fri 29 Feb 2008 101,580 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RAC8.tmp"
Fri 29 Feb 2008 4,604 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RACA.tmp"
Fri 29 Feb 2008 15,184 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RACC.tmp"
Fri 29 Feb 2008 10,192 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@RACE.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SAB9.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SABB.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SABD.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SABF.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SAC1.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SAC3.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SAC5.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SAC7.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SAC9.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SACB.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SACD.tmp"
Fri 29 Feb 2008 1,409 ...H. --- "C:\Documents and Settings\Guest\Local Settings\Temp\Z@SACF.tmp"

Finished!



Symantec Quarantine list

date       file name  threat        original location                    Status
4/9/2008   lae.exe    Trojan Horse  C:\Program Files\Internet Explorer   infected
4/24/2008  ieh.exe    Trojan Horse  C:\Program Files\Internet Explorer   infected

Under Properties it says: Action Taken - Quarantined; Action description - quarantined successfully; Set Action - Clean virus from file; Set Backup Action - Quarantine infected file.



Symantec Backup Items

date       file name      threat            original location
7/27/2008  A0034329.scr   Backdoor.Bifrose  C:\System Volume Information\_restore{25DD9D2D-E4A6-4A1D-8B20-44A90CE83DD8}\RP66\
5/1/2008   OpenLink.exe   Downloader        C:\Documents and Settings\Kevin\Local Settings\Temp\
5/16/2008  index[1].hmt   Downloader        C:\Documents and Settings\Kathy\Local Settings\Temporary Internet Files\Content.IE5\02628FNF\
4/6/2008   4kdu3qy4.exe   Trojan.Zlob       C:\Docume~1\Kevin\LOCALS~1\Temp\
4/6/2008   v004q4iv.exe   Trojan.Zlob       C:\Docume~1\Kevin\LOCALS~1\Temp\

Under Properties it says: Action Taken - Backup; Action description - The file was left unchanged; Set Action - Clean virus from file; Set Backup Action - Quarantine infected file.



I copied the info from SDFix folder\Report\Notepad and hope this is what you asked for.
Once again I do appreciate all your help and I do apologize for my computer illiteracy and hope you'll bear with me with any foolish questions or actions I might have asked or performed.

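The "Authorized Application Key Export" in the SDFix log above lists the Windows XP firewall exceptions, one registry value per program in the form "path:scope:Enabled:name", where a scope of "*" allows any remote address and "LocalSubNet" restricts the exception to the local subnet. The following parser is an added example (not part of the thread or of SDFix) that turns such an export into records and lists the enabled exceptions reachable from any address, which is what a reviewer reading this log would check first; the sample input is a shortened copy of the export above, constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the SDFix "Authorized Application Key Export"
# above (only a few entries kept). .reg exports double every backslash.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:VNC Server"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

_LINE = re.compile(r'^"(?P<name>.*?)"="(?P<value>.*)"$')


def _unescape(s: str) -> str:
    # Collapse the doubled backslashes of the .reg quoting back to single ones.
    return s.replace('\\\\', '\\')


def parse_authorized_apps(export: str) -> List[Dict[str, str]]:
    """One record per firewall exception: profile, path, scope, state, display name."""
    entries, profile = [], None
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            parts = line[1:-1].lower().split('\\')
            # The profile (standardprofile / domainprofile) follows "firewallpolicy".
            profile = parts[parts.index('firewallpolicy') + 1]
            continue
        m = _LINE.match(line)
        if not m:
            continue
        path, value = _unescape(m.group('name')), _unescape(m.group('value'))
        # The value repeats the path, so strip it instead of splitting on ':'
        # (the path itself contains "C:").
        if not value.startswith(path + ':'):
            continue  # malformed entry; leave it for manual review
        scope, state, name = value[len(path) + 1:].split(':', 2)
        entries.append({'profile': profile, 'path': path, 'scope': scope,
                        'state': state.lower(), 'name': name})
    return entries


def open_to_any_address(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Enabled exceptions with scope '*', i.e. reachable from any remote address."""
    return [e for e in entries if e['state'] == 'enabled' and e['scope'] == '*']
```

Run on the full export from the log, the LocalSubNet-scoped TurboTax entries drop out of the report while remote-access programs such as the VNC server stay in it.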


#8 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Location:millenium falcon and rockytop

Posted 22 September 2008 - 02:59 PM

Thanks for posting those logs, I have asked a far more experienced person to look at them
Chewy


#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,486 posts
  • Location:Virginia, USA

Posted 23 September 2008 - 07:02 AM

Symantec Antivirus Chapter 4: What to do if a virus or security risk is found: About the Quarantine, Managing the Quarantine

Table 2-1: View category
Delete backup copies of infected files. As a data safety precaution, Symantec AntiVirus makes a backup copy of infected items before attempting a repair. After verifying that Symantec AntiVirus cleaned an item infected by a virus, you should delete the copy in Backup Items.

Symantec AntiVirus backs up files that are infected by security risks when the files are put into Quarantine. It also keeps copies of the registry settings and system load points that are affected by security risks such as spyware and adware. System load points are areas of software that are particularly vulnerable to security risks.


When an anti-virus quarantines a file by moving it into a virus vault, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them while in the quarantined area.

IMPORTANT NOTE: syspr.prx was a backdoor Trojan and so was wmpccs2.exe. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the infection was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.



