
Overall Slowness - Experienced But Worried User


This topic is locked
21 replies to this topic

#1 natedees

Posted 14 February 2006 - 12:42 AM

My computer is just having trouble keeping up with running any programs. It is getting worse and worse. I would normally reformat at this stage, but was hoping to learn how to use HijackThis and not have to. I use McAfee, Ad-Aware, and Spybot - Search and Destroy currently. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:03 PM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136492339265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136496386468
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A132AA-D8F0-4A24-8689-0C7CFA468F3A}: NameServer = 24.29.1.218,24.29.1.219
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Thanks,
natedees


#2 pskelley

Posted 15 February 2006 - 07:28 AM

Hello and welcome to the forum. You have a real nasty one; I will show you first: [Microsoft Windows Update] scvvhost.exe. This worm is pretending to be a legitimate item and is even hiding where it is running from. It has seriously compromised your security; read about it: http://www.sophos.com/virusinfo/analyses/w32forbotfh.html You also have this: C:\WINDOWS\System32\msdxmlc.exe, which Google can't identify. I have little doubt this is a trojan also. You can investigate it here before removing it if you wish:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Please post any findings for me to view, and I strongly suggest you stay offline until you are clean to deny this hacker access. Let's proceed like this.

1) Use Search Companion to locate scvvhost.exe <<< look closely at the spelling, because legitimate files needed for the computer look similar.

2) Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

scvvhost.exe >>> file

C:\WINDOWS\System32\msdxmlc.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

Empty the recycle bin and restart the computer. Post the ewido scan results, a new HJT log and your feedback. How are you running now?

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
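The two things pskelley keys on above are visible in the O4 line itself: the Run value holds a bare file name (scvvhost.exe with no directory, so the log cannot say where it lives), and that name is a near miss of the real svchost.exe. The following Python script is an added example written for this edit, not code from the thread or from HijackThis; it parses O4 lines, extracts the executable, and flags bare names, lookalikes of core Windows process names (edit distance of two or less), and value names that claim to be Microsoft/Windows while pointing outside the Windows directory. The system-name list and the "ms-name-outside-windir" heuristic are assumptions of the example; a line with no flags is not cleared, it is just lower on the list.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names that malware likes to imitate (constructed
# list for this example; extend it with whatever you see in a clean log).
SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "wuauclt.exe",
}

# HijackThis O4 line: "O4 - HKCU\..\Run: [ValueName] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Executable part of the command line: a quoted path, or everything up to
# the first ".exe" token (handles unquoted paths that contain spaces).
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)(?:\s|$)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so a row-by-row DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_of(cmd: str) -> str:
    """Executable path or bare name from a Run-value command line."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip().split(" ", 1)[0]
    return m.group("q") or m.group("u")


def triage_o4(line: str):
    """Describe one O4 line and list its flags; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    image = image_of(m["cmd"])
    fname = PureWindowsPath(image).name.lower()
    flags = []
    # 1. Bare file name: the log cannot tell you where it lives. Windows
    #    locates it through the process-creation search order (System32,
    #    Windows directory, then PATH), so that is where to look first.
    if PureWindowsPath(image).parent == PureWindowsPath("."):
        flags.append("no-path")
    # 2. Near miss of a core process name (scvvhost.exe is two edits from
    #    svchost.exe). Exact matches are not flagged by this check.
    if fname not in SYSTEM_NAMES:
        for legit in sorted(SYSTEM_NAMES):
            if levenshtein(fname, legit) <= 2:
                flags.append(f"lookalike:{legit}")
    # 3. Heuristic (assumption of this example): a value name that claims
    #    to be Microsoft/Windows while the image is not under the Windows
    #    directory. Legitimate Office or Messenger entries can trip this,
    #    so treat it as a prompt to look, not a verdict.
    name_l = m["name"].lower()
    if ("microsoft" in name_l or "windows" in name_l) and not image.lower().startswith(
        ("c:\\windows\\", "%windir%", "%systemroot%")
    ):
        flags.append("ms-name-outside-windir")
    return {"hive": m["hive"], "name": m["name"], "image": image, "flags": flags}


# Constructed sample: O4 lines copied from the log in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe
""".strip().splitlines()


def triage_log(lines):
    """Triage every O4 line and return only the entries that raised a flag."""
    results = [triage_o4(l) for l in lines]
    return [r for r in results if r and r["flags"]]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_O4):
        print(f'{r["hive"]} [{r["name"]}] {r["image"]}: {", ".join(r["flags"])}')
```

On the sample above only the scvvhost.exe entry is flagged (no-path, lookalike:svchost.exe, ms-name-outside-windir); msdxmlc.exe raises nothing here, which is exactly why it still has to be checked by hand or with the online scanners.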

#3 natedees

  • Topic Starter

Posted 16 February 2006 - 03:01 AM

Ok - thanks for your response - I really enjoyed the websites and tools you linked. This might be a lengthy reply when I'm done.

The bad news is that the file "scvvhost.exe" cannot be found by the search companion, even after hidden files were exposed, and the search performed with attention to also looking at hidden material. The same was true for the msdxmlc.exe - these filenames exist in both the system32 folder and the i386 folder: msdxmlc.ocx and msdxmlc.dll, but I scanned them using the websites you posted for checking files and they came back clean.

Here is the report from the Ewido scan (I removed all of the cookies it pulled, and for the first file I chose no action, as this is a program I use, and I again used the internet scanning tools and they didn't come back with a positive result other than some identified the title you see below - "Not.a.virus...".) I will say the program doesn't work flawlessly though. It is hard to decipher, however - the computer is getting to the point where almost every program slows to a stop and ends up "not responding."

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:13:35 AM, 2/16/2006
+ Report-Checksum: 72EF05B9

+ Scan result:

C:\Program Files\Canon\MP Navigator 1.0\mpn.exe -> Not-A-Virus.NetTool.Win32.CalcDNet.d : Ignored
C:\Documents and Settings\Dees\Cookies\dees@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@e-2dj6wfliundjcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@e-2dj6wjk4cidzghp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@free.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@popunder.paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@specificpop[2].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@www.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@y-1shz2prbmdj6wvny-1sez2pra2dj6wfliqkcjklpaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyuld5mkoqudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Dees\Cookies\dees@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk5A1.tmp -> Dropper.Zerolin : Cleaned with backup
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\CTU745YR\castlist[2].html -> Downloader.Iwill.m : Cleaned with backup


::Report End

Also, I deleted the prefetch folder contents, and here is a new hjt log, but I'm sure it isn't helpful at this point:

Logfile of HijackThis v1.99.1
Scan saved at 1:49:31 AM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136492339265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136496386468
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A132AA-D8F0-4A24-8689-0C7CFA468F3A}: NameServer = 24.29.1.218,24.29.1.219
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

How do you think I can find the worm?

Thanks again for your help.

#4 pskelley

Posted 16 February 2006 - 05:34 AM

How do you think I can find the worm?


1) Thanks for the information. Please keep in mind that you are in front of the computer, not me; I cannot do this for you. The worm is running: O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe and in order to remove it we must know where it is. You are the one that has to find it. First look at this manual information to make sure it has been done:
SHOW HIDDEN FILES: MANUAL INSTRUCTIONS
Double-click My Computer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

2) Now use at least two of three online scans and scan these files:
C:\WINDOWS\System32\msdxmlc.exe
C:\Program Files\Canon\MP Navigator 1.0\mpn.exe
scvvhost.exe <<< once you locate it (very good chance it is in the C:\Windows\System32 folder, and be careful of the spelling)
Post the results so I can view them.

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

4) Read the directions then download and run this tool...post the results
http://www.microsoft.com/security/malwareremove/default.mspx

5) Follow these directions to download and run: http://www.kaspersky.com/virusscanner then post the results for me to view.
Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

The program will launch and then start to download the latest definition files.

Once the scanner is installed and the definitions downloaded, click Next.

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

*Scan Options:

*Scan Archives

*Scan Mail Bases

Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

Thanks...Phil

Edited by pskelley, 16 February 2006 - 05:36 AM.

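Step 2 above asks the user to locate scvvhost.exe by hand after unhiding files, then submit it to the online scanners. The Python script below is an added example for this edit, not code from the thread: it first checks the directories Windows would consult when a Run value holds only a bare name (System32, the Windows directory, then each PATH entry, which is the tail of the process-creation search order), then walks a drive matching the name case-insensitively and computes MD5 and SHA-256 for lookups. os.walk does not honour the hidden and system attributes that XP's Search Companion skips by default, but it is still a user-mode listing, so a kernel-level rootkit can hide a file from it just as it hides it from Explorer. Directory list, sample names and the temporary-file test data are assumptions of the example.

```python
import hashlib
import os


def hashes_of(path):
    """MD5 and SHA-256 of a file, read in chunks; both are accepted by the
    online scanners for a lookup without uploading the file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def resolve_bare_name(name, search_dirs):
    """First existing match for a bare file name in search_dirs, in order,
    mirroring how Windows resolves a Run value with no directory. Returns
    the path or None."""
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def default_search_dirs():
    """System32, the Windows directory, then PATH (assumed environment;
    per-process directories such as the current directory are omitted)."""
    sysroot = os.environ.get("SystemRoot", r"C:\WINDOWS")
    path = os.environ.get("PATH", "").split(os.pathsep)
    return [os.path.join(sysroot, "System32"), sysroot] + [p for p in path if p]


def find_by_name(root, name):
    """Exact, case-insensitive file-name search under root, with size and
    hashes for each hit. Unreadable directories are skipped."""
    name = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for fn in files:
            if fn.lower() == name:
                path = os.path.join(dirpath, fn)
                md5, sha = hashes_of(path)
                hits.append({"path": path, "size": os.path.getsize(path),
                             "md5": md5, "sha256": sha})
    return hits


if __name__ == "__main__":
    # Walks the whole system drive; slow, but that is the point of the hunt.
    drive = os.environ.get("SystemDrive", "") + os.sep
    for n in ("scvvhost.exe", "msdxmlc.exe"):
        print(n, "->", resolve_bare_name(n, default_search_dirs()) or "not on search path")
        for h in find_by_name(drive, n):
            print("  ", h)
```

If the Run value is still present but neither lookup finds the file, the value may be stale (the file already removed) or the file may be hidden below the level this script sees; either way, the O4 entry itself can still be fixed in HijackThis.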

#5 pskelley

Posted 23 February 2006 - 07:56 AM

This member has not responded to their topic since Feb 16 2006, 05:34 AM :thumbsup:

Topic is closed

Thanks...pskelley
BleepingComputer

Edited by pskelley, 23 February 2006 - 02:18 PM.


#6 natedees

  • Topic Starter

Posted 23 February 2006 - 11:24 AM

PSKelley - Sorry for not responding. I had the email notification set up, which alerted me of your first set of instructions, and was waiting to see another email prompt, which did not come after the second set of instructions. I only check my email at work, not other websites, and my computer at home I'm trying to fix is almost frustratingly inoperable, so I was just waiting for that email. Sorry. I will follow your instructions tonight and post results.

Edited by natedees, 23 February 2006 - 11:25 AM.


#7 KoanYorel


Posted 23 February 2006 - 02:11 PM

I've reopened this topic.
Awaiting your post response.
And I'll PM the HJT Team member of such.

Regards,
Koan
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#8 pskelley


Posted 23 February 2006 - 02:23 PM

No problem Nate, even though it has been a while, complete the instructions posted here:
Feb 16 2006, 05:34 AM and then post the uninstall list, the Kaspersky scan results and a new HJT log so I can make sure nothing has changed since I last saw one.

Thanks...Phil :thumbsup:

#9 natedees

  • Topic Starter

Posted 24 February 2006 - 10:22 PM

OK, thanks very much - I have wordpad open, going to run down the list of instructions. Sorry this took a while.

1) Hidden files are shown - for all folders. check.

2) msdxmlc.exe: Folder C:\WINDOWS\system32 does not contain a file called msdxmlc.exe. Search companion verifies as such. The folder does contain msdxmlc.dll, however. Kaspersky scan proclaims: You're clean! Jotti's scan proclaims: Found nothing (on all accounts).

mpn.exe: Every time I tried to scan this file with the online scanning sites, it seemed to freeze the site. I tried from 6 a.m. to 6 p.m. and other times at night. I was also bothered by the finding of another file called mpncopy.exe in the same folder – neither would scan online. In the end, I just uninstalled this program (a program to interface with my multifunction printer/scanner/copier) and other Canon programs. (Have you ever heard of a .exe file duplicated with the name "copy"?)

scvvhost.exe: system32 folder does not contain a file by this name. Search Companion cannot find a file by this name on drive C:\. I really can't find a file by this name on my system at this time. Disguised, perhaps?

3) At the risk of sounding like an idiot - I do not see a button for "open the misc tools" on HJT. My buttons are: (v 1.99.1) scan, fix checked, info on selected item, info..., config..., add checked to ignore list.
4) The Microsoft scan produced this result: No malicious software was detected. I checked for some of the filenames we are targeting, and did not see any - it would not allow me to copy and paste all filenames and their "not infected" result.
5) Here is the report from Kaspersky (I took no action yet)
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, February 24, 2006 9:18:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/02/2006
Kaspersky Anti-Virus database records: 178471
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 147806
Number of viruses found: 7
Number of infected objects: 7
Number of suspicious objects: 1
Duration of the scan process: 01:11:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk7DD.tmp Infected: Trojan-Spy.HTML.Paylap.ao skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\AENST5HK\wbkC0.tmp Infected: Trojan-Spy.HTML.Paylap.bg skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\GH2JOLQV\wbk1480.tmp Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\I14NM9YH\wbkF3.tmp Infected: Trojan-Spy.HTML.Wamufraud.ao skipped
C:\System Volume Information\_restore{CCDCC7E9-6C33-4277-B910-620FF3A3191B}\RP652\A0049538.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped
C:\System Volume Information\_restore{CCDCC7E9-6C33-4277-B910-620FF3A3191B}\RP652\A0049538.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{CCDCC7E9-6C33-4277-B910-620FF3A3191B}\RP652\A0049539.exe Infected: not-a-virus:AdWare.Win32.EZula.by skipped
C:\System Volume Information\_restore{CCDCC7E9-6C33-4277-B910-620FF3A3191B}\RP680\A0054244.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.d skipped

Scan process completed.

#10 pskelley


Posted 25 February 2006 - 06:56 AM

Hi Nate, first I need to ask you to read the instructions very carefully, review them a couple of times. Here Feb 23 2006, 02:23 PM I asked for:

No problem Nate, even though it has been a while, complete the instructions posted here:
Feb 16 2006, 05:34 AM and then post the uninstall list, the Kaspersky scan results and a new HJT log so I can make sure nothing has changed since I last saw one.

I need to look at that log to see how it relates to the information you provided about the items you searched for and to see what has changed in over a week.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Detailed instructions for doing this:

1) Open HJT

2) Click the fourth button down "Open the Misc Tools section"

3) Click the last button down "Open Uninstall Manager"

4) After the list is generated and visible, locate the "Save list" button and click it.

5) Save in: save to the Desktop

6) Open the notepad on the Desktop and copy/paste it to this thread like you do a HJT log.

Recap: post a new HJT log along with the uninstall list. Since a good bit of time has passed, I would appreciate it if you would describe the problems you are having now in as much detail as possible and post any error messages you are receiving "word for word".

Now I will look at the Kaspersky scan and you should complete the above instructions before starting this:

So you will know, Kaspersky is a very good scanner but it does not remove the stuff unless you own it. We, however, can remove it manually. The items like this: C:\System Volume Information\_restore are of course your System Restore files and we will clean them out before we are finished, just do not use system restore for any reason until then.
These are infected files that you are storing in the Temporary Internet Files folder. Open that folder, which I will highlight in red, and delete all of the contents. This is a favorite area for malware; keep it clean. It is necessary during routine operation, but I clean mine at least at the end of each session. If any of the temporary files resist deletion, remove them in safe mode. DO NOT delete the folder, just the contents. http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/
When this is complete, please scan again with Kaspersky, edit out any System Restore files and post the balance of the scan in this thread.
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk7DD.tmp
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\AENST5HK\wbkC0.tmp
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\GH2JOLQV\wbk1480.tmp
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\I14NM9YH\wbkF3.tmp

Empty the recycle bin and restart the computer.

Thanks...Phil

Edited by pskelley, 25 February 2006 - 06:58 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#11 natedees

natedees
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 25 February 2006 - 09:29 PM

Ok Phil - thanks. Forgot the HJT log, sorry. For future reference with other clients - the Uninstall list on HJT is now under the "Config..." button.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:12:19 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136492339265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136496386468
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A132AA-D8F0-4A24-8689-0C7CFA468F3A}: NameServer = 24.29.1.218,24.29.1.219
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

And the Uninstall list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
Blackjack Counter
Blackjack Expert for Windows
Broadcom 440x Driver Installer
Canon MP Drivers 6.0
Canon Utilities Easy-PhotoPrint
Charter Pipeline® Self-Installation
Conexant D480 MDC V.92 Modem
Dell ResourceCD
Dell TrueMobile 1300 WLAN Mini-PCI Card
Easy-WebPrint
ewido anti-malware
HijackThis 1.99.1
InCD (ahead software)
InterVideo WinDVD
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.2
Kaspersky On-line Scanner
LimeWire 4.9.41
Macromedia Extension Manager
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia Shockwave Player
Mathematica 4
MATLAB 6.1
McAfee VirusScan Enterprise
Microsoft Office XP Professional
MSN Music Assistant
Nero - Burning Rom
OmniPage SE 2.0
Presto! PageManager 6.03
QuickTime
RealPlayer
Rio Music Manager
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SigmaTel AC97 Audio Drivers
Spybot - Search & Destroy 1.4
SSH Secure Shell
Starry Night Backyard (Freeman Edition)
Synaptics Pointing Device Driver
TaxCut Deluxe 2005
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VPN Client
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip

I deleted all Temporary Internet files. Emptied Recycle Bin. Restarted. Kaspersky scan results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, February 25, 2006 8:23:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/02/2006
Kaspersky Anti-Virus database records: 178665
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 145255
Number of viruses found: 7
Number of infected objects: 7
Number of suspicious objects: 1
Duration of the scan process: 01:09:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk7DD.tmp Infected: Trojan-Spy.HTML.Paylap.ao skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\AENST5HK\wbkC0.tmp Infected: Trojan-Spy.HTML.Paylap.bg skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\GH2JOLQV\wbk1480.tmp Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\I14NM9YH\wbkF3.tmp Infected: Trojan-Spy.HTML.Wamufraud.ao skipped

I removed the four restore file lines as you asked.

You also asked to describe my problems and error messages - I don't get any error messages, really - the computer is just bogged down all the time, and for no reason. Its performance has degraded, and I thought the system was fairly clean - everything installed and uninstalled as recommended, etc. Obviously I have some infections, but the computer is almost unusable, it is so slow now. That is the best description of my problem I can muster.

Thx again,
Nate

#12 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:20 PM

Posted 26 February 2006 - 08:12 AM

OK Nate, let's you and I work together to overcome this problem. First, please look to see whether the items you posted just now are the same items you just removed manually, if you cleaned everything in the Temporary Internet Files. Did you restart the computer after you deleted them before you ran Kaspersky again? This is a trojan and it is running from your TIF and it must be removed. So you can look at them:
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk7DD.tmp
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\AENST5HK\wbkC0.tmp
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\GH2JOLQV\wbk1480.tmp
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\I14NM9YH\wbkF3.tmp

***sorry, I saw this information late:

I deleted all Temporary Internet files. Emptied Recycle Bin. Restarted. Kaspersky scan results:

Cleaning TIF files in Internet Explorer "Options" is not enough, and you must delete these manually to be sure. As you can see, they are still there in the second Kaspersky scan.

Check again here:
C:\Documents and Settings\
Dees\
Local Settings\
Temporary Internet Files\ <<< delete everything in that file, then run a Kaspersky and post it, until they are gone we must assume they are our problem.

If you wish to clean the System Restore files now, use this information:
System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Believe me Nate, while this may not be the problem, it only takes one trojan to seriously affect how a computer runs. Once you are running a clean Kaspersky scan, post the results showing "0". Post a new HJT log along with it and tell me if that fixed the problem. If not, we move on from there.
Here are links with information that may also help:
http://www.microsoft.com/windows/IE/commun...s/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Ea...rs_article.html

Uninstall list: I am looking for security issues, or bad programs, and I may not know all of them. You should look for programs you do not know (find out what they are) and programs you no longer use to clean it off your drive.

Adobe Acrobat 5.0: no security issue, but if you use it, version 7.0 has been available for a while free.
AOL Instant Messenger: many nasties are spreading via this program. Caution all users to be extremely careful. Just because a file says it is from someone they know, does not mean it is. The trojans know their names.
LimeWire 4.9.41: Please see this information - http://www.spywareinfo.com/articles/p2p/ Limewire (The most current version of Limewire is reported to include spyware. LimeWire 4.9.28 is clean. Older and newer versions may not be.) http://www3.ca.com/securityadvisor/pest/Pe...px?id=453088059

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
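Phil's two requests above, stripping the System Restore entries from a Kaspersky report before posting it and checking which hits survive the cleanup between two scans, as an added Python example that is not part of this thread. The embedded report lines are constructed from the reports posted above (not live scanner output), and the line shape the regular expression assumes is my reading of that format, not a documented one.

```python
import re

# Constructed sample input: a few object lines from the two Kaspersky reports
# posted in this thread (not live scanner output), one restore-point GUID included.
FIRST_SCAN = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk7DD.tmp Infected: Trojan-Spy.HTML.Paylap.ao skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\GH2JOLQV\wbk1480.tmp Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\System Volume Information\_restore{CCDCC7E9-6C33-4277-B910-620FF3A3191B}\RP652\A0049538.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped
C:\System Volume Information\_restore{CCDCC7E9-6C33-4277-B910-620FF3A3191B}\RP652\A0049538.exe WiseSFX: infected - 1 skipped

Scan process completed.
"""
SECOND_SCAN = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\1WMMB3KV\wbk7DD.tmp Infected: Trojan-Spy.HTML.Paylap.ao skipped
C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files\Content.IE5\GH2JOLQV\wbk1480.tmp Suspicious: Exploit.HTML.Iframe.FileDownload skipped

Scan process completed.
"""

# Assumed line shape: "<path> <Verdict>: <detail> <action>". A Windows path contains
# spaces but never a space-delimited "<token>:", so the first such token is the verdict.
ENTRY_RE = re.compile(r"^(?P<path>.+?)\s+(?P<verdict>[^\s:]+):\s+(?P<detail>.+?)\s+(?P<action>\S+)$")
RESTORE_MARKER = "\\system volume information\\_restore"


def parse_report(text):
    """Return the object list of a report as dicts with path, verdict, detail, action."""
    entries, in_list = [], False
    for line in text.splitlines():
        if line.startswith("Infected Object Name"):
            in_list = True
            continue
        if line.startswith("Scan process completed"):
            break
        if in_list and line.strip():
            match = ENTRY_RE.match(line)
            if match:
                entries.append(match.groupdict())
    return entries


def split_restore(entries):
    """Separate restore-point hits (dealt with by purging System Restore) from the balance."""
    restore = [e for e in entries if RESTORE_MARKER in e["path"].lower()]
    balance = [e for e in entries if RESTORE_MARKER not in e["path"].lower()]
    return restore, balance


def on_disk_file(path):
    """Archive members are reported as container/member; keep the file that exists on disk."""
    return path.split("/", 1)[0]


def persisting(before, after):
    """Non-restore paths flagged in both scans: the cleanup between them did not reach these."""
    earlier = {on_disk_file(e["path"]) for e in split_restore(before)[1]}
    later = {on_disk_file(e["path"]) for e in split_restore(after)[1]}
    return sorted(earlier & later)


if __name__ == "__main__":
    first, second = parse_report(FIRST_SCAN), parse_report(SECOND_SCAN)
    restore, balance = split_restore(first)
    print(f"first scan: {len(restore)} restore-point hits, {len(balance)} to post")
    for path in persisting(first, second):
        print("still flagged after cleanup:", path)
```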

#13 natedees

natedees
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 26 February 2006 - 01:49 PM

Phil - Thanks for all of this information - I am going to read through the links, etc. carefully and really work with this until I get a clean Kaspersky scan - That may take a while, so I hope that will be ok. For instance, since I know that I definitely did manually delete everything in the TIF folder, I was shocked to see the scan reveal a virus still there - I went back to look - there are new files based on Kaspersky and anything I have done since that deletion+restart, but no folders for example, and none called Content.IE5. So I let Search Companion search for this folder Content.IE5 and it turned up nothing - I think that this Trojan is hiding and remanifesting itself or something. Maybe if I clean the system restore files first... I'll work with it for a little while and make the clean Kaspersky scan the goal.

Thanks again,
Nathan

#14 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:20 PM

Posted 26 February 2006 - 06:49 PM

OK Nathan, thanks for the information, keep me posted and if you come up with questions I may be able to help with post them.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#15 natedees

natedees
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 27 February 2006 - 01:38 AM

Ok, Phil - Here's what I have: I'm down to the files that Kaspersky claims are in the Temporary Internet Files folder. This situation is baffling -

I can go directly to the folder C:\Documents and Settings\Dees\Local Settings\Temporary Internet Files and delete all of the contents, empty the recycle bin (which actually the last time didn't seem to show these files - do TIF get removed permanently when deleted?), restart, and the Kaspersky scan will show the same files in the same folder, "Content.IE5", which, if I go back to the location, will still not be there - it is like a hidden folder (all hidden are shown) that cannot be deleted - is this normal behavior of a Trojan? Is the scan incorrect (I believe it's correct considering the symptoms are still there)?

Do you recommend just starting over - reformatting? I was trying to avoid that.

Thanks,
Nate

Edited by natedees, 27 February 2006 - 01:40 AM.
