My Kids Computer Infected? "microsoft Security Adviser"


9 replies to this topic

#1 tair


Posted 18 June 2007 - 11:10 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:06:32 PM, on 6/18/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVAE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQSTE08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKLM\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [mssadv.exe] أق
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] $SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] $SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKCU\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [mssadv.exe] أق
O4 - HKCU\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/g...GameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O21 - SSODL: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - C:\WINDOWS\SYSTEM\eeuydc.dll (file missing)
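As an added example (not part of this thread, and not HijackThis's own logic), a small Python triage script that parses O4, O16 and O21 lines of the format above and flags the same properties the helper later acts on: a rootless `\Microsoft Security Adviser\...` path, a garbled non-ASCII Run value, a path into the rogue product's directory, an ActiveX download from a bare IP address, and a shell service object whose DLL is missing. The sample lines are copied from the log in this post; the regexes, heuristics and the `ROGUE_DIR` indicator are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied verbatim from the HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [Microsoft security adviser] C:\\MICROSOFT SECURITY ADVISER\\MSSADV.EXE
O4 - HKLM\\..\\Run: [msctrl.exe] \\Microsoft Security Adviser\\msctrl.exe
O4 - HKLM\\..\\Run: [mssadv.exe] \u0623\u0642
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
O21 - SSODL: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - C:\\WINDOWS\\SYSTEM\\eeuydc.dll (file missing)
"""

# Line formats for O4 (autostart), O16 (ActiveX download) and O21 (SSODL); my own patterns.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+?)(?: \((?P<note>file missing)\))?$")

# Directory name of the rogue "security" product in this thread (page-specific indicator, assumed).
ROGUE_DIR = "microsoft security adviser"

def check_o4(m):
    """Heuristics for a Run/RunServices entry; returns a list of reasons to flag it."""
    cmd = m.group("cmd")
    reasons = []
    if not cmd.isascii() or not cmd.isprintable():
        reasons.append("garbled or non-ASCII command value")
    elif cmd.startswith("\\"):
        # Legitimate installers write a full path; a root-relative one is a common sign of a dropped file.
        reasons.append("rootless path (no drive letter)")
    if ROGUE_DIR in cmd.lower():
        reasons.append("points into the rogue product directory")
    return reasons

def check_o16(m):
    """Flag ActiveX controls fetched from a bare IP literal instead of a hostname."""
    host = urlparse(m.group("url")).hostname or ""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return ["ActiveX control downloaded from a bare IP address"]
    return []

def check_o21(m):
    """A shell service object whose DLL is gone is a leftover registration to remove."""
    return ["shell service object registered but file missing"] if m.group("note") else []

CHECKS = ((O4_RE, check_o4), (O16_RE, check_o16), (O21_RE, check_o21))

def triage(log_text):
    """Return [(line, [reasons])] for every log line that trips at least one heuristic."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        for regex, check in CHECKS:
            if m := regex.match(line):
                if reasons := check(m):
                    findings.append((line, reasons))
                break
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the seven sample lines and leaves the ScanRegistry and AVG entries alone; the same heuristics apply to a full log pasted in place of the sample.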


#2 Yourhighness

The BSG Malware Fighter (Malware Response Team)

Posted 19 June 2007 - 12:27 AM

Hello tair and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible. (I will be off to work now but shall reply in about 12 hrs when I am back from work.)

Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Yourhighness

The BSG Malware Fighter (Malware Response Team)

Posted 20 June 2007 - 01:35 PM

Hi tair,

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread: http://www.bleepingcomputer.com/forums/t/96521/my-kids-computer-infected-microsoft-security-adviser/
  • Browse for these filenames:
    • C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
    • C:\Microsoft Security Adviser\msctrl.exe
    • C:\Microsoft Security Adviser\msavsc.exe
    • C:\Microsoft Security Adviser\msscan.exe
    • C:\Microsoft Security Adviser\msiemon.exe
    • C:\Microsoft Security Adviser\msfw.exe
  • In the comments, please mention that I asked you to upload this file: Yourhighness
  • Click on Send File
Please download SmitfraudFix (by S!Ri), alternate (with instructions as well) and extract the content (a folder named SmitfraudFix) to your Desktop.

Please download this file - combofix.exe
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log in your next reply together with a new HijackThis log
Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Please report back with your combofix.txt, a new HijackThis log, and C:\rapport.txt.

Thanks,
Johannes


#4 tair

Topic Starter

Posted 20 June 2007 - 10:42 PM

Hi Johannes,

Thanks for your help. I am having some trouble. First, I cannot locate any of the files except "C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE". I uploaded it as you said. The rest may have been removed by Lavasoft or Spybot.

Second, the link "http://download.bleepingcomputer.com/sUBs/combofix.exe" results in a 404 error.

I won't do anything else until I hear from you.

Thanks again,

Tair

#5 tair

Topic Starter

Posted 20 June 2007 - 10:50 PM

Hi again Johannes,

I do find the rest of the file names in the folder "C:\windows\applog", but they are all LGC files. I cannot find any of these as ".exe" files.

Thanks again,

Tair

#6 Yourhighness

The BSG Malware Fighter (Malware Response Team)

Posted 20 June 2007 - 11:00 PM

Hi tair,

please try http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe meanwhile.

As for the other files in "C:\windows\applog", that is fine. Please do upload them regardless of their file extension. I will be off to work soon, but should reply back within 24 hrs at the latest.

Johannes


#7 Yourhighness

The BSG Malware Fighter (Malware Response Team)

Posted 25 June 2007 - 11:59 AM

Hi tair,

just wondering how you are doing?

Regards,

Johannes


#8 tair

Topic Starter

Posted 01 July 2007 - 03:11 PM

Johannes,

Thanks for your help. I wasn't around last week and was unable to work on the computer. I was able to download "ComboFix" from the link that you sent, but when I run it I get two errors. First, "C:\windows\command.com", "The program issued a command, but the command length is incorrect". When I click "OK" I get this error: "cmd.exe", "Windows cannot find 'cmd.exe'. You may have typed the name incorrectly in the Run dialog, or another open program cannot find a system file. To search for a file, click the Start button, then click Search."

Also, I downloaded Sygate Personal Firewall and it is constantly blocking "mssadv.exe".

Looking forward to hearing from you,

Tair

#9 Yourhighness

The BSG Malware Fighter (Malware Response Team)

Posted 01 July 2007 - 03:56 PM

Hi tair,

Thanks for posting back. I am just posting so you know this thread is still being monitored. I am in the process of checking what this error could be.
Thanks,

Johannes


#10 Yourhighness

The BSG Malware Fighter (Malware Response Team)

Posted 02 July 2007 - 02:04 PM

Hi tair,

Unfortunately ComboFix does not support your operating system, so we will have to do it another way.

Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

O4 - HKLM\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKLM\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [mssadv.exe] أق
O4 - HKCU\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKCU\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [mssadv.exe] أق
O4 - HKCU\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
O21 - SSODL: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - C:\WINDOWS\SYSTEM\eeuydc.dll (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Step #2
  • Download KillBox from here
  • Unzip the folder to your desktop.
  • Start Killbox.exe
  • Select the Delete on Reboot option.
  • Click on the All Files button (!important!), which will then flash green.
  • Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

    C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
    C:\Microsoft Security Adviser\msctrl.exe
    C:\Microsoft Security Adviser\msavsc.exe
    C:\Microsoft Security Adviser\msscan.exe
    C:\Microsoft Security Adviser\msiemon.exe
    C:\Microsoft Security Adviser\msfw.exe
    C:\WINDOWS\SYSTEM\eeuydc.dll


  • Go to the File menu of Killbox, and choose Paste from Clipboard.
    NOTE: You must use the File menu; pasting by right-clicking the mouse will only enter one file.
  • Click the Delete File button that is a red circle with the white X in it. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Step #3

* Clean your Cache and Cookies in Internet Explorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #4

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Please report back with: a fresh HijackThis log, the OTMoveit log, the F-Secure log, and the SmitfraudFix log I asked for in my earlier post.

Thanks,

Johannes




