TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Michael McCawley on November 23, 2004, 11:35:57 AM
-
Have latest versions of McAfee Internet Security 6, Ad-aware SE, and Spybot S&D, yet cannot eradicate CWS from system. Help would be GREATLY appreciated.
Some supporting documentation:
Logfile of HijackThis v1.98.2
Scan saved at 10:36:24 AM, on 11/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TWarnMsg.exe
C:\WINNT\System32\Tdevdetect.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\WINNT\dslaunch.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINNT\System\MSMSGSVC.exe
C:\WINNT\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINNT\dslaunch.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\Toshiba\TME\TMESRV.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE5} - https://www.nationallife.com/Corporate/citrix/Wficat.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://scpwoa.ops.placeware.com/etc/place/OSCAR/SCOpws-a3s/5.1.5.222/lib/quicksilver.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
Also a CompareDLL log:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,075 items found: 1,075 files, 0 directories.
Total of file sizes: 190,212,929 bytes 181.40 M
Administrator Account = True
--------------------End log---------------------
Earlier CompareDLL found NTIEMBED.DLL, which has been deleted, yet CWS still reinstalls. Suggestions?
Thanks, Mike McCawley
-
Here is a StartDreck listing:
StartDreck (build 2.1.7 public stable) - 2004-11-23 @ 10:51:08 (GMT -06:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 6.0.2800.1106
Logged in as Mike at MIKE8100
»Registry
»Run Keys
»Current User
»Run
*MSMsgSvc=C:\WINNT\System\MSMSGSVC.exe
*Host=
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*S3TRAY=S3tray.exe
*Tpwrtray=TPWRTRAY.EXE
*TWarnMsg=TWarnMsg.exe
*TDspOff=Tdspoff.exe B
*YAMAHA DS-XG Launcher=C:\WINNT\dslaunch.exe
*MCUpdateExe=C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
*MSKAGENTEXE=C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
*VSOCheckTask="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
*McAfee Guardian=C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
*MCAgentExe=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
*VirusScan Online="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
*MSKDetectorExe=C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
*Synchronization Manager=mobsync.exe /logon
*MPFTray=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*AOL Spyware Protection="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*Host=
*McRegWiz=C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AnalyzeIE.DOMPeek.1/{834261E1-DD97-4177-853B-C907E5D5BD6E}
`InprocServer32=C:\WINNT\dpe.dll
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TSBxLogon.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TMExLogon.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\system32\config.nt
*C:\WINNT\system32\autoexec.nt
*C:\WINNT\system32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+156=\SystemRoot\System32\smss.exe
+180=\??\C:\WINNT\system32\csrss.exe
+176=\??\C:\WINNT\system32\winlogon.exe
+228=C:\WINNT\system32\services.exe
+240=C:\WINNT\system32\lsass.exe
+392=C:\WINNT\system32\svchost.exe
+436=C:\WINNT\System32\svchost.exe
+484=C:\WINNT\system32\LEXBCES.EXE
+508=C:\WINNT\system32\spoolsv.exe
+536=C:\Program Files\AccessManager\Client\AMBroker.exe
+556=C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
+636=C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
+684=c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
+716=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
+780=C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
+852=C:\WINNT\system32\regsvc.exe
+864=C:\WINNT\system32\MSTask.exe
+884=C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
+940=C:\WINNT\SYSTEM32\THOTKEY.EXE
+956=C:\WINNT\System32\Tmesbs2.exe
+988=C:\Program Files\TOSHIBA\TME\Tmesrv.exe
+1016=C:\WINNT\System32\WBEM\WinMgmt.exe
+1040=C:\WINNT\system32\svchost.exe
+1144=C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
+1168=c:\PROGRA~1\mcafee.com\vso\mcshield.exe
+1208=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
+1276=c:\program files\mcafee.com\agent\mcagent.exe
+1476=C:\WINNT\system32\S3tray.exe
+1508=C:\WINNT\system32\TPWRTRAY.EXE
+1516=C:\WINNT\system32\TWarnMsg.exe
+1528=C:\WINNT\System32\Tdevdetect.exe
+1548=C:\WINNT\system32\ntvdm.exe
+1556=C:\WINNT\System32\Tfunckey.exe
+1576=C:\WINNT\System32\Tpwricon.exe
+1592=C:\WINNT\dslaunch.exe
+1632=C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
+1656=C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
+1672=C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
+1720=c:\progra~1\mcafee.com\vso\mcvsescn.exe
+1796=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
+1480=C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
+1536=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+1488=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
+1860=C:\WINNT\System\MSMSGSVC.exe
+1832=C:\WINNT\explorer.exe
+1736=C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
+1320=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+1292=C:\HJT\HijackThis.exe
+544=C:\StartDreck\StartDreck.exe
»NT Services
*Alerter Alerter - on demand
*Access Manager Configuration Service AMBroker running auto
*AOL Connectivity Service AOL ACS running auto
*Application Management AppMgmt running on demand
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*Visual Insight DA Plugin DAPlugin - on demand
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Contivity VPN Service ExtranetAccess - on demand
*Fax Service Fax - on demand
*McAfee Privacy Service GuardDogEXE running auto
*Infrared Monitor Irmon running auto
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*LexBce Server LexBceS running auto
*TCP/IP NetBIOS Helper Service LmHosts running auto
*McAfee.com McShield McShield running on demand
*McAfee SecurityCenter Update Manager mcupdmgr.exe - on demand
*McAfee.com VirusScan Online Realtime Engine MCVSRte running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*McAfee Personal Firewall Service MpfService running auto
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*McAfee SpamKiller Server MskService running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc running auto
*Plug and Play PlugPlay running auto
*IPSEC Policy Agent PolicyAgent - disabled
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry Service RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*RunAs Service seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Sharing SharedAccess - on demand
*SP Software Installer SP Software Installe running auto
*Print Spooler Spooler running auto
*Visual Insight Dial Analysis sp_spi_da - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*THOTKEY THOTKEY running auto
*Telnet TlntSvr - on demand
*tmesbs2 Tmesbs running auto
*Tmesrv Tmesrv running auto
*Distributed Link Tracking Client TrkWks running auto
*Uninterruptible Power Supply UPS - on demand
*Utility Manager UtilMan - on demand
*Windows Time W32Time - on demand
*Windows Management Instrumentation WinMgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Extensions Wmi running on demand
*Automatic Updates wuauserv running auto
*Wireless Configuration WZCSVC - on demand
»Application specific
-
Thanks to the great posters who have helped solve others' problems, I have been able to resolve this and remove the infection.
MSMSGSVC was the background task regenerating CWS. I stopped that service and was able to use Ad-Aware se and HiJackThis to complete the removal.
Thanks, MLM
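As an added example (not from this thread or any of its posters), here is a Python triage pass over HijackThis-format lines that flags the kinds of entries this thread turned on: R0/R1 search and start-page URLs pointing at hosts outside an analyst-maintained allowlist or marked "(obfuscated)", and O2/O3/O4 entries whose binary sits directly in the Windows root or the legacy \System folder instead of \System32 or a Program Files tree, as dpe.dll and MSMSGSVC.exe did here. The sample lines are constructed from entries in the posted log, and the host allowlist is an assumption an analyst would maintain.

```python
import re

# Constructed sample in HijackThis 1.98 format, modelled on entries from the
# log posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINNT\System\MSMSGSVC.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Hosts the analyst considers legitimate for IE start/search pages (assumed list).
ALLOWED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
# Binaries dropped directly into the Windows root or the legacy \System folder
# (rather than \System32 or a Program Files tree) are a classic hijacker tell.
SUSPECT_DIRS = {r"c:\winnt", r"c:\winnt\system", r"c:\windows", r"c:\windows\system"}

R_LINE = re.compile(r"^R[01] - .+? = (?P<url>\S+)(?P<rest>.*)$")
O23_LINE = re.compile(r"^O[23] - (?:BHO|Toolbar): .+? - \{[^}]+\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?:.+?: \[[^\]]+\]|Global Startup: .+?\.lnk =) (?P<cmd>.+)$")
# First drive-rooted path ending in an executable extension, quoted or not.
EXE_PATH = re.compile(r'([a-z]:\\[^"]+?\.(?:exe|dll|scr|com|bat))(?=["\s]|$)', re.I)

def host_of(url):
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()

def check_binary(cmd, line, findings):
    m = EXE_PATH.search(cmd)
    if not m:  # bare filename: resolved via PATH, so its location must be confirmed
        findings.append(("bare-filename", cmd.split()[0], line))
        return
    path = m.group(1).lower()
    if path.rsplit("\\", 1)[0] in SUSPECT_DIRS:
        findings.append(("windows-root-binary", m.group(1), line))

def triage(log_text):
    """Return (tag, detail, line) tuples for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            if "(obfuscated)" in m.group("rest"):
                findings.append(("obfuscated-url", host_of(m.group("url")), line))
            elif host_of(m.group("url")) not in ALLOWED_HOSTS:
                findings.append(("unknown-url-host", host_of(m.group("url")), line))
        elif m := O23_LINE.match(line):
            check_binary(m.group("path"), line, findings)
        elif m := O4_LINE.match(line):
            check_binary(m.group("cmd"), line, findings)
    return findings
```

Running `triage(SAMPLE_LOG)` on these lines flags the e-finder.cc entry, the fake default.home start page, dpe.dll in C:\WINNT and MSMSGSVC.exe in C:\WINNT\System, and notes S3tray.exe as a path-less entry to confirm; the McAfee and Office entries pass.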
-
Can you post a fresh HijackThis log to ensure that everything was removed?