Disinfecting a PC… part 1



This is the first in a multi-part series documenting the cleaning of an infected PC. The only really noteworthy thing about it is that the machine had a dial-up-only connection and was heavily infested for that, on par with some of the broadband-connected PCs I've seen. (It's also an interesting counterpoint to the network security series.)


The system was a Windows ME PC (I know... yuck) with decent specs for that vintage. The first thing I did was look at the running processes and at what was starting at boot (Start, Run, msconfig). Then I ran HijackThis to get a proper log of the situation.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:44 PM, on 12/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\PROGRAM FILES\BMCENTRAL\BMLAUNCHER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\WINDOWS\GOIDR.EXE
C:\WINDOWS\JAWA32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\XECRTYR.EXE
C:\WINDOWS\GUQVQMM.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HTIBEBD.EXE
C:\WINDOWS\SYSTEM\HDABECT.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
A:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://migration.msn.com/upgrade56/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://migration.msn.com/upgrade56/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: (no name) - {} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O2 - BHO: SDWin32 Class - {B85AD4F1-4B57-4BD4-AC24-35994EC362B2} - C:\WINDOWS\SYSTEM\PUSWX.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll
O2 - BHO: (no name) - {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} - C:\WINDOWS\Xrdkbklj.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search - {D48E1692-BA1B-26E3-B27C-7ACB401E83C5} - C:\WINDOWS\Xrdkbklj.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [puswxc] C:\WINDOWS\SYSTEM\puswxc.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [ylgril] C:\WINDOWS\ylgril.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\Broderbund Party and Crafts Creator\pmremind.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNFORIE.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL

The biggest things that jump out are jawa32.exe (registered under several HKLM and HKCU Run and RunServices keys), SurfSideKick, VBouncer, and a pile of randomly named programs (goidr.exe, aqadcup.exe, Xecrtyr.exe, Guqvqmm.exe, ylgril.exe) running directly out of C:\WINDOWS, with more of the same (saie.exe, puswxc.exe) in C:\WINDOWS\SYSTEM. Then there are the browser helper objects (BHOs): a few orphaned ones with no name and no file, and a few live ones whose DLLs (PECXL.DLL, PUSWX.DLL, Helper100.dll, Xrdkbklj.dll) were dropped straight into the Windows directories. Two O16 entries fetch bare executables from greatplugin.com/diallerfiles and 2nd-thought.com, which on a dial-up box reads like a dialler, and the O18 entry has the text/html filter hooked by LMF32V.DLL, so that DLL gets to see and rewrite every page IE loads. Looks like this is going to be fun.
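The read-through above (unknown binaries launched from C:\WINDOWS, BHOs with no file, ActiveX downloads pointing at bare .exe files, a text/html filter) can be mechanised for the next log. The script below is an added example for this post, not the blog author's or HijackThis's own code. It parses a dozen lines lifted from the log above (backslashes restored, so they are constructed sample input rather than a full log) and flags them with a few heuristics. The allowlist of Windows ME components, the severity labels and the regexes for the HijackThis 1.99 line shapes are all assumptions.

```python
"""Triage a HijackThis log for the patterns picked out in the post.

Added example, not the blog author's or HijackThis's own code. The allowlist,
the severities and the line regexes are assumptions made for this example.
"""
import ntpath
import re
from collections import Counter

# Assumption: Windows ME components that legitimately live directly in
# C:\WINDOWS or C:\WINDOWS\SYSTEM and appear in O2/O3/O4 lines. Anything else
# launched or loaded from those two directories is treated as suspect.
WINME_KNOWN = {
    "scanregw.exe", "taskmon.exe", "pchschd.exe", "systray.exe", "rundll32.exe",
    "loadqm.exe", "mstask.exe", "ssdpsrv.exe", "statemgr.exe", "msdxm.ocx",
    "shdocvw.dll",
}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system"}

# HijackThis 1.99 line shapes, inferred from the log in the post (assumption).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]*)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[^}]*\} - (?P<path>.*)$")

# Constructed sample: lines lifted from the log above with backslashes restored.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O2 - BHO: (no name) - {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} - C:\WINDOWS\Xrdkbklj.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL
"""


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def from_windows_dir(path: str) -> bool:
    # True when the file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM and is
    # not a known component. Bare names like "PrinTray.exe" have no directory.
    directory = ntpath.dirname(path).lower()
    return directory in WINDOWS_DIRS and ntpath.basename(path).lower() not in WINME_KNOWN


def triage(log_text: str) -> list:
    """Return one finding per suspicious line: {'severity', 'reason', 'line'}."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    counts = Counter(lines)
    findings = []

    def flag(severity, reason, line):
        findings.append({"severity": severity, "reason": reason, "line": line})

    for line in dict.fromkeys(lines):  # first-seen order, duplicates collapsed
        if (m := O4_RE.match(line)):
            path = exe_path(m["cmd"])
            if from_windows_dir(path):
                flag("high", f"unknown autorun {ntpath.basename(path)} launched "
                             f"straight from {ntpath.dirname(path)}", line)
        elif (m := O23_RE.match(line)):
            if m["path"] == "(no file)":
                flag("low", "orphaned BHO/toolbar registration, remove it", line)
            elif from_windows_dir(m["path"]):
                flag("high", f"BHO/toolbar DLL {ntpath.basename(m['path'])} dropped "
                             f"into {ntpath.dirname(m['path'])}", line)
        elif (m := O16_RE.match(line)):
            if m["url"].lower().endswith(".exe"):
                flag("high", "ActiveX download entry points at a bare .exe, not a .cab", line)
        elif (m := O18_RE.match(line)):
            flag("high", f"{m['mime']} MIME filter hooked by {ntpath.basename(m['path'])}; "
                         "it sees every page IE renders", line)
        if counts[line] > 1:
            flag("medium", f"entry listed {counts[line]} times, check each key it lives in", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run it as-is to see the sample triaged, or pass a whole log with triage(open(path).read()). The allowlist is the weak point: it has to be built per OS version and per machine, which is exactly why a log like this still needs a human read rather than a script alone.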
