Disinfecting a PC… part 1



This is the first in a several-part series documenting the cleaning of an infected PC. The only really noteworthy item is that the machine had a dial-up-only connection and was rather heavily infested for that (on par with some of the broadband-connected PCs I've seen). It's also an interesting counterpoint to the network security series.


The system was a Windows ME (I know... yuck) PC with decent specs for that vintage. The first thing I did was take a look at the running processes and at the items starting at boot (Start, Run, msconfig). I ran HijackThis to get a good log of the situation.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:44 PM, on 12/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\PROGRAM FILES\BMCENTRAL\BMLAUNCHER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\WINDOWS\GOIDR.EXE
C:\WINDOWS\JAWA32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\XECRTYR.EXE
C:\WINDOWS\GUQVQMM.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HTIBEBD.EXE
C:\WINDOWS\SYSTEM\HDABECT.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
A:\HIJACKTHIS.EXE



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://migration.msn.com/upgrade56/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://migration.msn.com/upgrade56/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: (no name) - {} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O2 - BHO: SDWin32 Class - {B85AD4F1-4B57-4BD4-AC24-35994EC362B2} - C:\WINDOWS\SYSTEM\PUSWX.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll
O2 - BHO: (no name) - {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} - C:\WINDOWS\Xrdkbklj.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search - {D48E1692-BA1B-26E3-B27C-7ACB401E83C5} - C:\WINDOWS\Xrdkbklj.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [puswxc] C:\WINDOWS\SYSTEM\puswxc.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [ylgril] C:\WINDOWS\ylgril.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\Broderbund Party and Crafts Creator\pmremind.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNFORIE.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL

The biggest things that jump out are jawa32.exe, SurfSideKick and several seemingly randomly named programs running directly from the Windows directory (and from Windows\System, plus VBouncer), along with a few BHOs (Browser Helper Objects)... looks like this is going to be fun.
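The eyeballing above can be scripted. The following is an added example, not code from the original post or from HijackThis: it parses O2/O3/O4/O16 entries in the v1.99 log format and flags the same three things the paragraph singles out (unnamed BHOs/toolbars, autostarts dropped straight into \WINDOWS or \WINDOWS\SYSTEM that are not known OS components, and ActiveX DPF entries that pull a raw .exe). The sample lines and the Windows ME baseline set are constructed assumptions modelled on the log above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99 format, modelled on the log above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} - C:\WINDOWS\Xrdkbklj.dll
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
"""

# Assumed baseline of Windows ME autostart binaries the analyst accepts (illustrative, not exhaustive).
WINME_BASELINE = {"scanregw.exe", "taskmon.exe", "systray.exe", "loadqm.exe", "pchschd.exe",
                  "mstask.exe", "ssdpsrv.exe", "statemgr.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_path(cmd):
    """Pull the executable out of an O4 command line; HJT leaves paths with spaces unquoted."""
    m = re.match(r'"?(.+?\.(?:exe|com|dll))', cmd.strip(), re.IGNORECASE)
    return m.group(1) if m else cmd.strip()

def triage(log_text):
    """Return (line, reason) pairs for the entries a human should inspect first."""
    findings = []
    for line in log_text.splitlines():
        # Unnamed BHOs/toolbars: legitimate vendors almost always register a class name.
        if line.startswith(("O2 - ", "O3 - ")) and "(no name)" in line:
            findings.append((line, "unnamed BHO/toolbar"))
        m = O4_RE.match(line)
        if m:
            p = PureWindowsPath(exe_path(m["cmd"]))
            parent = str(p.parent).lower()
            # Autostarts sitting directly in \WINDOWS or \WINDOWS\SYSTEM that are not known OS components.
            if parent in ("c:\\windows", "c:\\windows\\system") and p.name.lower() not in WINME_BASELINE:
                findings.append((line, "unknown autostart directly in Windows dir"))
        # ActiveX download entries that fetch a bare executable rather than a .cab package.
        if line.startswith("O16 - ") and line.lower().endswith(".exe"):
            findings.append((line, "DPF entry downloads a raw .exe"))
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed sample flags six entries; the baseline set is the part to tune per machine, since a missing legitimate binary simply shows up as one more item to check by hand.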
