Disinfecting a PC… part 1



This is the first in a several part series documenting the cleaning of an infected PC. The only real noteworthy item is that it was a dial-up only connection and was rather infested for that. (On par with some of the broadband connected pc’s I’ve seen. It’s also an interesting counterpoint to the network security series.)


The system was a Windows ME (I know… yuck) PC, not bad specs for that “vintage”. The first thing I did was take a look at running processes and look at items starting at boot (start, run, msconfig). I ran hijackthis to get a good logging of the situation.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:44 PM, on 12/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:WINDOWSSYSTEMKERNEL32.DLL
C:WINDOWSSYSTEMMSGSRV32.EXE
C:WINDOWSSYSTEMSPOOL32.EXE
C:WINDOWSSYSTEMMPREXE.EXE
C:WINDOWSSYSTEMMSTASK.EXE
C:WINDOWSSYSTEMSSDPSRV.EXE
C:WINDOWSSYSTEMLEXBCES.EXE
C:WINDOWSSYSTEMRPCSS.EXE
C:WINDOWSSYSTEMmmtask.tsk
C:WINDOWSSYSTEMRESTORESTMGR.EXE
C:WINDOWSEXPLORER.EXE
C:WINDOWSTASKMON.EXE
C:WINDOWSSYSTEMSYSTRAY.EXE
C:PROGRAM FILESESOFTEBOARDEBOARD.EXE
C:PROGRAM FILESBMCENTRALBMLAUNCHER.EXE
C:WINDOWSLOADQM.EXE
C:PROGRAM FILESREALREALPLAYERREALPLAY.EXE
C:PROGRAM FILESCOMMON FILESSLMSSSLMSS.EXE
C:WINDOWSGOIDR.EXE
C:WINDOWSJAWA32.EXE
C:WINDOWSSYSTEMLXSUPMON.EXE
C:WINDOWSXECRTYR.EXE
C:WINDOWSGUQVQMM.EXE
C:WINDOWSSYSTEMSAIE.EXE
C:WINDOWSSYSTEMPRINTRAY.EXE
C:PROGRAM FILESMESSENGERMSMSGS.EXE
C:WINDOWSSYSTEMHTIBEBD.EXE
C:WINDOWSSYSTEMHDABECT.EXE
C:PROGRAM FILESREALREALJUKEBOXTSYSTRAY.EXE
C:PROGRAM FILESAOL COMPANIONCOMPANION.EXE
C:WINDOWSSYSTEMWMIEXE.EXE
C:PROGRAM FILESCOMMON FILESMICROSOFT SHAREDWORKS SHAREDWKCALREM.EXE
C:PROGRAM FILESAMERICA ONLINE 8.0BAOLTRAY.EXE
C:PROGRAM FILESWEBSHOTSWEBSHOTSTRAY.EXE
C:WINDOWSSYSTEMMSCONFIG.EXE
A:HIJACKTHIS.EXE



R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = https://migration.msn.com/upgrade56/default.asp
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = https://migration.msn.com/upgrade56/default.asp
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer provided by MSN
R3 – URLSearchHook: (no name) – {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} – C:PROGRAM FILESSURFSIDEKICK 2SSKBHO.DLL
O2 – BHO: Yahoo! Companion BHO – {02478D38-C3F9-4efb-9B51-7695ECA05670} – C:PROGRAM FILESYAHOO!COMPANIONINSTALLSCPNYCOMP5_3_12_0.DLL
O2 – BHO: IncrediFindBHO Class – {5D60FF48-95BE-4956-B4C6-6BB168A70310} – C:PROGRA~1INCRED~1BHOINCFIN~1.DLL
O2 – BHO: (no name) – {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} – (no file)
O2 – BHO: (no name) – {} – (no file)
O2 – BHO: SDWin32 Class – {F96100A4-C5BC-4B07-89CA-2E689ED3F304} – C:WINDOWSSYSTEMPECXL.DLL
O2 – BHO: SDWin32 Class – {B85AD4F1-4B57-4BD4-AC24-35994EC362B2} – C:WINDOWSSYSTEMPUSWX.DLL
O2 – BHO: My Search BHO – {014DA6C1-189F-421a-88CD-07CFE51CFF10} – (no file)
O2 – BHO: (no name) – {017C20C1-F86F-11D8-9B25-000ACD002AE3} – C:WINDOWSHelper100.dll
O2 – BHO: (no name) – {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} – C:WINDOWSXrdkbklj.dll
O2 – BHO: LinkTracker Class – {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} – C:WINDOWSSYSTEMLMF32V.DLL
O3 – Toolbar: @msdxmLC.dll,-1@1033,&Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:WINDOWSSYSTEMMSDXM.OCX
O3 – Toolbar: &Yahoo! Companion – {EF99BD32-C1FB-11D2-892F-0090271D4F88} – C:PROGRAM FILESYAHOO!COMPANIONINSTALLSCPNYCOMP5_3_12_0.DLL
O3 – Toolbar: (no name) – {014DA6C9-189F-421a-88CD-07CFE51CFF10} – (no file)
O3 – Toolbar: Search – {D48E1692-BA1B-26E3-B27C-7ACB401E83C5} – C:WINDOWSXrdkbklj.dll
O4 – HKLM..Run: [ScanRegistry] C:WINDOWSscanregw.exe /autorun
O4 – HKLM..Run: [TaskMonitor] C:WINDOWStaskmon.exe
O4 – HKLM..Run: [PCHealth] C:WINDOWSPCHealthSupportPCHSchd.exe -s
O4 – HKLM..Run: [SystemTray] SysTray.Exe
O4 – HKLM..Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM..Run: [eMachine eBoard] C:PROGRA~1ESOFTEBOARDeBoard.exe
O4 – HKLM..Run: [BookmarkCentral] C:PROGRA~1BMCENT~1BMLauncher.exe
O4 – HKLM..Run: [LoadQM] loadqm.exe
O4 – HKLM..Run: [RealTray] C:Program FilesRealRealPlayerRealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 – HKLM..Run: [slmss] C:Program FilesCommon Filesslmssslmss.exe
O4 – HKLM..Run: [goidr] C:WINDOWSgoidr.exe
O4 – HKLM..Run: [aqadcup] C:WINDOWSaqadcup.exe
O4 – HKLM..Run: [Jawa32] C:WINDOWSjawa32.exe
O4 – HKLM..Run: [LXSUPMON] C:WINDOWSSYSTEMLXSUPMON.EXE RUN
O4 – HKLM..Run: [Swup] C:WINDOWSXecrtyr.exe
O4 – HKLM..Run: [Swup] C:WINDOWSXecrtyr.exe
O4 – HKLM..Run: [Jawa322] C:WINDOWSjawa32.exe
O4 – HKLM..Run: [Dfnm] C:WINDOWSGuqvqmm.exe
O4 – HKLM..Run: [SurfSideKick 2] C:PROGRAM FILESSURFSIDEKICK 2Ssk.exe
O4 – HKLM..Run: [saie] c:windowssystemsaie.exe
O4 – HKLM..Run: [puswxc] C:WINDOWSSYSTEMpuswxc.exe
O4 – HKLM..Run: [VBouncerDL] C:Program FilesVBouncerVBouncerInner.exe /S
O4 – HKLM..Run: [ylgril] C:WINDOWSylgril.exe
O4 – HKLM..Run: [LexStart] Lexstart.exe
O4 – HKLM..Run: [LexmarkPrinTray] PrinTray.exe
O4 – HKLM..RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM..RunServices: [SchedulingAgent] mstask.exe
O4 – HKLM..RunServices: [SSDPSRV] C:WINDOWSSYSTEMssdpsrv.exe
O4 – HKLM..RunServices: [*StateMgr] C:WINDOWSSystemRestoreStateMgr.exe
O4 – HKCU..Run: [MSMSGS] “C:PROGRA~1MESSEN~1msmsgs.exe” /background
O4 – HKCU..Run: [RealJukeboxSystray] “C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”
O4 – HKCU..Run: [Jawa32] C:WINDOWSjawa32.exe
O4 – HKCU..Run: [Yahoo! Pager] C:Program FilesYahoo!Messengerypager.exe -quiet
O4 – HKCU..Run: [Jawa322] C:WINDOWSjawa32.exe
O4 – HKCU..Run: [SurfSideKick 2] C:PROGRAM FILESSURFSIDEKICK 2Ssk.exe
O4 – HKCU..RunServices: [MSMSGS] “C:PROGRA~1MESSEN~1msmsgs.exe” /background
O4 – HKCU..RunServices: [RealJukeboxSystray] “C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”
O4 – HKCU..RunServices: [Jawa32] C:WINDOWSjawa32.exe
O4 – HKCU..RunServices: [Yahoo! Pager] C:Program FilesYahoo!Messengerypager.exe -quiet
O4 – HKCU..RunServices: [Jawa322] C:WINDOWSjawa32.exe
O4 – HKCU..RunServices: [SurfSideKick 2] C:PROGRAM FILESSURFSIDEKICK 2Ssk.exe
O4 – Startup: AOL Companion.lnk = C:Program FilesAOL Companioncompanion.exe
O4 – Startup: Microsoft Works Calendar Reminders.lnk = C:Program FilesCommon FilesMicrosoft SharedWorks Sharedwkcalrem.exe
O4 – Startup: MSN Quick View.lnk = C:Program FilesOnline ServicesMSN50MSNDC.EXE
O4 – Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE
O4 – Startup: America Online 8.0 Tray Icon.lnk = C:Program FilesAmerica Online 8.0baoltray.exe
O4 – Startup: Webshots.lnk = C:Program FilesWebshotsWebshotsTray.exe
O4 – Startup: Event Reminder.lnk = C:Program FilesBroderbundBroderbund Party and Crafts Creatorpmremind.exe
O8 – Extra context menu item: &Yahoo! Search – file:///C:Program FilesYahoo!Common/ycsrch.htm
O8 – Extra context menu item: Yahoo! &Dictionary – file:///C:Program FilesYahoo!Common/ycdict.htm
O8 – Extra context menu item: Yahoo! &Maps – file:///C:Program FilesYahoo!Common/ycdict.htm
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 – Extra ‘Tools’ menuitem: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 – Extra button: Real.com – {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} – C:WINDOWSSYSTEMShdocvw.dll
O9 – Extra button: Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:PROGRAM FILESYAHOO!MESSENGERYHEXBMES0521.DLL
O9 – Extra ‘Tools’ menuitem: Yahoo! Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:PROGRAM FILESYAHOO!MESSENGERYHEXBMES0521.DLL
O9 – Extra button: MSN – {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} – C:PROGRA~1ONLINE~1MSN50OCXMSNFORIE.DLL (HKCU)
O14 – IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 – DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} – http://www.greatplugin.com/diallerfiles/011145.exe
O16 – DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} – http://www.2nd-thought.com/files/install026.exe
O16 – DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) – http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 – DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) – http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 – DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) – http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 – HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O18 – Filter: text/html – {DFAA31C8-A356-4313-9D95-5EDAB46C5070} – C:WINDOWSSYSTEMLMF32V.DLL

The biggest things that jump out are jawa’s (jawa32.exe), surf sidekick and some seemingly random named programs running directly from the Windows directory. (and windowssystem and vbouncer) A few BHO’s (Browser helper objects)… looks like this is going to be fun.

Related Posts

Blog Traffic Exchange Related Posts
  • Link to Program on Mapped Network Drive not Working - Windows Cannot Access the Specified Path or File Windows XP Home connecting to a file share in a Domain controlled by Windows 2000.... Not quite your recipe for headache free things "just working" I guess, but this is what I've run into. This workstation had a mapped drive connected to a folder on the server which opened in......
  • Another workaround for WMF exploit There are at least two other workarounds for the Windows Meta File (WMF) exploit that I've been looking into this afternoon. These from sunbelt blog. First up... 2. Change file associations for WMF files. An equally ugly fix (but perhaps preferable) is to do the following: 1. Go to My......
  • How to Remove Desktop Defender 2010 | Removal Guide Desktop Defender 2010 is a rogue antivirus program. It will prompt you with popups complaining about various problems that it claim your system has as well as scanning your computer and consistently finding some files to complain about. It also claims that it cannot fix the problems with your system......
Blog Traffic Exchange Related Websites
  • Creating a Blog Video Online About two years ago, blogging hit a surge that allowed its way into the mainstream, and now everybody is blogging for a wide variety of different reasons. Blogs resemble web-based public diaries of sorts, where the creator can record their thoughts, their opinions, questions and answers and essentially anything else......
  • Hard Drive Test Tips Different Tools for your Hard Drive Test It is always good to check your disk by doing a regular hard drive test. One way of doing it is by using the operating system integrated tool and try to set up a regular scheduled task to have a hard drive test.......
  • Windows 7 Sales Spike to Overtake Mac OS X [/caption]Proving there is no accounting for taste Microsoft’s latest attempt at a decent operating system, Windows 7, is now running on 5% of the computers online.  The daily average of online users as measured by Internet metrics company Net Applications showed that an increase last week put Windows 7 above......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site