Disinfecting a PC… part 1



This is the first in a several part series documenting the cleaning of an infected PC. The only real noteworthy item is that it was a dial-up only connection and was rather infested for that. (On par with some of the broadband connected pc’s I’ve seen. It’s also an interesting counterpoint to the network security series.)


The system was a Windows ME (I know… yuck) PC, not bad specs for that “vintage”. The first thing I did was take a look at running processes and look at items starting at boot (start, run, msconfig). I ran hijackthis to get a good logging of the situation.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:44 PM, on 12/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\PROGRAM FILES\BMCENTRAL\BMLAUNCHER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\WINDOWS\GOIDR.EXE
C:\WINDOWS\JAWA32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\XECRTYR.EXE
C:\WINDOWS\GUQVQMM.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HTIBEBD.EXE
C:\WINDOWS\SYSTEM\HDABECT.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
A:\HIJACKTHIS.EXE



R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://migration.msn.com/upgrade56/default.asp
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://migration.msn.com/upgrade56/default.asp
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R3 – URLSearchHook: (no name) – {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} – C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 – BHO: Yahoo! Companion BHO – {02478D38-C3F9-4efb-9B51-7695ECA05670} – C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 – BHO: IncrediFindBHO Class – {5D60FF48-95BE-4956-B4C6-6BB168A70310} – C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 – BHO: (no name) – {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} – (no file)
O2 – BHO: (no name) – {} – (no file)
O2 – BHO: SDWin32 Class – {F96100A4-C5BC-4B07-89CA-2E689ED3F304} – C:\WINDOWS\SYSTEM\PECXL.DLL
O2 – BHO: SDWin32 Class – {B85AD4F1-4B57-4BD4-AC24-35994EC362B2} – C:\WINDOWS\SYSTEM\PUSWX.DLL
O2 – BHO: My Search BHO – {014DA6C1-189F-421a-88CD-07CFE51CFF10} – (no file)
O2 – BHO: (no name) – {017C20C1-F86F-11D8-9B25-000ACD002AE3} – C:\WINDOWS\Helper100.dll
O2 – BHO: (no name) – {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} – C:\WINDOWS\Xrdkbklj.dll
O2 – BHO: LinkTracker Class – {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} – C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 – Toolbar: @msdxmLC.dll,-1@1033,&Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 – Toolbar: &Yahoo! Companion – {EF99BD32-C1FB-11D2-892F-0090271D4F88} – C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 – Toolbar: (no name) – {014DA6C9-189F-421a-88CD-07CFE51CFF10} – (no file)
O3 – Toolbar: Search – {D48E1692-BA1B-26E3-B27C-7ACB401E83C5} – C:\WINDOWS\Xrdkbklj.dll
O4 – HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 – HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 – HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 – HKLM\..\Run: [SystemTray] SysTray.Exe
O4 – HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 – HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 – HKLM\..\Run: [LoadQM] loadqm.exe
O4 – HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 – HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 – HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 – HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 – HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 – HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 – HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 – HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 – HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 – HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 – HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 – HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 – HKLM\..\Run: [puswxc] C:\WINDOWS\SYSTEM\puswxc.exe
O4 – HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 – HKLM\..\Run: [ylgril] C:\WINDOWS\ylgril.exe
O4 – HKLM\..\Run: [LexStart] Lexstart.exe
O4 – HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 – HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 – HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 – HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 – HKCU\..\Run: [MSMSGS] “C:\PROGRA~1\MESSEN~1\msmsgs.exe” /background
O4 – HKCU\..\Run: [RealJukeboxSystray] “C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe”
O4 – HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 – HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 – HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 – HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 – HKCU\..\RunServices: [MSMSGS] “C:\PROGRA~1\MESSEN~1\msmsgs.exe” /background
O4 – HKCU\..\RunServices: [RealJukeboxSystray] “C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe”
O4 – HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
O4 – HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 – HKCU\..\RunServices: [Jawa322] C:\WINDOWS\jawa32.exe
O4 – HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 – Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 – Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 – Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 – Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 – Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O4 – Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 – Startup: Event Reminder.lnk = C:\Program Files\Broderbund\Broderbund Party and Crafts Creator\pmremind.exe
O8 – Extra context menu item: &Yahoo! Search – file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 – Extra context menu item: Yahoo! &Dictionary – file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 – Extra context menu item: Yahoo! &Maps – file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 – Extra ‘Tools’ menuitem: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 – Extra button: Real.com – {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} – C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 – Extra button: Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 – Extra ‘Tools’ menuitem: Yahoo! Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 – Extra button: MSN – {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} – C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNFORIE.DLL (HKCU)
O14 – IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 – DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} – http://www.greatplugin.com/diallerfiles/011145.exe
O16 – DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} – http://www.2nd-thought.com/files/install026.exe
O16 – DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) – http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 – DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) – http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 – DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) – http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 – HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 – Filter: text/html – {DFAA31C8-A356-4313-9D95-5EDAB46C5070} – C:\WINDOWS\SYSTEM\LMF32V.DLL

The biggest things that jump out are jawa’s (jawa32.exe), surf sidekick and some seemingly random named programs running directly from the Windows directory. (and \windows\system and vbouncer) A few BHO’s (Browser helper objects)… looks like this is going to be fun.

   Send article as PDF   

Similar Posts