Disinfecting a PC… part 1

This is the first in a multi-part series documenting the cleaning of an infected PC. The only really noteworthy thing about it is that the machine had a dial-up-only connection and was still heavily infested, on a par with some of the broadband-connected PCs I've seen. It also makes an interesting counterpoint to the network security series.


The system was a Windows ME PC (I know… yuck), with decent specs for that vintage. The first thing I did was look at the running processes and at the items starting at boot (Start, Run, msconfig). Then I ran HijackThis to get a full log of the situation before touching anything:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:44 PM, on 12/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\PROGRAM FILES\BMCENTRAL\BMLAUNCHER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\WINDOWS\GOIDR.EXE
C:\WINDOWS\JAWA32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\XECRTYR.EXE
C:\WINDOWS\GUQVQMM.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HTIBEBD.EXE
C:\WINDOWS\SYSTEM\HDABECT.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
A:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://migration.msn.com/upgrade56/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://migration.msn.com/upgrade56/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: (no name) - {} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O2 - BHO: SDWin32 Class - {B85AD4F1-4B57-4BD4-AC24-35994EC362B2} - C:\WINDOWS\SYSTEM\PUSWX.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll
O2 - BHO: (no name) - {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} - C:\WINDOWS\Xrdkbklj.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search - {D48E1692-BA1B-26E3-B27C-7ACB401E83C5} - C:\WINDOWS\Xrdkbklj.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [puswxc] C:\WINDOWS\SYSTEM\puswxc.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [ylgril] C:\WINDOWS\ylgril.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\Broderbund Party and Crafts Creator\pmremind.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNFORIE.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL

The biggest things that jump out are the Jawa32 entries (jawa32.exe, wired into both the HKLM and HKCU Run and RunServices keys), SurfSideKick, VBouncer, and a handful of randomly named programs running straight out of the Windows directory and Windows\System (xecrtyr.exe, guqvqmm.exe, goidr.exe, aqadcup.exe, ylgril.exe, saie.exe, puswxc.exe). Then there are the BHOs (Browser Helper Objects), several of them unnamed or pointing at no file at all, a text/html filter (O18) that gets a look at every page IE renders, and two O16 ActiveX download entries that fetch a raw .exe rather than a .cab, one of them from a "diallerfiles" URL… looks like this is going to be fun.
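The observations above are mechanical enough to script. As an added example (not code from the original post, and not part of HijackThis itself), here is a small Python triage pass over a log in HijackThis 1.99 format: it flags O4 autostart values launched straight out of C:\WINDOWS or C:\WINDOWS\SYSTEM that are not on a stock-Windows allowlist, the same target wired into more than one Run/RunServices key, an exact duplicate value, O2/O3 entries with no file behind them, an unnamed URLSearchHook, O16 entries that point at a raw .exe instead of a .cab, and any O18 text/html filter. The sample log is constructed from a few lines of the log above with the backslashes restored; the STOCK_NAMES allowlist is an assumption drawn from this one machine, not a definitive list.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99 format, modelled on lines from the
# log above with the backslashes restored (the blog copy lost them).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL
"""

# Assumption: stock Windows ME / printer-driver names that legitimately live in
# C:\WINDOWS or C:\WINDOWS\SYSTEM on this box. Anything else started from those
# two bare directories is treated as suspect until verified by hand.
STOCK_NAMES = {
    "scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe", "loadqm.exe",
    "mstask.exe", "ssdpsrv.exe", "lexstart.exe", "printray.exe", "lxsupmon.exe",
}
BARE_DIRS = {r"c:\windows", r"c:\windows\system"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>HK[A-Z]+\\\.\.\\\w+):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")


def target_of(cmd):
    """Pull the executable path out of a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, args after the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|pif|bat))(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def split_path(target):
    """Return (directory, filename), lower-cased; bare names get an empty directory."""
    t = target.lower()
    if "\\" not in t:
        return "", t
    d, _, f = t.rpartition("\\")
    return d, f


def triage(log_text):
    """Return a list of (category, evidence) findings from a HijackThis log."""
    findings = []
    seen = defaultdict(set)          # target path -> autostart keys launching it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        if sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:               # Startup-folder .lnk entries are not handled here
                continue
            d, f = split_path(target_of(o4.group("cmd")))
            if d in BARE_DIRS and f not in STOCK_NAMES:
                findings.append(("bare-windows-dir", line))
            key, path = o4.group("key"), d + "\\" + f
            if key in seen[path]:    # identical value listed twice under one key
                findings.append(("duplicate-run-value", line))
            seen[path].add(key)

        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("orphaned-clsid", line))

        elif sec == "R3" and "(no name)" in body:
            findings.append(("unnamed-urlsearchhook", line))

        elif sec == "O16":           # ActiveX "Download Program Files" entry
            url = body.rsplit(" - ", 1)[-1].lower()
            if url.split("?")[0].endswith(".exe"):
                findings.append(("dpf-raw-executable", line))

        elif sec == "O18" and body.startswith("Filter: text/html"):
            findings.append(("html-filter-hook", line))

    # One target wired into several autostart keys: redundant persistence.
    for path, keys in seen.items():
        if len(keys) > 1:
            findings.append(("multi-key-persistence", f"{path} <- {', '.join(sorted(keys))}"))
    return findings


if __name__ == "__main__":
    for cat, evidence in triage(SAMPLE_LOG):
        print(f"[{cat}] {evidence}")
```

The allowlist is deliberately tiny and everything it lets through still gets checked by hand; what the script flags is a starting point for the removal in the next parts, not a verdict. Bare names such as SysTray.Exe resolve through the path at boot, so they are not attributed to the Windows directory here, and O4 Startup-folder entries are skipped entirely.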
