Disinfecting a PC… part 1



This is the first in a several-part series documenting the cleaning of an infected PC. The only really noteworthy item is that it was a dial-up-only connection and was rather infested for that (on par with some of the broadband-connected PCs I’ve seen). It’s also an interesting counterpoint to the network security series.


The system was a Windows ME (I know… yuck) PC, with not-bad specs for that “vintage”. The first thing I did was take a look at the running processes and at the items starting at boot (Start, Run, msconfig). I ran HijackThis to get a good log of the situation.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:44 PM, on 12/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\PROGRAM FILES\BMCENTRAL\BMLAUNCHER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\WINDOWS\GOIDR.EXE
C:\WINDOWS\JAWA32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\XECRTYR.EXE
C:\WINDOWS\GUQVQMM.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HTIBEBD.EXE
C:\WINDOWS\SYSTEM\HDABECT.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
A:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://migration.msn.com/upgrade56/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://migration.msn.com/upgrade56/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: (no name) - {} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O2 - BHO: SDWin32 Class - {B85AD4F1-4B57-4BD4-AC24-35994EC362B2} - C:\WINDOWS\SYSTEM\PUSWX.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll
O2 - BHO: (no name) - {4FD8D2F4-8CCA-1156-ED63-E651E7A68313} - C:\WINDOWS\Xrdkbklj.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search - {D48E1692-BA1B-26E3-B27C-7ACB401E83C5} - C:\WINDOWS\Xrdkbklj.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Dfnm] C:\WINDOWS\Guqvqmm.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [puswxc] C:\WINDOWS\SYSTEM\puswxc.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [ylgril] C:\WINDOWS\ylgril.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\Broderbund Party and Crafts Creator\pmremind.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNFORIE.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL

The biggest things that jump out are the jawa entries (jawa32.exe), SurfSideKick and some seemingly random-named programs running directly from the Windows directory (and from WINDOWS\SYSTEM and the VBouncer folder). A few BHOs (Browser Helper Objects)… looks like this is going to be fun.
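The triage described above can be scripted so the same classes of entry are pulled out of a log mechanically. This is an added example, not code from the original post: it walks a constructed subset of the HijackThis lines from the log above (backslashes restored) and flags autostarts running straight out of the Windows directory, entries listed more than once, BHOs whose DLL is missing, and O16 ActiveX downloads that point at a bare executable. The allow-list of legitimate Windows-directory binaries is an assumption for this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis lines from the log above, backslashes restored.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: SDWin32 Class - {F96100A4-C5BC-4B07-89CA-2E689ED3F304} - C:\WINDOWS\SYSTEM\PECXL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [Swup] C:\WINDOWS\Xecrtyr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/011145.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
"""

# Windows ME components that legitimately autostart straight out of C:\WINDOWS
# (assumed allow-list for this example; extend it for the machine being examined).
KNOWN_WINDIR = {"scanregw.exe", "taskmon.exe", "loadqm.exe"}

# First drive-letter path ending in .exe on an O4 line (quotes and trailing args ignored).
EXE_RE = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def triage(log_text):
    """Return (entry, reason) pairs for HijackThis entries that deserve a closer look."""
    entries = Counter(ln.strip() for ln in log_text.splitlines() if ln.strip())
    findings = []
    for entry, count in entries.items():  # unique entries, in log order
        if entry.startswith("O4 - "):
            m = EXE_RE.search(entry)
            if m:
                folder, _, exe = m.group(1).rpartition("\\")
                if folder.lower() == r"c:\windows" and exe.lower() not in KNOWN_WINDIR:
                    findings.append((entry, "unknown program autostarting from the Windows directory"))
            if count > 1:
                findings.append((entry, "autostart entry listed %d times" % count))
        elif entry.startswith("O2 - ") and entry.endswith("(no file)"):
            findings.append((entry, "BHO registered but its DLL is missing"))
        elif entry.startswith("O16 - ") and entry.lower().endswith(".exe"):
            findings.append((entry, "ActiveX download (DPF) points at a bare executable"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(reason, "->", entry)
```

Run against the full log above, the same rules also pick up goidr.exe, aqadcup.exe, Guqvqmm.exe and ylgril.exe, which is exactly the set the paragraph singles out by eye.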
