#1
Win ME running like a sick dog...
I've scanned with AVG, Ad-Aware etc. but still little joy..... HijackThis log follows.
Could anyone help?

Logfile of HijackThis v1.99.1
Scan saved at 13:27:55, on 20/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\BITWARE\NT\bwprnmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Royal Bank of Scotland\ROYLINE\EBPEMon.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trust\Surveillance Interface 801\Surveillance\BCastTcp.EXE
C:\hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\BITWARE\BFRECV.EXE
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: CleanupHelper Class - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - C:\Program Files\ArmorIE\SX.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [EBPEventMonitor] C:\Royal Bank of Scotland\ROYLINE\EBPEMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jfbximxovq] C:\WINDOWS\System32\xosphzrs.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trust Auto Start.lnk = C:\Program Files\Trust\Surveillance Interface 801\Surveillance\DMStartup.exe
O9 - Extra button: Erotic - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www.erotic.co.uk?ref=9999 (file missing)
O9 - Extra 'Tools' menuitem: Erotic... - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www.erotic.co.uk?ref=9999 (file missing)
O9 - Extra button: MoreContent - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\system32\MoreContent (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: IQ Test - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www.personaltest.co.uk (file missing)
O9 - Extra 'Tools' menuitem: IQ Test... - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www.personaltest.co.uk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\Program Files\ArmorIE\SX.dll (HKCU)
O16 - DPF: {15AF6247-8420-4A42-B78E-6BACB05985B0} (Msoftdld Control) - http://www.moneysoft.co.uk/download/msoftdld.ocx
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4514/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{217F05FB-2EA7-4619-98F6-094AFAC91D2F}: NameServer = 194.72.9.38 62.6.40.162
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#2
Hi chaffers,

You do have traces of malware on your system. You seem to have the My WebSearch parasite. I presume you have a toolbar like this on your Internet Explorer. I would like you to do the following steps to help get your computer on the road to recovery. Tom Myboy will probably stop by later with much more detailed and accurate instructions, but for now please do the following:

Download Adaware and Spybot Search and Destroy from the following URLs:
Adaware: http://www.lavasoftusa.com/software/adaware/
Spybot: http://www.safer-networking.org/
Please also get the latest updates and definition files for the above mentioned software.

First I would like you to uninstall the My Web Search option from Add/Remove Programs. Click on Start, Settings, Control Panel and then double-click on Add/Remove Programs. Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You should also uninstall any of the following items associated with FunWebProducts if they exist in the list:
* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

Now please reboot your computer and run HijackThis again. With HijackThis, scan for and fix any of the entries shown below that may be remaining (do not be alarmed if they do not exist).
Quote:

Next, open My Computer, Drive C, and double-click on the Program Files folder. Now right-click and delete the folders for:
* FunWebProducts
* MyWebSearch (this one should be there, based on your log)
if they exist. There will be some minor registry entries left behind by the uninstall; however, these can be cleaned up by running Spybot Search and Destroy and Ad-Aware SE. Please run them and fix any entries they find. Then scan your system with HijackThis again and post a fresh log here.

A couple of things I would like you to do as well. I cannot figure out what this file does. Does the following file/entry seem familiar to you?
Quote:

If you cannot recognise it (please treat it with caution; it may be malware), then please submit the file xosphzrs.exe located in your C:\WINDOWS\System32\ at the following website for scanning: http://virusscan.jotti.org/ and post the results here.

I also do not fully understand the following entries. Can you give me any information concerning them or the files they are using?
O4 - Global Startup: Trust Auto Start.lnk = C:\Program Files\Trust\Surveillance Interface 801\Surveillance\DMStartup.exe
C:\Program Files\Trust\Surveillance Interface 801\Surveillance\BCastTcp.EXE
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog
Never argue with fools. They will bring you down to their level and beat you with experience.
Manchester United Forever
Last edited by oneMSBi : June 20th, 2005 at 03:34 PM.
#3
This is a specialist tool for removing CWS only, nothing else:
http://www.intermute.com/spysubtrac...r_download.html
It is entirely safe, and cannot be screwed up. Follow the instructions in oneMSBi's post, then download that file and click update, then fix. Then tell us how many of them it removed.
__________________
~James [Not currently seeking freelance work] Like philosophy or interested in spirituality? Philosophorum. Game Dev Experts Forums Foresight Linux - Because your desktop should be cool! Linux FAQ FedoraFAQ UbuntuGuide
#4
I cannot see any traces of CoolWebSearch on your PC from my look over your log. I do not feel you will need the CWShredder tool linked to above by linuxpenguin at this point in time.
#5
Thanks for the help, oneMSBi.

The surveillance entries were for a remote digicam which no longer works, hence the program has been deleted. This entry, however, is more problematic:
O4 - HKLM\..\Run: [jfbximxovq] C:\WINDOWS\System32\xosphzrs.exe
The file specified does not appear in the directory named. The filename looks purely random and rather sus... A second scan with Ad-Aware revealed more VX2 appearing on the system despite being deleted by the first scan yesterday.... Hijack log follows..

Logfile of HijackThis v1.99.1
Scan saved at 12:15:38, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\BITWARE\NT\bwprnmon.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\BITWARE\BFRECV.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AF6247-8420-4A42-B78E-6BACB05985B0} (Msoftdld Control) - http://www.moneysoft.co.uk/download/msoftdld.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4514/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#6
Did you submit this file for scanning at Jotti's website? xosphzrs.exe
Please submit it here: http://virusscan.jotti.org/ and post the results of the scan here.
#7
The file xosphzrs.exe doesn't appear to exist.... Tried searching the hard drive and looking for hidden files etc. but no sign of it.....
Mike
#8
Umm... is your Windows XP configured to show hidden files? Try out the instructions given below and tell me if you find the file. Then submit it to Jotti's website and post the results.
Quote:
Post here if you still can't locate the file.
#9
Perhaps it has changed its name already? A lot of viruses do that to make themselves difficult to track down.
#10
Quote:
Sorry. I thought this was in the lounge.
#11
OneMSBi,

I checked the system32, system and root Windows folders for hidden files of that name but without luck. I didn't check the whole machine as you have outlined above; however, I am away from the stack at present so will conduct a search as soon as I get back on it. If the file has indeed changed name and copied itself elsewhere, then it isn't to one of the folders mentioned above. I went through everything I didn't recognise and submitted it to Jotti without snaring anything. Then again, if it has changed name, which seems likely, then I can only think of searching for all .exe files, as the only reference to xosphzrs.exe was from the HijackThis log; hence no idea of the file size etc.... I did do a short search of all files modified or created within the last week to see if I could spot anything similarly suspiciously random, but without success. Firewall and AVG might swat it once it breaks cover again. The stack still isn't performing as it should, though I have found 7-8 trojans through various scanners. Prolly be Monday before I can get back onto the stack. Thank you again for your help...
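The thread turns on one HijackThis O4 entry: a Run value with a random-looking name ([jfbximxovq]) pointing at a file (xosphzrs.exe) that cannot be found on disk, and post #11 then hunts by hand for other recently created, suspiciously random filenames. The script below is an added example, not code from the thread, from HijackThis or from any of the posters: it parses the O4 Run lines of a HijackThis log and lists the entries a defender would want to check before fixing anything, flagging targets missing from disk, bare filenames with no path, and file stems with a long run of consonants as a rough stand-in for "looks random". The sample lines are copied from the first log in this thread; the set of files assumed present on disk is constructed for the offline demo (on the affected machine you would pass the default os.path.exists instead), and the consonant-run threshold is my own assumption.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for this thread: lists Run entries whose target cannot be found
on disk, has no absolute path, or has a filename that looks machine-generated,
so they can be checked by hand before being fixed in HijackThis.
"""
import ntpath
import os
import re
from dataclasses import dataclass, field

# Matches e.g.  O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Program path at the start of a command line: quoted, or unquoted up to a known extension.
EXECUTABLE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>\S+?\.(?:exe|com|scr|dll|pif|bat))(?=\s|$)', re.I
)
# Assumed threshold (mine): "xosphzrs" has a run of 6 consonants, "nerocheck" 2, "avgcc" 4.
CONSONANT_RUN_LIMIT = 5


@dataclass
class Finding:
    name: str          # registry value name, e.g. jfbximxovq
    path: str          # normalised program path
    reasons: list[str] = field(default_factory=list)


def target_path(command: str) -> str:
    """Return the program path from an O4 command line, without quotes or arguments."""
    m = EXECUTABLE.match(command.strip())
    if not m:
        return command.strip()
    return m.group("q") or m.group("u")


def longest_consonant_run(filename: str) -> int:
    """Longest run of consonant letters in the file stem; digits and symbols break a run."""
    stem = ntpath.splitext(ntpath.basename(filename))[0].lower()
    run = best = 0
    for ch in stem:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage_o4_entries(log_text: str, exists=os.path.exists) -> list[Finding]:
    """Parse O4 Run lines and return the entries worth a manual look.

    `exists` is injected so the demo below can run on a non-Windows machine;
    on the affected PC the default os.path.exists is the right choice.
    """
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        path = ntpath.normpath(target_path(m.group("cmd")))
        reasons = []
        if not ntpath.isabs(path):
            reasons.append("bare filename, resolved via PATH/System32 at boot")
        elif not exists(path):
            reasons.append("target file missing from disk")
        if longest_consonant_run(path) >= CONSONANT_RUN_LIMIT:
            reasons.append("random-looking filename")
        if reasons:
            findings.append(Finding(m.group("name"), path, reasons))
    return findings


# O4 lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jfbximxovq] C:\WINDOWS\System32\xosphzrs.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed for the offline demo: stands in for the disk of the affected PC,
# where every autostart target except xosphzrs.exe was found.
PRESENT_ON_DISK = {
    r"C:\WINDOWS\System32\NeroCheck.exe",
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\PROGRA~1\SYMNET~1\SNDMon.exe",
    r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
}


def demo() -> list[Finding]:
    """Run the triage over the sample log against the constructed disk contents."""
    return triage_o4_entries(SAMPLE_LOG, exists=PRESENT_ON_DISK.__contains__)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.name}] {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On the sample the [jfbximxovq] entry comes out with both reasons, missing target and random-looking name, which is exactly the combination that made it stand out in post #5. The [PCTVOICE] entry lands on the list too: the consonant heuristic cannot tell a terse vendor filename from a generated one, so the output is a review list to work through (and, as oneMSBi suggested, to submit to a multi-engine scanner) rather than a verdict. Copy the log off the machine and run the script anywhere; only the default `exists` check needs to run on the affected PC itself.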