IM programs crash internet?

Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
27-Apr-2007, 09:52 PM #1
IM programs crash internet?
This is a strange problem I've been getting recently... In the last week or so, my AIM or MSN messengers crash my internet. (Strangely, if I do not open any IM program after I reset my internet by unplugging the router and restarting, I can browse the internet, download things, and play games online; I can even use web IM programs, such as AIM Express~.) A week or so ago this was not happening. I figured perhaps it's my XP version, so I updated XP and my IM programs. I also ran virus scanning programs, as well as registry and spybot scanners. After all of this I tried once again, and yet again, when I sign on to AIM or MSN it crashes my internet. I'm pretty stumped... I figure it may be my modem? Or router... But I thought I should ask here first, to see if anyone had any ideas.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
29-Apr-2007, 05:48 AM #2
Go here and download the 'Hijack This!' self installer. Save it to the desktop or another suitable place. DO NOT just press Run from the website. Double-click on the file and it will install to C:\program files\hijackthis and create an entry in the Start menu and an optional shortcut on the desktop.
Click on the entry in the Start menu or on the desktop to run HijackThis.
Click the "Scan" button. When the scan is finished the Scan button will become "Save Log"; click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
30-Apr-2007, 01:30 AM #3
Thanks for your reply, dvk01. I went ahead and did what you asked, and saved the log.

Logfile of HijackThis v1.99.1
Scan saved at 9:26:36 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missin

I did not fix anything, as you asked. I'm pretty sure I'd end up messing it up if I did lol. So there's the results~
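A triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread: it cross-checks entries marked "(no file)" or "(file missing)" against the "Running processes" list, so an entry whose file is reported missing yet is running gets re-checked by hand instead of being deleted. The sample lines are copied from the log in post #3; the function names and verdict labels are assumptions made for this illustration.

```python
import re

# Lines copied from the HijackThis v1.99.1 log in post #3 (excerpt).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\nvsvc32.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # e.g. "O23 - Service: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse(log_text):
    """Return (set of lower-cased running process paths, list of (code, body))."""
    running, entries, in_procs = set(), [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # blank line ends the process list
            in_procs = False
        elif in_procs:
            running.add(line.lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return running, entries


def triage(log_text):
    """Classify every entry the tool marked as missing (labels are hypothetical)."""
    running, entries = parse(log_text)
    findings = []
    for code, body in entries:
        if not any(marker in body for marker in MISSING_MARKERS):
            continue
        m = PATH_RE.search(body)
        path = m.group(0) if m else None
        if path and path.lower() in running:
            # The file is executing, so "missing" cannot be taken at face value.
            verdict = "running-but-reported-missing"
        else:
            # No backing file seen anywhere in the log: leftover registration.
            verdict = "orphaned-entry"
        findings.append((code, verdict, path or body))
    return findings


if __name__ == "__main__":
    for code, verdict, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {verdict:30} {detail}")
```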
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
30-Apr-2007, 07:22 PM #4
That is a very short log.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click Non-Microsoft
    • In the Win32 Services group click Non-Microsoft
    • In the Driver Services group click Non-Microsoft
    • In the Registry group click Non-Microsoft
    • In the Files Created Within group click 30 days. Make sure Non-Microsoft only is CHECKED
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED
    • In the File String Search group select Non-Microsoft
    • In the Additional scans section please press Select All and check Non-Microsoft only
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here. I will review it when it comes in.
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
01-May-2007, 03:32 AM #5
Thanks for all the help so far, dvk01~ Here's the scan result.


http://attachments.techguy.org/attachment.php?attachmentid=104704&stc=1&d=1178000583
WinPFind3.Txt



I did run a virus scan the other night; it found a trojan, which I was able to remove. Though you never know with viruses, it may still be there. I'm going to run some more virus scans and spyware scans in the meantime.
Attached Files
File Type: txt WinPFind3.Txt (116.8 KB, 200 views)
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
01-May-2007, 10:27 AM #6
I need to examine this before we go anywhere to see if it's involved.

Please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select, etc. When all the files are listed in the window, press Send to upload the files. (Do not post HJT logs there as they will not get dealt with.)

Files to submit:

C:\WINDOWS\system32\cxscheca001.dll
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
01-May-2007, 11:35 PM #7
Here you go dvk01~

http://www.thespykiller.co.uk/index....c=4096.new#new

I attached the file you requested.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
02-May-2007, 07:56 AM #8
It is an IM password stealer.

WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {BC0CFA58-3A6F-51ba-9EFE-B320F4F621BA} [HKLM] -> %System32%\cxscheca001.dll []
[Files/Folders - Created Within 30 days]
NY -> adccdcb5_g.dll -> %System32%\adccdcb5_g.dll
NY -> bdod.bin -> %System32%\bdod.bin
NY -> bebcaeda0_g.ocx -> %System32%\bebcaeda0_g.ocx
NY -> cxscheca001.dll -> %System32%\cxscheca001.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]
The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

When it reboots, post the following back here:

the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

and

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
02-May-2007, 08:47 AM #9
And as it is part of the IM password stealer pest and your antivirus doesn't seem to detect it:

* Run the Kaspersky online virus scan: Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

Note: Kavscan is a scanner only and won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

You must use IE for the scan to work
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
02-May-2007, 09:06 PM #10
WinPFind3 - Fix: I ran this first, with the information you provided, and this is the resulting log. Two errors popped up; I did not write down the names of the files that received the errors (mistake by me..~). So once I restarted I ran the program again, with the same fix, and it did not error. Here is the 2nd log, the one without the errors. I can post the one that received the errors if you want that one.


http://attachments.techguy.org/attac...1&d=1178150647
05022007_164924.log
Attached Files
File Type: log 05022007_164924.log (756 Bytes, 133 views)
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
02-May-2007, 09:09 PM #11
Rootchk program. (There were 205 hidden files; I'm not sure if that's what you meant by hidden drivers? I can rescan if you would like.)


http://attachments.techguy.org/attac...1&d=1178150831
rootlog.txt
Attached Files
File Type: txt rootlog.txt (21.0 KB, 274 views)
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
02-May-2007, 09:58 PM #12
Here's the result from the Kaspersky scan.

http://attachments.techguy.org/attac...1&d=1178153708
Kaspersky Scan.txt
Attached Files
File Type: txt Kaspersky Scan.txt (15.2 KB, 139 views)
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
02-May-2007, 10:01 PM #13
And finally, the HiJackThis Scan Log.

I was curious: since the program is an IM password stealer, should I go through my various applications that I use a password on, like games for example, and change my passwords?

http://attachments.techguy.org/attac...1&d=1178153959
hijackthis scan.txt
Attached Files
File Type: txt hijackthis scan.txt (3.2 KB, 141 views)
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
03-May-2007, 12:11 PM #14
Please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select, etc. When all the files are listed in the window, press Send to upload the files. (Do not post HJT logs there as they will not get dealt with.)

Files to submit:

Anything inside the C:\Documents and Settings\Josh\My Documents\WinPFind3u\MovedFiles folder, which is where it made copies of all the files it deleted.

The easy way is to first go to C:\Documents and Settings\Josh\My Documents\WinPFind3u\MovedFiles and select all the files inside it, right-click and send to compressed folder. That will make a zipped copy of all the files; then upload the zipped copy.

then

Turn off system restore by following instructions here
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable system restore and create a new restore point.

Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks,
and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer.

Then pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Then change ALL your passwords on everything, including all online sites and especially banks etc.
Itachi98's Avatar
Junior Member with 14 posts.
 
Join Date: Apr 2007
03-May-2007, 10:09 PM #15
Here are the folders; I just zipped the folder inside the MovedFiles.

http://www.thespykiller.co.uk/index....c=4111.new#new

And once again thanks for all the help, dvk~ I wouldn't have ever guessed the internet issue was a PW stealer.. That's a huge security threat there. Thanks for helping me pinpoint this!
All times are GMT -4.