
Four suspicious programs keep coming back... can you help please?

Discussion in 'Virus & Other Malware Removal' started by Cookiegal, Oct 12, 2003.

  1. Cookiegal
    Unfortunately, I find I need help again. I hope I haven't worn out my welcome here.

    I have four programs that look suspicious and would appreciate it if anyone could tell me what they are. The programs are:

    csmsn.exe
    tstorm.exe
    chewcal.exe
    cmsnw.exe

    All four were created initially at the beginning of October and have no version tab to identify who they belong to.

    The first two are in the running processes and they both try to access 63.246.134.50 through port 9901 over tcp. When my firewall asks I block them both and then csmsn.exe hits the firewall every second afterwards, which it's doing right now.

    I've deleted all four programs twice before, including the registry keys that say "satin - csmsn.exe" in Local Machine under both "Run" and "Run services". They stay away for several days and then all of a sudden they come back. They all just reappeared again today for the third time.

    I run scans with Ad-aware with the latest reference files just about every day as well as Spybot Search and Destroy. I run Norton 2003 AV and also do the Trend Housecall on-line scan quite often as well.

    I'm posting my Hijack This log and would appreciate any advice on this subject.

    Logfile of HijackThis v1.97.2
    Scan saved at 18:11:49, on 2003-10-12
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\starter.exe
    C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
    C:\WINNT\SYSTEM32\tstorm.exe
    C:\WINNT\system32\csmsn.exe
    C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\RunServices: [Satin] csmsn.exe
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.6905092593
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553528000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks in advance,

    Cookie
     
  2. Cookiegal
    Anyone?????
     
  3. buckaroo
    Cookiegal, don't know who or what they are, maybe somebody will. I see this one returned to your startup folder:

    O4 - HKLM\..\RunServices: [Satin] csmsn.exe

    See if it's anything to do with the peper.a trojan. Go here for an online scan:

    http://housecall.trendmicro.com/housecall/start_corp.asp

    :)
     
  4. e-liam
    Hi Cookiegal,

    Of course you won't wear out your welcome.. :)

    You do though, seem to have the knack of finding new and interesting problems.. :D

    I've looked back over a couple of your previous posts to get an idea of your logfile after resolution. You've got a possible nasty in this...

    C:\WINNT\SYSTEM32\starter.exe

    Could you please locate this file in safe mode (see here if you don't know how) and rename it to starter.old. Then while in safe mode, please locate the aforementioned files and also change their file extensions to *.old.

    If you could then hold back on doing anything with them for a few minutes, or until I reply, as I think that Tony Klein may like copies for analysis. The starter.exe file looks like it may be used to grant complete access to your PC, but I'm only guessing. :)

    Back in a bit...

    Cheers

    Liam
     
  5. e-liam
    Hi Buckaroo,

    I also could find nothing on them. That makes them either brand new, or they may be morphing.

    Cookiegal, since you've had the problem, have they always had the same name, or do they change between boot ups?

    I've PM'd Tony to ask if he'll take a look, but he's offline at the moment. If you can rename them and hold off on any further action until he's had a look I'd be grateful. Analysing new nasties is the only way to give Lavasoft or Kolla the chance to build protections into their programs, if indeed they turn out to be brand new...

    EDIT: Tony's just replied. Could you please send a copy of all 5 files to this address please...

    this e-mail addy

    Cheers

    Liam
     
  6. $teve
    Liam... Starter.exe I think should be the Creative Labs Ensoniq Mixer Tray icon.

    We could use a 2nd log to see if the above files are morphing... then we know it's peper.a and now have the POWER!! to deal with that one :D
     
  7. e-liam
    Hi Steve,

    It looked like that at first to me, but it didn't have the full...

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

    ..entry, which made it look suspicious. I also didn't think of peper.a, as I didn't see the tell tale...

    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ]xxxxxxxxxx

    ..entry. That's what I've been looking for, for that one.. of course it's more than likely to have changed its signature... and frankly I wish it wouldn't, 'cos it's confusing enough as it is.. :D

    Cheers

    Liam
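A defender-side way to triage the O4 autorun lines discussed in the first post and in Liam's note above about the peper.a tell-tale entry, as an added example that is not part of this thread: it parses the HijackThis log format, cross-references each autorun command against the running-process list, and flags bare filenames, RunServices entries and random-looking value names. The sample lines are constructed from the log posted above plus Liam's placeholder entry; the heuristics and thresholds are my own assumptions, not anything the thread's participants or HijackThis itself use.

```python
import re

# Constructed sample: lines from the HijackThis log above plus the peper.a-style entry Liam quoted.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\SYSTEM32\starter.exe
C:\WINNT\SYSTEM32\tstorm.exe
C:\WINNT\system32\csmsn.exe

O4 - HKLM\..\RunServices: [Satin] csmsn.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ]xxxxxxxxxx
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{10,}$")  # assumed heuristic for peper.a-style value names

def parse_log(text):
    """Split a HijackThis log into running-process basenames and O4 autorun entries."""
    procs, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            procs.add(line.rsplit("\\", 1)[-1].lower())
        else:
            m = O4_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return procs, entries

def flag_entries(procs, entries):
    """Return {value name: [reasons]} for every O4 entry that deserves a second look."""
    findings = {}
    for e in entries:
        exe = e["cmd"].split()[0]  # crude: a path containing spaces keeps only its first token
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename, resolved through the search path")
        if e["key"].lower() == "runservices":
            reasons.append("RunServices key")  # Win9x-era key; unusual for Windows 2000 software
        if RANDOM_NAME_RE.match(e["name"]):
            reasons.append("random-looking value name")
        if exe.rsplit("\\", 1)[-1].lower() in procs:
            reasons.append("currently running")
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

Run over the sample, the [Satin] entry collects three reasons and the random-named entry two, while the full-path Freedom entry is left alone; a real log would need the other O4 forms (Global Startup) handled too.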
     
  8. $teve
    You could well be right... Typical of me not to notice the file path, I just picked up on the file itself.

    The legit entry is usually located in the windows folder:rolleyes:
     
  9. e-liam
    Hi Steve,

    Re: the starter.exe file: In that configuration, I only came up with one possibility, and that was from a developer's diary...

    http://www.dtcc.edu/cs/admin/nt/diary/ (entry for 20 July 1999)

    a possible way of getting complete access to another computer (possibly).. :confused:

    I think, unless anyone else has seen it before, that we'll now just have to wait for Tony's verdict.

    Aha.... I thought I was the only one who typed smilies.. : D..... or even :D

    Cheers

    Liam
     
  10. Cookiegal
    While I was off in safe mode you guys were posting.

    BTW Liam, just trying to keep you guys on your toes with new challenges (LOL).

    First of all, the four programs always come back together and all three times they have had exactly the same names.

    The starter.exe program is my Creative Sound Blaster volume control thing, which was configured to show up as a small icon to the bottom right of my screen on startup. Since I changed its name, the icon is not there anymore, so it looks legit, unless it could have been changed by a virus somehow.

    Please tell me how to send those files as requested. Do you mean in a zip file as I've seen mentioned in other posts? If so, I don't know how to do that. If not, I don't know how to do that either (LOL).

    Thanks for all your help with this everyone.

    Cookie
     
  11. buckaroo
    Hi Liam, glad you got in touch with TK. He's the man. (y)

    Keep us apprised of what they are, okay?

    Since they don't change names I guess it's not the peper.a trojan, although Cookiegal may want to do the Housecall scan anyway.
     
  12. Cookiegal
    Hi Buckaroo,

    I did the Trend Micro House Call scan and it came up clean. I also ran a Norton scan while I was in safe mode and that came up clean also.

    Thanks for your suggestion though, I appreciate your input.


    Cookie
     
  13. buckaroo
    Good. (y)

    Okay, we'll just wait and see what TK comes up with.

    :)
     
  14. Cookiegal
    I just downloaded the Oct 13th intelligent updates for Norton (I do them every day) and ran another scan (I had done one in safe mode that was clean) and it came up with the following:

    C:\WINNT\System32\dqcs.exe is infected with Trojan Dropper and it deleted the file.

    Can someone tell me how to send those files to Tony Klein please. I had the e-mail address that Liam gave me but I don't know how to attach files in an e-mail.

    Thanks,

    Cookie
     
  15. buckaroo
    Do you have WinZip? Just right click on the folder or file. One of your options should be to use WinZip to e-mail it.

    :)
     
Short URL to this thread: https://techguy.org/171495