Four suspicious programs keep coming back... can you help please?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,613
First Name
Karen
Unfortunately, I find I need help again. I hope I haven't worn out my welcome here.

I have four programs that look suspicious and would appreciate it if anyone could tell me what they are. The programs are:

csmsn.exe
tstorm.exe
chewcal.exe
cmsnw.exe

All four were created initially at the beginning of October and have no version tab to identify who they belong to.

The first two are in the running processes and they both try to access 63.246.134.50 through port 9901 over tcp. When my firewall asks I block them both and then csmsn.exe hits the firewall every second afterwards, which it's doing right now.

I've deleted all four programs twice before, including the registry keys that say "satin - csmsn.exe" in Local Machine under both "Run" and "Run services". They stay away for several days and then all of a sudden they come back. They all just reappeared again today for the third time.

I run scans with Ad-aware with the latest reference files just about every day as well as Spybot Search and Destroy. I run Norton 2003 AV and also do the Trend Housecall on-line scan quite often as well.

I'm posting my Hijack This log and would appreciate any advice on this subject.

Logfile of HijackThis v1.97.2
Scan saved at 18:11:49, on 2003-10-12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
C:\WINNT\SYSTEM32\tstorm.exe
C:\WINNT\system32\csmsn.exe
C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunServices: [Satin] csmsn.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.6905092593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553528000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks in advance,

Cookie
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,613
First Name
Karen
Anyone?????
 
Joined
Jun 19, 2003
Messages
1,241
Hi Cookiegal,

Of course you won't wear out your welcome.. :)

You do though, seem to have the knack of finding new and interesting problems.. :D

I've looked back over a couple of your previous posts to get an idea of your logfile after resolution. You've got a possible nasty in this...

C:\WINNT\SYSTEM32\starter.exe

Could you please locate this file in safe mode (see here if you don't know how) and rename it to starter.old. Then while in safe mode, please locate the aforementioned files and also change their file extensions to *.old.

If you could then hold back on doing anything with them for a few minutes, or until I reply, as I think that Tony Klein may like copies for analysis. The starter.exe file looks like it may be used to grant complete access to your PC, but I'm only guessing. :)

Back in a bit...

Cheers

Liam
 
Joined
Jun 19, 2003
Messages
1,241
Hi Buckaroo,

I also could find nothing on them. That makes them either brand new, or they may be morphing.

Cookiegal, since you've had the problem, have they always had the same name, or do they change between boot ups?

I've PMd Tony to ask if he'll take a look, but he's offline at the moment. If you can rename them and hold off on any further action until he's had a look I'd be grateful. Analysing new nasties is the only way to give Lavasoft or Kolla the chance to build protections into their programs, if indeed they turn out to be brand new.......

EDIT: Tony's just replied. Could you please send a copy of all 5 files to this address please...

this e-mail addy

Cheers

Liam
 
Joined
Oct 9, 2001
Messages
9,396
Liam... Starter.exe I think should be the Creative Labs Ensoniq Mixer Tray icon.

We could use a 2nd log to see if the above files are morphing... then we know it's peper.a and now have the POWER!! to deal with that one :D
 
Joined
Jun 19, 2003
Messages
1,241
Hi Steve,

It looked like that at first to me, but it didn't have the full...

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

..entry, which made it look suspicious. I also didn't think of peper.a, as I didn't see the tell tale...

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ]xxxxxxxxxx

..entry. That's what I've been looking for, for that one.. of course it's more than likely to have changed its signature... and frankly I wish it wouldn't, 'cos it's confusing enough as it is.. :D

Cheers

Liam
 
Joined
Oct 9, 2001
Messages
9,396
You could well be right... Typical of me not to notice the file path, I just picked up on the file itself.

The legit entry is usually located in the windows folder :rolleyes:
 
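The check Steve and Liam are doing by eye above (a process running from a location or under a Run key that does not match the legitimate entry) can be scripted against the HijackThis log format quoted in this thread. The following is an added example, not code from any poster or from HijackThis; the log excerpt and the core-process allow-list are constructed for the demonstration.

```python
import re

# Constructed excerpt of the HijackThis v1.97 log quoted earlier in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\WINNT\SYSTEM32\tstorm.exe
C:\WINNT\system32\csmsn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Satin] csmsn.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.I)
# Core NT processes that run without any O4 entry (constructed allow-list).
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "explorer.exe", "hijackthis.exe"}

def parse_log(text):
    """Split a HijackThis log into running-process paths and O4 entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                hive, key, name, cmd = m.groups()
                entries.append({"hive": hive, "key": key, "name": name, "cmd": cmd})
    return processes, entries

def basename(cmd):
    """First .exe token of a path or command line, lower-cased, path stripped."""
    m = EXE_RE.search(cmd)
    return (m.group(1) if m else cmd.split()[0]).lower()

def flag_o4(entries):
    """O4 lines worth a second look: the RunServices key (a Windows 9x/ME key that
    the NT loader does not use) or a bare filename with no path."""
    flagged = {}
    for e in entries:
        reasons = []
        if e["key"].lower() == "runservices":
            reasons.append("RunServices key")
        if "\\" not in e["cmd"].split()[0]:
            reasons.append("bare filename")
        if reasons:
            flagged[basename(e["cmd"])] = reasons
    return flagged

def unreferenced_processes(processes, entries):
    """Running, non-core processes that no O4 entry launched (starter.exe, tstorm.exe)."""
    launched = {basename(e["cmd"]) for e in entries}
    return sorted({basename(p) for p in processes} - launched - CORE)
```

The bare-filename flag also catches legitimate entries such as mobsync.exe, so treat the output as a shortlist to compare against the known-good log, as the thread does, not as a verdict.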
Joined
Jun 19, 2003
Messages
1,241
Hi Steve,

Re: the starter.exe file: In that configuration, I only came up with one possibility, and that was from a developer's diary...

http://www.dtcc.edu/cs/admin/nt/diary/ (entry for 20 July 1999)

a possible way of getting complete access to another computer (possibly).. :confused:

I think, unless anyone else has seen it before, that we'll now just have to wait for Tony's verdict.

Aha.... I thought I was the only one who typed smilies.. : D..... or even :D

Cheers

Liam
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,613
First Name
Karen
While I was off in safe mode you guys were posting.

BTW Liam, just trying to keep you guys on your toes with new challenges (LOL).

First of all, the four programs always come back together and all three times they have had exactly the same names.

The starter.exe program is my Creative Sound Blaster Volume control thing, which was configured to show up as a small icon to the bottom right of my screen on startup. Since I changed its name, the icon is not there anymore, so it looks legit, unless it could have been changed by a virus somehow.

Please tell me how to send those files as requested. Do you mean in a zip file as I've seen mentioned in other posts? If so, I don't know how to do that. If not, I don't know how to do that either (LOL).

Thanks for all your help with this everyone.

Cookie
 
Joined
Mar 25, 2001
Messages
3,334
Hi Liam, glad you got in touch with TK. He's the man. (y)

Keep us apprised of what they are, okay?

Since they don't change names I guess it's not pepper.a trojan, although Cookiegal may want to do the Housecall scan anyway.
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,613
First Name
Karen
Hi Buckaroo,

I did the Trend Micro House Call scan and it came up clean. I also ran a Norton scan while I was in safe mode and that came up clean also.

Thanks for your suggestion though, I appreciate your input.


Cookie
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,613
First Name
Karen
I just downloaded the Oct 13th intelligent updates for Norton (I do them every day) and ran another scan (I had done one in safe mode that was clean) and it came up with the following:

C:\WINNT\System32\dqcs.exe is infected with Trojan Dropper and it deleted the file.

Can someone tell me how to send those files to Tony Klein please? I had the e-mail address that Liam gave me but I don't know how to attach files in an e-mail.

Thanks,

Cookie
 
Joined
Mar 25, 2001
Messages
3,334
Do you have WinZip? Just right click on the folder or file. One of your options should be to use WinZip to e-mail it.

:)
 