my computer is taken over 4

[electricpete]

I have Windows ME, no anti-virus protection.

If I leave my computer idle, after about 5 minutes the modem will call up and connect to my ISP. It will sit there transferring megabytes of data (no browser window open... no way to figure out who it's talking to).

Also when I am on-line sometimes it begins sending large amounts of data while I am idle.

My precautions so far: unplug phone line when not on-line. Remove personal info from my pc.

What is going on and how do I fix it?
Thanks in advance for any thoughts.

 

[carrr]

Check this out.

http://forums.spywareinfo.com/index.php?s=3d52ca20c68b3f0ac614ffee4016766f&showtopic=6020

Get yourself cleaned up, then get some protection.

 

[edfair]

I would suggest the following:
Some anti-virus protection,
Adaware,
Spybot.

And it probably wouldn't hurt to have zone alarm installed.


Ed Fair
Give the wrong symptoms, get the wrong solutions.

 

[steamwiz]

Just to echo what carrr and edfair have already said.....

anti-virus........several free ones to choose from
firewall..........several free ones to choose from
spybot
adaware
spywareguard
etc....all free programs... and there to protect you

see this link :-

http://boards.cexx.org/viewtopic.php?t=957

If you want help...do this and we'll get you started

Please Download hijackthis from

http://tomcoyote.org/hjt

Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam

 

[electricpete]

A little ironic...in the old days we were safe as long as we didn't run any downloaded programs... now we are supposed to download and run programs to stay safe.

Are the viruses smarter now that they can get in even when we don't run any programs?

Is this hijackthis a safe program?
Thx.

 

[Xemus]

Hijack This is a great (safe to download from

http://www.tomcoyote.org/hjt)

program to help regain control over offending hijackers and settings.

 

[electricpete]

Thanks. Here is my logfile:

Logfile of HijackThis v1.97.6
Scan saved at 4:06:56 PM, on 11/14/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://www.noblindlinks.com/sp.shtml

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.couldnotfind.com/search_page.html?&account_id=50108

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.couldnotfind.com/search_page.html?&account_id=50108

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://209.15.74.79/ubb2000/cgi/for...ration+Forum&number=2&DaysPrune=20&LastLogin=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.efanz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.martfinder.com/tindex.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.couldnotfind.com/search_page.html?&account_id=50108

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://drvvv.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.efanz.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.efanz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = eFanz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =

http://209.15.74.79/ubb2000/cgi/for...ration+Forum&number=2&DaysPrune=20&LastLogin=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =

http://www.noblindlinks.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) =

http://www.martfinder.com/tindex.html

O1 - Hosts: 66.250.171.138 auto.search.msn.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: Dialpad US Java Applet -

http://www.dialpad.com/applet/src/vscp.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37878.4201851852

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -

http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

 

[electricpete]

A few things I recognize as my own customizations:
fineprint
Roxio, Projectselector

 

[kiddpete]

A site that will check your machine online is:

http://WWW.SYMANTEC.COM

click on Downloads -> Symantec Security Check

It will check your entire system while you are online, and it is free.

 

[steamwiz]

Hi electricpete

Your computer has been hijacked by Coolwebsearch

Download and run this program :-

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

here is some info about it :-

http://www.spywareinfo.com/~merijn/cwschronicles.html

If you are worried about running the shredder....Look at the top right hand side of this page (This forums top experts)...my name wouldn't be there if I was giving bad advice.

Then post a new log and we'll take out any stragglers

steam

 

[electricpete]

Thanks steamwiz.

============Results of CWShredder===========
Done!
Removed from your system:
- CWS.Bootconf
- 9 infected IE registry values

Windows ME (4.90.3000 )
CWShredder v1.33.1

After CWShredder I rebooted my machine and then ran hihackthis.

=============Results of Hijackthis================
Logfile of HijackThis v1.97.6
Scan saved at 9:25:39 PM, on 11/14/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://209.15.74.79/ubb2000/cgi/for...ration+Forum&number=2&DaysPrune=20&LastLogin=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.efanz.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.efanz.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.efanz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = eFanz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =

http://209.15.74.79/ubb2000/cgi/for...ration+Forum&number=2&DaysPrune=20&LastLogin=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: Dialpad US Java Applet -

http://www.dialpad.com/applet/src/vscp.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37878.4201851852

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -

http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

===============================
What now?
I noticed a lycos icon showed up on my screen recently. I didn't put it there. Maybe I should get rid of that lycos thing?

 

[electricpete]

There were a few improvements to my system after running the above:
1 - It seems to respond a lot faster now.
2 - Now when I type the wrong address I am redirected to search.msn.com... used to be redirected to some martfindersearch.com with porn stuff on it... not too great for the kids.

So things are better.

Unfortunately, the machine still seems to want to dial up and connect all by itself.

 

[Xemus]

I would still advise running Spybot

http://security.kolla.de

as I see some others in your log that need to be dealt with.

Kill the following:
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O9 - Extra button: Sidesearch (HKLM)

http://www.spywareinfo.com/newsletter/archives/0903/30.php

O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL

http://www.pestpatrol.com/PestInfo/O/Onflow.asp

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -

http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O16 - DPF: Dialpad US Java Applet -

http://www.dialpad.com/applet/src/vscp.cab

This one looks evil. Anyone else have an opinion of it? Seems to be a phone card service.

http://www.closedsocket.com

 

[steamwiz]

This is a sub 7 trojan - undoubtedly the source of your problems

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE

Find this file: C:\WINDOWS\System\msrexe.exe
and go here :-

http://www.kaspersky.com/remoteviruschk.html

and upload it.

Let me know the results.

I suspect......msrexe.exe Infected: Backdoor.Jeemp.c

Let me know and I'll tell you what to do next

steam

 

[electricpete]

I notice the date on msrexe.exe is 9/6/03... seems like around the time these problems started.

Here are the result of the on-line scan:

Current object: msrexe.exe

msrexe.exe Infected: Backdoor.Jeemp.c

Statistics:

--------------------------------------------------------------------------------
Known viruses: 77780 Updated: 16.11.2003
File size (Kb): 31 Scan time: 00:00:01
Speed (Kb/sec): 32 Virus bodies: 1
Archives: 0 Packed: 0
Folders: 0 Files: 1
Suspicious: 0 Warnings: 0

 

[steamwiz]

Two ways to get rid of this

1. Follow the instructions here :-

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.jeem.html

2. download a trial for an Anti-Trojan, you can find several here :-

http://www.wilders.org/anti_trojans.htm

Any of these will get rid of it for you

steam

 

[electricpete]

I downloaded trojanchecker.... but it seemed that some of the vital instructions were in German, so I was afraid to run it.

Then I followed the instructions at symantec for deleting the offending entries with regedit. That appears to have solved the problem.

Thanks to everyone and especially steamwiz for your help.

I never would have fixed it on my own.

 

[electricpete]

For completeness, I should mention that I ran spybot and deleted those other items identified in my hijackthis log as suggested above. Nothing corrected the problem until I used regedit.