
Registered · 98 Posts · Discussion Starter · #1
Logfile of HijackThis v1.99.1
Scan saved at 1:51:01 PM, on 7/19/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\EASYACC\CPQBZL.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\COMPAQ\EASYACC\OSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CPQTAPI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adams.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [CPQEASYACC] C:\Compaq\EasyAcc\cpqbzl.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 

Registered · 98 Posts · Discussion Starter · #3
The computer just starts opening things (like the taskbar), moves the icons around, if I'm on the internet knocks me off the page -- it doesn't send me anywhere else on the internet, the page will be gone.

When I touch the mouse the computer goes crazy, but it's sporadic. I can use the mouse for a couple minutes no problem then all of a sudden I'll move it and it'll start opening things on its own for several seconds.

I am running another full scan on my computer with AVAST free antivirus. I have ME on a Compaq Pentium.

Just before the AVAST scan I did another Ad-Aware scan and it found some cookie tracking, which it quarantined, but the problem was not solved.

thanks
 

Retired Moderator · 84,301 Posts
I don't see anything in the log that would cause it.

Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
 

Registered · 98 Posts · Discussion Starter · #7
I appreciate your help. I ran some online scanner, CA, it found nothing. I have AVAST on the computer, I don't know if that would cause it not to find anything.

I tried running Panda before and it didn't seem to help, but can try again.

When I tried to download the Kaspersky trial version it said to uninstall other antivirus programs - I really didn't want to uninstall AVAST knowing how difficult it is for me to install something on this computer.

Please advise about whether I need to get rid of AVAST before doing Panda. I can barely do anything now without the computer knocking me off here or wherever I am or whenever I'm on the computer.
 

Retired Moderator · 84,301 Posts
Actually......do this instead:

Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!

Click here for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy and paste WinPFind.txt in your next post here please.
 

Registered · 98 Posts · Discussion Starter · #9
I tried this, but when I went to look at the winfind on my desktop I couldn't open it, I didn't have the proper whatever to open.

Before I got back to your message I scanned the computer with what I thought was a free program, but found after I went through the scan - it charges to eliminate the virus.

It found 2 trojan 2 cookies & 1 keylogger. Windows System\ESSDC.EX
Software\microsoft\windows\currentversionrun\essdc

I eliminated the tempfile that something else was in.

Is there a way to fix something with this information? Thanks
 

Registered · 98 Posts · Discussion Starter · #10
I relooked at my notes. Could I eliminate my problem with the information I have??
Trojan/CWS combo Type: Registry -- the object is Software/microsoft/windows/current versionrun\essdc

The other is the same except: Type: file
C:\WINDOWS\SYSTEM\ESSDC.EX

Eliminating that Temp file (nothing was in) seemed to get rid of the DirSpy2.8, which I think it said was a keylogger.

I will leave it in safe mode until I figure out what to do next. Going to breakfast.

Thanks.
 

Registered · 98 Posts · Discussion Starter · #12
I will do that.

While in safe mode I did another scan with Ad-aware; it said I had 11 MRUs and 5 cookies (like data miner), so I quarantined them, the critical objects. The problem is still there. Now I'm having trouble even getting the computer to function right let alone jumping all over the place. But I'll get it as soon as I start it. I'm on someone else's computer right now.

Thanks. I'll check back after I do that.
 

Registered · 98 Posts · Discussion Starter · #13
I just did it. It said: the file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware prohibiting you from uploading this file.

Is there a way to get rid of it??
 

Registered · 98 Posts · Discussion Starter · #15
I deleted and it's in the recycle box. Things are the same. I was going to get rid of the other one that I checked with Jotti & it said there were 0 bytes and etc. It was software\microsoft\windows\currentversionrun\essdc

I can't find it to delete it.

Thank you for any help.
 

Registered · 98 Posts · Discussion Starter · #17
I have a problem. I don't have something on my computer that unzips stuff. That was the problem I had with winfind. I tried to have it opened on another computer. I downloaded it to mine then copied to a floppy then over to another computer, unzipped then to the floppy and then back to mine and it still wouldn't load.

I'll have to see if someone can download the one you suggest & maybe save it directly to a disk already unzipped and then get the floppy to me. I'll see if I can't find someone to do that for me.
 

Registered · 98 Posts · Discussion Starter · #19
This is what it came up with -
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "essdc" 7/22/2006 3:22:43 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Essdc"="essdc.exe"

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="ESSDC.EX"
-
 

Retired Moderator · 84,301 Posts
The thing is......essdc.exe is a legit item. It's part of a soundcard.
So this has me wondering whether the detection is a possible false positive.
Did it come up as C:\WINDOWS\SYSTEM\ESSDC.EX in the scan? or C:\WINDOWS\SYSTEM\ESSDC.EXE?

It found 2 trojan 2 cookies & 1 keylogger. Windows System\ESSDC.EX
Software\microsoft\windows\currentversionrun\essdc
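
Added example (not part of the thread, and not code from any tool mentioned in it): a Python triage of the ESSDC.EX versus ESSDC.EXE question above, run over lines copied from the HijackThis log and the RegSrch output earlier on this page. The function names are made up for this example, and matching on the exact file name is an assumption about how the comparison should be done.

```python
import re

# Sample input: lines copied from the HijackThis log and RegSrch export in this thread.
HJT_LOG = r"""O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE"""

REG_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Essdc"="essdc.exe"

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="ESSDC.EX"
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(log):
    """Return the autostart (O4) lines of a HijackThis log as dicts."""
    return [m.groupdict() for line in log.splitlines() if (m := O4_RE.match(line.strip()))]

def parse_reg(text):
    """Parse a REGEDIT4 export into (key, value_name, data) tuples."""
    rows, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^"([^"]*)"="(.*)"$', line)):
            rows.append((key, m.group(1), m.group(2)))
    return rows

def basename(cmd):
    """Lower-cased file name of the program a command line starts (switches dropped)."""
    return cmd.split(" /")[0].rsplit("\\", 1)[-1].strip('"').lower()

def triage(reported_path, log, reg):
    """Check whether a scanner-reported file is what the autostart entries launch."""
    target = basename(reported_path)
    autoruns = [e for e in parse_o4(log) if basename(e["cmd"]) == target]
    hits = [(k, n) for k, n, d in parse_reg(reg) if basename(d) == target]
    return {
        "reported": target,
        "launched_at_startup": bool(autoruns),
        # Last key component shows whether the hit is an autostart key or a history (MRU) list.
        "registry_hits": [(k.rsplit("\\", 1)[-1], n) for k, n in hits],
    }
```

With this input, `ESSDC.EX` matches only the `FilesNamedMRU` value, while `ESSDC.EXE` matches the `Run` autostart entry.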
 