Malwarebytes

Business Workstation Needs Help

4 replies to this topic

#1
AngerSaxon

Hello,

Outlook Express is freezing on us anytime we try to take any action. That is, we can open the program and it appears fine but if, for example, we try to send/receive messages it freezes. It is installed as Internet Mail Only. It is part of MS Office 2000 running on a Windows 2000 platform. Now, apparently the boss's son was browsing for porno (no joke) and the computer contracted some kind of virus. I think the two events (Outlook freezing and the porno virus) are related. Thank you for your help and time. Please note, however, that tomorrow is a normal business day, and although I am posting now, I will not be able to try any suggestions until after 5 PM EST tomorrow evening. Bear with me as it is a complicated situation compounded by my lack of finesse in all matters Outlook Express.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.15
Database version: 833

2:31:02 AM 6/6/2008
mbam-log-6-6-2008 (02-31-02).txt

Scan type: Quick Scan
Objects scanned: 53613
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 49

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Bug Doctor (Rogue.BugDoctor) -> Quarantined and deleted successfully.
C:\WINNT\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Bug Doctor\FixedOnSundayOctober012006091631.xml (Rogue.BugDoctor) -> Quarantined and deleted successfully.
C:\WINNT\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\vbsys2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Suzanne Hall\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

ESET log to follow.

#2
AngerSaxon

ESET scan results:

Win32/Adware.WBug.A application
F:\Suzannes backup\Documents and Settings\Suzanne Hall\My Documents\Install_AIM.exe>>WISE>>WxBug.EXE>>WISE>>MiniBugTransporter.dll

Win32/Adware.WBug.A application
F:\Suzannes backup\Documents and Settings\Suzanne Hall\My Documents\Install_AIM.exe>>WISE>>WxBug.EXE

Win32/Adware.WBug.A application
F:\Suzannes backup\Documents and Settings\Suzanne Hall\My Documents\Install_AIM.exe

Win32/Adware.PlayMP3Z application
C:\Documents and Settings\Suzanne Hall\Local Settings\Application Data\Mozilla\Firefox\Profiles\12qp6z1f.default\Cache\EEA4540Ed01

#3
AngerSaxon

Finally here is the Hijack This log. Thanks again for all your help and hard work!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:00 AM, on 6/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgamsvr.exe
C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgupsvc.exe
C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgemc.exe
C:\Program Files\EMSI\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\WINNT\system32\wfxsnt40.exe
C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Remote\Nodesys\rwkernel.exe
C:\Program Files\Remote\nodesys\RWCTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgw.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Documents and Settings\Suzanne Hall\Desktop\hiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\!COMPU~1\SPYBOT~1.4(0\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [fxgarzvh] C:\WINNT\system32\dstmxajy.exe
O4 - HKCU\..\Run: [gzlcasoo] C:\WINNT\system32\qpibmxet.exe
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKLM\..\Policies\Explorer\Run: [Ruya48VUsO] C:\Documents and Settings\All Users\Application Data\dorcfkdw\jcdyzkta.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Client Communications.lnk = C:\Program Files\Remote\Nodesys\rwkernel.exe
O4 - Global Startup: Examination Management Services, Inc. EMSI VPN Client.lnk = C:\Program Files\EMSI\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasecurity.com
O16 - DPF: Documentum Content Transfer 5.2.5 SP - https://echo.emsinet.com:8443/echo/wdk/cont...ContentXfer.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142869553640
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMSI\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 8314 bytes

#4
JeanInMontana

Hi AngerSaxon and welcome to Malwarebytes. Wow, an impressive amount of nastiness has been removed, and some dating back two years. This system is very outdated. Adobe is 4 versions behind, please uninstall it and get the latest version 8. Also your Java is a known security risk version. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/...loads/index.jsp and install the correct version for your system. Choose the offline installation. You have HJT on the desktop, please move it to Program Files and its own folder.

Run HJT again in scan only mode and put a check next to these items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide

Now go to Add/Remove programs in the control panel and look for PC-Cleaner. Uninstall it if it's there. Reboot the machine, update MBAM and run another quick scan. Post that log and a new HJT log back into this thread please.
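For anyone reading this thread to learn how a helper picks entries out of a HijackThis log, here is a small triage script. It is an added example, not the helper's or HijackThis's own logic: it parses the R1/O3/O4 line formats shown in the log above (the sample lines are copied from that log) and applies the same kinds of checks the reply relies on (blanked search settings, toolbar entries with no file, autoruns from unusual locations, the PC-Cleaner rogue). The rules and the ROGUE_NAMES list are this example's own assumptions.

```python
import re

# Sample constructed from lines of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [fxgarzvh] C:\WINNT\system32\dstmxajy.exe
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKLM\..\Policies\Explorer\Run: [Ruya48VUsO] C:\Documents and Settings\All Users\Application Data\dorcfkdw\jcdyzkta.exe
"""

# "O4 - <body>": every HJT entry starts with a letter+number kind tag.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry-based O4 body: "<hive>\<key>: [<name>] <command>" (Global Startup lines do not match).
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Names this thread itself identified as rogue software (Rogue.BugDoctor in the MBAM log,
# PC-Cleaner in the reply). Assumption of the example: a real list would be much longer.
ROGUE_NAMES = {"pc-cleaner", "bug doctor"}

def parse(log):
    """Yield (kind, body) for each HijackThis entry line, skipping header/footer text."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def triage(log):
    """Return [(kind, reason, body)] for entries a helper would ask the poster to fix."""
    hits = []
    for kind, body in parse(log):
        low = body.lower()
        if kind == "R1" and low.endswith("= about:blank"):
            hits.append((kind, "search setting blanked (hijack leftover)", body))
        elif kind == "O3" and low.endswith("(no file)"):
            hits.append((kind, "orphaned toolbar entry, target missing", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd").lower()
            if any(name in cmd for name in ROGUE_NAMES):
                hits.append((kind, "known rogue utility", body))
            elif "policies\\explorer\\run" in m.group("key").lower():
                hits.append((kind, "autorun via Policies\\Explorer\\Run (rarely legitimate)", body))
            elif m.group("hive") == "HKCU" and "\\system32\\" in cmd:
                hits.append((kind, "per-user autorun of a system32 executable", body))
            elif "\\application data\\" in cmd and cmd.endswith(".exe"):
                hits.append((kind, "executable launched from Application Data", body))
    return hits

if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

The WinVNC and Google Toolbar lines pass untouched, which matches the reply: the helper only asked for the blanked search pages, the file-less toolbar and PC-Cleaner to be checked.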



#5
JeanInMontana

Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
