Shell possibly compromised

Discussion in 'Malware Help (A Specialist Will Reply)' started by RayJay, May 20, 2005.

  1. RayJay

    RayJay Private E-2

    Hey fellas,

    Ad-Aware reports the explorer.exe shell may possibly be compromised. I've not yet fixed it because, in my opinion, whether or not to fix it requires an expert opinion. My HijackThis log also shows "shell=explorer.exe, msmsgs.exe" (messenger, but not truly, possible hijack!). I've not yet posted this log, since I'll only post it if you guys require me to.

    Besides this, I've done some online scans that show multiple baddies (unlike a fully updated Norton virus scanner). I've saved the logs of these as well, just gimme a green light to post and I'll do so!

    Thanx in advance,
    Ray
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let me start off by saying "Thank You" for following the guidelines, many do not.:)

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. RayJay

    RayJay Private E-2

    I've only left eMule open, since it needs time to build up download speed and shutting it down will make me gather that all over again. Furthermore, as I said, you can see the first "F2", compromised by (?) msmsgs.exe. Besides what you may find in this log, I frequently experience CPU usage without any reason. Looking in my Task Manager, two system processes pop up: Lucoms~2.exe (normally an update for Norton; also malware) & aupdate.exe! CPU usage is not bothering me since it's not a lot, but you can see the little sand thingy (dunno what the word is in English) beside my cursor, as if some program is trying to access the web and my firewalls block it... I'm personally having doubts about both "F2" entries and the "O3" entry; C:\WINDOWS\System32\msdxm.ocx (radio, audio thingy as I've been told, not sure though). Coincidentally, this log may not show the two processes popping up randomly, since they also close down themselves after a few seconds..., so do not let this fool ya, hehe

    Good luck & many many thanx in advance,
    Ray
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that your Operating System is WAY outdated. This is a major security risk and should be updated ASAP. After we get your system cleaned up you need to surf into Windows Update and get updated.

    C:\Program Files\Internet Explorer\IEXPLORE.EXE <-- You must close ALL browsers while running HJT!


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O9 - Extra button: Microsoft AntiSpyware helper - {5D9DEE7F-CDFB-4886-A9B0-8C3548F9E6FD} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5D9DEE7F-CDFB-4886-A9B0-8C3548F9E6FD} - (no file) (HKCU)

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netox.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you have completed ALL of the above REBOOT, Scan with HijackThis and attach the new log.
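    The five entries the post above tells the poster to fix share recognizable patterns: a system.ini Shell= line naming anything besides explorer.exe, a Run entry for the leftover KernelFaultCheck dump, browser buttons whose target is "(no file)", and a service with an unknown owner, a garbage name and a missing binary. As an added example (not from the thread and not HijackThis code), here is a small Python triage that applies those patterns to HJT 1.99-style log lines. The log text is constructed: the flagged lines are copied from the post, the two "clean" lines are made-up baselines, and the severity labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis 1.99 log format. The flagged lines are the
# ones named in the thread; the "ExampleUpdater" and "Example Scheduler" lines
# are made-up clean baselines so the rules have something to ignore.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /quiet
O9 - Extra button: Microsoft AntiSpyware helper - {5D9DEE7F-CDFB-4886-A9B0-8C3548F9E6FD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5D9DEE7F-CDFB-4886-A9B0-8C3548F9E6FD} - (no file) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netox.exe (file missing)
O23 - Service: Example Scheduler (ExampleSched) - Example Corp - C:\Program Files\Example\sched.exe
"""


@dataclass
class Finding:
    kind: str       # HJT line type, e.g. "F2", "O23"
    severity: str   # "high" or "low" (my own labels, not HJT's)
    reason: str
    raw: str


SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - ")
# Display name is greedy so "(RPC)" inside it is kept; the short name is the
# last parenthesised group before " - owner - path".
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]*)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would tell the poster to fix, with the reason."""
    findings: List[Finding] = []
    for raw in (line.strip() for line in log_text.splitlines()):
        if not raw:
            continue

        m = SHELL_RE.match(raw)
        if m:
            # The shell line should name exactly one program: explorer.exe.
            # Anything else listed after it is launched at every logon.
            progs = [p.lower() for p in re.split(r"[,\s]+", m["shell"]) if p]
            extra = [p for p in progs if p != "explorer.exe"]
            if extra:
                findings.append(Finding("F2", "high",
                    f"extra program(s) launched with the shell: {', '.join(extra)}", raw))
            continue

        m = RUN_RE.match(raw)
        if m:
            # dumprep 0 -k is the XP kernel-fault dump leftover: harmless, but
            # removable, which is why HJT helpers routinely tick it.
            if m["name"] == "KernelFaultCheck" and "dumprep" in m["cmd"].lower():
                findings.append(Finding("O4", "low",
                    "leftover kernel-fault dump entry; harmless but removable", raw))
            continue

        if O9_RE.match(raw) and "(no file)" in raw:
            findings.append(Finding("O9", "low",
                "browser button/menu item whose target file is gone (orphan)", raw))
            continue

        m = SERVICE_RE.match(raw)
        if m:
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("binary missing on disk")
            if m["owner"].lower() == "unknown owner":
                reasons.append("no publisher/owner")
            name = m["name"].strip()
            if not name.isascii() or not name.isprintable():
                reasons.append("garbage (non-ASCII) service name")
            if reasons:
                findings.append(Finding("O23", "high", "; ".join(reasons), raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:>4}] {f.kind}: {f.reason}\n        {f.raw}")
```

    Run against the constructed log this flags exactly the five lines the post lists and leaves the two baseline lines alone. The rules are deliberately narrow; the point is that a Shell= value with more than one executable, or a service whose binary is already gone from disk, is a persistence entry and not something to leave "for an expert opinion".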
     
  5. RayJay

    RayJay Private E-2

    "The first thing I notice is that your Operating System is WAY out dated. This is a major security risk and should be updated ASAP. After we get your system cleaned up you need to surf in to Windows Updates and get updated"

    Yup, you're absolutely right (of course, lol). To be honest, I've been supplied with dozens of different PCs the last few years, since my father is a desktop publisher and he sends me the equipment he doesn't require anymore. Besides, I live in a student home and many of my friends (not very bright about PCs) use this one. It's always been like this, but malware/spyware/hijacking etc. has never been this fierce and therefore I'm now definitely looking to buy my own PC that I, of course, will fully upgrade, unlike now, when I couldn't be bothered (if ya catch my drift).

    The new log is attached and I didn't kill the popuper.exe and intmonp.exe processes on purpose, so that you could see for yourself. Evidently these are baddies. Hope you can further help me out, appreciate the effort and time spent on my tiny problems!

    Ray
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\popuper.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\intmonp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now, allow Killbox to reboot your system. After you have rebooted post a fresh HJT log.
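    The post above does not say how Killbox's "Delete on Reboot" works. The standard Windows mechanism for a deferred delete is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the job as (source, destination) string pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; an empty destination means delete, a destination prefixed with "!" means replace. I assume that is what Killbox does. As an added example (not Killbox's code and not from the thread), this Python block encodes and decodes that value format and shows what queuing the two files above produces. The paths are the two from the post; the bytes are constructed here, not read from a real registry.

```python
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"                   # NT-style path prefix used inside the value
Op = Tuple[str, str, Optional[str]]   # (action, source path, destination path)


def encode_multi_sz(strings: List[str]) -> bytes:
    """Encode a REG_MULTI_SZ: each string NUL-terminated, then one extra NUL,
    all in UTF-16-LE as the registry stores it."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz.

    Empty strings are significant here (an empty destination means 'delete'),
    so we must NOT strip every trailing NUL: drop only the single list
    terminator, split on the per-string NULs, and discard the empty tail that
    follows the last string's own NUL."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ is not NUL-terminated")
    parts = text[:-1].split("\0")
    return parts[:-1]


def _to_win(nt_path: str) -> str:
    """Turn '\\??\\C:\\x' into 'C:\\x'; leave anything else untouched."""
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def parse_pending_ops(entries: List[str]) -> List[Op]:
    """Interpret the decoded strings as (source, destination) pairs."""
    if len(entries) % 2:
        raise ValueError(f"odd number of entries ({len(entries)}); value is corrupt")
    ops: List[Op] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src_win = _to_win(src)
        if dst == "":
            ops.append(("delete", src_win, None))
        elif dst.startswith("!"):                 # MOVEFILE_REPLACE_EXISTING marker
            ops.append(("replace", src_win, _to_win(dst[1:])))
        else:
            ops.append(("rename", src_win, _to_win(dst)))
    return ops


def queue_delete_on_reboot(entries: List[str], win_path: str) -> List[str]:
    """What a 'Delete on Reboot' button appends: NT-form source, empty destination."""
    return entries + [NT_PREFIX + win_path, ""]


def killbox_demo() -> List[Op]:
    # Constructed: the two files the post queues, in the order it queues them.
    entries: List[str] = []
    entries = queue_delete_on_reboot(entries, r"C:\WINDOWS\popuper.exe")
    entries = queue_delete_on_reboot(entries, r"C:\WINDOWS\System32\intmonp.exe")
    blob = encode_multi_sz(entries)             # bytes as they would sit in the registry
    return parse_pending_ops(decode_multi_sz(blob))


if __name__ == "__main__":
    for action, src, dst in killbox_demo():
        print(action, src, "->", dst)
```

    On a live box you can inspect the queue before rebooting with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`; Session Manager performs the operations early in the next boot, before the malware can hold the files open, which is the whole reason for the reboot step. The decoder above is also the trap to avoid when writing your own: stripping all trailing NULs silently eats the last empty destination and turns a delete into a corrupt odd-length list. Note too that a name like lucoms~2.exe later in this thread is an 8.3 short name; `dir /x` in that directory shows which long filename it maps to.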
     
  7. RayJay

    RayJay Private E-2

    Dude you're amazingly quick with your responses, i can hardly keep up, :D

    As you can see, the Killbox worked. However, to bother you further:
    I play "Guild Wars" a lot, an online RPG. The slightest congestion makes it exit the current game, with no save option at all (by nature of the game). As you can guess, this is happening a lot today and this is most definitely due to "lucoms~2.exe" and "aupdate.exe" both popping up as system processes sporadically and causing the game to exit, probably due to internet congestion (dunno whether that's the right word?). This is most likely the last thing I ask of you, thanx a bunch

    Ray

    P.S. I was not able to make a screeny of the processes, you'll have to trust me on this one!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The file aupdate.exe is part of Automatic LiveUpdate for Symantec Products.

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System\lucoms~2.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system. After you have rebooted, run the below online scans as this is part of a WORM.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you have completed all of the above, reboot and let me know how things are running.
     
  9. RayJay

    RayJay Private E-2

    Hey,

    First of all, C:\WINDOWS\System\lucoms~2.exe cannot be found (even with viewing all files enabled). Still it pops up as a process in my Task Manager. Secondly, aupdate.exe is indeed a valid Norton file; however, it constantly pops up when lucoms~2.exe does and jointly they cause my system CPU usage to increase a bit and my internet game to stop. Maybe aupdate is compromised? I also cannot update Norton anymore; it gives me an error message that it couldn't retrieve information or files. I have done all online scans and put the log files as attachments; if you want I can also tell you what malware they found... TrojanScan found nothing and I've uploaded a .txt file to show you what the others found

    Ray
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run Killbox as per my previous request?

    Killbox this file and it most likely will go away.

    Try it again and let me know!
     
  11. RayJay

    RayJay Private E-2

    Maybe I was a bit unclear. When I said the file cannot be found, I really mean it cannot be found, thus not Killboxed either! Though the "tilde" in the name "lucoms~2" may represent the following entire filename: "lucomserver_2_6.exe", which is a Norton update file. In any event, I could not Killbox it!

    Thanx,
    Ray

    P.S. Did you read the attachment of my last post, or is this not your area? I'd understand.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

