
Please Help! I can't solve my problems... (wmiprvse, msmsgs, MediaPlex, Avenue Inc.)


PIRATA!
Feb 15, 2005, 07:58 AM
Hi to everyone.
I think I have a serious problem here.
My machine is based on WinXP Pro @ SP2 w/ Firewall ON, I use Symantec Norton 2005 antivirus w/ Internet Worm Protection OFF, and I scan for spyware with SpyBot S&D 1.31XT.
I get strange lockups of some apps like IExplorer or eDonkey2000 after using them for a while.

I don't know if this is correct or not, but I have wmiprvse.exe (located in C:\WINDOWS\system32\wbem\.. ) and msmsgs.exe (located in C:\Program Files\Messenger\.. ) that might be wrong.
I say this because msmsgs.exe always starts up with Windows even though it is NOT in my msconfig startup list and I have MSN Messenger set NOT to load when Windows starts, and wmiprvse.exe is always located under the same svchost.exe, which, if terminated, brings up the automatic countdown to Windows shutdown (like the old Sasser problem).
Now... I think that the svchost.exe in question is some kind of MS patch for ruling out the old Sasser problem, but I just don't understand why the two files wmiprvse.exe and msmsgs.exe are related to that particular svchost.exe.

Now here are two screenshots of Process Explorer, taken at startup (first pic) and after a while when I had several IExplorer pages open, Outlook open, and was composing an email in the Outlook composer (based on WINWORD).

http://img104.exs.cx/img104/7797/pe14ws.th.jpg (http://img104.exs.cx/my.php?loc=img104&image=pe14ws.jpg)
(save to disk for better resolution)

http://img104.exs.cx/img104/4805/pe21sc.th.jpg (http://img104.exs.cx/my.php?loc=img104&image=pe21sc.jpg)
(save to disk for better resolution)


I have run some SpyBot S&D scans since I first had these lockups and I found several spywares that are now completely gone.
The only two that I just can't remove for good are the MediaPlex and Avenue A, Inc. spywares, which keep reappearing in the Spybot S&D scan list after a while.
Here is a shot of the scan:

http://img196.exs.cx/img196/9148/sb12jr.th.jpg (http://img196.exs.cx/my.php?loc=img196&image=sb12jr.jpg)
(save to disk for better resolution)

I thought maybe this could be related to some open ports I have in Windows or in my router, so I downloaded Windows Worms Doors Cleaner (http://www.firewallleaktester.com/wwdc.htm), took a look at it, and found the following ports open. Is this part of the cause of my problems?

http://img200.exs.cx/img200/738/wwdc10at.th.jpg (http://img200.exs.cx/my.php?loc=img200&image=wwdc10at.jpg)
(save to disk for better resolution)


(end of first part of message)

PIRATA!
Feb 15, 2005, 07:58 AM
(second part of message)


I have made a HijackThis log and compared it on the online analyser at HijackThis log file analysis (http://www.hijackthis.de/en), and everything seems correct except for a few things that seem to be Possibly nasty, but I don't really know if they are really bad or not.

Here is my HijackThis log:

------
Logfile of HijackThis v1.99.0
Scan saved at 1:22:51 PM, on 15/Feb/05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programmi\System Programs\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Programmi\System Programs\Norton AntiVirus\navapsvc.exe
D:\Programmi\System Programs\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programmi\System Programs\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://umail.rules.it/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Text Programs\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programmi\Download Programs\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programmi\System Programs\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programmi\Text Programs\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programmi\System Programs\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programmi\System Programs\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programmi\Text Programs\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\TEXTPR~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Programmi\Network Programs\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Programmi\Network Programs\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programmi\Chat Programs\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programmi\Chat Programs\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79949E38-97F3-4547-95B5-B0214F2D5BD0}: NameServer = 10.0.0.138
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Programmi\System Programs\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - D:\Programmi\System Programs\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - D:\Programmi\System Programs\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service - SiSoftware - D:\Programmi\System Programs\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - D:\Programmi\System Programs\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Programmi\System Programs\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
------

And here is the short analysis of the Possibly nasty entries:

------
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://umail.rules.it/ - Possibly nasty

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Programmi\Network Programs\VisualRoute\vrie.dll - Possibly nasty

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Programmi\Network Programs\VisualRoute\vrie.dll - Possibly nasty

O17 - HKLM\System\CCS\Services\Tcpip\..\{79949E38-97F3-4547-95B5-B0214F2D5BD0}: NameServer = 10.0.0.138 - Possibly nasty
------

In the first entry there is my default web page, which is a redirect URL to my online webmail.

The second and third are about a piece of software that I use to trace IPs.

In the fourth and last entry there is my router's private IP, but I don't understand why this could be possibly nasty.


Please Help!
Thank you all.
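The following is an added example, not code from the thread, from HijackThis or from the online analyser. It automates the triage that the two posts above do by hand: each line of the "Running processes" list is checked against the default folder of that system binary (wmiprvse.exe and msmsgs.exe live in the folders the first post names, so a copy anywhere else is what to look for), autorun entries with no directory are flagged, services whose vendor shows as "Unknown" are flagged, and every O17 NameServer is flagged unless it falls in the RFC 1918, loopback or link-local ranges, which is the check the analyser approximates when it marks the router address 10.0.0.138 as "Possibly nasty". The sample log is constructed from lines of the posted log plus two constructed lines so the checks have something to fire on (a svchost.exe in C:\WINDOWS and a second O17 entry with an address outside the LAN); the expected-folder table assumes XP defaults on drive C:.

```python
"""Triage a HijackThis log: flag the entries a responder looks at first."""
import ipaddress
import ntpath
import re
from typing import List, Tuple
from urllib.parse import urlparse

Finding = Tuple[str, str]  # (kind, detail)

# Default XP-era folders of the system binaries named in the thread (assumption:
# Windows on C:). One of these names running from anywhere else is a masquerade.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32", "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "wmiprvse.exe": r"c:\windows\system32\wbem", "wmiapsrv.exe": r"c:\windows\system32\wbem",
    "msmsgs.exe": r"c:\program files\messenger",
}
# RFC 1918 plus loopback and link-local: a home router's address lands in here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def check_process(path: str) -> List[Finding]:
    """Flag a known system binary that runs from a folder other than its default."""
    name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    expected = EXPECTED_DIRS.get(name)
    if expected and folder != expected:
        return [("masquerade", f"{name} runs from {folder}, expected {expected}")]
    return []

def check_o4(rest: str) -> List[Finding]:
    """Run-key autoruns: a bare file name is resolved through the PATH search order."""
    m = re.match(r"HK(?:LM|CU)\\\.\.\s?\\Run(?:Once)?:\s*\[(.+?)\]\s*(.*)", rest)
    if not m:
        return []
    label, cmd = m.group(1), m.group(2).strip()
    image = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if not ntpath.dirname(image):
        return [("autorun-unqualified", f"[{label}] {image} has no directory")]
    return check_process(image)

def check_o16(rest: str) -> List[Finding]:
    """ActiveX download controls: report the host each one was fetched from."""
    m = re.search(r"\((.+?)\)\s*-\s*(https?://\S+)$", rest)
    return [("activex-download", f"{m.group(1)} from {urlparse(m.group(2)).hostname}")] if m else []

def check_o17(rest: str) -> List[Finding]:
    """Per-interface DNS servers: anything outside the LAN ranges is worth a look."""
    m = re.search(r"NameServer\s*=\s*(.+)$", rest)
    if not m:
        return []
    out: List[Finding] = []
    for ip in re.split(r"[,\s]+", m.group(1).strip()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            out.append(("dns-unparseable", ip))
            continue
        if not any(addr in net for net in LOCAL_NETS):
            out.append(("dns-public-resolver", f"NameServer {ip} is outside the LAN"))
    return out

def check_o23(rest: str) -> List[Finding]:
    """Services whose file carries no vendor name in its version info."""
    parts = rest.rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    svc, vendor, path = parts
    return [("service-unknown-vendor", f"{svc[9:]} -> {path}")] if vendor == "Unknown" else []

HANDLERS = {"O4": check_o4, "O16": check_o16, "O17": check_o17, "O23": check_o23}
ENTRY_RE = re.compile(r"^([RFO]\d+)\s*-\s*(.*)$")

def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    in_procs = False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line:
                in_procs = False          # blank line closes the process list
            else:
                findings += check_process(line)
        else:
            m = ENTRY_RE.match(line)
            if m and m.group(1) in HANDLERS:
                findings += HANDLERS[m.group(1)](m.group(2))
    return findings

# Constructed sample: lines from the posted log, plus two constructed lines
# (C:\WINDOWS\svchost.exe and the second O17 entry) that the checks should catch.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://umail.rules.it/
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79949E38-97F3-4547-95B5-B0214F2D5BD0}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 198.51.100.53
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Run against the posted log itself, the script reports nothing for the 10.0.0.138 NameServer (it is an RFC 1918 address, so the analyser's "Possibly nasty" flag there is the generic warning it puts on every O17 line) and nothing for the process list, where wmiapsrv.exe sits in the expected wbem folder; what it does list is the Logitech autorun with no directory and the two services with no vendor name, which are the entries worth confirming by hand (file properties, vendor, install date). Several svchost.exe lines in the process list are normal; the folder, not the count, is what matters.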

fredg
Feb 15, 2005, 10:39 AM
Hi,
The very best program for stopping this junk from getting into a computer is called Spyware Blaster, and it's free.
You don't have to scan with it; just keep it updated, and it will protect your computer.

Try it out at:

http://www.download.com/SpywareBlaster/3000-8022_4-10305680.html?tag=lst-0-2

I haven't had ANY problems since installing this gem a couple of months ago.
Also, run AdAware and Spybot in Safe Mode... as well as your Antivirus Program scan; it is much, much more effective.
Best wishes,
fredg

psi42
Feb 15, 2005, 05:57 PM
Looks like you have some windows SMB file/printer sharing services running. But if you are behind a hardware firewall, these shouldn't be visible to the world.

Get a portscan from:
https://www.grc.com/x/ne.dll?bh0bkyd2
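An added example, not code from psi42's post or from the page, of the check the ShieldsUP link performs: a plain TCP connect against the ports that Windows file and printer sharing and the RPC endpoint mapper listen on, classifying each as open, closed (the host answered with a reset) or filtered (no answer at all, which is what ShieldsUP reports as "Stealth"). It assumes a Python 3 host with a working loopback interface for the offline self-check; to learn anything about the router it has to be run from a machine outside the home LAN against the public address.

```python
"""Connect-scan the Windows sharing ports and classify each as open, closed or filtered."""
import socket
from typing import Dict, Iterable

# Ports that Windows file and printer sharing (plus the RPC endpoint mapper) listen on.
SHARING_PORTS = {135: "RPC endpoint mapper",
                 139: "NetBIOS session (SMB over NetBIOS)",
                 445: "SMB over TCP"}

def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Return {port: "open" | "closed" | "filtered"} from a plain TCP connect.

    closed   -> the host answered with RST: nothing listening, but the host is reachable
    filtered -> no answer before the timeout: a firewall dropped the SYN ("Stealth")
    """
    results: Dict[int, str] = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"
        except socket.timeout:      # must precede OSError: timeout is a subclass of it
            results[port] = "filtered"
        except OSError:             # ECONNREFUSED and similar
            results[port] = "closed"
        finally:
            sock.close()
    return results

def exposed_sharing_ports(host: str, timeout: float = 1.0) -> Dict[int, str]:
    """The sharing ports that accept connections from this vantage point."""
    states = scan(host, SHARING_PORTS, timeout)
    return {p: SHARING_PORTS[p] for p, state in states.items() if state == "open"}

def loopback_demo() -> Dict[str, str]:
    """Offline self-check: one listening loopback port and one nothing is bound to."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]   # free again once probe is closed
    probe.close()
    try:
        states = scan("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return {"listening": states[open_port], "nothing-bound": states[closed_port]}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in scan(target, SHARING_PORTS).items():
        print(f"{target}:{port:<4} {state:8} {SHARING_PORTS[port]}")
```

From inside the LAN all three ports will normally show open on a machine with file sharing enabled, which is expected; from outside, "filtered" on every one is the result the router should give and matches the all-Stealth ShieldsUP result. A "closed" result from outside is still acceptable (nothing is listening) but shows the router is answering for the host rather than dropping the probe.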

PIRATA!
Feb 16, 2005, 12:27 PM
fredg... thank you very much.
I have already done everything you told me.
Now I just hope to be secure.
The only thing I haven't done is the virus scan.
I'll do it asap.

psi42... I have file and printer sharing because I am on a home LAN.
How can I secure this on my machine?

I have run the Common Ports scan and it's all Stealth.
What does this mean?

Thank you all.

PIRATA!
Feb 17, 2005, 05:23 PM
fredg? psi42?!