
Thread: Major Problem - browser hijacked, cannot get rid of routing.exe, wserving.exe

  1. #11
    Join Date
    Oct 2008
    Posts
    17
    I did manage to download SDFix from my laptop and transfer it to my computer, but I can't restart my computer in safe mode! Every time it loads and lists the drivers, it gets as far as system32\drivers\mup.sys and crashes, then restarts.

    Don't know what to do.

  2. #12
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Post me a HijackThis startup list.
    Go into the Config option when you start HijackThis,
    then click on the Misc Tools button at the top.
    You will then click on the button labeled "Generate StartupList Log".
    Once you click that button, the program will automatically open up a Notepad window filled with the startup items from your computer. Copy and paste these entries into a message and submit it.

  3. #13
    Join Date
    Oct 2008
    Posts
    17
    StartupList report, 10/8/2008, 4:17:40 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
    Detected: Windows XP SP3 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WakeMeUp\WMUSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
    COMODO Firewall Pro = "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    WMUAgent.exe = C:\Program Files\WakeMeUp\WMUAgent.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    =

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [AdobeUpdater]
    =

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll C:\WINDOWS\system32\guard32.dll

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    HP Print Enhancer - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll - {0347C33E-8762-4905-BF09-768834316C61}
    (no name) - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll - {053F9267-DC04-4294-A72C-58F732D338C0}
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
    (no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL - {A057A204-BACC-4D26-9990-79A187E2698E}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    AppleSoftwareUpdate.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Windows Live Safety Center Base Module]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
    CODEBASE = http://cdn.scan.onecare.live.com/res...scbase5036.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://www.update.microsoft.com/wind...?1200362538812

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
    CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

    --------------------------------------------------
    End of report, 7,780 bytes
    Report generated in 0.032 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  4. #14
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Can I ask, when did you install the XP SP3 update?

    Also, do this: go to Start, Control Panel, Administrative Tools, Event Viewer and note any errors around the time you did the last safe boot.
    Another thing to try is to go into msconfig, see what is auto-starting, and remove all the check marks. Then shut down and try again to boot to safe mode and see if it proceeds; if it does, then it is hanging on one of the items in auto start.

  5. #15
    Join Date
    Oct 2008
    Posts
    17
    J, thanks again. Don't remember updating the service pack; could've been a while ago.

    I did go into msconfig and actually, after physically disconnecting my modem, unchecked the following startup items: AVG tray (antivirus), CFP (firewall), iTunesHelper (I'm not sure what that even does), msmsgs (which is apparently MSN Messenger, which I no longer even have installed), WMUAgent (Wake Me Up, an alarm clock, which is corrupted, and I can't uninstall it), and HP Digital Imaging.

    I guess one of these things was getting in the way of the safe mode startup, because it worked on the restart, at which point I did run SDFix exactly as you'd instructed. The report is here:


    SDFix: Version 1.233
    Run by Pat on Wed 10/08/2008 at 21:35

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :

    Name :
    tdssserv

    Path :
    \systemroot\system32\drivers\TDSSserv.sys

    tdssserv - Deleted



    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-08 21:45:14
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 7 Oct 2008 41,472 A..H. --- "C:\Program Files\WakeMeUp\DelSvc.exe"
    Tue 7 Oct 2008 43,008 A..H. --- "C:\Program Files\WakeMeUp\KillProc.exe"
    Sun 30 Mar 2008 95 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti35.tmp"
    Fri 14 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 25 Jun 2007 1,171 A..H. --- "C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy\EN6HYalzQ8i\JVgO92mRuBHmF.tmp"
    Mon 4 Feb 2008 1,193 A..H. --- "C:\Documents and Settings\Pat\Local Settings\Application Data\HYalzQ8iO\JVgO92mRuBHmF.tmp"

    Finished!

    -------------------------------

    I don't know what tdssserv is, and don't want to jinx anything, because I'm still a little worried what will happen when I forego the selective startup. Are any of those startup programmes responsible for any of this? Should I try enabling them one by one and run SDFix on each one like that? Or doesn't it work like that?

    But anyways, after rebooting this time my AVG antivirus was finally able to connect to the network and update its definitions, I tested out some links in Google and got no redirects, and I was finally able to download .exe files (including ATF-Cleaner and ComboFix) directly from the board here, which was all impossible before. There is also no rogue iexplore.exe popping up in my task manager as of yet, or any other strange shenanigans.

    Don't know if you have any further advice (aside from, obviously, getting used to my new firewall and anti-virus being mandatory; despite the slight processor slow down, I am definitely not doing this again EVER). Let me know what you think, if I'm not out of the woods yet, or anything else you would recommend to make sure we've got to the root of the problem.

    In any case, thanks so much again for all your time and help! You are amazing.

  6. #16
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    That tdssserv which was removed was the nasty one; it was the NtRootK-DR.

    I "believe" part of the problem was your new firewall and also that WakeMeUp program. Honestly, I have never heard of that before reading your log, and according to the SDFix log WakeMeUp has several hidden files, one of which for sure I would not want on my computer. That is KillProc.exe.
    KillProc.exe is related to spyware. Here is what I could find out about it:
    tracks user activity, logs all keystrokes, continuously takes screenshots, captures e-mails and online chat conversations. Gathered data is saved to a hard disk (meaning someplace remotely, not YOURS). The application is able to block certain Internet resources, software or computer functions and turn off a PC without notifying the user.

    May I ask, why did you install this WakeMeUp program in the first place?

    Did you purchase a license for it? It is NOT a free program, there is a TRIAL period of 15 days noted, meaning it must be purchased at the end of that time period in order for the program to continue to work properly.
    I have read the entire website for the company that produces this program and NOWHERE on that site are instructions for uninstall. This alone made me very suspicious. I have never heard of such a thing.

    OTHER things I found distressing, especially this from the outside website that handles the actual PURCHASE of this program:
    Will my personal data be passed on to third parties?
    We will only forward your personal data to our subsidiaries and associated companies directly involved in order processing, and to your contractual partner, the vendor of the product. These persons are legally and/or contractually obligated to use this data only for the purposes of examining and fulfilling contracts and providing technical support, if it is offered by the vendor. Use of the data beyond these parameters is not permitted.
    We assure you that your personal data will not be passed on to third parties, sold, or rented, unless we have received your express authorization to do so or are legally obligated to forward such data.
    Your payment information will be treated as strictly confidential and forwarded neither to third parties uninvolved in payment processing, nor to the vendor, unless we are legally obligated to do so.
    They do not say WHO would legally obligate them to share your personal and private information, like CREDIT CARD info or email address. Sorry, but I find this ALL very shady, including the program itself.
    You might contact the program manufacturer to see how to uninstall this; I don't know if that will work or not. Have you looked in C:\Program Files\WakeMeUp\ to see if there is an Uninstall listed there? Now that you can get to safe mode you might try that.

    For now leave everything except your AVG disabled in msconfig.

    Run the ATF-Cleaner.
    Update the MBA-M program and run it again and have it Remove all it finds.
    Reboot.
    Were you able to uninstall that older combofix? If so then run the new one and let's see what it shows.

  7. #17
    Join Date
    Oct 2008
    Posts
    17
    Ran ATF-Cleaner, did another Malwarebytes full scan; nothing came up. Though just now I'm realizing I am not sure whether I had updated the database for it.

    But I did just successfully run ComboFix, downloaded the new version from the link here on the board. Report is attached. Looks like it deleted three things from the registry?

    ----------

    Also, re. Wake Me Up: that is an old alarm clock program that I haven't used since the trial wore out, I think; never got around to getting rid of it. I tried to run the uninstall within the program files folder, but it gave me errors, so I just deleted the folder.
    Last edited by floppsybunny; 10-09-2008 at 08:18 AM.

  8. #18
    Join Date
    Oct 2008
    Posts
    17
    I've looked again for a version of the 'Wake Me Up' program that has an uninstall, but can't find it anywhere. Is there a way to manually remove it from both the startup programs and from the startup services list (it's still in both, though currently disabled)?

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by floppsybunny View Post
    I've looked again for a version of the 'Wake Me Up' program that has an uninstall, but can't find it anywhere. Is there a way to manually remove it from both the startup programs and from the startup services list (it's still in both, though currently disabled)?
    Yes there is. Looks to me like ComboFix did remove the "orphan" files remaining from WakeMeUp and also your old MSN Messenger.
    Post a new HJT log and we can probably get those out of there.
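A small triage helper for reports in the StartupList layout posted earlier in the thread, added here as an example (it is not HijackThis code or anything from the posters): it parses the Run-key, AppInit_DLLs and BHO sections and lists every entry still pointing into a given directory, which is how the leftover WakeMeUp entries asked about above would be found in a fresh log. The excerpt it runs on is a constructed sample modelled on the report, and `entries_under` leaves 8.3 short names such as PROGRA~1 unexpanded.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the HijackThis StartupList report layout (not the
# thread's full log); the entries mirror the kind seen in the posted report.
SAMPLE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
WMUAgent.exe = C:\Program Files\WakeMeUp\WMUAgent.exe
--------------------------------------------------
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll C:\WINDOWS\system32\guard32.dll
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
"""

@dataclass
class Autorun:
    source: str   # Run key, "AppInit_DLLs", or "BHO {CLSID}"
    name: str     # value name, DLL name, or BHO display name
    command: str  # the value exactly as the report shows it
    path: str     # binary path pulled out of the command

# A quoted path, or an unquoted one up to its extension (8.3 names such as
# PROGRA~1 are kept as reported, not expanded).
PATH_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|dll|ocx|sys)))', re.I)
BHO_RE = re.compile(r" - \{[0-9A-Fa-f-]{36}\}$")

def binary_path(command):
    m = PATH_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()

def parse_startuplist(text):
    """Collect Run-key values, AppInit_DLLs and BHOs from a StartupList report."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            key = None  # section separator: forget the current registry key
        elif "AppInit_DLLs=" in line:
            for dll in line.split("AppInit_DLLs=", 1)[1].split():
                entries.append(Autorun("AppInit_DLLs", dll, dll, dll))
        elif BHO_RE.search(line):
            name, path, clsid = line.rsplit(" - ", 2)
            entries.append(Autorun("BHO " + clsid, name, path, path))
        elif line.startswith("HK") and "=" not in line:
            key = line  # header naming the Run key the following values belong to
        elif key and " = " in line:
            name, cmd = line.split(" = ", 1)
            entries.append(Autorun(key, name, cmd, binary_path(cmd)))
    return entries

def entries_under(entries, directory):
    """Autoruns still pointing into a directory, e.g. after its program was deleted."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [e for e in entries if e.path.lower().startswith(prefix)]
```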

  10. #20
    Join Date
    Oct 2008
    Posts
    17
    Beautiful, thanks so much again, J. (Log attached.)
