PSW.Generic3.KCE Panda scan part 1



stewartpublic
2007-03-10, 04:02
AVG displays a threat alert for PSW.Generic3.KCE when I log in. It seems to relate to C:\Windows\System32\myssync20.exe.
I've scanned with AVG, Spybot, and some other things. Only AVG finds it, but it can't get rid of it.
Thanks for any help you can give!

Log of "HiJack This" follows:


Logfile of HijackThis v1.99.1
Scan saved at 5:02:23 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\DownLoads\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\DOCUME~1\JEANST~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\DownLoads\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137186514921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
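The security-relevant detail in the log above is not the process list (mssync20.exe is not running) but the four O4 entries that register the same binary under HKLM and HKCU, in both Run and the Windows 9x-era RunServices key. Legitimate installers pick one autostart location; writing to all of them is a persistence pattern. The following script, an added example that is not part of the original thread or of HijackThis, parses O4 lines from a HijackThis 1.99.x log and flags any binary registered in two or more places or in RunServices. The sample lines are copied from the log in this post; the regular expression and the "two or more locations" threshold are assumptions for illustration.

```python
"""Flag suspicious autostart (O4) entries in a HijackThis 1.99.x log.

Heuristic (an assumption for this example): a binary that registers itself
in several autostart locations at once, or in the Windows 9x-only
RunServices key that XP does not process, is behaving like malware
persistence rather than like a normal installer.
"""
import re
from collections import defaultdict

# Shape of an O4 registry line in HijackThis 1.99.x logs, for example
#   O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# O4 lines taken verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\DownLoads\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""


def binary_path(cmd: str) -> str:
    """Extract the executable path from a Run value: a quoted path, or the
    text up to the first '.exe' (unquoted paths may contain spaces).
    Lower-cased so HKLM/HKCU spellings compare equal."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd
    return path.lower()


def parse_o4(log_text: str):
    """Map each autostart binary to the set of (hive, key) it is registered in.
    Global Startup (.lnk) lines are not registry entries and are skipped."""
    locations = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            locations[binary_path(m["cmd"])].add((m["hive"], m["key"]))
    return dict(locations)


def suspicious(locations, min_locations: int = 2):
    """Return {path: sorted locations} for binaries registered in at least
    min_locations autostart keys, or anywhere under RunServices."""
    flagged = {}
    for path, locs in locations.items():
        if len(locs) >= min_locations or any(key == "RunServices" for _, key in locs):
            flagged[path] = sorted(locs)
    return flagged


if __name__ == "__main__":
    for path, locs in suspicious(parse_o4(SAMPLE_LOG)).items():
        print(path)
        for hive, key in locs:
            print(f"    {hive}\\...\\{key}")
```

Run against the sample, only c:\windows\system32\mssync20.exe is reported, with all four locations; the AVG, ZoneAlarm, Messenger and ctfmon entries each appear once and are left alone. The check is a triage aid, not a verdict: a benign program could in principle register twice, and malware that uses a single Run key would not be caught by this rule alone.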

stewartpublic
2007-03-10, 04:07

First part of Log of Panda scan follows:

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gary Stewart\Cookies\gary stewart@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Gary Stewart\Cookies\gary stewart@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Gary Stewart\Cookies\gary stewart@did-it[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Internet Access\Cookies\internet access@ad.yieldmanager[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Internet Access\Cookies\internet access@atwola[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Internet Access\Cookies\internet access@go[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Internet Access\Cookies\internet access@www.burstbeacon[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@112.2o7[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@ad.yieldmanager[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@adtech[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@advertising[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@anm.co[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@belnk[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@casalemedia[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@cgi-bin[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@citi.bridgetrack[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@clickbank[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@ct.360i[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@ehg-dig.hitbox[2].txt

stewartpublic
2007-03-10, 04:08

Second part of Log of Panda scan follows:

Incident Status Location

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@hitbox[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@stat.onestat[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@statse.webtrendslive[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@target[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@tickle[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@www.myaffiliateprogram[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jean Stewart\Cookies\jean stewart@zedo[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jean Stewart\Local Settings\Temp\Cookies\jean stewart@advertising[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jean Stewart\Local Settings\Temp\Cookies\jean stewart@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jean Stewart\Local Settings\Temp\Cookies\jean stewart@doubleclick[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jean Stewart\Local Settings\Temp\Cookies\jean stewart@tribalfusion[1].txt

Mr_JAk3
2007-03-11, 22:18
Hi stewartpublic and welcome to the Forums :)

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb:

stewartpublic
2007-03-14, 03:26
I think I'm going to reformat.

I've physically disconnected the computer from the Internet.

The computer is a Dell which has a partition on the hard drive with stored files that will reformat the C drive to original factory configuration. Would this be adequate?

I'm in the process of collecting disks, passwords, etc., and backing up files to CDs and a thumb drive. Are there any types of files that could harbor problems? I don't want to re-install problems along with my files :)

Thanks!

Mr_JAk3
2007-03-15, 11:07
Hi again, sorry for the delay :)

I respect your decision to reformat. Yes, that should do the trick.

Pictures, music, and text documents should be OK to back up. Avoid .exe and .dll files because they might be infected.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

Reformatting Windows XP by wng_z3r0 (http://spyware-free.us/tutorials/reformat/mainnopics.html)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)

Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

These are good (free) firewalls:
- Kerio (http://www.sunbelt-software.com/Kerio.cfm)
- Sygate (http://www.majorgeeks.com/download.php?det=3356)
- Outpost (http://www.majorgeeks.com/download.php?det=1056)

These are good (free) antiviruses:
- Antivir (http://www.free-av.com)
- Avast (http://www.avast.com)
- AVG (http://free.grisoft.com)

Get all Windows updates installed!
Please ask me if you have any questions :)

Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
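The backup advice above ("avoid .exe and .dll files") is the right instinct, but an extension check alone misses an executable that has been renamed to look like a picture. The script below is an added example, not part of the thread or of any tool named in it: it walks a backup set and flags files by content (a DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature) as well as by a list of executable extensions. The extension list is a reasonable default, not a complete one, and the sample backup tree it builds in a temporary directory is constructed for the demo; the "PE" bytes it writes are a header-only stand-in, not a real program. It does not inspect Office documents for macros.

```python
"""Check a backup set for executable content before restoring it.

Added example. Decides by content (PE header) as well as by extension,
so a renamed .exe does not slip through as a .jpg. The extension list
and the constructed sample files are assumptions for illustration.
"""
import os
import struct
import tempfile

# Extensions Windows XP will execute directly (an assumed, non-exhaustive list).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                   ".bat", ".cmd", ".vbs", ".js", ".hta"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, i.e. a Windows
    executable or DLL regardless of the file's extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(path: str):
    """Return a reason string if the file is executable content, else None.
    The content check runs first so a renamed binary is reported as such."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if is_pe(head):
        return "pe-header"
    if os.path.splitext(path)[1].lower() in EXEC_EXTENSIONS:
        return "executable-extension"
    return None


def scan_tree(root: str):
    """Walk root and return sorted (relative path, reason) for flagged files."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                flagged.append((rel, reason))
    return sorted(flagged)


def fake_pe() -> bytes:
    """Constructed header-only bytes that satisfy is_pe (not a real program)."""
    return (b"MZ" + b"\0" * (0x3C - 2)            # DOS stub with e_lfanew at 0x3C
            + struct.pack("<I", 0x40)              # e_lfanew -> offset 0x40
            + b"PE\0\0" + b"\0" * 60)              # PE signature, then padding


def build_demo_backup() -> str:
    """Create a constructed backup tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="backup-")
    os.makedirs(os.path.join(root, "My Pictures"))
    samples = {
        "letter.txt": b"Dear Jean, ...",
        "My Pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 100,  # JPEG magic
        "My Pictures/funny.jpg": fake_pe(),   # executable renamed to .jpg
        "setup.exe": fake_pe(),
        "notes.bat": b"@echo off\r\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_demo_backup()):
        print(f"{reason:22} {rel}")
```

On the constructed tree the JPEG and the text file pass, setup.exe and the renamed funny.jpg are reported by header, and notes.bat only by extension, which is the case an extension-only check and a header-only check would each get half right.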