
Solved MSITS.EXE Trojan? (HJT Log and StartupList)

Discussion in 'Malware and Virus Removal Archive' started by mailman, 2007/09/24.

  1. 2007/09/24
    mailman (Geek Member, Thread Starter)
    [Resolved] MSITS.EXE Trojan? (HJT Log and StartupList)

    My neighbor has clicked on an email link and/or sent a reply to a spam message and now receives LOTS more spam than usual.

    Appears to me that at least one trojan may have been downloaded (msits.exe).

    I have not run Spybot S&D or Ad-Aware yet on the affected machine (though it appears someone has already installed Spybot S&D previously).

    Seeking assistance about how to proceed. :)

    HJT log and StartupList.txt [with "List all minor sections (full)" option] below.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:22:29 AM, on 09/24/2007
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\KURT\HJT\KILLA.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iserv.net <-- This is their ISP.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
    O4 - HKUS\.DEFAULT\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO (User 'Default user')
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.27/24d2c8d8/msits.exe

    --
    End of file - 2273 bytes


    StartupList report, 09/24/2007, 5:20:41 AM
    StartupList version: 1.52.2
    Started from : C:\KURT\HJT\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\KURT\HJT\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Multi-function Keyboard = GWHotKey.exe
    EnsoniqMixer = starter.exe
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    LoadQM = loadqm.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    KB891711 = c:\windows\SYSTEM\KB891711\KB891711.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ccleaner = "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = c:\windows\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [>PerUser_MSN_Clean] *
    StubPath = c:\windows\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = c:\windows\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [>IEPerUser] *
    StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = c:\WINDOWS\SYSTEM\Rundll32.exe c:\WINDOWS\SYSTEM\mscories.dll,Install

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 14/10/2006, 22:54:48)

    [Rename]
    nul=C:\PROGRA~1\WINZIP\winzip32.exe
    nul=C:\PROGRA~1\WINZIP
    nul=C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    nul=C:\PROGRA~1\WINZIP
    NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
    NUL=C:\WINDOWS\COOKIES\INDEX.DAT
    NUL=c:\WINDOWS\TEMP\A~NSISU_.EXE
    NUL=c:\windows\TEMP\_iu14D2N.tmp

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET BLASTER=A220 I7 D1 H7 P330 T6
    SET SBPCI=C:\SBPCI

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    C:\SBPCI\SBINIT

    --------------------------------------------------

    Checking for superhidden extensions:

    ..lnk: HIDDEN! (arrow overlay: yes)
    ..pif: HIDDEN! (arrow overlay: yes)
    ..exe: not hidden
    ..com: not hidden
    ..bat: not hidden
    ..hta: not hidden
    ..scr: not hidden
    ..shs: HIDDEN!
    ..shb: HIDDEN!
    ..vbs: not hidden
    ..vbe: not hidden
    ..wsh: not hidden
    ..scf: HIDDEN! (arrow overlay: NO!)
    ..url: HIDDEN! (arrow overlay: yes)
    ..js: not hidden
    ..jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38071.494537037

    [{10000000-1000-0000-1000-000000000000}]
    CODEBASE = mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.27/24d2c8d8/msits.exe

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 6,091 bytes
    Report generated in 0.202 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
    Last edited: 2007/09/24
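The single indicator in the log above is the O16 entry: a Download Program Files item whose CODEBASE is not a signed .cab on a vendor host but an mhtml: URL wrapping a plain http:// fetch of msits.exe from a bare IP address. The mhtml:file://C:\ARCHIVE.MHT!http://... form points IE's MHTML protocol handler at a local archive and names a fallback location after the "!"; on unpatched IE 6 builds of that era the content fetched from the fallback ran with the trust of the local file, which is what turned a DPF entry into a drive-by install. The script below is an added example written for this thread; it is not part of HijackThis or StartupList. It parses O16 lines from a HijackThis log and CODEBASE lines from a StartupList "Download Program Files" section and flags three properties a defender would look for: a wrapper scheme (mhtml:, ms-its:, its:, mk:) hiding a second URL, a raw IP literal as the download host, and a CODEBASE that names an executable rather than a .cab/.ocx. The sample input is constructed from the lines posted in this thread plus one made-up entry (an all-zero placeholder CLSID and the documentation-range address 192.0.2.10); the ewido and Flash entries from the thread's later logs serve as the benign contrast.

```python
"""Flag suspicious O16 / Download Program Files entries in HijackThis and
StartupList output.  Added example for this thread; not HijackThis code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Pluggable-protocol schemes that wrap a second URL after '!'.  IE fetched the
# inner URL but trusted it as if it were the outer (local) part.
WRAPPER_SCHEMES = {"mhtml", "ms-its", "its", "mk"}
# A legitimate DPF entry installs a signed .cab/.ocx, never a bare program.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".hta", ".vbs", ".chm")

# HijackThis:  O16 - DPF: {CLSID} (Optional Name) - URL
O16_RE = re.compile(r"^O16 - DPF: (\{[^}]+\})(?: \(([^)]*)\))? - (\S+)\s*$")
# StartupList:  [Friendly Name]  ...  CODEBASE = URL
STARTUPLIST_NAME_RE = re.compile(r"^\[(.+)\]$")
STARTUPLIST_CODEBASE_RE = re.compile(r"^CODEBASE = (\S+)$")

# Constructed sample: two O16 lines and two CODEBASE blocks taken from this
# thread, plus one made-up O16 line (placeholder CLSID, RFC 5737 address).
SAMPLE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.27/24d2c8d8/msits.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://192.0.2.10/update.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{10000000-1000-0000-1000-000000000000}]
CODEBASE = mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.27/24d2c8d8/msits.exe
"""


def unwrap(codebase):
    """Return (wrapper_scheme, effective_url).

    'mhtml:file://C:\\ARCHIVE.MHT!http://h/x.exe' -> ('mhtml', 'http://h/x.exe')
    'http://h/x.cab'                               -> (None, 'http://h/x.cab')
    """
    scheme, sep, rest = codebase.partition(":")
    if sep and scheme.lower() in WRAPPER_SCHEMES:
        # Everything after the last '!' is the location IE actually fetches.
        return scheme.lower(), rest.rsplit("!", 1)[-1]
    return None, codebase


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_codebase(codebase):
    """List the reasons a CODEBASE URL looks suspicious (empty list = clean)."""
    reasons = []
    wrapper, url = unwrap(codebase)
    if wrapper:
        reasons.append(f"{wrapper}: wrapper redirects to {url}")
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host and is_ip_literal(host):
        reasons.append(f"download host is a raw IP literal ({host})")
    if parts.path.lower().endswith(EXEC_EXTS):
        reasons.append("CODEBASE points at an executable, not a .cab/.ocx")
    return reasons


def scan_log(text):
    """Walk HJT and StartupList text; return one finding dict per flagged entry."""
    findings = []
    current_name = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            clsid, name, codebase = m.groups()
            label = name or clsid
        else:
            n = STARTUPLIST_NAME_RE.match(line)
            if n:
                current_name = n.group(1)  # remember the [Name] for the next CODEBASE
                continue
            c = STARTUPLIST_CODEBASE_RE.match(line)
            if not c:
                continue
            label, codebase = current_name, c.group(1)
        reasons = assess_codebase(codebase)
        if reasons:
            findings.append({"line": lineno, "name": label,
                             "codebase": codebase, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE):
        print(f"line {f['line']}: {f['name']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the msits.exe entry is reported twice (once from the HJT line, once from the StartupList block) with all three reasons, the made-up IP/.exe line with two, and the ewido and Flash .cab entries are not reported at all. The unwrapping step is the part worth keeping: any tool that only looks at the outer scheme of a DPF CODEBASE would classify the msits entry as a harmless local file reference.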
  2. 2007/09/24
    noahdfear
    Hi mailman :)

    Fix the DPF with HijackThis.
    Check for the following files and delete if present.

    C:\ARCHIVE.MHT!
    C:\Windows\system\service.exe
    C:\Windows\system\feat2.dll
    C:\Windows\system\mshp.dll
    C:\Windows\system\dict.dat
    C:\Windows\system\keywords.dat


    Run an online AVG-AS scan.

    http://www.ewido.net/en/onlinescan/

    You can save the report for posting before fixing anything (do watch for fps ;) )
     


  4. 2007/09/30
    mailman (Geek Member, Thread Starter)
    Thanks, Dave! :)

    I used HJT to delete the O16 DPF.

    I searched for the files you named and found only the following:

    mshp.dll

    C:\WINDOWS
    Size: 0 bytes
    Created: Sunday, April 10, 2005 5:19:22 AM
    Modified: Sunday, April 10, 2005 5:19:24 AM

    C:\WINDOWS\SYSTEM
    Size: 0 bytes
    Created: Tuesday, April 12, 2005 9:21:29 AM
    Modified: Wednesday, April 13, 2005 5:57:34 AM

    =========

    dict.dat

    C:\Program Files\eGames\MVP Word Search
    Size: 720 KB (738,007 bytes)
    Created: Sunday, March 20, 2005 4:20:50 PM
    Modified: Monday, December 09, 1996 11:27:58 AM

    [Neighbor has an eGames "CARD & BOARD GAMES" CD set (2 disks)]

    =========

    I did not delete any of those files yet because I am not sure they are malicious. Appears they have been on the computer for quite a while (and size appears to be 0 bytes for the mshp.dll files).

    Will run the AVG AS online scan next and will post the results afterwards.

    =========

    Neighbor also wants to remove the MyCopper.net stuff. (MyCopper.net used to be their ISP.) Safe to have HJT fix the following?

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer

    O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
     
    Last edited: 2007/09/30
  5. 2007/09/30
    noahdfear
    Yes, you can fix those safely.
     
  6. 2007/09/30
    mailman (Geek Member, Thread Starter)
    Thanks again, Dave.

    I attempted to run the AVG online scan. Clicked "Yes" to allow the download and after a minute or so, the transfer seemed to stop. Neighbor has also tried several times earlier today to run the AVG online scan with similar lack of success.

    Started downloading the AVG AS program but realized the page states for Windows 2000, XP, and Vista (no mention of Win98). :(

    Copied Deckard's System Scanner (dss.exe) from a floppy to a folder I created. Tried to run dss.exe but nothing happened. :confused: No window. No HD activity. Nothing.

    Anyway, here's an updated HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:19:46 PM, on 09/30/2007
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\KURT\HJT\KILLA.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iserv.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
    O4 - HKUS\.DEFAULT\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO (User 'Default user')
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab

    --
    End of file - 1987 bytes
     
  7. 2007/09/30
    noahdfear
    dss is for NT systems only. Try running a Panda ActiveScan.
     
  8. 2007/09/30
    mailman (Geek Member, Thread Starter)
    What's your opinion about the two mshp.dll files?

    BTW, they have somewhat temperamental dial-up access (with 33.3K connections).

    That's what I suspected this evening as I was driving around town. :) Might want to edit your info post to reflect that. ;)

    Next time I see my neighbor, I'll ask him if I can run the Panda ActiveScan. If I get the go-ahead, I'll post the results (assuming the computer will let me run the scan).

    I also suggested in a note to his computer-savvy granddaughter to replace the existing Spybot S&D v1.4 with v1.5 and download & install a software firewall. Suggested ZoneAlarm Free and Comodo as possibilities. Recommended to check for Windows 98 SE compatibility first.

    I'll also do some research to find a reputable (free?) memory-resident anti-virus app for Windows 98 SE that won't slow the computer down significantly.

    I'm open to suggestions. :)

    Thanks again!
     
  9. 2007/09/30
    noahdfear
    I believe you'll find those mshp.dll files are rogue. You could always submit them to jotti for analysis.

    Darnit, I knew I was forgetting something! :rolleyes:

    eTrust was at one time my preference for lightweight AV, though I'm not sure how lightweight the new one is now that it comes bundled inside the Security Center. Haven't tried it on a 98 system yet. It's not free either ........ affordable though ;) I would think AVG fits the bill otherwise.

    Good recommendations mailman. Hope she follows through!
     
  10. 2007/10/19
    mailman (Geek Member, Thread Starter)
    Hi. :)

    We may now consider this issue [RESOLVED]. :)

    My neighbor purchased a new computer with Windows Vista and apparently is giving the Windows 98 SE machine to his granddaughter to part out for a few bucks if she wishes.

    THANKS again for your assistance, Dave!
     
  11. 2007/10/19
    noahdfear
    Thanks for the update, mailman. Happy to help :)
     
