enoughalready 0 Report post Posted June 10, 2006 evil spyware bastards make me mad helpful community members make me smile any help dealing with this antispywarebox scum much appreciated Logfile of HijackThis v1.99.1 Scan saved at 8:54:34 PM, on 6/9/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\S24EvMon.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\ntvdm.exe C:\WINDOWS\System32\RegSrvc.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe c:\program files\mcafee.com\agent\mcagent.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\System32\1XConfig.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Regedit.exe C:\WINDOWS\System32\users32.exe C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file) O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file) O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file) O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file) O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file) O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file) O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file) O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file) O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe O4 - Global Startup: Digital Line Detect.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O15 - Trusted Zone: http://*.public.windupdates.com O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{95F90027-B28D-4E23-A721-073E6C0CDCD3}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{AC71EF8F-F453-4DCF-BE65-6EC2B500E6AC}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37 O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing) O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Share this post Link to post Share on other sites
enoughalready 0 Report post Posted June 10, 2006 Ad-Aware SE Build 1.06r1 Logfile Created on:Friday, June 09, 2006 9:02:55 PM Created with Ad-Aware SE Personal, free for private use. Using definitions file:SE1R111 08.06.2006 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Adware.Admess(TAC index:5):6 total references Alexa(TAC index:5):18 total references CoolWebSearch(TAC index:10):2 total references DailyToolbar(TAC index:5):14 total references Other(TAC index:5):1 total references Transponder(TAC index:10):1 total references WinFavorites(TAC index:6):14 total references VX2(TAC index:10):6 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Ad-Aware SE Settings =========================== Set : Search for negligible risk entries Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Always try to unload modules before deletion Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 6-9-2006 9:02:55 PM - Scan started. (Full System Scan) Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 740 ThreadCreationTime : 6-10-2006 12:07:16 AM BasePriority : Normal #:2 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 816 ThreadCreationTime : 6-10-2006 12:07:21 AM BasePriority : High #:3 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 860 ThreadCreationTime : 6-10-2006 12:07:21 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe #:4 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 872 ThreadCreationTime : 6-10-2006 12:07:21 AM BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe #:5 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1044 ThreadCreationTime : 6-10-2006 12:07:22 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:6 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1068 ThreadCreationTime : 6-10-2006 12:07:22 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:7 [s24evmon.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1104 ThreadCreationTime : 6-10-2006 12:07:22 AM BasePriority : Normal FileVersion : 8, 0, 0, 162 ProductVersion : 8, 0, 0, 162 ProductName : Mobile Unit Support Service CompanyName : Intel Corporation FileDescription : Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. InternalName : S24EvMon LegalCopyright : Copyright © 2001 - 2003 Intel Corporation, 1997 - 2001 Symbol Technologies, Inc. Portions Copyright © MIT OriginalFilename : S24EvMon.exe #:8 [zcfgsvc.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1432 ThreadCreationTime : 6-10-2006 12:07:23 AM BasePriority : Normal FileVersion : 8, 0, 0, 162 ProductVersion : 8, 0, 0, 162 ProductName : ZeroCfgSvc Application CompanyName : Intel Corporation FileDescription : ZeroCfgSvc MFC Application InternalName : ZeroCfgSvc LegalCopyright : Copyright © 2002 - 2003 Intel Corporation OriginalFilename : ZeroCfgSvc.EXE #:9 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 1544 ThreadCreationTime : 6-10-2006 12:07:24 AM BasePriority : Normal FileVersion : 6.00.2800.1106 (xpsp1.020828-1920) ProductVersion : 6.00.2800.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE #:10 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1816 ThreadCreationTime : 6-10-2006 12:07:24 AM BasePriority : Normal FileVersion : 5.1.2600.0 (XPClient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe #:11 [mcdetect.exe] FilePath : c:\program files\mcafee.com\agent\ ProcessID : 1944 ThreadCreationTime : 6-10-2006 12:07:24 AM BasePriority : Normal FileVersion : 6, 0, 0, 19 ProductVersion : 6, 0, 0, 0 ProductName : McAfee SecurityCenter CompanyName : McAfee, Inc FileDescription : McAfee WSC Integration Service InternalName : McDetect LegalCopyright : Copyright © 2005 McAfee, Inc. OriginalFilename : McDetect.exe Comments : McAfee WSC Integration Service #:12 [mcshield.exe] FilePath : c:\PROGRA~1\mcafee.com\vso\ ProcessID : 1964 ThreadCreationTime : 6-10-2006 12:07:24 AM BasePriority : High #:13 [mctskshd.exe] FilePath : c:\PROGRA~1\mcafee.com\agent\ ProcessID : 1992 ThreadCreationTime : 6-10-2006 12:07:24 AM BasePriority : Normal FileVersion : 6, 0, 0, 13 ProductVersion : 6, 0, 0, 0 ProductName : McAfee SecurityCenter CompanyName : McAfee, Inc FileDescription : McAfee Task Scheduler InternalName : McTskshd LegalCopyright : Copyright © 2005 McAfee, Inc. OriginalFilename : McTskshd.exe #:14 [oasclnt.exe] FilePath : c:\PROGRA~1\mcafee.com\vso\ ProcessID : 2032 ThreadCreationTime : 6-10-2006 12:07:25 AM BasePriority : Normal FileVersion : 10, 0, 0, 24 ProductVersion : 10, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : McAfee, Inc. FileDescription : McAfee VirusScan OAS Client InternalName : OasClnt LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved. OriginalFilename : OasClnt.exe Comments : McAfee VirusScan OAS Client #:15 [mcvsshld.exe] FilePath : c:\program files\mcafee.com\vso\ ProcessID : 344 ThreadCreationTime : 6-10-2006 12:07:27 AM BasePriority : Normal FileVersion : 10, 0, 0, 22 ProductVersion : 10, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : McAfee, Inc. FileDescription : McAfee VirusScan ActiveShield Resource InternalName : McVsShld LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved. OriginalFilename : McVsShld.exe Comments : McAfee VirusScan ActiveShield Resource #:16 [mcvsescn.exe] FilePath : c:\progra~1\mcafee.com\vso\ ProcessID : 404 ThreadCreationTime : 6-10-2006 12:07:27 AM BasePriority : Normal FileVersion : 10, 0, 0, 20 ProductVersion : 10, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : McAfee, Inc. FileDescription : McAfee VirusScan E-mail Scan Module InternalName : mcvsescn LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved. OriginalFilename : mcvsescn.EXE Comments : McAfee VirusScan E-mail Scan Module #:17 [jusched.exe] FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\ ProcessID : 520 ThreadCreationTime : 6-10-2006 12:07:29 AM BasePriority : Normal #:18 [pcmservice.exe] FilePath : C:\Program Files\Dell\Media Experience\ ProcessID : 540 ThreadCreationTime : 6-10-2006 12:07:29 AM BasePriority : Normal FileVersion : 1.0.1212 ProductVersion : 1.0.1212 ProductName : PCM2Launcher Application CompanyName : CyberLink Corp. FileDescription : PowerCinema Resident Program for Dell InternalName : PowerCinema Resident Program for Dell LegalCopyright : Copyright c 2003 CyberLink Corp. OriginalFilename : PCM2Launcher.EXE #:19 [dsentry.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 652 ThreadCreationTime : 6-10-2006 12:07:31 AM BasePriority : Normal FileVersion : 1, 0, 5, 0 ProductVersion : 1, 0, 5, 0 ProductName : Dell - DVDSentry CompanyName : Dell - Advanced Desktop Engineering FileDescription : DVDSentry InternalName : DVDSentry LegalCopyright : Copyright © 2002 Dell OriginalFilename : DSentry.exe Comments : DVDSentry launches your software DVD player when a DVD is inserted. #:20 [tfswctrl.exe] FilePath : C:\WINDOWS\system32\dla\ ProcessID : 660 ThreadCreationTime : 6-10-2006 12:07:31 AM BasePriority : Normal FileVersion : 1.04.05b CompanyName : Sonic Solutions FileDescription : Drive Letter Access Component LegalCopyright : Copyright © 2003 Sonic Solutions #:21 [quickset.exe] FilePath : C:\Program Files\Dell\QuickSet\ ProcessID : 676 ThreadCreationTime : 6-10-2006 12:07:31 AM BasePriority : Normal FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : QuickSet Application FileDescription : QuickSet MFC Application InternalName : direct LegalCopyright : Copyright © 2001 OriginalFilename : direct.EXE #:22 [nvsvc32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 696 ThreadCreationTime : 6-10-2006 12:07:31 AM BasePriority : Normal FileVersion : 6.14.10.4586 ProductVersion : 6.14.10.4586 ProductName : NVIDIA Driver Helper Service, Version 45.86 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 45.86 InternalName : NVSVC LegalCopyright : © NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe #:23 [apoint.exe] FilePath : C:\Program Files\Apoint\ ProcessID : 400 ThreadCreationTime : 6-10-2006 12:07:32 AM BasePriority : Normal FileVersion : 5.4.101.118 ProductVersion : 5.4.101.118 ProductName : Alps Pointing-device Driver CompanyName : Alps Electric Co., Ltd. FileDescription : Alps Pointing-device Driver InternalName : Alps Pointing-device Driver LegalCopyright : Copyright © 1999-2003 Alps Electric Co., Ltd. OriginalFilename : Apoint.exe #:24 [ntvdm.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 784 ThreadCreationTime : 6-10-2006 12:07:32 AM BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : NTVDM.EXE InternalName : NTVDM.EXE LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : NTVDM.EXE #:25 [regsrvc.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1092 ThreadCreationTime : 6-10-2006 12:07:33 AM BasePriority : Normal FileVersion : 8, 0, 0, 162 ProductVersion : 8, 0, 0, 162 ProductName : RegSrvc Module CompanyName : Intel Corporation FileDescription : RegSrvc Module InternalName : RegSrvc LegalCopyright : Copyright © 2002 - 2003 Intel Corporation OriginalFilename : RegSrvc.EXE #:26 [wanmpsvc.exe] FilePath : C:\WINDOWS\ ProcessID : 1208 ThreadCreationTime : 6-10-2006 12:07:33 AM BasePriority : Normal FileVersion : 7, 0, 0, 2 ProductVersion : 7, 0, 0, 2 ProductName : America Online CompanyName : America Online, Inc. FileDescription : Wan Miniport (ATW) Service InternalName : WanMPSvc LegalCopyright : Copyright © 2001 America Online, Inc. OriginalFilename : WanMPSvc.exe #:27 [dsagnt.exe] FilePath : C:\Program Files\Dell Support\ ProcessID : 1280 ThreadCreationTime : 6-10-2006 12:07:34 AM BasePriority : Below Normal FileVersion : 1, 1, 0, 73 ProductVersion : 1, 1, 0, 73 ProductName : Dell Support CompanyName : Gteko Ltd. FileDescription : Dell Support InternalName : AUAgent LegalCopyright : Copyright © 2000 - 2004 Gteko Ltd. OriginalFilename : AUAgent.exe #:28 [mnyexpr.exe] FilePath : C:\Program Files\Microsoft Money\System\ ProcessID : 1500 ThreadCreationTime : 6-10-2006 12:07:35 AM BasePriority : Normal FileVersion : 12.00.0613 ProductVersion : 12.00.0613 ProductName : Microsoft® MSN Money Deluxe CompanyName : Microsoft Corp. FileDescription : Microsoft Money Express InternalName : mnyexpr LegalCopyright : Copyright © Microsoft Corporation OriginalFilename : mnyexpr.exe #:29 [mcagent.exe] FilePath : c:\program files\mcafee.com\agent\ ProcessID : 1620 ThreadCreationTime : 6-10-2006 12:07:37 AM BasePriority : Normal FileVersion : 6, 0, 0, 16 ProductVersion : 6, 0, 0, 0 ProductName : McAfee SecurityCenter CompanyName : McAfee, Inc FileDescription : McAfee SecurityCenter Agent InternalName : mcagent LegalCopyright : Copyright © 2005 McAfee, Inc. OriginalFilename : mcagent.exe #:30 [dlg.exe] FilePath : C:\Program Files\Digital Line Detect\ ProcessID : 1636 ThreadCreationTime : 6-10-2006 12:07:38 AM BasePriority : Normal FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : BVRP Software TestLine CompanyName : BVRP Software FileDescription : Digital Line Detection InternalName : TestLine LegalCopyright : Copyright © 2003 OriginalFilename : TestLine.exe #:31 [apntex.exe] FilePath : C:\Program Files\Apoint\ ProcessID : 1696 ThreadCreationTime : 6-10-2006 12:07:38 AM BasePriority : Normal FileVersion : 5.0.1.15 ProductVersion : 5.0.1.15 ProductName : Alps Pointing-device Driver for Windows NT/2000/XP CompanyName : Alps Electric Co., Ltd. FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP InternalName : Alps Pointing-device Driver for Windows NT/2000/XP LegalCopyright : Copyright © 1998-2003 Alps Electric Co., Ltd. OriginalFilename : ApntEx.exe #:32 [1xconfig.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 552 ThreadCreationTime : 6-10-2006 12:07:40 AM BasePriority : Normal FileVersion : 8, 0, 0, 162 ProductVersion : 8, 0, 0, 162 ProductName : 8021XConfig Module CompanyName : Intel FileDescription : 8021XConfig Module InternalName : 8021XConfig LegalCopyright : Copyright 2003 OriginalFilename : 1XConfig.EXE Comments : Wrapper for MH. (Service COM) #:33 [wuauclt.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 3180 ThreadCreationTime : 6-10-2006 12:08:41 AM BasePriority : Normal FileVersion : 5.8.0.2469 built by: lab01_n(wmbla) ProductVersion : 5.8.0.2469 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Automatic Updates InternalName : wuauclt.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : wuauclt.exe #:34 [firefox.exe] FilePath : C:\Program Files\Mozilla Firefox\ ProcessID : 3840 ThreadCreationTime : 6-10-2006 12:08:58 AM BasePriority : Normal #:35 [regedit.exe] FilePath : C:\WINDOWS\ ProcessID : 3576 ThreadCreationTime : 6-10-2006 12:15:11 AM BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Registry Editor InternalName : REGEDIT LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : REGEDIT.EXE #:36 [users32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 4068 ThreadCreationTime : 6-10-2006 12:16:42 AM BasePriority : Normal FileVersion : 1.00 ProductVersion : 1.00 ProductName : Project1 CompanyName : Trojan Factory InternalName : main OriginalFilename : main.dat #:37 [wpwin11.exe] FilePath : C:\Program Files\WordPerfect Office 11\Programs\ ProcessID : 2752 ThreadCreationTime : 6-10-2006 12:34:04 AM BasePriority : Normal FileVersion : 11.0.0.233 ProductVersion : 11.0.0.233 ProductName : WordPerfect® 11 CompanyName : Corel Corporation Limited FileDescription : WordPerfect® 11 InternalName : WPWIN LegalCopyright : Copyright 2001 - 2003. Corel Corporation. All rights reserved. LegalTrademarks : WordPerfect® 11 OriginalFilename : wpwin11.exe #:38 [hijackthis.exe] FilePath : C:\Program Files\HijackThis\ ProcessID : 2256 ThreadCreationTime : 6-10-2006 12:54:32 AM BasePriority : Normal FileVersion : 1.99.0001 ProductVersion : 1.99.0001 ProductName : HijackThis CompanyName : Soeperman Enterprises Ltd. FileDescription : HijackThis InternalName : HijackThis LegalCopyright : Freeware OriginalFilename : HijackThis.exe Comments : Version history is in Help section #:39 [notepad.exe] FilePath : C:\WINDOWS\ ProcessID : 2316 ThreadCreationTime : 6-10-2006 12:54:35 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Notepad InternalName : Notepad LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : NOTEPAD.EXE #:40 [ad-aware.exe] FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\ ProcessID : 124 ThreadCreationTime : 6-10-2006 1:02:40 AM BasePriority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 0 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Adware.Admess Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\{f6bdb4e5-d6aa-4d1f-8b67-bcb0f2246e21} Adware.Admess Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\wstart.dll Adware.Admess Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{9896231a-c487-43a5-8369-6ec9b0a96cc0} Adware.Admess Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : wstart.whttphelper Adware.Admess Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : wstart.whttphelper.1 Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : alxtb.bho Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{f1fabe79-25fc-46de-8c5a-2c6db9d64333} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{0bbb0424-e98e-4405-9a94-481854765c80} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{0f3332b5-bc98-48af-9fac-05fec94ebe73} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{3e60160f-0ed6-4dcc-b6b6-850cde4fd217} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{a69107cc-bec8-4a34-b474-211b0f46a764} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{b7b84995-8b92-46bf-94aa-fa2f3dd23b84} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{fa77ad79-09cf-41fb-b171-cc856f9e737f} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : popmenu.menu Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : popup.popupkiller Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{547ab549-4dd8-4ea0-b070-f6ea062148ff} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{a6a68cbd-6673-41b1-b997-3f83a25b45b0} Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{b71c7d9a-da43-4e8b-bb98-1684ac2af324} DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\dailytoolbar.dll DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\{951b3138-ae8e-4676-a05a-250a5f111631} DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{58f9b276-e1cc-458e-8159-21cbc021874b} DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{8333c319-0669-4893-a418-f56d9249fca6} DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : dailytoolbar.ieband DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : dailytoolbar.sysmgr DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : ietoolbar.affiliatectl DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{10195311-e434-47a9-adba-48839e3f7e4e} DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{abafa0b4-f78d-42e5-8c31-1a441d01c1df} WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : bridge.brdg WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{80bb7465-a638-43b5-9827-8e8fe38dfcc1} WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : jao.jao WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27} Adware.Admess Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\wsoft Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\alexa internet CoolWebSearch Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{7b55bb05-0b4d-44fd-81a6-b136188f5deb} DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\dailytoolbar DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\nix solutions\dailytoolbar Transponder Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\transponder WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf} WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\classes\clsid\{80bb7465-a638-43b5-9827-8e8fe38dfcc1} WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\classes\interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12} WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\classes\typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27} VX2 Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\respondmiter VX2 Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{ffd2825e-0785-40c5-9a41-518f53a8261f} VX2 Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-f09c-02b4-6ec2-ad0300000000} VX2 Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-c1ec-0345-6ec2-4d0300000000} VX2 Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-59d4-4008-9058-080011001200} Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 46 Objects found so far: 46 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8333c319-0669-4893-a418-f56d9249fca6} Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 1 Objects found so far: 47 Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 48 Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 48 Scanning Hosts file...... Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts". »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 0 entries scanned. New critical objects:0 Objects found so far: 48 Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\alexa toolbar Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\alexa toolbar Alexa Object Recognized! Type : File Data : alxres.dll TAC Rating : 5 Category : Data Miner Comment : Object : C:\WINDOWS\System32\ DailyToolbar Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\nix solutions DailyToolbar Object Recognized! Type : File Data : dailytoolbar.dll TAC Rating : 5 Category : Misc Comment : Object : C:\WINDOWS\System32\ WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12} WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\bridge WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\classes\bridge.brdg WinFavorites Object Recognized! Type : Regkey Data : TAC Rating : 6 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\classes\jao.jao WinFavorites Object Recognized! Type : File Data : a.exe TAC Rating : 6 Category : Malware Comment : Object : C:\WINDOWS\System32\ WinFavorites Object Recognized! Type : File Data : bridge.dll TAC Rating : 6 Category : Malware Comment : Object : C:\WINDOWS\System32\ CoolWebSearch Object Recognized! Type : RegData Data : about:blank TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Start Page Data : about:blank VX2 Object Recognized! Type : File Data : ZServ.dll TAC Rating : 10 Category : Malware Comment : Object : C:\WINDOWS\ Other Object Recognized! Type : File Data : NLDDKZUA.EXE-08BD186C.pf TAC Rating : 10 Category : Malware Comment : Object : C:\WINDOWS\prefetch\ Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 14 Objects found so far: 62 9:16:04 PM Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:13:08.173 Objects scanned:125678 Objects identified:63 Objects ignored:0 New critical objects:63 Share this post Link to post Share on other sites
LS CalamityJane 13 Report post Posted June 10, 2006 you have got a whole bundle of malware, including some very nasty trojans. This will take numerous steps to get everything. 1. Please download the free trial program Ewido per the following instructions. This is a good trojan scanner and will help to block any further trojan downloads of malware onto your system while we're trying to clean it all up. Should any nasties try to enter your system it should popup a warning and you can block anything new coming in. But first lets install it, update it, and we'll scan later in SAFE MODE. Download, install, and update Ewido AntiMalware (get the free trial version) http://www.ewido.net/en/download/ a. Install Ewido AntiMalware b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it. c. The program will prompt you to update click the OK button d. The program will now go to the main screen e. On the left hand side of the main screen click on Update f. Click on Start. The update will start and a progress bar will show the updates being installed. g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs. *Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended). You will still be able to manually update Ewido using the *update* button 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! 4. Reboot into Safe Mode You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. How to start the computer in Safe mode http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam 5. Once in safe mode, start Ewido AntiMalware a. Click on scanner b. Click on *complete system scan* c. Let the program scan the machine. d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Checkmark the box: *Create encrypted backup in the quarantine* (recommended) Click OK. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. 6. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. click "save"IN "filename" enter log.txt click exit to exit the BFU program. Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder 7. Now please scan with HijackThis and do a *scan only*. Checkmark these items in the list (if found) and then press the *fix checked* button. O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file) O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file) O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file) O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file) O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file) O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file) O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file) O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file) O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file) O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe O15 - Trusted Zone: http://*.public.windupdates.com O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{95F90027-B28D-4E23-A721-073E6C0CDCD3}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{AC71EF8F-F453-4DCF-BE65-6EC2B500E6AC}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37 8. Delete these files(if found) C:\WINDOWS\system32\users32.exe C:\WINDOWS\system32\susp.exe C:\WINDOWS\system32\runsrv32.exe dwcrnt.exe c:\windows\winhelp.exe C:\WINDOWS\System32\serwvdrv.exe C:\WINDOWS\System32\d3d8.exe C:\WINDOWS\System32\taskdir.exe 9. Reboot back into normal mode Logs needed in your next post are: log.txt will be in the C:\BFU\ folder Ewido Scan log Fresh HijackThis log There will be more to do but this will be a good start Share this post Link to post Share on other sites
enoughalready 0 Report post Posted June 10, 2006 OK. I took care of all this stuff. Only problem was that after running BruteForce Uninstaller, I realized that the "Save log" box wasn't checked, so I didn't have anything to save. I checked it and ran it again. Hopefully that's not a problem. Logs are below. Thanks so much for your help! 1. BFU Log BFU v1.00.9 Windows XP SP1 (WinNT 5.01.2600 SP1) Script started at 4:21:52 PM, on 6/10/2006 Option Unload Explorer: Yes Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found) Failed: ServiceStop Network Monitor (service not found) Failed: ServiceStop cmdService (service not found) Failed: ServiceDisable Network Monitor (service not found) Failed: ServiceDisable cmdService (service not found) Failed: ServiceDelete Network Monitor (service not found) Failed: ServiceDelete cmdService (service not found) Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found) Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found) Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found) Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found) Option pause between commands: 300 ms Option pause between commands: 50 ms Failed: FolderDelete C:\Program Files\MsConfigs (folder not found) Failed: FolderDelete C:\Program Files\winupdates (folder not found) Failed: FolderDelete C:\Program Files\winupdate (folder not found) Failed: FolderDelete C:\Program Files\winsupdater (folder not found) Failed: FolderDelete C:\Program Files\MsUpdate (folder not found) Failed: FolderDelete C:\Program Files\MsMovies (folder not found) Failed: FolderDelete C:\Program Files\wmplayer (folder not found) Failed: FolderDelete C:\Program Files\outlook (folder not found) Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed) Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed) Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_3a0.dat (operation failed) Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6271.tmp (operation failed) Failed: FolderDelete C:\Program Files\Maxifiles (folder not found) Failed: FolderDelete C:\Program Files\DNS (folder not found) Failed: FolderDelete C:\Program Files\EQAdvice (folder not found) Failed: FolderDelete C:\Program Files\FCAdvice (folder not found) Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found) Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found) Failed: FolderDelete C:\Program Files\InetGet2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found) Failed: FolderDelete C:\Program Files\Network Monitor (folder not found) Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found) Failed: FolderDelete C:\Program Files\Update06 (folder not found) Failed: FolderDelete C:\Program Files\Update03 (folder not found) Failed: FolderDelete C:\Program Files\Update04 (folder not found) Failed: FolderDelete C:\Program Files\Update08 (folder not found) Failed: FolderDelete C:\Program Files\W-Update (folder not found) Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found) Failed: FolderDelete C:\Program Files\Cas (folder not found) Failed: FolderDelete C:\Program Files\CasStub (folder not found) Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found) Failed: FolderDelete C:\Program Files\ipwins (folder not found) Failed: FolderDelete C:\temp (folder not found) Failed: FolderDelete C:\WINDOWS\mdrive (folder not found) Failed: FolderCreate C:\bintheredunthat (folder already exists) Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found) Script completed. 2. Ewido Scan log --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 4:17:37 PM, 6/10/2006 + Report-Checksum: 5DAA990F + Scan result: HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\Gret\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Sidefind : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0017533.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0017540.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017559.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017596.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017604.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017646.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup C:\WINDOWS\SYSTEM32\elyinobo.dma -> Trojan.Agent.qe : Cleaned with backup C:\WINDOWS\SYSTEM32\ipod.raw.exe -> Proxy.Lager.bi : Cleaned with backup C:\WINDOWS\SYSTEM32\qjrkvy.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup C:\WINDOWS\SYSTEM32\rtyduhuo.exe -> Downloader.VB.aan : Cleaned with backup C:\WINDOWS\SYSTEM32\users32.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup C:\WINDOWS\SYSTEM32\winflash.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup ::Report End 3. Fresh HJT log (done after items fixed and system running in normal mode) Logfile of HijackThis v1.99.1 Scan saved at 4:58:57 PM, on 6/10/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\S24EvMon.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\Program Files\McAfee.com\VSO\mcvsshld.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\RegSrvc.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\1XConfig.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Notepad\NOTEPAD.EXE C:\Program Files\Notepad\NOTEPAD.EXE C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe O4 - Global Startup: Digital Line Detect.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O15 - Trusted Zone: http://*.public.windupdates.com O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe END ALL LOGS Bye for now and thanks again! you have got a whole bundle of malware, including some very nasty trojans. This will take numerous steps to get everything. 1. Please download the free trial program Ewido per the following instructions. This is a good trojan scanner and will help to block any further trojan downloads of malware onto your system while we're trying to clean it all up. Should any nasties try to enter your system it should popup a warning and you can block anything new coming in. But first lets install it, update it, and we'll scan later in SAFE MODE. Download, install, and update Ewido AntiMalware (get the free trial version) http://www.ewido.net/en/download/ a. Install Ewido AntiMalware b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it. c. The program will prompt you to update click the OK button d. The program will now go to the main screen e. On the left hand side of the main screen click on Update f. Click on Start. The update will start and a progress bar will show the updates being installed. g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs. *Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended). You will still be able to manually update Ewido using the *update* button 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! 4. Reboot into Safe Mode You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. How to start the computer in Safe mode http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam 5. Once in safe mode, start Ewido AntiMalware a. Click on scanner b. Click on *complete system scan* c. Let the program scan the machine. d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Checkmark the box: *Create encrypted backup in the quarantine* (recommended) Click OK. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. 6. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. click "save"IN "filename" enter log.txt click exit to exit the BFU program. Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder 7. Now please scan with HijackThis and do a *scan only*. Checkmark these items in the list (if found) and then press the *fix checked* button. O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file) O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file) O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file) O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file) O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file) O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file) O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file) O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file) O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file) O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe O15 - Trusted Zone: http://*.public.windupdates.com O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{95F90027-B28D-4E23-A721-073E6C0CDCD3}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{AC71EF8F-F453-4DCF-BE65-6EC2B500E6AC}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37 8. Delete these files(if found) C:\WINDOWS\system32\users32.exe C:\WINDOWS\system32\susp.exe C:\WINDOWS\system32\runsrv32.exe dwcrnt.exe c:\windows\winhelp.exe C:\WINDOWS\System32\serwvdrv.exe C:\WINDOWS\System32\d3d8.exe C:\WINDOWS\System32\taskdir.exe 9. Reboot back into normal mode Logs needed in your next post are: log.txt will be in the C:\BFU\ folder Ewido Scan log Fresh HijackThis log There will be more to do but this will be a good start Share this post Link to post Share on other sites
LS CalamityJane 13 Report post Posted June 11, 2006 Sorry for the late reply, I missed seeing this last post. Open HijackThis, do a *scan only* and when it finishes checkmark these entries, then press *fix checked* O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe O15 - Trusted Zone: http://*.public.windupdates.com ...................................... 1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!). http://siri.urz.free.fr/Fix/SmitfraudFix.zip Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop. How to extract (decompress) zipped or compressed files http://www.lvsonline.com/compresstut/index.shtml Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. 2. Reboot into Safe Mode You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. How to start the computer in Safe mode http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam 3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. 4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below. Logs needed in your next post are: rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed Fresh HijackThis log Share this post Link to post Share on other sites
enoughalready 0 Report post Posted June 11, 2006 Sorry for the late reply, I missed seeing this last post. Open HijackThis, do a *scan only* and when it finishes checkmark these entries, then press *fix checked* O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe O15 - Trusted Zone: http://*.public.windupdates.com ...................................... 1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!). http://siri.urz.free.fr/Fix/SmitfraudFix.zip Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop. How to extract (decompress) zipped or compressed files http://www.lvsonline.com/compresstut/index.shtml Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. 2. Reboot into Safe Mode You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. How to start the computer in Safe mode http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam 3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. 4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below. Logs needed in your next post are: rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed Fresh HijackThis log Hello again and thank you for your continued help! Here are the rapport.txt file and fresh HJT log. Thanks again! SmitFraudFix v2.58 Scan done at 11:45:51.38, Sun 06/11/2006 Run from C:\Documents and Settings\Gret\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\bg.gif Deleted C:\WINDOWS\BTGrab.dll Deleted C:\WINDOWS\close-bar.gif Deleted C:\WINDOWS\dlmax.dll Deleted C:\WINDOWS\infected.gif Deleted C:\WINDOWS\Pynix.dll Deleted C:\WINDOWS\star.gif Deleted C:\WINDOWS\warning-bar-ico.gif Deleted C:\WINDOWS\system32\jao.dll Deleted C:\WINDOWS\system32\questmod.dll Deleted C:\WINDOWS\system32\runsrv32.dll Deleted C:\WINDOWS\system32\tcpservice2.exe Deleted C:\WINDOWS\system32\txfdb32.dll Deleted C:\WINDOWS\system32\udpmod.dll Deleted C:\WINDOWS\system32\wstart.dll Deleted »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Logfile of HijackThis v1.99.1 Scan saved at 11:53:45 AM, on 6/11/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\S24EvMon.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\Program Files\McAfee.com\VSO\mcvsshld.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Dell\Media Experience\PCMService.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\RegSrvc.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\System32\1XConfig.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\HijackThis\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - Global Startup: Digital Line Detect.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O15 - Trusted Zone: http://*.public.windupdates.com O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Share this post Link to post Share on other sites
LS CalamityJane 13 Report post Posted June 11, 2006 Everything looks good except that 015 item is being stubborn. We'll use this to fix it Download: DelDomains.inf Right-click this link and select: Save Target As (IE only) http://www.mvps.org/winhelp2002/DelDomains.inf To use: right-click and select: Install (no need to restart - there is no on-screen action) Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone. ......................... Your Sun Java is out of date and old versions left on your pc, even after updating can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove programs. Remove all old versions of Sun Java. Then go get the latest up to date version here: http://www.java.com/en/download/manual.jsp Here's why removing old versions of Sun Java is important: Potential Vulnerability with Sun Java auto update http://www.dslreports.com/forum/remark,14738046 Scan once more with HijackThis and post a fresh please? Share this post Link to post Share on other sites
enoughalready 0 Report post Posted June 12, 2006 Here's the latest HJT log. One added bonus of all this is that I finally got rid of a harmless (I think) but annoying blue screen that popped up everytime I booted up. I also lost my XP wallpaper, but I can get that back easy enough! Thanks so much Logfile of HijackThis v1.99.1 Scan saved at 8:43:01 PM, on 6/11/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\S24EvMon.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe c:\program files\mcafee.com\agent\mcagent.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\RegSrvc.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\System32\1XConfig.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe C:\WINDOWS\System32\msiexec.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - Global Startup: Digital Line Detect.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Share this post Link to post Share on other sites
LS CalamityJane 13 Report post Posted June 12, 2006 We're getting there, enoughalready! That 015 item is being stubborn. We'll use the following to fix it for good. Download: DelDomains.inf Right-click the following URL and select: Save Target As (IE only) and save to your desktop. http://www.mvps.org/winhelp2002/DelDomains.inf To use: right-click Deldomains.inf and select: Install (no need to restart - there is no on-screen action) Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone. Scan once more with HijackThis and post a fresh log please Share this post Link to post Share on other sites
enoughalready 0 Report post Posted June 13, 2006 Sorry, just want to make sure...should I be running this DelDomains.inf again? Thanks! We're getting there, enoughalready! That 015 item is being stubborn. We'll use the following to fix it for good. Download: DelDomains.inf Right-click the following URL and select: Save Target As (IE only) and save to your desktop. http://www.mvps.org/winhelp2002/DelDomains.inf To use: right-click Deldomains.inf and select: Install (no need to restart - there is no on-screen action) Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone. Scan once more with HijackThis and post a fresh log please Share this post Link to post Share on other sites
LS CalamityJane 13 Report post Posted June 13, 2006 Sorry, just want to make sure...should I be running this DelDomains.inf again? Thanks! LOL! No, a bad case of tired eyes looking at the wrong log. It's gone now. I think you are good to go! Some final cleanup and then my prevention recommendations Navigate to C:\Windows\Temp Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. Clean out your Temporary Internet files. Quit Internet Explorer and quit any instances of Windows Explorer. Click Start, click Control Panel, and then double-click Internet Options. On the General tab, click Delete Files under Temporary Internet Files. In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK. Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK. Click OK. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why? One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal. To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (winXP) 1. Turn off System Restore. Go to Start and right-click on *My Computer*. Click Properties. Click the System Restore tab. Put a Checkmark in the box next to "Turn off System Restore". Click Apply, and then click OK. 2. Reboot. 3. Turn ON System Restore. Go to Start and right-click on *My Computer*. Click Properties. Click the System Restore tab. Remove the checkmark next to "Turn off System Restore". Click Apply, and then click OK. How to Turn On and Turn Off System Restore in Windows XP http://support.microsoft.com/default.aspx?...kb;en-us;310405 Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help . How do I prevent Browser Hijacks and Spyware? http://www.dslreports.com/faq/13620 Important! You need to get SP2 for XP and IE; and also ALL of the windows critical security updates. These and other nasties have been using exploits against unpatched systems to install on silently on victims browsing webpages. Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable! Windows Update http://update.microsoft.com/microsoftupdate/ And see this link for instructions on how to configure the enhanced security features in SP2: http://www.microsoft.com/technet/security/...xp/iesecxp.mspx I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes. MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here: Microsoft Baseline Security Analyzer http://www.microsoft.com/technet/security/...s/mbsahome.mspx Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you. Share this post Link to post Share on other sites
enoughalready 0 Report post Posted June 14, 2006 Looking good! I can't thank you enough for all your help! Share this post Link to post Share on other sites
LS CalamityJane 13 Report post Posted June 14, 2006 You're welcome! I'm glad we could help and I hope you are enjoying your computer again Share this post Link to post Share on other sites
