enoughalready

'nother antispywarebox HJT log


Evil spyware bastards make me mad :(

Helpful community members make me smile :lol:

Any help dealing with this antispywarebox scum is much appreciated.

 

Logfile of HijackThis v1.99.1

Scan saved at 8:54:34 PM, on 6/9/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\Regedit.exe

C:\WINDOWS\System32\users32.exe

C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe

C:\Program Files\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe

O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O15 - Trusted Zone: http://*.public.windupdates.com

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip\..\{95F90027-B28D-4E23-A721-073E6C0CDCD3}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip\..\{AC71EF8F-F453-4DCF-BE65-6EC2B500E6AC}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

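The log above is what a helper would normally triage by eye. As an added example, not part of the original post and not code from HijackThis, here is a small Python script that applies a few of the checks an analyst runs over such a log: O2 BHO registrations whose DLL is gone, O4 Run values that give no directory or launch an executable out of System32 (with a per-user HKCU value doing so treated as the stronger signal), O15 Trusted Zone additions, O17 hard-coded DNS NameServer overrides, and O23 services whose binary is missing. The sample lines are copied from the log above; the heuristics, function names and wording are this editor's, not HijackThis's, and a hit means "look closer", not "malicious" (Dell's QuickSet and DSentry also live in System32 on this machine).

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, including
# several that should produce no finding (SDHelper.dll, NvCplDaemon, DellSupport).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\users32.exe
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O15 - Trusted Zone: http://*.public.windupdates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def image_of(command):
    """Return the file a Run value actually launches: honour a quoted path,
    and look through rundll32 to the DLL it is told to load."""
    if command.startswith('"'):
        end = command.index('"', 1)
        image, rest = command[1:end], command[end + 1:].strip()
    else:
        image, _, rest = command.partition(" ")
    if image.lower().endswith("rundll32.exe"):
        return rest.split(",")[0].strip()
    return image


def check_run_entry(line, body):
    """Editor's heuristics for O4 lines (not HijackThis's own logic)."""
    m = RUN_RE.match(body)
    if not m:
        return []
    hive, _value_name, command = m.groups()
    image = image_of(command)
    if "\\" not in image:
        return [Finding("O4", "no directory given; which file runs depends on the search path", line)]
    low = image.lower()
    if low.startswith(SYSTEM32) and low.endswith(".exe"):
        if hive == "HKCU":
            return [Finding("O4", "per-user Run value launching an executable out of System32", line)]
        return [Finding("O4", "executable launched from Run lives in System32; confirm its publisher", line)]
    return []


def triage(log_text):
    """Walk a HijackThis log and return the lines worth a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no O-section
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO registered but its DLL is gone (orphaned entry)", line))
        elif section == "O4":
            findings.extend(check_run_entry(line, body))
        elif section == "O15":
            findings.append(Finding(section, "site placed in the IE Trusted Zone (relaxed security settings)", line))
        elif section == "O17":
            servers = body.split("NameServer = ", 1)[-1]
            findings.append(Finding(section, f"hard-coded DNS resolvers {servers}; compare with the ISP/DHCP-assigned ones", line))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service still registered but its binary is missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports seven lines: the orphaned BHO, the three Run values (dwcrnt.exe with no path, runsrv32.exe and d3d8.exe out of System32), the Trusted Zone entry, the NameServer override and the missing AOL service binary, while the Spybot BHO, the NVIDIA rundll32 line and the Dell Support entry pass silently.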

Ad-Aware SE Build 1.06r1

Logfile Created on:Friday, June 09, 2006 9:02:55 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R111 08.06.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.Admess(TAC index:5):6 total references

Alexa(TAC index:5):18 total references

CoolWebSearch(TAC index:10):2 total references

DailyToolbar(TAC index:5):14 total references

Other(TAC index:5):1 total references

Transponder(TAC index:10):1 total references

WinFavorites(TAC index:6):14 total references

VX2(TAC index:10):6 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

6-9-2006 9:02:55 PM - Scan started. (Full System Scan)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 740

ThreadCreationTime : 6-10-2006 12:07:16 AM

BasePriority : Normal

 

 

#:2 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 816

ThreadCreationTime : 6-10-2006 12:07:21 AM

BasePriority : High

 

 

#:3 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 860

ThreadCreationTime : 6-10-2006 12:07:21 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:4 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 872

ThreadCreationTime : 6-10-2006 12:07:21 AM

BasePriority : Normal

FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)

ProductVersion : 5.1.2600.1106

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:5 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1044

ThreadCreationTime : 6-10-2006 12:07:22 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1068

ThreadCreationTime : 6-10-2006 12:07:22 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [s24evmon.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1104

ThreadCreationTime : 6-10-2006 12:07:22 AM

BasePriority : Normal

FileVersion : 8, 0, 0, 162

ProductVersion : 8, 0, 0, 162

ProductName : Mobile Unit Support Service

CompanyName : Intel Corporation

FileDescription : Event Monitor - Supports driver extensions to NIC Driver for wireless adapters.

InternalName : S24EvMon

LegalCopyright : Copyright © 2001 - 2003 Intel Corporation, 1997 - 2001 Symbol Technologies, Inc. Portions Copyright © MIT

OriginalFilename : S24EvMon.exe

 

#:8 [zcfgsvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1432

ThreadCreationTime : 6-10-2006 12:07:23 AM

BasePriority : Normal

FileVersion : 8, 0, 0, 162

ProductVersion : 8, 0, 0, 162

ProductName : ZeroCfgSvc Application

CompanyName : Intel Corporation

FileDescription : ZeroCfgSvc MFC Application

InternalName : ZeroCfgSvc

LegalCopyright : Copyright © 2002 - 2003 Intel Corporation

OriginalFilename : ZeroCfgSvc.EXE

 

#:9 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1544

ThreadCreationTime : 6-10-2006 12:07:24 AM

BasePriority : Normal

FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)

ProductVersion : 6.00.2800.1106

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1816

ThreadCreationTime : 6-10-2006 12:07:24 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:11 [mcdetect.exe]

FilePath : c:\program files\mcafee.com\agent\

ProcessID : 1944

ThreadCreationTime : 6-10-2006 12:07:24 AM

BasePriority : Normal

FileVersion : 6, 0, 0, 19

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee WSC Integration Service

InternalName : McDetect

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : McDetect.exe

Comments : McAfee WSC Integration Service

 

#:12 [mcshield.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 1964

ThreadCreationTime : 6-10-2006 12:07:24 AM

BasePriority : High

 

 

#:13 [mctskshd.exe]

FilePath : c:\PROGRA~1\mcafee.com\agent\

ProcessID : 1992

ThreadCreationTime : 6-10-2006 12:07:24 AM

BasePriority : Normal

FileVersion : 6, 0, 0, 13

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee Task Scheduler

InternalName : McTskshd

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : McTskshd.exe

 

#:14 [oasclnt.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 2032

ThreadCreationTime : 6-10-2006 12:07:25 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 24

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan OAS Client

InternalName : OasClnt

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : OasClnt.exe

Comments : McAfee VirusScan OAS Client

 

#:15 [mcvsshld.exe]

FilePath : c:\program files\mcafee.com\vso\

ProcessID : 344

ThreadCreationTime : 6-10-2006 12:07:27 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 22

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan ActiveShield Resource

InternalName : McVsShld

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : McVsShld.exe

Comments : McAfee VirusScan ActiveShield Resource

 

#:16 [mcvsescn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ProcessID : 404

ThreadCreationTime : 6-10-2006 12:07:27 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 20

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan E-mail Scan Module

InternalName : mcvsescn

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : mcvsescn.EXE

Comments : McAfee VirusScan E-mail Scan Module

 

#:17 [jusched.exe]

FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\

ProcessID : 520

ThreadCreationTime : 6-10-2006 12:07:29 AM

BasePriority : Normal

 

 

#:18 [pcmservice.exe]

FilePath : C:\Program Files\Dell\Media Experience\

ProcessID : 540

ThreadCreationTime : 6-10-2006 12:07:29 AM

BasePriority : Normal

FileVersion : 1.0.1212

ProductVersion : 1.0.1212

ProductName : PCM2Launcher Application

CompanyName : CyberLink Corp.

FileDescription : PowerCinema Resident Program for Dell

InternalName : PowerCinema Resident Program for Dell

LegalCopyright : Copyright c 2003 CyberLink Corp.

OriginalFilename : PCM2Launcher.EXE

 

#:19 [dsentry.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 652

ThreadCreationTime : 6-10-2006 12:07:31 AM

BasePriority : Normal

FileVersion : 1, 0, 5, 0

ProductVersion : 1, 0, 5, 0

ProductName : Dell - DVDSentry

CompanyName : Dell - Advanced Desktop Engineering

FileDescription : DVDSentry

InternalName : DVDSentry

LegalCopyright : Copyright © 2002 Dell

OriginalFilename : DSentry.exe

Comments : DVDSentry launches your software DVD player when a DVD is inserted.

 

#:20 [tfswctrl.exe]

FilePath : C:\WINDOWS\system32\dla\

ProcessID : 660

ThreadCreationTime : 6-10-2006 12:07:31 AM

BasePriority : Normal

FileVersion : 1.04.05b

CompanyName : Sonic Solutions

FileDescription : Drive Letter Access Component

LegalCopyright : Copyright © 2003 Sonic Solutions

 

#:21 [quickset.exe]

FilePath : C:\Program Files\Dell\QuickSet\

ProcessID : 676

ThreadCreationTime : 6-10-2006 12:07:31 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : QuickSet Application

FileDescription : QuickSet MFC Application

InternalName : direct

LegalCopyright : Copyright © 2001

OriginalFilename : direct.EXE

 

#:22 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 696

ThreadCreationTime : 6-10-2006 12:07:31 AM

BasePriority : Normal

FileVersion : 6.14.10.4586

ProductVersion : 6.14.10.4586

ProductName : NVIDIA Driver Helper Service, Version 45.86

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 45.86

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:23 [apoint.exe]

FilePath : C:\Program Files\Apoint\

ProcessID : 400

ThreadCreationTime : 6-10-2006 12:07:32 AM

BasePriority : Normal

FileVersion : 5.4.101.118

ProductVersion : 5.4.101.118

ProductName : Alps Pointing-device Driver

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver

InternalName : Alps Pointing-device Driver

LegalCopyright : Copyright © 1999-2003 Alps Electric Co., Ltd.

OriginalFilename : Apoint.exe

 

#:24 [ntvdm.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 784

ThreadCreationTime : 6-10-2006 12:07:32 AM

BasePriority : Normal

FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)

ProductVersion : 5.1.2600.1106

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : NTVDM.EXE

InternalName : NTVDM.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : NTVDM.EXE

 

#:25 [regsrvc.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1092

ThreadCreationTime : 6-10-2006 12:07:33 AM

BasePriority : Normal

FileVersion : 8, 0, 0, 162

ProductVersion : 8, 0, 0, 162

ProductName : RegSrvc Module

CompanyName : Intel Corporation

FileDescription : RegSrvc Module

InternalName : RegSrvc

LegalCopyright : Copyright © 2002 - 2003 Intel Corporation

OriginalFilename : RegSrvc.EXE

 

#:26 [wanmpsvc.exe]

FilePath : C:\WINDOWS\

ProcessID : 1208

ThreadCreationTime : 6-10-2006 12:07:33 AM

BasePriority : Normal

FileVersion : 7, 0, 0, 2

ProductVersion : 7, 0, 0, 2

ProductName : America Online

CompanyName : America Online, Inc.

FileDescription : Wan Miniport (ATW) Service

InternalName : WanMPSvc

LegalCopyright : Copyright © 2001 America Online, Inc.

OriginalFilename : WanMPSvc.exe

 

#:27 [dsagnt.exe]

FilePath : C:\Program Files\Dell Support\

ProcessID : 1280

ThreadCreationTime : 6-10-2006 12:07:34 AM

BasePriority : Below Normal

FileVersion : 1, 1, 0, 73

ProductVersion : 1, 1, 0, 73

ProductName : Dell Support

CompanyName : Gteko Ltd.

FileDescription : Dell Support

InternalName : AUAgent

LegalCopyright : Copyright © 2000 - 2004 Gteko Ltd.

OriginalFilename : AUAgent.exe

 

#:28 [mnyexpr.exe]

FilePath : C:\Program Files\Microsoft Money\System\

ProcessID : 1500

ThreadCreationTime : 6-10-2006 12:07:35 AM

BasePriority : Normal

FileVersion : 12.00.0613

ProductVersion : 12.00.0613

ProductName : Microsoft® MSN Money Deluxe

CompanyName : Microsoft Corp.

FileDescription : Microsoft Money Express

InternalName : mnyexpr

LegalCopyright : Copyright © Microsoft Corporation

OriginalFilename : mnyexpr.exe

 

#:29 [mcagent.exe]

FilePath : c:\program files\mcafee.com\agent\

ProcessID : 1620

ThreadCreationTime : 6-10-2006 12:07:37 AM

BasePriority : Normal

FileVersion : 6, 0, 0, 16

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee SecurityCenter Agent

InternalName : mcagent

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : mcagent.exe

 

#:30 [dlg.exe]

FilePath : C:\Program Files\Digital Line Detect\

ProcessID : 1636

ThreadCreationTime : 6-10-2006 12:07:38 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : BVRP Software TestLine

CompanyName : BVRP Software

FileDescription : Digital Line Detection

InternalName : TestLine

LegalCopyright : Copyright © 2003

OriginalFilename : TestLine.exe

 

#:31 [apntex.exe]

FilePath : C:\Program Files\Apoint\

ProcessID : 1696

ThreadCreationTime : 6-10-2006 12:07:38 AM

BasePriority : Normal

FileVersion : 5.0.1.15

ProductVersion : 5.0.1.15

ProductName : Alps Pointing-device Driver for Windows NT/2000/XP

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP

InternalName : Alps Pointing-device Driver for Windows NT/2000/XP

LegalCopyright : Copyright © 1998-2003 Alps Electric Co., Ltd.

OriginalFilename : ApntEx.exe

 

#:32 [1xconfig.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 552

ThreadCreationTime : 6-10-2006 12:07:40 AM

BasePriority : Normal

FileVersion : 8, 0, 0, 162

ProductVersion : 8, 0, 0, 162

ProductName : 8021XConfig Module

CompanyName : Intel

FileDescription : 8021XConfig Module

InternalName : 8021XConfig

LegalCopyright : Copyright 2003

OriginalFilename : 1XConfig.EXE

Comments : Wrapper for MH. (Service COM)

 

#:33 [wuauclt.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 3180

ThreadCreationTime : 6-10-2006 12:08:41 AM

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:34 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 3840

ThreadCreationTime : 6-10-2006 12:08:58 AM

BasePriority : Normal

 

 

#:35 [regedit.exe]

FilePath : C:\WINDOWS\

ProcessID : 3576

ThreadCreationTime : 6-10-2006 12:15:11 AM

BasePriority : Normal

FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)

ProductVersion : 5.1.2600.1106

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Registry Editor

InternalName : REGEDIT

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : REGEDIT.EXE

 

#:36 [users32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 4068

ThreadCreationTime : 6-10-2006 12:16:42 AM

BasePriority : Normal

FileVersion : 1.00

ProductVersion : 1.00

ProductName : Project1

CompanyName : Trojan Factory

InternalName : main

OriginalFilename : main.dat

 

#:37 [wpwin11.exe]

FilePath : C:\Program Files\WordPerfect Office 11\Programs\

ProcessID : 2752

ThreadCreationTime : 6-10-2006 12:34:04 AM

BasePriority : Normal

FileVersion : 11.0.0.233

ProductVersion : 11.0.0.233

ProductName : WordPerfect® 11

CompanyName : Corel Corporation Limited

FileDescription : WordPerfect® 11

InternalName : WPWIN

LegalCopyright : Copyright 2001 - 2003. Corel Corporation. All rights reserved.

LegalTrademarks : WordPerfect® 11

OriginalFilename : wpwin11.exe

 

#:38 [hijackthis.exe]

FilePath : C:\Program Files\HijackThis\

ProcessID : 2256

ThreadCreationTime : 6-10-2006 12:54:32 AM

BasePriority : Normal

FileVersion : 1.99.0001

ProductVersion : 1.99.0001

ProductName : HijackThis

CompanyName : Soeperman Enterprises Ltd.

FileDescription : HijackThis

InternalName : HijackThis

LegalCopyright : Freeware

OriginalFilename : HijackThis.exe

Comments : Version history is in Help section

 

#:39 [notepad.exe]

FilePath : C:\WINDOWS\

ProcessID : 2316

ThreadCreationTime : 6-10-2006 12:54:35 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Notepad

InternalName : Notepad

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : NOTEPAD.EXE

 

#:40 [ad-aware.exe]

FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\

ProcessID : 124

ThreadCreationTime : 6-10-2006 1:02:40 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\{f6bdb4e5-d6aa-4d1f-8b67-bcb0f2246e21}

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\wstart.dll

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{9896231a-c487-43a5-8369-6ec9b0a96cc0}

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : wstart.whttphelper

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : wstart.whttphelper.1

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : alxtb.bho

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{f1fabe79-25fc-46de-8c5a-2c6db9d64333}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{0bbb0424-e98e-4405-9a94-481854765c80}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{0f3332b5-bc98-48af-9fac-05fec94ebe73}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{3e60160f-0ed6-4dcc-b6b6-850cde4fd217}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{a69107cc-bec8-4a34-b474-211b0f46a764}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{b7b84995-8b92-46bf-94aa-fa2f3dd23b84}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{fa77ad79-09cf-41fb-b171-cc856f9e737f}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : popmenu.menu

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : popup.popupkiller

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : typelib\{547ab549-4dd8-4ea0-b070-f6ea062148ff}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{a6a68cbd-6673-41b1-b997-3f83a25b45b0}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{b71c7d9a-da43-4e8b-bb98-1684ac2af324}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\dailytoolbar.dll

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\{951b3138-ae8e-4676-a05a-250a5f111631}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{58f9b276-e1cc-458e-8159-21cbc021874b}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{8333c319-0669-4893-a418-f56d9249fca6}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : dailytoolbar.ieband

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : dailytoolbar.sysmgr

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : ietoolbar.affiliatectl

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{10195311-e434-47a9-adba-48839e3f7e4e}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{abafa0b4-f78d-42e5-8c31-1a441d01c1df}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : bridge.brdg

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{80bb7465-a638-43b5-9827-8e8fe38dfcc1}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : jao.jao

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27}

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\wsoft

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\alexa internet

 

CoolWebSearch Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\dailytoolbar

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\nix solutions\dailytoolbar

 

Transponder Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\transponder

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\clsid\{80bb7465-a638-43b5-9827-8e8fe38dfcc1}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\respondmiter

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{ffd2825e-0785-40c5-9a41-518f53a8261f}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-f09c-02b4-6ec2-ad0300000000}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-c1ec-0345-6ec2-4d0300000000}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-59d4-4008-9058-080011001200}

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 46

Objects found so far: 46

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8333c319-0669-4893-a418-f56d9249fca6}

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 47

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b}

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 48

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 48

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 entries scanned.

New critical objects:0

Objects found so far: 48

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\alexa toolbar

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\uninstall\alexa toolbar

 

Alexa Object Recognized!

Type : File

Data : alxres.dll

TAC Rating : 5

Category : Data Miner

Comment :

Object : C:\WINDOWS\System32\

 

 

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\nix solutions

 

DailyToolbar Object Recognized!

Type : File

Data : dailytoolbar.dll

TAC Rating : 5

Category : Misc

Comment :

Object : C:\WINDOWS\System32\

 

 

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\uninstall\bridge

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\bridge.brdg

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\jao.jao

 

WinFavorites Object Recognized!

Type : File

Data : a.exe

TAC Rating : 6

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

 

WinFavorites Object Recognized!

Type : File

Data : bridge.dll

TAC Rating : 6

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

 

CoolWebSearch Object Recognized!

Type : RegData

Data : about:blank

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\internet explorer\main

Value : Start Page

Data : about:blank

 

VX2 Object Recognized!

Type : File

Data : ZServ.dll

TAC Rating : 10

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

Other Object Recognized!

Type : File

Data : NLDDKZUA.EXE-08BD186C.pf

TAC Rating : 10

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 14

Objects found so far: 62

 

9:16:04 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:13:08.173

Objects scanned:125678

Objects identified:63

Objects ignored:0

New critical objects:63


You have got a whole bundle of malware, including some very nasty trojans. This will take numerous steps to get everything.

 

1. Please download the free trial program Ewido per the following instructions. This is a good trojan scanner and will help to block any further trojan downloads of malware onto your system while we're trying to clean it all up. Should any nasties try to enter your system it should pop up a warning and you can block anything new coming in. But first let's install it, update it, and we'll scan later in SAFE MODE.

 

Download, install, and update Ewido AntiMalware (get the free trial version)

http://www.ewido.net/en/download/

 

a. Install Ewido AntiMalware

 

b. Launch Ewido; there should be a big yellow E icon on your desktop, double-click it.

 

c. The program will prompt you to update; click the OK button.

 

d. The program will now go to the main screen

 

e. On the left hand side of the main screen click on Update

 

f. Click on Start. The update will start and a progress bar will show the updates being installed.

 

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

 

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).

You will still be able to manually update Ewido using the *update* button :)

 

2. Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

4. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

5. Once in safe mode, start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.

Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

 

Click OK.

 

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "complete script execution" box to pop up and press OK.
  • Click "Save"
    In "filename" enter log.txt
  • Click Exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder.

 

7. Now please scan with HijackThis and do a *scan only*. Checkmark these items in the list (if found) and then press the *fix checked* button.

 

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)

 

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

 

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)

 

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

 

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll

 

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

 

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

 

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

 

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

 

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

 

O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe

 

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe

 

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

 

O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe

 

O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe

 

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe

 

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

 

O15 - Trusted Zone: http://*.public.windupdates.com

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{95F90027-B28D-4E23-A721-073E6C0CDCD3}: NameServer = 69.50.184.84,195.225.176.37

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{AC71EF8F-F453-4DCF-BE65-6EC2B500E6AC}: NameServer = 69.50.184.84,195.225.176.37

 

O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37

 

8. Delete these files (if found)

 

C:\WINDOWS\system32\users32.exe

 

C:\WINDOWS\system32\susp.exe

 

C:\WINDOWS\system32\runsrv32.exe

 

dwcrnt.exe

 

c:\windows\winhelp.exe

 

C:\WINDOWS\System32\serwvdrv.exe

 

C:\WINDOWS\System32\d3d8.exe

 

C:\WINDOWS\System32\taskdir.exe

 

9. Reboot back into normal mode

Logs needed in your next post are:

 

log.txt will be in the C:\BFU\ folder

 

Ewido Scan log

 

Fresh HijackThis log

 

There will be more to do but this will be a good start

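As an added example (not code from this thread, from HijackThis or from Ewido), here is a small Python triage of HijackThis log lines for the entry types the post above asks to fix: orphaned O2 BHOs, O4 autoruns with no resolvable path, O15 Trusted Zone wildcards and O17 NameServer overrides. The sample lines are constructed from entries quoted in this thread; EXPECTED_NAMESERVERS is an assumed placeholder value, and the rules are review heuristics, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines taken from the HijackThis entries quoted in this
# thread, plus one clean O17 line (192.168.1.1 is an assumed home-router value).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe
O15 - Trusted Zone: http://*.public.windupdates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use. Assumed placeholder for the
# example; a real check would load the ISP's or corporate DNS servers here.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
_O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
_O17_RE = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>[\d.,]+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O17"
    severity: str  # "high" | "medium" | "low"
    reason: str
    line: str


def _executable_of(cmd: str) -> str:
    """Return the executable token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply one heuristic per section; None means 'nothing to flag here'."""
    line = line.strip()
    m = _O2_RE.match(line)
    if m:
        # A CLSID still registered under Browser Helper Objects whose DLL is
        # gone is leftover from a removed BHO: inert now, but clutter that
        # makes a fresh log harder to read, so it is worth clearing.
        if m["file"] == "(no file)":
            return Finding("O2", "low", "orphaned BHO: CLSID registered but DLL missing", line)
        return None
    m = _O4_RE.match(line)
    if m:
        # An autorun with a bare filename is resolved through the PATH search
        # order at logon, so the binary cannot be located and verified from
        # the log alone; full-path entries need a hash/signature check that
        # this offline example does not perform.
        exe = _executable_of(m["cmd"])
        if "\\" not in exe:
            return Finding("O4", "medium", f"autorun '{exe}' has no directory; locate and verify it", line)
        return None
    m = _O15_RE.match(line)
    if m:
        # Trusted Zone entries relax IE's security settings for that host;
        # a wildcard extends that to every subdomain.
        sev = "medium" if "*" in m["host"] else "low"
        return Finding("O15", sev, f"'{m['host']}' added to the IE Trusted Zone", line)
    m = _O17_RE.match(line)
    if m:
        # Per-adapter NameServer overrides pointing at resolvers the owner
        # did not configure are a classic DNS hijack indicator.
        rogue = [s for s in m["servers"].split(",") if s not in EXPECTED_NAMESERVERS]
        if rogue:
            return Finding("O17", "high", f"NameServer set to unexpected resolvers {rogue}", line)
        return None
    return None


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```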

OK. I took care of all this stuff. Only problem was that after running BruteForce Uninstaller, I realized that the "Save log" box wasn't checked, so I didn't have anything to save. I checked it and ran it again. Hopefully that's not a problem. Logs are below. Thanks so much for your help! :)

 

1. BFU Log

 

BFU v1.00.9

Windows XP SP1 (WinNT 5.01.2600 SP1)

Script started at 4:21:52 PM, on 6/10/2006

 

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: ServiceStop Network Monitor (service not found)

Failed: ServiceStop cmdService (service not found)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable cmdService (service not found)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (service not found)

Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)

Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_3a0.dat (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6271.tmp (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FolderDelete C:\Program Files\Update03 (folder not found)

Failed: FolderDelete C:\Program Files\Update04 (folder not found)

Failed: FolderDelete C:\Program Files\Update08 (folder not found)

Failed: FolderDelete C:\Program Files\W-Update (folder not found)

Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

Failed: FolderDelete C:\Program Files\Cas (folder not found)

Failed: FolderDelete C:\Program Files\CasStub (folder not found)

Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

Failed: FolderDelete C:\Program Files\ipwins (folder not found)

Failed: FolderDelete C:\temp (folder not found)

Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)

Failed: FolderCreate C:\bintheredunthat (folder already exists)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.

 

2. Ewido Scan log

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 4:17:37 PM, 6/10/2006

+ Report-Checksum: 5DAA990F

 

+ Scan result:

 

HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup

C:\Documents and Settings\Gret\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Sidefind : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0017533.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0017540.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017559.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017596.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017604.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017646.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

C:\WINDOWS\SYSTEM32\elyinobo.dma -> Trojan.Agent.qe : Cleaned with backup

C:\WINDOWS\SYSTEM32\ipod.raw.exe -> Proxy.Lager.bi : Cleaned with backup

C:\WINDOWS\SYSTEM32\qjrkvy.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

C:\WINDOWS\SYSTEM32\rtyduhuo.exe -> Downloader.VB.aan : Cleaned with backup

C:\WINDOWS\SYSTEM32\users32.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup

C:\WINDOWS\SYSTEM32\winflash.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

 

 

::Report End

 

 

3. Fresh HJT log (done after items fixed and system running in normal mode)

 

Logfile of HijackThis v1.99.1

Scan saved at 4:58:57 PM, on 6/10/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

c:\program files\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Notepad\NOTEPAD.EXE

C:\Program Files\Notepad\NOTEPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe

O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O15 - Trusted Zone: http://*.public.windupdates.com

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

 

END ALL LOGS

Bye for now and thanks again!

 

 

you have got a whole bundle of malware, including some very nasty trojans. This will take numerous steps to get everything.

 

1. Please download the free trial program Ewido per the following instructions. This is a good trojan scanner and will help to block any further trojan downloads of malware onto your system while we're trying to clean it all up. Should any nasties try to enter your system it should popup a warning and you can block anything new coming in. But first lets install it, update it, and we'll scan later in SAFE MODE.

 

Download, install, and update Ewido AntiMalware (get the free trial version)

http://www.ewido.net/en/download/

 

a. Install Ewido AntiMalware

 

b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it.

 

c. The program will prompt you to update click the OK button

 

d. The program will now go to the main screen

 

e. On the left hand side of the main screen click on Update

 

f. Click on Start. The update will start and a progress bar will show the updates being installed.

 

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

 

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).

You will still be able to manually update Ewido using the *update* button :)

 

2. Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

4. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

5. Once in safe mode, start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.

Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

 

Click OK.

 

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon foldericon.png and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • click "save"
    IN "filename" enter log.txt
  • click exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder

 

7. Now please scan with HijackThis and do a *scan only*. Checkmark these items in the list (if found) and then press the *fix checked* button.

 

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)

 

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

 

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)

 

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

 

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll

 

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

 

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

 

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

 

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

 

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

 

O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe

 

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe

 

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

 

O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe

 

O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe

 

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe

 

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

 

O15 - Trusted Zone: http://*.public.windupdates.com

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{95F90027-B28D-4E23-A721-073E6C0CDCD3}: NameServer = 69.50.184.84,195.225.176.37

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{AC71EF8F-F453-4DCF-BE65-6EC2B500E6AC}: NameServer = 69.50.184.84,195.225.176.37

 

O17 - HKLM\System\CS1\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37

 

8. Delete these files (if found)

 

C:\WINDOWS\system32\users32.exe

 

C:\WINDOWS\system32\susp.exe

 

C:\WINDOWS\system32\runsrv32.exe

 

dwcrnt.exe

 

c:\windows\winhelp.exe

 

C:\WINDOWS\System32\serwvdrv.exe

 

C:\WINDOWS\System32\d3d8.exe

 

C:\WINDOWS\System32\taskdir.exe

 

9. Reboot back into normal mode

Logs needed in your next post are:

 

log.txt will be in the C:\BFU\ folder

 

Ewido Scan log

 

Fresh HijackThis log

 

There will be more to do but this will be a good start

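The fix list above spans four HijackThis sections: orphaned O2 BHOs, O4 Run entries, an O15 Trusted Zone wildcard, and O17 NameServer lines pointing every network interface at the same two outside resolvers. The Python below is an added example, not part of this thread or of HijackThis: it parses such lines and ranks them. The known-bad executable names and resolver addresses are taken from the entries above; the severity rules and the `trusted_dns` allow-list parameter are assumptions.

```python
# Added example (not from this thread or from HijackThis): triage the O2/O4/O15/O17
# lines of an HJT log. Known-bad names and resolver addresses come from the entries
# the helper told the poster to fix; everything else is a reviewer's heuristic.
import re
from dataclasses import dataclass

# Run-key executables the helper listed for removal in this thread.
KNOWN_BAD_RUN = frozenset({"dwcrnt.exe", "runsrv32.exe", "susp.exe", "winhelp.exe",
                           "serwvdrv.exe", "d3d8.exe", "taskdir.exe", "users32.exe"})
# Resolver addresses the O17 NameServer entries in the thread were pointed at.
KNOWN_BAD_DNS = frozenset({"69.50.184.84", "195.225.176.37"})

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ZONE_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")
DNS_RE = re.compile(r"^HKLM\\System\\(?:CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
                    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<ns>.*)$")

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    section: str   # O2, O4, O15 or O17
    line: str
    reason: str

def _executable(cmd):
    """Program part of a Run-key command line, quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def triage(log_text, trusted_dns=frozenset()):
    """Return a Finding for each O2/O4/O15/O17 line that needs attention."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path") == "(no file)":
                out.append(Finding("medium", section, line,
                                   "BHO registered but its DLL is gone (orphaned entry)"))
        elif section == "O4" and (r := RUN_RE.match(body)):
            exe = _executable(r.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if base in KNOWN_BAD_RUN:
                out.append(Finding("high", section, line,
                                   f"{base} is a Run entry this thread removed"))
            elif "\\" not in exe:
                # Bare name: Windows resolves it via the search path, so verify it.
                out.append(Finding("medium", section, line,
                                   f"{exe} has no path and is resolved via the search path"))
        elif section == "O15" and (z := ZONE_RE.match(body)):
            sev = "high" if "*" in z.group("host") else "medium"
            out.append(Finding(sev, section, line,
                               "site added to IE Trusted Zone (a wildcard covers every subdomain)"))
        elif section == "O17" and (d := DNS_RE.match(body)):
            servers = [s.strip() for s in d.group("ns").split(",")]
            bad = [s for s in servers if s and s not in trusted_dns]
            if bad:
                sev = "high" if KNOWN_BAD_DNS & set(bad) else "medium"
                out.append(Finding(sev, section, line,
                                   f"{d.group('guid')} resolves DNS via untrusted {', '.join(bad)}"))
    return out

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O15 - Trusted Zone: http://*.public.windupdates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3082F763-4A70-43E4-9151-623244CD9B9B}: NameServer = 69.50.184.84,195.225.176.37
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Passing the ISP's real resolvers in `trusted_dns` keeps the O17 check quiet on a healthy machine while still flagging the two addresses from this thread as high.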

Sorry for the late reply, I missed seeing this last post.

 

Open HijackThis, do a *scan only* and when it finishes checkmark these entries, then press *fix checked*

 

O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe

 

O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\System32\serwvdrv.exe

 

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe

 

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

 

O15 - Trusted Zone: http://*.public.windupdates.com

......................................

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note: process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed

 

Fresh HijackThis log


 

 

 

Hello again and thank you for your continued help! Here are the rapport.txt file and fresh HJT log. Thanks again!

 

SmitFraudFix v2.58

 

Scan done at 11:45:51.38, Sun 06/11/2006

Run from C:\Documents and Settings\Gret\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\bg.gif Deleted

C:\WINDOWS\BTGrab.dll Deleted

C:\WINDOWS\close-bar.gif Deleted

C:\WINDOWS\dlmax.dll Deleted

C:\WINDOWS\infected.gif Deleted

C:\WINDOWS\Pynix.dll Deleted

C:\WINDOWS\star.gif Deleted

C:\WINDOWS\warning-bar-ico.gif Deleted

C:\WINDOWS\system32\jao.dll Deleted

C:\WINDOWS\system32\questmod.dll Deleted

C:\WINDOWS\system32\runsrv32.dll Deleted

C:\WINDOWS\system32\tcpservice2.exe Deleted

C:\WINDOWS\system32\txfdb32.dll Deleted

C:\WINDOWS\system32\udpmod.dll Deleted

C:\WINDOWS\system32\wstart.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:53:45 AM, on 6/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

c:\program files\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O15 - Trusted Zone: http://*.public.windupdates.com

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Everything looks good except that O15 item is being stubborn.

We'll use this to fix it

Download: DelDomains.inf

 

Right-click this link and select: Save Target As (IE only)

http://www.mvps.org/winhelp2002/DelDomains.inf

 

To use: right-click and select: Install (no need to restart - there is no on-screen action)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone.

.........................

Your Sun Java is out of date, and old versions left on your PC, even after updating, can be vulnerable to malware exploits. Go to Start / Control Panel and look in Add/Remove Programs. Remove all old versions of Sun Java. Then go get the latest up-to-date version here:

http://www.java.com/en/download/manual.jsp

 

Here's why removing old versions of Sun Java is important:

Potential Vulnerability with Sun Java auto update

http://www.dslreports.com/forum/remark,14738046

 

Scan once more with HijackThis and post a fresh log please? :)


Here's the latest HJT log. One added bonus of all this is that I finally got rid of a harmless (I think) but annoying blue screen that popped up every time I booted up. I also lost my XP wallpaper, but I can get that back easily enough! Thanks so much :)

 

Logfile of HijackThis v1.99.1

Scan saved at 8:43:01 PM, on 6/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


We're getting there, enoughalready! :)

 

That O15 item is being stubborn. We'll use the following to fix it for good.

 

Download: DelDomains.inf

 

Right-click the following URL and select: Save Target As (IE only) and save to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

 

To use: right-click Deldomains.inf and select: Install (no need to restart - there is no on-screen action)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone.

 

Scan once more with HijackThis and post a fresh log please :D


Sorry, just want to make sure...should I be running this DelDomains.inf again? Thanks! :lol:

 



LOL! :D No, a bad case of tired eyes looking at the wrong log. It's gone now.

 

I think you are good to go! :D

 

Some final cleanup and then my prevention recommendations

 

Navigate to C:\Windows\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Clean out your Temporary Internet files.

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help B).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

Important! You need to get SP2 for XP and IE, and also ALL of the Windows critical security updates. These and other nasties have been using exploits against unpatched systems to install silently on victims browsing webpages.

 

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend getting the free tool Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC's security for prevention purposes.

 

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
