Welcome to MalwareRemoval.com
Up for your inspection -

Post by Gary Chandler » May 4th, 2005, 9:14 pm

I've run the recommended programs and am staying in safe mode until I hear your recommendations from my HJT log I'm posting here:

Logfile of HijackThis v1.99.1
Scan saved at 9:21:58 PM, on 5/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GARYCH~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s C:/WINNT/pcsearch.reg
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Now I'm off to BED and checking this tomorrow!!!

Post by Elrond » May 5th, 2005, 8:08 am

Hi
Welcome to Malware Removal Forums.
I'm looking over your log file and will get back to you soon.

Elrond

Post by Elrond » May 5th, 2005, 10:59 am

Hi Gary

You do have some infections on your computer and we will need to work through a few posts.

RED or UNDERLINED words are links that can be clicked.

HOW TO Instructions:

Reboot in safe mode. If you have a keyboard with a "F Lock" key click it so that the "F" light above it is on when you start tapping the "F8" key.
How to print the fix instructions
Click the red links above.

Unzip a downloaded zip file.
Place the zip file in the folder where you want the unzipped program to be.
If you are running Windows XP you simply right click the zip file and select "Extract Files".
For the other versions of Windows you will need a program like 7-Zip. If you decide to use 7-Zip, download the newest version that is not a beta version.
Open 7-Zip. Navigate to the downloaded zip file and highlight it. Right click and select "Extract Here".

When asked to post a new HijackThis log please
Close all windows and browsers.
Find the HijackThis folder. Open it and double click "HijackThis.exe". Click "Do a system scan" and save a "logfile". (If HijackThis shows you a "Scan" button it is OK.)
When the "Scan" button changes into a "Save Log" button click it. Click "Ctrl-A" (the "Ctrl" key and the "A" key at the same time) to highlight the whole log. Now click "Ctrl-C" to copy the text. Open this topic and click the "Add Reply" ("Post Reply") button at the bottom of the page. Paste the log into the window that opens up by clicking "Ctrl-V".

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL INSTRUCTED TO DO SO. SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH


1. Please copy the instructions to a notepad or preferably print them.

2. Make sure to work through the fixes exactly as given and in the exact order they are mentioned below.

3. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

4. Configure Windows to show all files. See Showing hidden files and folders in Windows if you need help with this.

5. Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe

6. Download 'SpSeHjfix' to the desktop and then
right click a blank part of the desktop and select New Folder; call it spfix
unzip the file into that folder

7. Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say "system clean" and not go on to the next stage.

8. Repeat point 7

9. Now run the CWShredder - Hit The FIX button!

10. Reboot and post a fresh HJT log and the logs that were created by 'SpSeHjfix'.

Post by Gary Chandler » May 6th, 2005, 8:42 am

First, the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:48:06 AM, on 5/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s C:/WINNT/pcsearch.reg
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

and now the newest SPS log:
(5/5/05 6:26:07 AM) SPSeHjFix started v1.1.2
(5/5/05 6:26:07 AM) OS: Win2000 Service Pack 4 (5.0.2195)
(5/5/05 6:26:07 AM) Language: english
(5/5/05 6:26:07 AM) Win-Path: C:\WINNT
(5/5/05 6:26:07 AM) System-Path: C:\WINNT\system32
(5/5/05 6:26:07 AM) Temp-Path: C:\DOCUME~1\GARYCH~1\LOCALS~1\Temp\


(5/5/05 6:38:53 AM) SPSeHjFix started v1.1.2
(5/5/05 6:38:53 AM) OS: Win2000 Service Pack 4 (5.0.2195)
(5/5/05 6:38:53 AM) Language: english
(5/5/05 6:38:53 AM) Win-Path: C:\WINNT
(5/5/05 6:38:53 AM) System-Path: C:\WINNT\system32
(5/5/05 6:38:53 AM) Temp-Path: C:\DOCUME~1\GARYCH~1\LOCALS~1\Temp\
(5/5/05 6:39:01 AM) Disinfection started
(5/5/05 6:39:01 AM) Bad-Dll(IEP): c:\docume~1\garych~1\locals~1\temp\se.dll
(5/5/05 6:39:01 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:39:01 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:39:01 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
deleted: HKCU\Software\Microsoft\Internet Explorer, SearchURL: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\garych~1\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/5/05 6:39:01 AM) Stealth-String not found
(5/5/05 6:39:01 AM) No locked Files to delete. End without Reboot
(5/5/05 6:39:45 AM) Disinfection started
(5/5/05 6:39:45 AM) Bad-Dll(IEP): c:\docume~1\garych~1\locals~1\temp\se.dll
(5/5/05 6:39:45 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:39:45 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:39:45 AM) Bad IE-pages: (none)
(5/5/05 6:39:45 AM) Stealth-String not found
(5/5/05 6:39:45 AM) No locked Files to delete. End without Reboot
(5/5/05 6:39:46 AM) Disinfection started
(5/5/05 6:39:46 AM) Bad-Dll(IEP): c:\docume~1\garych~1\locals~1\temp\se.dll
(5/5/05 6:39:46 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:39:46 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:39:46 AM) Bad IE-pages: (none)
(5/5/05 6:39:46 AM) Stealth-String not found
(5/5/05 6:39:46 AM) No locked Files to delete. End without Reboot
(5/5/05 6:40:13 AM) Disinfection started
(5/5/05 6:40:13 AM) Bad-Dll(IEP): c:\docume~1\garych~1\locals~1\temp\se.dll
(5/5/05 6:40:13 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:40:13 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:40:13 AM) Bad IE-pages: (none)
(5/5/05 6:40:13 AM) Stealth-String not found
(5/5/05 6:40:13 AM) No locked Files to delete. End without Reboot
(5/5/05 6:44:52 AM) Disinfection started
(5/5/05 6:44:52 AM) Bad-Dll(IEP): c:\docume~1\garych~1\locals~1\temp\se.dll
(5/5/05 6:44:53 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:44:53 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:44:53 AM) Bad IE-pages: (none)
(5/5/05 6:44:53 AM) Stealth-String not found
(5/5/05 6:44:53 AM) No locked Files to delete. End without Reboot
(5/5/05 6:44:54 AM) Disinfection started
(5/5/05 6:44:54 AM) Bad-Dll(IEP): c:\docume~1\garych~1\locals~1\temp\se.dll
(5/5/05 6:44:54 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:44:54 AM) UBF: 4 - UBB: 3 - UBR: 11
(5/5/05 6:44:54 AM) Bad IE-pages: (none)
(5/5/05 6:44:54 AM) Stealth-String not found
(5/5/05 6:44:54 AM) No locked Files to delete. End without Reboot


(5/5/05 7:08:28 AM) SPSeHjFix started v1.1.2
(5/5/05 7:08:28 AM) OS: Win2000 Service Pack 4 (5.0.2195)
(5/5/05 7:08:28 AM) Language: english
(5/5/05 7:08:28 AM) Win-Path: C:\WINNT
(5/5/05 7:08:28 AM) System-Path: C:\WINNT\system32
(5/5/05 7:08:28 AM) Temp-Path: C:\DOCUME~1\GARYCH~1\LOCALS~1\Temp\
(5/5/05 7:08:35 AM) Disinfection started
(5/5/05 7:08:35 AM) Bad-Dll(IEP): (not found)
(5/5/05 7:08:35 AM) Bad-Dll(IEP) in BHO: (not found)
(5/5/05 7:08:35 AM) UBF: 4 - UBB: 3 - UBR: 10
(5/5/05 7:08:35 AM) UBF: 4 - UBB: 3 - UBR: 10
(5/5/05 7:08:35 AM) Bad IE-pages: (none)
(5/5/05 7:08:35 AM) Stealth-String not found
(5/5/05 7:08:35 AM) Not infected->END


(5/5/05 8:21:38 AM) SPSeHjFix started v1.1.2
(5/5/05 8:21:38 AM) OS: Win2000 Service Pack 4 (5.0.2195)
(5/5/05 8:21:38 AM) Language: english
(5/5/05 8:21:38 AM) Win-Path: C:\WINNT
(5/5/05 8:21:38 AM) System-Path: C:\WINNT\system32
(5/5/05 8:21:38 AM) Temp-Path: C:\DOCUME~1\GARYCH~1\LOCALS~1\Temp\
(5/5/05 8:21:45 AM) Disinfection started
(5/5/05 8:21:45 AM) Bad-Dll(IEP): (not found)
(5/5/05 8:21:45 AM) Bad-Dll(IEP) in BHO: (not found)
(5/5/05 8:21:45 AM) UBF: 4 - UBB: 3 - UBR: 10
(5/5/05 8:21:45 AM) UBF: 4 - UBB: 3 - UBR: 10
(5/5/05 8:21:45 AM) Bad IE-pages: (none)
(5/5/05 8:21:45 AM) Stealth-String not found
(5/5/05 8:21:45 AM) Not infected->END


(5/5/05 8:50:47 AM) SPSeHjFix started v1.1.2
(5/5/05 8:50:47 AM) OS: Win2000 Service Pack 4 (5.0.2195)
(5/5/05 8:50:47 AM) Language: english
(5/5/05 8:50:47 AM) Win-Path: C:\WINNT
(5/5/05 8:50:47 AM) System-Path: C:\WINNT\system32
(5/5/05 8:50:47 AM) Temp-Path: C:\DOCUME~1\GARYCH~1\LOCALS~1\Temp\
(5/5/05 8:50:49 AM) Disinfection started
(5/5/05 8:50:49 AM) Bad-Dll(IEP): (not found)
(5/5/05 8:50:49 AM) Bad-Dll(IEP) in BHO: (not found)
(5/5/05 8:50:49 AM) UBF: 4 - UBB: 3 - UBR: 10
(5/5/05 8:50:49 AM) UBF: 4 - UBB: 3 - UBR: 10
(5/5/05 8:50:49 AM) Bad IE-pages: (none)
(5/5/05 8:50:49 AM) Stealth-String not found
(5/5/05 8:50:49 AM) Not infected->END

I'll check back in this evening...(unless I can find a date...)

Post by Elrond » May 6th, 2005, 1:40 pm

Hi again Gary

We got rid of the CWS infection.

Before we start you need to disable TeaTimer until we have finished the fix, as it can sometimes protect the bad guys. It resists any change.
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Do not forget to re-enable TeaTimer again when we are finished. The same procedure, but check instead of uncheck in point 4.


Now let's see about the Trojan. We will try the easy way first.

1. Here are links to two online Trojan Scanners. Run one and let it fix what it finds.

http://scan.sygatetech.com/pretrojanscan.html

Or here:
http://www.windowsecurity.com/trojanscan/

2. I would like you to download "Trojan Remover" from http://www.majorgeeks.com/article.php?sid=903.
It is trialware. If you want to keep it you will have to pay for it. Else you should uninstall it once your computer is free of malware.

Install the program and let it decide where to install it.
Find Trojan Remover in "Start" > "Programs".
Start it and click "Update". Let it update the program.
Let it restart Trojan Remover. Click Scan.
Find the log named TRLOG.TXT in the folder where the main Trojan Remover program is installed. If you let the program use the default it should be C:\Program Files\Trojan Remover. Copy and paste that log in the next post.

Run a new HijackThis log in normal mode and post it together with whatever logs you get from the Trojan scans.

E. :)
Last edited by Elrond on May 7th, 2005, 9:40 pm, edited 1 time in total.

Post by Gary Chandler » May 6th, 2005, 7:40 pm

Okay, we have trouble, Houston... I copied this part of the Trojan report and it showed 2 ports fully closed (?) as I paste here:
NetBIOS 139 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
HTTPS 443 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Server Message Block 445 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
As with the HTTPS 443 port above, all the others read the same as it does.

Then, trying to download the trojanfixer, MajorGeeks wouldn't download it; the message says the site is expired... on all four locations.

Post by Elrond » May 7th, 2005, 9:32 pm

That did not give us much. Lets try this:

1. Download "a Squared" (http://www.emsisoft.com/en/software/free/)

Post by Gary Chandler » May 8th, 2005, 7:50 pm

Okay, here's HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:27:02 PM, on 5/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Followed by Trojan Hunter...couldn't get it to copy the file, but no trojans were found this last scan.

Post by Elrond » May 8th, 2005, 8:41 pm

Hi again Gary

The Trojan was taken care of. :)

Now for general clean up.

1. This is an optional fix: BroadJump Client Foundation. It is broadband troubleshooting software installed by various companies. It is not required and you can remove it via Add/Remove Programs.

Click "Start". Select "Control Panel". Double click "Add/Remove Programs".
Look for "BroadJump Client Foundation" and uninstall it if it is there.

Reboot.

2. If you do not want to keep Trojan Hunter and pay for it, you can uninstall it by using the same method as in point 1 and removing "Trojan Hunter". However, this program is a good addition to your protection against infections. If you removed it please reboot.

3. If you did not remove Trojan Hunter, then before we start please go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right click it and select Settings. Uncheck "Load at startup" and "Enabled". It could interfere with the fixes. Remember to re-enable it when the fixes are done.

4. Open HijackThis and click "Do a System Scan Only". (If HijackThis shows a "Scan" button that is OK.) When the scan is finished put a check mark by the items that are listed below. If you can not find an item just continue, but inform me in your next post. Do not click Fix until instructed to do so:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O9 - Extra button: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)

If you do not use "New Zealand Search" then also check mark this line:
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
Close all open windows except HijackThis and then click the "Fix checked" button.

5. Post back a fresh HijackThis log and we will take another look.

Per :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Gary Chandler » May 9th, 2005, 6:14 am

Done. Here's the log, and I should say at this point, the 'pooter has been really slow lately, loads very slow at boot as well. (Maybe all this is gonna speed it up?) But I intend to go buy the rest of McAfee's package including cleanup utility, firewall, etc. UNLESS you tell me otherwise. You are now my new best friend!

Logfile of HijackThis v1.99.1
Scan saved at 6:20:55 AM, on 5/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Gary Chandler
Active Member
 
Posts: 6
Joined: May 4th, 2005, 6:31 am
Location: Port St. Lucie Fl.
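The fix instructions above single out a handful of line shapes (blank or about:blank search and start pages, "(no file)" entries, a proxy on the loopback address) that a helper checks first in a HijackThis log. The script below is an added example for this thread, not HijackThis code and not a tool the forum uses: it parses the "Rn - ..." and "On - ..." lines as they appear in the logs above and attaches a review flag to each entry that matches one of those patterns. The sample lines are taken from or modelled on the log above, with one constructed Run entry that points into a Temp folder; the flag texts and the helper names (`parse_log`, `flag_entry`, `triage`) are this example's own. A flag means "look at this", not "this is malware": the NetZero accelerator in the log above, for example, legitimately uses a loopback proxy, which is why that flag asks you to confirm which local program owns the port.

```python
"""HijackThis log triage: flag entries a helper would look at first.

Added example for this thread; not HijackThis code and not a forum tool.
Understands the "Rn - ..." and "On - ..." line shapes seen in the logs above.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines taken from or modelled on the log above, plus one
# constructed HKCU Run entry whose program lives in a Temp folder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [sample] C:\DOCUME~1\SAMPLE\LOCALS~1\Temp\sample.exe
O9 - Extra button: Microsoft AntiSpyware helper - {C1A83359-4233-4564-B235-C7FA4352299F} - (no file) (HKCU)
"""

# Every HijackThis entry starts with a section tag (R0, R1, O2, O4, ...).
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Program code living under a Temp folder is unusual for legitimate software.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")

FLAG_BLANK = "search/start page is blank or about:blank"
FLAG_PROXY = "proxy set to a loopback address: confirm which local program listens there"
FLAG_NOFILE = "references a file that no longer exists (orphaned entry)"
FLAG_TEMP = "loads code from a Temp folder"


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Keep only lines that look like HijackThis entries; ignore headers and process lists."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag_entry(e: Entry) -> Entry:
    """Attach review flags to one entry in place and return it."""
    body = e.body
    if e.section in ("R0", "R1"):
        # Registry entries read "<key>,<name> = <value>"; the value may be empty.
        key, _, value = body.partition(" =")
        value = value.strip()
        if any(s in key for s in ("Search", "Start Page")) and value in ("", "about:blank"):
            e.flags.append(FLAG_BLANK)
        if "ProxyServer" in key and any(h in value for h in LOOPBACK_HOSTS):
            e.flags.append(FLAG_PROXY)
    if "(no file)" in body:
        e.flags.append(FLAG_NOFILE)
    if TEMP_PATH_RE.search(body):
        e.flags.append(FLAG_TEMP)
    return e


def triage(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag, in log order."""
    flagged = []
    for e in parse_log(text):
        flag_entry(e)
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} - {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; entries with no flags (the Google toolbar BHO, the TrojanHunter Run entry) are simply not returned, which keeps the review list short.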

Unread postby Elrond » May 9th, 2005, 7:19 am

Hi Gary

Good job. Your log looks clean. :) I am not a great fan of McAfee or Norton. I personally prefer to use a mix of programs that do a good job at their speciality. I will be giving you a website that has a lot of good advice regarding what to use.

Now that your computer is free of malware, I want you to take some precautions to avoid being re-infected.
If something does not pertain to your version of Windows please just skip that instruction.

Settings and maintenance

1. Clean out temporary files etc.
Download and install CleanUp!
a. Click Start > Programs > "CleanUp!" > "CleanUp!".
b. A dialog will appear. Click on the button labeled "CleanUp!".
c. Reboot.
You should do this every few weeks to avoid buildup of unnecessary junk. Run it for each user account on the computer.

2. You reconfigured Windows to show hidden files and you should reset this to its original state using the instructions from here except that
1. Under the "Hidden files and folders" heading put a mark for "Do not show hidden files and folders".
2. Uncheck "Display content of system folders"
3. Check the "Hide protected operating system files (recommended)" option.

3. Make your Internet Explorer more secure

a. Less restrictive but less secure:
Adjust your browser settings: change your ActiveX settings in IE. With IE open, go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option "Download signed ActiveX controls" to Prompt, and the next two to Disable. Read more in
Internet Explorer Privacy & Security Settings
Working with Internet Explorer 6 Security
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser like
Firefox. It is also worth trying
Thunderbird for controlling spam in your e-mail.

b. More secure but very restrictive.
This can be done by following these simple instructions that apply to all versions of "Windows" except "Windows XP with SP2". In SP2 many of those settings are the default settings, but check your settings anyhow. The settings can become restrictive, but you should use them anyhow. If there are sites that will not show up right with those settings and that you rely on to be free of malware, place them in the Trusted zone.

1. Click "Start". Open "Control Panel".
2. Select the "Internet Options"
3. Select "Security" Tab and select the following settings.

* ActiveX controls and plug-ins
• Download signed ActiveX controls: Disable
• Download unsigned ActiveX controls: Disable
• Initialize and script ActiveX controls not marked as safe: Disable
• Run ActiveX controls and plug-ins: Disable
• Script ActiveX controls marked safe for scripting: Disable

* Downloads
• Font Download: Disable

* Microsoft VM
• Java permissions: Disable Java

* Miscellaneous
• Allow META REFRESH: Disable
• Display mixed content: Disable
• Drag and drop or copy and paste files: Disable
• Installation of desktop items: Disable
• Launching programs and files in an IFRAME: Disable
• Navigate sub-frames across different domains: Disable
• Software channel permissions: High Safety
• Userdata persistence: Disable

* Scripting
• Active scripting: Disable
• Allow paste operations via script: Disable
• Scripting of Java applets: Disable

* User Authentication
• Logon: Prompt for username and password
4. When all these settings have been made, click on the OK button.
5. If it prompts you as to whether or not you want to save the settings, press the Yes button.
6. Next press the Apply button and then the OK to exit the Internet Properties page.


These are a MUST to protect yourself from malware.
4. Always use a good anti-virus.
KEEP IT UPDATED

5. Always use a good firewall.
Be restrictive with access to the internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not make the block permanent.

Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.

Download and install "SpywareBlaster"
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
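The "more secure but very restrictive" list in the post above is a set of Internet zone settings that Internet Explorer stores as DWORD values under the current user's `Internet Settings\Zones\3` key, one value per setting. The script below is an added example, not part of the thread and not a Microsoft or forum tool: it encodes the list as expected registry values and reports every setting that differs from it or is not set at all. The action codes and value meanings follow Microsoft's published description of the Internet Explorer security zone registry entries (KB 182569) as the editor recalls them (0 = Enable, 1 = Prompt, 3 = Disable; Java permissions, software channel permissions and Logon use high-word codes); treat them as an assumption and verify against that document before acting on a finding. `SAMPLE_ZONE` is a constructed dictionary modelled on a Medium-level zone, and the function names are this example's own.

```python
"""Audit the current user's IE Internet zone against the settings recommended above.

Added example for this thread, not a Microsoft or forum tool. Action codes and
values follow Microsoft's zone registry documentation (KB 182569) as recalled
by the editor; verify against that document (assumption, not page content).
"""
from typing import Dict, List, Tuple

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Action code -> (setting as named in the IE dialog, expected value from the post's list).
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    # ActiveX controls and plug-ins
    "1001": ("Download signed ActiveX controls", DISABLE),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", DISABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", DISABLE),
    # Downloads
    "1604": ("Font download", DISABLE),
    # Microsoft VM (high-word code: 0 = Disable Java)
    "1C00": ("Java permissions", 0x00000000),
    # Miscellaneous
    "1608": ("Allow META REFRESH", DISABLE),
    "1609": ("Display mixed content", DISABLE),
    "1802": ("Drag and drop or copy and paste files", DISABLE),
    "1800": ("Installation of desktop items", DISABLE),
    "1806": ("Launching programs and files in an IFRAME", DISABLE),
    "1607": ("Navigate sub-frames across different domains", DISABLE),
    "1E05": ("Software channel permissions", 0x00010000),  # High safety
    "1606": ("Userdata persistence", DISABLE),
    # Scripting
    "1400": ("Active scripting", DISABLE),
    "1407": ("Allow paste operations via script", DISABLE),
    "1402": ("Scripting of Java applets", DISABLE),
    # User Authentication (high-word code: 0x10000 = Prompt for username and password)
    "1A00": ("Logon", 0x00010000),
}

# Constructed sample modelled on a Medium-level Internet zone: signed controls prompt,
# unsigned and unsafe controls disabled, scripting on, automatic logon in the intranet only.
SAMPLE_ZONE: Dict[str, int] = {
    "1001": PROMPT,
    "1004": DISABLE,
    "1201": DISABLE,
    "1200": ENABLE,
    "1405": ENABLE,
    "1400": ENABLE,
    "1A00": 0x00020000,
}


def audit(actual: Dict[str, int]) -> List[str]:
    """One finding per recommended setting that is missing or differs from the list."""
    findings = []
    for code, (desc, expected) in RECOMMENDED.items():
        got = actual.get(code)
        if got is None:
            findings.append(f"{code} {desc}: not set (zone default applies), expected {expected:#x}")
        elif got != expected:
            findings.append(f"{code} {desc}: is {got:#x}, expected {expected:#x}")
    return findings


def read_internet_zone() -> Dict[str, int]:
    """Read the live Internet zone values for the current user (Windows only)."""
    import winreg  # Windows-only module; imported here so the audit logic runs anywhere.
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises when there are no more values.
                break
            if kind == winreg.REG_DWORD and name in RECOMMENDED:
                values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    try:
        zone = read_internet_zone()
    except ImportError:
        zone = SAMPLE_ZONE  # not on Windows: show the audit on the constructed sample
    for line in audit(zone) or ["all recommended settings are in place"]:
        print(line)
```

The audit reads only from HKCU; if the machine has the `Security_HKLM_only` policy in force, the effective values live under HKLM instead and this script will report stale numbers, so check that policy first on a managed machine.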

Unread postby Gary Chandler » May 10th, 2005, 3:36 am

You Da Man! Thanx for all and your consistent, persistent, expedient and exemplary assistance!
Gary Chandler
Active Member
 
Posts: 6
Joined: May 4th, 2005, 6:31 am
Location: Port St. Lucie Fl.

Unread postby ChrisRLG » May 20th, 2005, 5:27 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK