Welcome to MalwareRemoval.com

Command Service malware - Oh, to be able to remove it!

Unread postby Navigator » August 20th, 2006, 9:33 pm

lblondon wrote:Hey Navigator, hope your weekend's been cool, once again thanks for taking the time to do this for me it is really appreciated. Liz

Ewido - just won't run, just leaves it hanging as a process but nothing happens.

Followed latest instructions, issues where:

Couldn't find this line in HiJackThis to check:
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)

F-Secure Online Scanner won't run; works until starting to scan system, then comes up with an error and says need to try again, error id:24
______
As I've no longer got command service, which was the point of this exercise, and McAfee is now working again, if you're bored, please feel free to call it a day, lol
_______


Hey Liz...

I'm not bored....LOL.

While we got rid of the command service (part of the Alcan infection), there is still malware in your HJT log. The smsc.exe service entry that was present may indicate that a backdoor with a potential rootkit may have been on your system. I'm concerned that we cannot get the online scan or Ewido to work....and there is NEW malware now in your HJT log that wasn't there on the last scan, including 3 new backdoors that allow remote access to your machine. Your system is NOT clean, and I would not use it for any secure transactions. I would strongly consider immediately changing all passwords to secure accounts maintained on this machine, using a non-infected computer to do so. If you use this computer for financial transactions, I would carefully watch any financial account and consider alerting the financial institutions of the same.

The thing about backdoor/Rbot infections is that even if we 'clean' it, it would be impossible for us to know if the system was truly clean and secure. Remote access to your machine by some entity may cause 'unseen' damage, and there is open debate among the malware fighting community as to whether victims with these kind of infections should clean the machine or just wipe the HD clean and reinstall their OS (really the only way to ensure the infection is removed).

Do you want to proceed and try to clean this computer or re-install the OS? Let me know....if you want to try and clean this machine, please read on.

Did you do the HJT 'fixes' and file deletions as I asked in my last post? Because all of the things I asked for you to 'fix' and delete are still present. I'm going to repeat some instructions below, and ask for you to do another kind of scan:

1. Go to Start | Run and type this in the box: services.msc
  • Locate this service: 'Update Manager', then right-click and select Properties.
  • Under Service Status: select Stop
  • In the drop down box labeled, Startup Type: select Disabled

2. Please re-open HiJackThis and select Do a system scan only. Then, check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\csrs.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dn4q01h5e.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe



Now close all windows other than HiJackThis, then click Fix Checked.

2. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\PROGRAM FILES\COMMON FILES\ozuz

Please delete these files using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\web\related.htm
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\system32\spoolsvc.exe


Perform a search for this file: winsis32.exe (click Start>>Search and type/paste the filename in the search box; make sure to search all files and folders on your hard drive). Delete it when found.

4. Reboot into Windows normally.

5. Download and Save Blacklight to your desktop:

  • Doubleclick on blbeta.exe.
  • Click on Scan.
  • Once the Scan is Finished, click on Next.
  • Click on Exit.
  • A new document will be produced on the desktop.
  • Open this document with Notepad.
  • Copy and Paste its contents in a reply.

Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

6. Download this file :

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


6. Post back with a new HJT log (after doing the HJT 'fixes' above), the Blacklight log and the combofix log.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 21st, 2006, 12:13 pm

Okee dokee, I did do your last HJT scan check instructions, but the machine did lock at the 'fix' stage, so it might not have completed, and I cannot remember if I did it again - I was trying to have a short life outside of my PC over the weekend!

I have just done the latest HJT scan check and fix and the only one I couldn't find and therefore check and fix was the line below:
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

In safe mode, I couldn't find and therefore delete

C:\WINDOWS\web\related.htm
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\system32\spoolsvc.exe

or find winsis32.exe to delete it, am starting to feel a little inadequate, lol

Anyway ... all scan result requests below - enjoy!!
L



F-Secure scan results below:
08/21/06 16:55:25 [Info]: BlackLight Engine 1.0.46 initialized
08/21/06 16:55:25 [Info]: OS: 5.0 build 2195 (Service Pack 4)
08/21/06 16:55:26 [Note]: 7019 4
08/21/06 16:55:26 [Note]: 7005 0
08/21/06 16:55:35 [Note]: 7006 0
08/21/06 16:55:35 [Note]: 7011 764
08/21/06 16:55:36 [Note]: 7026 0
08/21/06 16:55:36 [Note]: 7026 0
08/21/06 16:56:02 [Note]: FSRAW library version 1.7.1019
08/21/06 17:01:07 [Note]: 2000 1006
08/21/06 17:01:18 [Note]: 7007 0

Combofix scan results below:

Administrator - Mon 21/08/2006 17:02:45.75
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Administrator\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Installer3.exe
C:\WINDOWS\SYSTEM32\atmtd.dll.tmp


((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))


2006-08-20 22:38 157,696 C:\WINDOWS\system32\Sygate.exe
2006-08-13 01:00 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-08-13 01:00 288,320 C:\WINDOWS\system32\mcgdmgr.dll
2006-08-06 12:28 <DIR> C:\WINDOWS\McAfee.com
2006-08-05 22:15 90,112 C:\WINDOWS\system32\hpovst08.dll
2006-08-05 22:15 565,248 C:\WINDOWS\system32\hpotscl.dll
2006-08-05 22:15 262,144 C:\WINDOWS\system32\HPZc3212.dll
2006-08-05 22:15 229,376 C:\WINDOWS\system32\hpgtpusd.dll
2006-08-05 22:02 94,208 C:\WINDOWS\system32\HPZipt12.dll
2006-08-05 22:02 65,795 C:\WINDOWS\system32\HPZipm12.exe
2006-08-05 22:02 61,699 C:\WINDOWS\system32\HPZinw12.exe
2006-08-05 22:02 57,344 C:\WINDOWS\system32\HPZisn12.dll
2006-08-05 22:01 266,296 C:\WINDOWS\system32\HPZidr12.dll
2006-08-05 22:01 196,608 C:\WINDOWS\system32\HPZipr12.dll
2006-07-30 19:00 89,088 C:\WINDOWS\system32\atl71.dll
2006-07-30 19:00 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-30 19:00 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-30 19:00 1,060,864 C:\WINDOWS\system32\mfc71.dll
2006-07-25 18:20 1,063 C:\WINDOWS\system32\aaa00000.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 16:10 -------- d-------- C:\Program Files\HijackThis
2006-08-20 23:32 -------- d-------- C:\Program Files\McAfee.com
2006-08-20 22:39 157696 -ra------ C:\WINDOWS\SYSTEM32\Sygate.exe
2006-08-20 17:44 -------- d-a------ C:\Program Files\Common Files
2006-08-20 14:33 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-08-06 16:01 -------- d-ah----- C:\Program Files\Uninstall Information
2006-08-06 15:58 -------- d-a------ C:\Program Files\NetMeeting
2006-08-06 12:23 -------- d-a------ C:\Program Files\Yahoo!
2006-08-06 12:23 -------- d-a------ C:\Program Files\Common Files\Scanner
2006-08-06 00:29 -------- d-a------ C:\Program Files\Terminal Services Client
2006-08-05 23:55 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-07-30 20:47 -------- d-a------ C:\Program Files\Compaq
2006-07-30 20:23 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2006-07-25 19:19 20480 --a------ C:\WINDOWS\drs.exe
2006-07-25 18:20 1063 --a------ C:\WINDOWS\SYSTEM32\aaa00000.sys
2006-07-22 20:58 -------- d-a------ C:\Program Files\Accessories
2006-07-19 19:49 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Kazaa Lite
2006-07-19 18:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2006-07-19 18:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-07-19 18:37 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2006-07-03 22:44 271 ---h----- C:\Program Files\desktop.ini
2006-07-03 22:44 21952 ---h----- C:\Program Files\folder.htt
2006-07-03 22:43 -------- d-a------ C:\Program Files\Windows Media Player
2006-05-31 23:55 0 --a------ C:\WINDOWS\SYSTEM32\eraseme_04516.exe
2006-05-31 22:57 79 --a------ C:\MSDOS.SYS
2006-05-31 22:57 700688 --a------ C:\WINDOWS\SYSTEM32\migicons.exe
2006-05-31 22:57 27 ---h----- C:\CONFIG.SYS
2006-05-31 22:57 259 ---h----- C:\AUTOEXEC.BAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"ntdll.dll"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
"Flags"=""
"Title"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Accessories\\kyzene.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,77,01,00,00,00,00,00,00,60,02,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"ozuz"="C:\\Program Files\\Common Files\\ozuz\\ozuzm.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"CDRAutoRun"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Maintenance-Defragment programs.job
C:\WINDOWS\tasks\Maintenance-Disk cleanup.job
C:\WINDOWS\tasks\Tune-up Application Start.job

Completion time: Mon 2006-08-21 17:04:33.45
ComboFix.txt

HJT scan results below:
Logfile of HijackThis v1.99.1
Scan saved at 17:11:55, on 8/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\internat.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 21st, 2006, 11:04 pm

Hello lblondon.....

I've been talking to other experts about your log and problems....I now also have concerns that your online anti-virus program may be corrupted and the RBot/SDBot infection may have severely altered your security settings. If this is the case, I continue to have concerns about whether we can truly clean this computer to ensure any degree of security. Is reformatting the HD and reinstalling the OS not an option for you?

I would seriously consider uninstalling McAfee and replacing it with one of these two alternatives:

AVG or Anti-Vir.


Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop cmdService
sc delete cmdService
sc stop "Windows Idle Process"
sc delete "Windows Idle Process"
sc stop UpdateManager
sc delete UpdateManager
exit


Double click FixServices.bat. A window will open and close. This is normal.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\eraseme_04516.exe
    C:\WINDOWS\SYSTEM32\migicons.exe
    C:\WINDOWS\web\related.htm
    C:\WINDOWS\system32\csrs.exe
    C:\WINDOWS\update\updmgr.exe
    C:\WINDOWS\system32\spoolsvc.exe
    C:\WINDOWS\system32\winsis32.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


After doing this, please post another HJT log for me to review....
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 22nd, 2006, 2:17 pm

Whilst I obviously don't want to have to do a complete hard drive and OS system overhaul, I will bow to your superior knowledge if you tell me to stop messing about and just do it!, lol

Meanwhile, latest set of instructions followed; see HJT scan results below. I did not get the "at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)." you asked about.

KR
L



Logfile of HijackThis v1.99.1
Scan saved at 19:00:42, on 8/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\internat.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 22nd, 2006, 9:31 pm

Hello lblondon....

I understand your hesitance to wipe the HD and reinstall the OS; let's give this a bit more work.

Your HJT log looks better; the 'bad' services that kept popping up are no longer present. The line that bothers me, though, is this:

O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun


The first part of the line is usually indicative of an infection, but the file associated is usually legit. This is why I am uncertain if your McAfee program has been corrupted.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun


Now close all windows other than HiJackThis, then click Fix Checked.


Now that we have cleaned your system some, let's see if those scans we tried to run previously will run.


Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Post back with:
  • the Ewido log
  • the F-Secure scan results
  • a new HJT log


If the above scans won't run, please do the following:

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
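As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python triage script that applies the reasoning Navigator uses in his two posts above to O4 Run and O23 Service lines: a Run value named like a system file (ntdll.dll) that points at a different binary, filenames one character off a core Windows process (csrs.exe vs csrss.exe, spoolsvc.exe vs spoolsv.exe), bare filenames with no path, and services reported with "Unknown owner" or "(file missing)". The sample lines are constructed from entries seen in this thread; the list of core binaries and the flagging rules are this example's own assumptions, and a hit is a prompt to verify the file, not proof of infection.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: HijackThis-style lines of the kinds seen in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\csrs.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Assumed list of well-known Windows 2000/XP core processes that malware imitates
# with a near-miss spelling (this list is the example's own, not from the thread).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(cmd: str) -> str:
    """Lower-cased file name of the executable in a Run value or service path."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip()
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike(fname: str) -> Optional[str]:
    """Return the core binary a file name imitates (distance 1, not identical), else None."""
    for core in sorted(CORE_BINARIES):
        if fname != core and levenshtein(fname, core) == 1:
            return core
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan HJT-style lines and return (file name, reason) pairs worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            fname = basename(cmd)
            # A Run value named after a system file that launches some other binary.
            if name.lower().endswith((".dll", ".exe")) and name.lower() != fname:
                findings.append((fname, f"Run value named like a system file ({name}); verify the binary"))
            core = lookalike(fname)
            if core:
                findings.append((fname, f"file name is one character away from {core}"))
            # No directory at all: the entry depends on the search path to find its file.
            if "\\" not in cmd:
                findings.append((fname, "bare file name with no path"))
            continue
        m = O23_RE.match(line)
        if m:
            path, owner = m.group("path"), m.group("owner")
            fname = basename(path)
            if path.endswith("(file missing)"):
                findings.append((fname, "service points at a missing file (stale or half-removed entry)"))
            elif owner == "Unknown owner":
                findings.append((fname, "service with unknown owner; check the binary's publisher"))
            core = lookalike(fname)
            if core:
                findings.append((fname, f"file name is one character away from {core}"))
    return findings


if __name__ == "__main__":
    for fname, reason in triage(SAMPLE_LOG):
        print(f"{fname:14} {reason}")
```

Run against the constructed sample it flags csrs.exe, spoolsvc.exe, mcregwiz.exe (via its ntdll.dll Run name), winsis32.exe and updmgr.exe, notes the stale Print Spooler entry, and leaves jusched.exe and mcshield.exe alone; the legitimate "[internat.exe] internat.exe" pattern from the thread's logs is also not flagged, because the Run name and the file name agree.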

Unread postby Nick-YF19 » September 12th, 2006, 11:30 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
