Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Screen saver bugs and desktop

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Screen saver bugs and desktop

Unread postby Rhona » June 5th, 2008, 12:52 am

Hello,

Last night out of the blue my computers desktop changed (cannot change it back) and the screen saver has bugs.

The message that is stuck on my desktop says "Warning Spyware detected on your computer"[/quote] Second line says "Install a anti-virus or spyware remover to clean your computer".

I've tried numerous things but to no avail. Below is my hijackthis log. I would greatly appreciate your help and knowledge in resolving this issue.

Rhona




StartupList report, 6/4/2008, 11:52:57 PM
StartupList version: 1.52.2
Started from : g:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16640)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\UTSCSI.EXE
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\system32\sysrest32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Avi Player\AviPlayer.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\WINNT\system32\mrtMngr.EXE
G:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
g:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Event Planner Reminders Tray Icon.lnk = F:\Sierra\PLNRnote.exe
hp psc 2000 Series.lnk = ?
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
SMSERIAL = sm56hlpr.exe
Logitech Utility = Logi_MwX.Exe
SoundMan = SOUNDMAN.EXE
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
lphccm7j0el1r = C:\WINNT\system32\lphccm7j0el1r.exe
sysrest32.exe = C:\WINNT\system32\sysrest32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotSnD = "G:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINNT\system32\ctfmon.exe
Avi Player = "C:\Program Files\Avi Player\AviPlayer.exe" hmw

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\blphccm7j0el1r.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
(no name) - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Ipswitch.WsftpBrowserHelper - C:\Program Files\WS_FTP Pro\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
(no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
FRU Task #Hewlett-Packard#hp psc 2170 series#1184885159.job
McDefragTask.job
McQcTask.job
User_Feed_Synchronization-{506C3A2D-AE1C-4EBB-8B4F-1E98AA911610}.job

--------------------------------------------------

Enumerating Download Program Files:

[Web-Based Email Tools]
CODEBASE = http://email.secureserver.net/Download.CAB
OSD = C:\WINNT\Downloaded Program Files\OSD7C4D.OSD

[System Requirements Lab Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\sysreqlab3.dll
CODEBASE = http://www.srtest.com/srl_bin/sysreqlab3.cab
OSD = C:\WINNT\Downloaded Program Files\SysReqLab3.osd

[Installation Support]
InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

[Get_ActiveX Control]
InProcServer32 = C:\WINNT\DOWNLO~1\HPGETD~1.OCX
CODEBASE = https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx

[Driver Agent ActiveX Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\driveragent.ocx
CODEBASE = http://driveragent.com/files/driveragent.cab

[McFreeScan Class]
InProcServer32 = C:\WINNT\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-l ... cfscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\RHONAD~1\LOCALS~1\Temp\1f34ff45||C:\WINNT\system32\sysrest.sys


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll
PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WPDShServiceObj: C:\WINNT\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,707 bytes
Report generated in 1.602 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Rhona
Active Member
 
Posts: 4
Joined: June 4th, 2008, 11:33 pm
Advertisement
Register to Remove

Re: Screen saver bugs and desktop

Unread postby MikeSwim07 » June 6th, 2008, 11:21 am

Get a Hijackthis Log

  • Click on the shortcut on your desktop to open Hijackthis. If you cannot find this, goto Start > All Programs > Hijackthis > then Click on Hijackthis.exe
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Run the file, it will extract Smitfraudfix to its own folder and run.

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Please post this new Hijackthis log and the SmitfraudFix log on your next reply.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Screen saver bugs and desktop

Unread postby Rhona » June 6th, 2008, 8:07 pm

Hello,

Thanks so much for your help! I did find the bug screen save file and deleted it. I also found the bmp file phccm7j0el1r.bmp and deleted it also. My McAfee anti-virus software still notifies me of a Trojan/Virus each time the system is booted up. McAfee asks if I want to remove it and when I click yes I get the notification that the computer has to be restarted in order remove the infection. Of course that doesn't work!

HiJackThis log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:31 PM, on 6/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\UTSCSI.EXE
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\sysrest32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Avi Player\AviPlayer.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINNT\system32\sysrest32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Avi Player] "C:\Program Files\Avi Player\AviPlayer.exe" hmw
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = F:\Sierra\PLNRnote.exe
O4 - Global Startup: hp psc 2000 Series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.vickerylightning.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINNT\system32\UTSCSI.EXE

--
End of file - 10095 bytes

Smithfraud FX results

SmitFraudFix v2.323

Scan done at 19:58:57.17, Fri 06/06/2008
Run from C:\Documents and Settings\Rhona Drew\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\UTSCSI.EXE
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\sysrest32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Avi Player\AviPlayer.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rhona Drew


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rhona Drew\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RHONAD~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

HKLM\SYSTEM\CCS\Services\Tcpip\..\{52762E78-2881-45E9-BB5B-41D0D9FFCAF9}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{52762E78-2881-45E9-BB5B-41D0D9FFCAF9}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{52762E78-2881-45E9-BB5B-41D0D9FFCAF9}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{52762E78-2881-45E9-BB5B-41D0D9FFCAF9}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks again!
Rhona
Rhona
Active Member
 
Posts: 4
Joined: June 4th, 2008, 11:33 pm

Re: Screen saver bugs and desktop

Unread postby MikeSwim07 » June 7th, 2008, 4:44 pm

Please do not attempt to fix this problem yourself. I know you want your computer malware free as soon as possible but you could do harm by doing things yourself.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

If you decide to try and fix your system, please follow the instructions below this black line. If you do NOT want to fix your system, please post telling me that you have decided to reformat.



We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Screen saver bugs and desktop

Unread postby Rhona » June 8th, 2008, 1:36 am

Hello,

Thank you again for your help. I would like to try the 2nd choice of ridding my computer of the backdoor trojan. I uninstalled the McAfee Anti-Virus software and installed the TrendMicro 30 day trial antivirus / spyware and did a scan. There were a lot of "Generic Trojan" type instances found and it appears that most of them were quarantined and/or deleted by the TrendMicro software.

I will follow the instructions regarding the Combofix and Recovery Console and post the ComboFix txt log and a new instance of HiJackThis.

Rhona
Rhona
Active Member
 
Posts: 4
Joined: June 4th, 2008, 11:33 pm

Re: Screen saver bugs and desktop

Unread postby MikeSwim07 » June 8th, 2008, 7:17 am

Rhona wrote:
I will follow the instructions regarding the Combofix and Recovery Console and post the ComboFix txt log and a new instance of HiJackThis.

Rhona


Please post this when you get the time to :D
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Screen saver bugs and desktop

Unread postby Rhona » June 8th, 2008, 12:48 pm

Thanks again. I am having a difficult time with the recovery console (i.e. installation of) because I have Service Pack 3 and my original MS Win XP Pro CD does not have any Service Packs.

I am receiving the message that the OS on my computer has a newer version than the CD. I checked the ComboFix website and it mentions having service pack 2 but not SP3.

Any suggestions?

Rhona
Rhona
Active Member
 
Posts: 4
Joined: June 4th, 2008, 11:33 pm

Re: Screen saver bugs and desktop

Unread postby MikeSwim07 » June 10th, 2008, 10:05 am

According to my teacher, the one for Service Pack 2 works on Vista too!


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Image

For you, its Service Pack 2.

Download the file & save it as it's originally named, next to ComboFix.exe.



Image


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    Image

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Screen saver bugs and desktop

Unread postby MikeSwim07 » June 13th, 2008, 12:17 pm

Hello

Three day bump


It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Screen saver bugs and desktop

Unread postby Elrond » June 16th, 2008, 6:49 am

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Elrond
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware