Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help me unknown virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help me unknown virus

Unread postby vicenten » March 26th, 2006, 2:33 pm

Hello Infected with a virus that tries to install a supposed antyspyware called Spyquake 2.0 I tryed everithing but it allways comes back, it has an icon next to the clock that shifts betwen a red stop sign and a green wheel chair and it open a message window that when is cliked instals the sofware again and it also load qhen in safe mode
here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:47 p.m., on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\LckFldService.exe
c:\archivos de programa\mcafee.com\agent\mcdetect.exe
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Archivos de programa\Microsoft IntelliPoint\ipoint.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\ARCHIV~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\ARCHIV~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\AnyDVD\AnyDVD.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Archivos de programa\Archivos comunes\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\ARCHIV~1\Cacheman\Cacheman.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\Archivos de programa\Wacom\TabUserW.exe
C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\iTunes\iTunes.exe
C:\Archivos de programa\a-squared\a2guard.exe
C:\Archivos de programa\@Last Software\SketchUp 5\SketchUp.exe
C:\Archivos de programa\Oasys\Columbus\Components\Cbs#2418.exe
C:\Archivos de programa\AutoCAD 2004\acad.exe
C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\~e5d141.tmp
C:\Archivos de programa\Archivos comunes\Autodesk Shared\WSCommCntr1.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wbdg.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wbdg.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\archivos de programa\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\archivos de programa\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Pictures - {8E929F51-5914-11D6-971F-0050FC3F9161} - C:\Archivos de programa\Pictures Toolbar\Pictures.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Archivos de programa\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Archivos de programa\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] C:\ARCHIV~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [MPSExe] c:\ARCHIV~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /O6 "USB001" /M "Stylus CX4500"
O4 - HKLM\..\Run: [AnyDVD] C:\Archivos de programa\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Archivos de programa\Archivos comunes\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Archivos de programa\Sony Handheld\Configtool.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Archivos de programa\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Cacheman] C:\ARCHIV~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [a-squared] "C:\Archivos de programa\a-squared\a2guard.exe"
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Archivos de programa\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: TabUserW.lnk = C:\Archivos de programa\Wacom\TabUserW.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/file ... _sp_SP.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mexico.integra.net.mx
O17 - HKLM\Software\..\Telephony: DomainName = mexico.integra.net.mx
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A27090-BFFC-4765-96F6-5B3FFB3EE8A5}: NameServer = 200.33.146.194,200.33.146.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0FB0A8-A102-4986-AA9D-CC4F9DB732E5}: NameServer = 200.33.146.194,200.33.146.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{A24CD68C-B68E-4D74-9896-89E3746D5B81}: NameServer = 200.33.146.194,200.33.146.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mexico.integra.net.mx
O17 - HKLM\System\CS1\Services\Tcpip\..\{27A27090-BFFC-4765-96F6-5B3FFB3EE8A5}: NameServer = 200.33.146.194,200.33.146.202
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


Thanks for your help

Vicente[/list]
vicenten
Active Member
 
Posts: 5
Joined: March 26th, 2006, 2:25 pm
Advertisement
Register to Remove

Unread postby agrarianmonk » March 26th, 2006, 11:25 pm

Hi vicenten

Welcome to the Malware Removal forums. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a MR Staff Expert reviews my fix, I will post it for you.
In the mean time, if any problems occur. Please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Follow Up

Unread postby vicenten » March 27th, 2006, 2:36 am

Hi agrarianmonk:

Thanks for your time and interest, I forgot to mention that since this virus started my McAfee Notificacion is turned to black instead of red and if I place the mouse over it, it sis Virusscan: Disabled, but if i try to enable it a message apears saying that protection is allready enabled.
vicenten
Active Member
 
Posts: 5
Joined: March 26th, 2006, 2:25 pm

Unread postby agrarianmonk » March 27th, 2006, 2:42 pm

Hello , welcome to the forum.

Looks like you've been infected with Spyware Quake

Please do not delete anything unless instructed to.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Image


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Image

Double-click on the smitRem.exe file to extract it to it's own folder on the desktop.

Image

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, boot into Safe Mode. To do this:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.



Open the smitRem folder on your desktop

Image


Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Reboot your computer into Normal Mode.

Download roguescanfix.exe , and save it to your desktop.
Double click roguescanfix.exe to install it.
Open the roguescanfix folder, and doubleclick run.bat.
Your desktop and icons will disappear and then reappear again, this is normal.
Wait till te message "Completed script execution" appear, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller, after that click "uninstall". Please wait until it is finished.

Next, Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Follow Up

Unread postby vicenten » March 28th, 2006, 12:30 am

Hi agrarianmonk:

I allready did everithing you said with untill I closed the BFU, after that the screen stayed in blue for a long tim (3hrs) so I opened the task manager and run the Ewido but the Spyware/Spyfalcon uninstaller never showed up so I restarted and run the Panda. Now the alert is gone but I still get the McAfee icon as disabled. here are the logs:

Activescan:


Incident Status Location

Adware:adware/emediacodec Not disinfected C:\ARCHIVOS DE PROGRAMA\eMedia Codec
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrador\Escritorio\BORRAR\virus\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrador\Escritorio\smitRem.exe[Process.exe]
Virus:Trj/Banker.CGH Disinfected D:\Archivos Personales\RESPALDO HP Parte 2\Archivos PC\OPERACION PC\Programas\Photoshop\Plugins\nv102.exe[SETUP.EXE]
Possible Virus. Not disinfected D:\Operacion PC\Programas\Igrafx Process\iGrafx.2005.v10.0.4\Keymaker.exe
Possible Virus. Not disinfected D:\Operacion PC\Programas\Igrafx Process\iGrafx.2005.v10.0.4.zip[Keymaker.exe]

Ewido:

---------------------------------------------------------
ewido anti-malware - Report de exploración
---------------------------------------------------------

+ Creado en: 08:14:48 p.m., 27/03/2006
+ Report-Checksum: C6D22EED

+ Scan result:

D:\Temporal\Bosque Real\Presentacion Final\API\API01702\API1111\bases\INFORMACION\RECEPCIONES\020829\04.-DISEÑO-ESPECIFICACIONES Y PLANOS\ORDENADO POR SISTEMA\VOCEO Y EVACUACION\MEMORI~1.XLS -> Trojan.Susear.a : Limpio con backup


::Fin Report

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:52 p.m., on 27/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\LckFldService.exe
c:\archivos de programa\mcafee.com\agent\mcdetect.exe
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Archivos de programa\Microsoft IntelliPoint\ipoint.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\ARCHIV~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\ARCHIV~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE
C:\Archivos de programa\AnyDVD\AnyDVD.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Archivos de programa\Archivos comunes\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\ARCHIV~1\Cacheman\Cacheman.exe
C:\Archivos de programa\a-squared\a2guard.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\Archivos de programa\Wacom\TabUserW.exe
C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wbdg.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wbdg.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\archivos de programa\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\archivos de programa\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Pictures - {8E929F51-5914-11D6-971F-0050FC3F9161} - C:\Archivos de programa\Pictures Toolbar\Pictures.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Archivos de programa\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Archivos de programa\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] C:\ARCHIV~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [MPSExe] c:\ARCHIV~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /O6 "USB001" /M "Stylus CX4500"
O4 - HKLM\..\Run: [AnyDVD] C:\Archivos de programa\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Archivos de programa\Archivos comunes\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Archivos de programa\Sony Handheld\Configtool.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Archivos de programa\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Cacheman] C:\ARCHIV~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [a-squared] "C:\Archivos de programa\a-squared\a2guard.exe"
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Archivos de programa\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: TabUserW.lnk = C:\Archivos de programa\Wacom\TabUserW.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/file ... _sp_SP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mexico.integra.net.mx
O17 - HKLM\Software\..\Telephony: DomainName = mexico.integra.net.mx
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A27090-BFFC-4765-96F6-5B3FFB3EE8A5}: NameServer = 200.33.146.194,200.33.146.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0FB0A8-A102-4986-AA9D-CC4F9DB732E5}: NameServer = 200.33.146.194,200.33.146.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{A24CD68C-B68E-4D74-9896-89E3746D5B81}: NameServer = 200.33.146.194,200.33.146.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mexico.integra.net.mx
O17 - HKLM\System\CS1\Services\Tcpip\..\{27A27090-BFFC-4765-96F6-5B3FFB3EE8A5}: NameServer = 200.33.146.194,200.33.146.202
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


Smitrem:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Versi¢n 5.1.2600]

Running from
C:\Documents and Settings\Administrador\Escritorio\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ncompat.tlb


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)


Thanks for your time,

vicente
vicenten
Active Member
 
Posts: 5
Joined: March 26th, 2006, 2:25 pm

Unread postby agrarianmonk » March 28th, 2006, 12:10 pm

Now the alert is gone but I still get the McAfee icon as disabled.


Have you tried enabling McAfee (right click the icon, and select enable)? I don't see any indication in the log why your antivirus would be disabled.

==============================

Just a couple things to clean up.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

eMedia Codec

Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

C:\ARCHIVOS DE PROGRAMA\eMedia Codec


======================

In your next post, please let me know how your computer is running.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Follow Up

Unread postby vicenten » March 28th, 2006, 12:42 pm

Hi agrarianmonk:

I allready uninstall the emedia codec and I did try to enable the antivirus with left click but it still does the same thing. Im going to reintall McAfee, I guess that will solve the problem.

The computer is running great now, thanks for your time ill let you know if there are any other problems.

Thanks,

vicente
vicenten
Active Member
 
Posts: 5
Joined: March 26th, 2006, 2:25 pm

Unread postby agrarianmonk » March 28th, 2006, 1:09 pm

Im going to reintall McAfee, I guess that will solve the problem.


That's exactly what I was going to suggest next :thumbleft:

===============================

Congratulations, your log looks clean!

First, Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

There are a few other very important things you should follow to avoid getting reinfected:

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.


The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  2. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  3. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  6. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  7. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

-Agrarianmonk
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Thanks

Unread postby vicenten » March 30th, 2006, 2:50 am

Thanks Agrarianmonk:

I did everithing you said an the PC is running mighty fine.

Thanks for everithing.

Vicente
vicenten
Active Member
 
Posts: 5
Joined: March 26th, 2006, 2:25 pm

Unread postby NonSuch » March 30th, 2006, 3:47 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27221
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 26 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware