Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HIJACKER.COSTRAT.E


Post by bnkrldy » September 12th, 2006, 6:39 pm

Yes, we have the Visioneer Paperport scanner, have had it for years. I will perform the instructions to open hidden files, upload the files, and post the emails in another reply. Meanwhile, here is the SilentRunner Log (which I had to run from Gale because access was denied under Leanna):

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Weather" = "C:\Program Files\AWS\WeatherBug\Weather.exe 1" ["AWS Convergence Technologies, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"IntelliType" = ""C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"" [MS]
"asp4tray" = "asp4tray.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {HKLM...CLSID} = "Thumbnail Image"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {HKLM...CLSID} = "Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {HKLM...CLSID} = "Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {HKLM...CLSID} = "Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {HKLM...CLSID} = "Microsoft Office Binder Explode"
\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "ITPropertyPage Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Hardware\Keyboard\itcpl.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~2\MpShHook.dll" [MS]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Clouds.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Startup items in "Gale" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"EPSON Background Monitor" -> shortcut to: "C:\Esm2\Stms.exe" ["SEIKO EPSON CORPORATION"]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{AF6CABAB-61F9-4F12-A198-B7D41EF1CB52}\
"ButtonText" = "WeatherBug"
"CLSIDExtension" = "{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}"
"Exec" = "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" ["AWS Convergence Technologies, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE" ["America Online, Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
FTP Publishing, MSFtpsvc, "C:\WINDOWS\system32\inetsrv\inetinfo.exe" [MS]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
Message Queuing, MSMQ, "C:\WINDOWS\system32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\system32\mqtgsvc.exe" [MS]
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\system32\tcpsvcs.exe" [MS]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON BiD Monitor1\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
LPR Port\Driver = "lprmon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 98 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 50 seconds.
---------- (total run time: 269 seconds)
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Post by bnkrldy » September 12th, 2006, 7:15 pm

Here is the info from the Jotti site (I did not find the path as you had typed it, I hope that is ok):


File: Paprport.exe
Status: OK
MD5 ec35ba76aa17c1cdd534b60d5dee512d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: Pplinks.exe
Status: OK
MD5 6976ad5c92acdcf7b493287f5066cd30
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: PPSCANMG.EXE
Status: OK
MD5 49bc7d268b54d0ecf85a3b8efbf1a72f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


VIRUSTOTAL:
STATUS: FINISHED
Complete scanning result of "PPSCANMG.EXE", received in VirusTotal at 09.13.2006, 01:02:22 (CET).

Antivirus Version Update Result
AntiVir 7.1.1.16 09.12.2006 no virus found
Authentium 4.93.8 09.12.2006 no virus found
Avast 4.7.844.0 09.11.2006 no virus found
AVG 386 09.12.2006 no virus found
BitDefender 7.2 09.12.2006 no virus found
CAT-QuickHeal 8.00 09.12.2006 no virus found
ClamAV devel-20060426 09.12.2006 no virus found
DrWeb 4.33 09.12.2006 no virus found
eTrust-InoculateIT 23.72.122 09.12.2006 no virus found
eTrust-Vet 30.3.3073 09.12.2006 no virus found
Ewido 4.0 09.12.2006 no virus found
Fortinet 2.77.0.0 09.13.2006 no virus found
F-Prot 3.16f 09.12.2006 no virus found
F-Prot4 4.2.1.29 09.12.2006 no virus found
Ikarus 0.2.65.0 09.12.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found
McAfee 4850 09.12.2006 no virus found
Microsoft 1.1560 09.13.2006 no virus found
NOD32v2 1.1753 09.12.2006 no virus found
Norman 5.90.23 09.12.2006 no virus found
Panda 9.0.0.4 09.12.2006 no virus found
Sophos 4.09.0 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found
TheHacker 5.9.8.210 09.13.2006 no virus found
UNA 1.83 09.11.2006 no virus found
VBA32 3.11.1 09.12.2006 no virus found
VirusBuster 4.3.7:9 09.12.2006 no virus found

Aditional Information
File size: 102912 bytes
MD5: 49bc7d268b54d0ecf85a3b8efbf1a72f
SHA1: 346b7bbab31c4116808019652b26d86a153cad26

STATUS: FINISHED
Complete scanning result of "Paprport.exe", received in VirusTotal at 09.13.2006, 01:01:31 (CET).

Antivirus Version Update Result
AntiVir 7.1.1.16 09.12.2006 no virus found
Authentium 4.93.8 09.12.2006 no virus found
Avast 4.7.844.0 09.11.2006 no virus found
AVG 386 09.12.2006 no virus found
BitDefender 7.2 09.12.2006 no virus found
CAT-QuickHeal 8.00 09.12.2006 no virus found
ClamAV devel-20060426 09.12.2006 no virus found
eTrust-InoculateIT 23.72.122 09.12.2006 no virus found
eTrust-Vet 30.3.3073 09.12.2006 no virus found
DrWeb 4.33 09.12.2006 no virus found
Ewido 4.0 09.12.2006 no virus found
Fortinet 2.77.0.0 09.13.2006 no virus found
F-Prot 3.16f 09.12.2006 no virus found
F-Prot4 4.2.1.29 09.12.2006 no virus found
Ikarus 0.2.65.0 09.12.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found
McAfee 4850 09.12.2006 no virus found
Microsoft 1.1560 09.13.2006 no virus found
NOD32v2 1.1753 09.12.2006 no virus found
Norman 5.80.02 09.12.2006 no virus found
Panda 9.0.0.4 09.12.2006 no virus found
Sophos 4.09.0 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found
TheHacker 5.9.8.210 09.13.2006 no virus found
UNA 1.83 09.11.2006 no virus found
VBA32 3.11.1 09.12.2006 no virus found
VirusBuster 4.3.7:9 09.12.2006 no virus found

Aditional Information
File size: 269312 bytes


STATUS: FINISHED
Complete scanning result of "Pplinks.exe", received in VirusTotal at 09.13.2006, 01:01:59 (CET).

Antivirus Version Update Result
AntiVir 7.1.1.16 09.12.2006 no virus found
Authentium 4.93.8 09.12.2006 no virus found
Avast 4.7.844.0 09.11.2006 no virus found
AVG 386 09.12.2006 no virus found
BitDefender 7.2 09.12.2006 no virus found
CAT-QuickHeal 8.00 09.12.2006 no virus found
ClamAV devel-20060426 09.12.2006 no virus found
DrWeb 4.33 09.12.2006 no virus found
eTrust-InoculateIT 23.72.122 09.12.2006 no virus found
eTrust-Vet 30.3.3073 09.12.2006 no virus found
Ewido 4.0 09.12.2006 no virus found
Fortinet 2.77.0.0 09.13.2006 no virus found
F-Prot 3.16f 09.12.2006 no virus found
F-Prot4 4.2.1.29 09.12.2006 no virus found
Ikarus 0.2.65.0 09.12.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found
McAfee 4850 09.12.2006 no virus found
Microsoft 1.1560 09.13.2006 no virus found
NOD32v2 1.1753 09.12.2006 no virus found
Norman 5.90.23 09.12.2006 no virus found
Panda 9.0.0.4 09.12.2006 no virus found
Sophos 4.09.0 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found
TheHacker 5.9.8.210 09.13.2006 no virus found
UNA 1.83 09.11.2006 no virus found
VBA32 3.11.1 09.12.2006 no virus found
VirusBuster 4.3.7:9 09.12.2006 no virus found

Aditional Information
File size: 78848 bytes
MD5: 6976ad5c92acdcf7b493287f5066cd30
SHA1: 5d5cd6025516f143f06a0f01a198acb874a59f44
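The multi-scanner reports above are plain text, and the one check worth automating when several files are submitted is whether the MD5 that Jotti reports and the MD5 that VirusTotal reports for the same file name agree, and whether either matches the file actually sitting on disk (the poster was unsure whether the right path had been found). The following script is an added example, not code from the thread or from either scanning service; the report formats are copied from the posts, the sample blocks are constructed (the hashes are the ones posted, the single "Found W32/Example-test" verdict is invented to exercise the detection path), and the function names are mine.

```python
"""Parse Jotti-style and VirusTotal-style multi-scanner text reports, merge
them per file, check that both services report the same MD5, and verify a
local file's MD5 against the reported one."""
import hashlib
import re

# Constructed sample in the Jotti report format quoted in the thread (hashes
# as posted); the "Found W32/Example-test" verdict is invented for illustration.
JOTTI_SAMPLE = """\
File: Paprport.exe
Status: OK
MD5 ec35ba76aa17c1cdd534b60d5dee512d
Packers detected: -
Scanner results
AntiVir Found nothing
Kaspersky Anti-Virus Found nothing

File: Pplinks.exe
Status: OK
MD5 6976ad5c92acdcf7b493287f5066cd30
Packers detected: -
Scanner results
AntiVir Found nothing
Kaspersky Anti-Virus Found W32/Example-test
"""

# Constructed sample in the VirusTotal report format quoted in the thread.
VT_SAMPLE = """\
Complete scanning result of "Pplinks.exe", received in VirusTotal at 09.13.2006, 01:01:59 (CET).

Antivirus Version Update Result
AntiVir 7.1.1.16 09.12.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found

Aditional Information
File size: 78848 bytes
MD5: 6976ad5c92acdcf7b493287f5066cd30
"""

JOTTI_ROW = re.compile(r"^(.+?) Found (.+)$")               # "<scanner> Found <verdict>"
VT_ROW = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")  # name version date result
VT_HEAD = re.compile(r'^Complete scanning result of "([^"]+)"')

def _new():
    return {"md5": None, "detections": {}}

def parse_jotti(text):
    """Return {filename: {"md5": str|None, "detections": {scanner: verdict}}}."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File: "):
            current = line[len("File: "):]
            results[current] = _new()
        elif current is None:
            continue
        elif line.startswith("MD5 "):
            results[current]["md5"] = line.split()[1].lower()
        else:
            m = JOTTI_ROW.match(line)
            if m and m.group(2) != "nothing":
                results[current]["detections"][m.group(1)] = m.group(2)
    return results

def parse_virustotal(text):
    """Same structure as parse_jotti, for the VirusTotal text format."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = VT_HEAD.match(line)
        if head:
            current = head.group(1)
            results[current] = _new()
        elif current is None:
            continue
        elif line.startswith("MD5:"):
            results[current]["md5"] = line.split(":", 1)[1].strip().lower()
        else:
            m = VT_ROW.match(line)
            if m and m.group(4) != "no virus found":
                results[current]["detections"][m.group(1)] = m.group(4)
    return results

def cross_check(jotti, vt):
    """Merge both reports per file and flag an MD5 mismatch between services,
    which would mean two different files were uploaded under one name."""
    report = {}
    for name in sorted(set(jotti) | set(vt)):
        j, v = jotti.get(name, _new()), vt.get(name, _new())
        hashes = {h for h in (j["md5"], v["md5"]) if h}
        report[name] = {"md5_consistent": len(hashes) <= 1,
                        "detections": {**j["detections"], **v["detections"]}}
    return report

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()

def local_file_matches(path, reported_md5, chunk=1 << 16):
    """Hash the file actually on disk and compare it with the scanner's MD5,
    to confirm the right file was uploaded."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == reported_md5.lower()

if __name__ == "__main__":
    for name, info in cross_check(parse_jotti(JOTTI_SAMPLE), parse_virustotal(VT_SAMPLE)).items():
        print(name, info)
```

Scanner names differ between the two services ("Kaspersky Anti-Virus" versus "Kaspersky"), so the merged detection map is keyed by whatever each service printed; the useful signals are the MD5 agreement flag and a non-empty detections map.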

Post by whisperer » September 13th, 2006, 4:52 am

Hi bnkrldy,

Thanks for the logs; they help insofar as they throw no new light on the problem.

This post is entitled Back to Basics. :)

The way that I understand it is that you have had a series of unexplained events, such as no internet connection and the inability to run some programs; this problem is only in Leanna's account. Investigation by several facilities proved ineffective, but Ewido threw up an infection called HIJACKER.COSTRAT.E. I assume that it deleted this infection, as you can find nothing in the quarantine element of Ewido.

You can run everything as normal from both Gale's account and Rich's account, except that Rich's account does not appear when in Safe mode.

  1. The first phase of Back2Basics is to check what the computer thinks the account status to be – only Computer administrator accounts appear in Safe mode. The next is to downgrade Leanna's old account to Limited and rename it, and finally create a new account for Leanna.
  2. Please boot to Safe mode and log on using the Administrator account
    1. From the Control Panel select User Accounts
      • Confirm that Rich is set as a Computer administrator – amend the account if that is not the case
      • Similarly that Leanna is set to Computer administrator – rename Leanna to Trial and change the type to Limited if you can
      • Create a new account for Leanna – OK you are going to have to set it up again as you want it to be, if this works!
    2. Please advise the outcome of each of the previous stages.
  3. Finally boot back to Normal mode and check out what limitations there are with the new Leanna account, hopefully there are none.
  4. Please post back with the results, good or bad.

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Post by bnkrldy » September 13th, 2006, 7:43 pm

Yes, Rich is set as administrator, but still does not show as a log-in option in SafeMode.

I renamed Leanna to TRIAL and reset it to Limited.

The Leanna2 account seems normal: the desktop is back, I can reset the home page, I can d/l stuff from the internet, and I can add links to favorites, and pin shortcuts to the start page.

The ONLY problem I see is there is a strange little star on the bottom task bar that says "you may be a victim of software counterfeiting" and seems to think my WIN XP licence is not valid.

Post by whisperer » September 14th, 2006, 5:15 am

Hi bnkrldy,

All of our efforts have been slanted towards finding the malware giving you your problems. I guess that you had this COSTRAT.E problem; it did its damage and was then removed by Ewido, leaving us with apparent and real symptoms of continuing infection.

The change in account was an attempt to see whether the problems stop or migrate to the new account, so it is early days yet to pronounce 'fixed'; I would like to leave as is (almost) for about 14 days to see whether anything develops…

In 7 days' time I would like you to delete the TRIAL account to determine whether the deletion triggers any problems. I assume that you have brought across to the new Leanna account any personal documents and information from TRIAL.

Your star problem is probably a result of the installation of Microsoft's Windows Genuine Advantage (WGA) tool, whose aim is to detect illegal software. Illegality can be caused by many things; somebody having used your genuine key to activate other copies of Windows is one example. The installation of the WGA tool probably occurred with the installation of kb905474 under the automatic update scheme that they recommend. More information can be found here

The way I understand it is that if you click the star, it will tell you what to do to get the validity of your version checked and, if you are an innocent party in a fraud, I believe that they will give you another key to re-validate your copy. I would suggest that you follow this course of action if you believe that you are using a fully valid copy of Windows. As you are fully patched, I see no reason to doubt the validity.

Now on to a bit of housekeeping.

  1. Open Task Manager > Ctrl+Alt+Del and click on the Processes tab. Click the Image Name title to sort the entries alphabetically. Scroll down through the list and right-click on these files if found, selecting End Process from the options:
    • OTMNM.exe
    • VXFJMVWIGVEE.exe
    Close Task Manager
  2. Please download PocketKillbox by Option^Explicit Software from here
    1. Click the Killbox.zip file and choose Extract
    2. I suggest you extract it to its own folder on your desktop
    C:\WINDOWS\TEMP\OTMNM.exe
    C:\WINDOWS\TEMP\VXFJMVWIGVEE.exe
  3. Open the folder and click to open killbox.exe
    1. Click on Delete on Reboot.
    2. Place a tick in the box next to End Explorer Shell While Killing File
    3. Copy the text from the quote box above to the clipboard
    4. From the Killbox menu bar select File and Paste from Clipboard. The two paths will appear in the box headed Full Path of File to Delete. NOTE: If they do not show or you get a message like 'Empty Array' then the files no longer exist, so you can close Killbox.
    5. Click the Delete File button, a red circle with a white X
    6. Click Yes at the confirmation message that files will be deleted on next reboot
    7. Click Yes to reboot.
    8. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

      If your computer does not restart automatically, please restart it manually.
    9. After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  4. I note that you have CCleaner installed, so I would like you to finish with a CCleaner scan. I have shown below the setup that I use when running CCleaner.
    1. Click on the CCleaner icon on your desktop.
    2. From the menu on the left select Options
    3. Now select Advanced. On the right remove the check against Only delete files in Windows Temp folders older than 48 hours.
    4. Select Cookies. When CCleaner is run it will remove all of the cookies in the left window; if there are cookies that you wish to retain then select them and transfer them to the right window. Multiple selections can be made by holding down the Ctrl key before selecting.
    5. Select Cleaner from the left menu and the Windows tab
      • Under Internet Explorer place ticks in all but the last box
      • Under Windows Explorer tick the last two only
      • Under System tick all boxes
      • There is no need to tick anything under Advanced
  5. Post the Killbox log in your next reply together with a new HijackThis log for LEANNA.

GT :thumbup:
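Killbox's "Delete on Reboot" option, and the "PendingFileRenameOperations" prompt the instructions mention, both refer to the same Windows mechanism: a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that lists source/target path pairs, which the session manager carries out early in the next boot before the files are in use (an empty target means delete, a "!" prefix on the target means replace an existing file). Because any program with administrator rights can queue an operation there, it is also worth inspecting when you did not queue it yourself. The decoder below is an added example, not part of Killbox or of the thread; the sample value is constructed (the two TEMP paths are the ones being deleted above, the third pair is invented), and the function names and the `triage` rule are my own.

```python
"""Decode a PendingFileRenameOperations value (the mechanism behind Killbox's
"Delete on Reboot") into a list of boot-time file operations."""
REG_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"   # MoveFileEx writes paths in NT object-manager form

# Constructed sample of the REG_MULTI_SZ contents: strings come in pairs
# (source, target). An empty target means "delete at boot"; a "!" prefix on
# the target means "replace an existing file". The two TEMP paths are the
# ones queued in the thread; the third pair is invented.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\TEMP\\OTMNM.exe", "",
    "\\??\\C:\\WINDOWS\\TEMP\\VXFJMVWIGVEE.exe", "",
    "\\??\\C:\\WINDOWS\\TEMP\\stage.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
]

def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pending_ops(entries):
    """Turn the raw string list into
    [{"action", "source", "target", "replace_existing"}, ...]."""
    if len(entries) % 2:
        raise ValueError("odd number of strings: truncated %s value" % VALUE_NAME)
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append({"action": "delete", "source": _strip_nt(src),
                        "target": None, "replace_existing": False})
        else:
            ops.append({"action": "rename", "source": _strip_nt(src),
                        "target": _strip_nt(dst.lstrip("!")),
                        "replace_existing": dst.startswith("!")})
    return ops

def triage(ops, watch_dirs=("\\windows\\system32\\",)):
    """Return the operations that will overwrite or create files under a
    watched system directory at next boot (my own review rule, not Killbox's)."""
    flagged = []
    for op in ops:
        target = (op["target"] or "").lower()
        if op["action"] == "rename" and any(d in target for d in watch_dirs):
            flagged.append(op)
    return flagged

def read_live_value():
    """On Windows, read the real value; return None when not on Windows and
    [] when nothing is pending."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return []
    return list(value)

if __name__ == "__main__":
    live = read_live_value()
    entries = live if live else SAMPLE_VALUE   # fall back to the sample off Windows
    ops = parse_pending_ops(entries)
    for op in ops:
        print(op)
    print("flagged:", triage(ops))
```

Reading the value needs no special privilege, so the check can be run from a Limited account before a reboot; Killbox's own "Registry Data has been Removed by External Process" message in the log further down is exactly what you would see if the value were cleared between queuing and reboot.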

Post by bnkrldy » September 14th, 2006, 7:03 pm

Ok, I marked my calendar to remove TRIAL next week. I also made the changes to CCleaner you directed, and checked TaskManager for the two processes (but didn't find them).

Here is the Killbox Log. I ran each line separately, and did receive the "PendingFileRenameOperationRegistry" warning when the second file was deleted.

Pocket Killbox version 2.0.0.648
Running on Windows XP as Leanna_2(Administrator)
was started @ Thursday, September 14, 2006, 3:35 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\TEMP\OTMNM.exe

I Rebooted @ 3:39:31 PM
Killbox Closed(Exit) @ 3:39:32 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Leanna_2(Administrator)
was started @ Thursday, September 14, 2006, 3:47 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\TEMP\VXFJMVWIGVEE.exe

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:50:48 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\TEMP\VXFJMVWIGVEE.exe

Killbox Closed(Exit) @ 3:51:35 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Leanna_2(Administrator)
was started @ Thursday, September 14, 2006, 3:54 PM


AND here is a new HIJACKTHIS log from Leanna2:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:49 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\check.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Leanna_2\My Documents\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe (file missing)
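Both the Silent Runners log earlier in the thread ("asp4tray" = "asp4tray.exe" [file not found]) and the HijackThis log above (the same asp4tray entry, an "Adobe Gamma Loader.lnk = ?" startup shortcut, and an O23 service marked "(file missing)") show the kind of entry a helper looks at first: an autorun whose target cannot be resolved, or one given as a bare file name that Windows resolves through the PATH search order. The script below is an added example, not code from HijackThis, Silent Runners or the thread; it parses the HijackThis line format and applies three review rules of my own. The sample log is a constructed excerpt built from the lines posted above, except the O16 URL, which is a placeholder because the original was truncated.

```python
"""Triage a HijackThis-style log: flag autorun entries that cannot be resolved
to a file on disk or that rely on a relative path, the same class of entry that
Silent Runners marks "[file not found]"."""
import re

# Constructed excerpt in HijackThis v1.99.1 format; entries mirror the log in
# the thread except the O16 URL, which is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://scanner.example/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe (file missing)
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_REG = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")   # hive, key, name, command
O4_DIR = re.compile(r"^(Global Startup|Startup): (.+?) = (.*)$")   # folder, shortcut, target
O20 = re.compile(r"^Winlogon Notify: (.+?) - (.*)$")
O23 = re.compile(r"^Service: (.+?) - (.+?) - (.*)$")                # display name, owner, path
O16 = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (\S+)$")   # clsid, description, url
ABSOLUTE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)')          # drive letter or %VAR% root

def parse_hjt(text):
    """Yield (kind, body) for every HijackThis entry line."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Return findings as {"kind", "item", "reason"} dicts."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O4":
            reg, folder = O4_REG.match(body), O4_DIR.match(body)
            if reg and not ABSOLUTE.match(reg.group(4)):
                # A bare file name is resolved through the PATH search order,
                # so what actually runs depends on which copy is found first.
                findings.append({"kind": kind, "item": reg.group(3), "reason": "relative path"})
            elif folder and folder.group(3).strip() == "?":
                findings.append({"kind": kind, "item": folder.group(2), "reason": "target unresolved"})
        elif kind in ("O20", "O23"):
            m = (O20 if kind == "O20" else O23).match(body)
            if m and "(file missing)" in m.group(m.lastindex):
                findings.append({"kind": kind, "item": m.group(1), "reason": "file missing"})
        elif kind == "O16":
            m = O16.match(body)
            if m:   # downloaded ActiveX controls: list the source for review
                findings.append({"kind": kind, "item": m.group(2),
                                 "reason": "ActiveX download source " + m.group(3)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %-32s %s" % (f["kind"], f["item"], f["reason"]))
```

A "relative path" or "file missing" finding is a review prompt, not a verdict: regsvr32 in the sample is a Windows binary that happens to be referenced without a path, while asp4tray.exe is an entry whose target no longer exists anywhere, which is why both logs single it out.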

Post by whisperer » September 15th, 2006, 12:52 pm

Hi bnkrldy,

We are definitely getting there!

Because you run Ewido from the TRIAL account (old Leanna), it must be uninstalled before you remove the TRIAL account; please reinstall it. C:\Program Files, I believe, is the default installation path.

I would now like you to boot into Safe mode and navigate to C:\WINDOWS\TEMP, then locate and delete the VXFJMVWIGVEE.exe file if it is still there; it is just possible that CCleaner took care of it!

Reboot back to Normal. Now we will check to see if there are any other files lurking by running an online scanner through your system.

Please do an online scan with Kaspersky Online Scanner. You must use Internet Explorer for this scan.
  1. Click on Kaspersky Online Scanner
  2. You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  3. The program will launch and then start to download the latest definition files.
  4. Once the scanner is installed and the definitions downloaded, click Next.
  5. Now click on Scan Settings and ensure that the following are selected:
    • Under Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Under Scan Options:
      • Scan Archives
      • Scan Mail Bases
  6. Click OK
  7. Now under select a target to scan select My Computer
  8. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  9. Now click on the Save as Text button.
  10. Save the file to your desktop.
  11. Copy and paste that information in your next post.

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 15th, 2006, 10:43 pm

I posted a reply over an hour ago, but it doesn't show as yet. I hope this is not a duplicate! Anyway, I uninstalled/reinstalled Ewido under C:Programs.
I was not able to find the file VXFJMVWIGVEE.exe.

Here is the Kaspersky online scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 15, 2006 6:55:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/09/2006
Kaspersky Anti-Virus database records: 223731
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 40054
Number of viruses found: 2
Number of infected objects: 4 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:56:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FAB2E84A-C2E7-45E2-898F-F9A5F0D6ED17}.crmlog Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\TEMP\TMP000000940969E8BD9B487828 Object is locked skipped
C:\WINDOWS\TEMP\TMP000000696FA9BBAE5A15489D Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_478.dat Object is locked skipped
C:\WINDOWS\TEMP\TMP000000656500B3270E23FC3B Object is locked skipped
C:\WINDOWS\TEMP\TMP000000665F7BE64E06928969 Object is locked skipped
C:\WINDOWS\TEMP\TMP0000006B3C737A5D142E37DD Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\Logfiles\W3SVC1\ex060916.log Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\msmq\storage\QMLog Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\Program Files\Comcast\ComcastToolbar.exe/data0055 Infected: not-a-virus:AdWare.Win32.BHO.al skipped
C:\Program Files\Comcast\ComcastToolbar.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-07072006-215325.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\Rich.DESKTOP\.jpi_cache\jar\1.0\ms0311.jar-4034d181-5b400d06.zip/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Rich.DESKTOP\.jpi_cache\jar\1.0\ms0311.jar-4034d181-5b400d06.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Leanna_2\ntuser.dat Object is locked skipped
C:\Documents and Settings\Leanna_2\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Leanna_2\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leanna_2\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leanna_2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Leanna_2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Leanna_2\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{36C3E1F0-EB88-4093-A3EE-8DB6E333827C} Object is locked skipped
C:\Documents and Settings\Leanna_2\Cookies\index.dat Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\_restore{B18D442F-836D-4BF0-95C5-54395E937425}\RP21\change.log Object is locked skipped
C:\Inetpub\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\INDEX.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP10000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP20000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiST0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps2 Object is locked skipped
C:\Inetpub\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\cicat.hsh Object is locked skipped
C:\Inetpub\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\cicat.fid Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk1 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk2 Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps1 Object is locked skipped

Scan process completed.
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am
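The report above mixes a handful of real detections into roughly a hundred "Object is locked" lines, which is exactly the sorting the helper does by hand in the next post. As an added example (not a tool from the thread or from Kaspersky), here is a small Python triage script for that report format: it drops the locked-object noise, groups archive members under their container, attributes each hit to the Windows profile it lives in, and checks the parsed lines against the header counts. The embedded report is a constructed sample modelled on the one quoted above; the `parse_report`, `summarize` and `counts_consistent` names are this example's own.

```python
"""Triage helper for a Kaspersky Online Scanner text report (2006-era format).

Separates real detections from 'Object is locked' noise, groups archive
members under their container and attributes hits to Windows accounts.
Added example; not a tool from the thread or from Kaspersky."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the report format quoted in the thread.
# Paths and header counts are illustrative, not the poster's full log.
SAMPLE_REPORT = r"""-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 15, 2006 6:55:55 PM
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 40054
Number of viruses found: 2
Number of infected objects: 4 / 0
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Program Files\Comcast\ComcastToolbar.exe/data0055 Infected: not-a-virus:AdWare.Win32.BHO.al skipped
C:\Program Files\Comcast\ComcastToolbar.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Rich.DESKTOP\.jpi_cache\jar\1.0\ms0311.jar-4034d181-5b400d06.zip/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Rich.DESKTOP\.jpi_cache\jar\1.0\ms0311.jar-4034d181-5b400d06.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

Scan process completed.
"""

# The three line shapes in the "Infected Object Name" section. Paths contain
# spaces, so each regex anchors on the fixed status text at the end of the line.
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked (?P<action>\w+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) (?P<action>\w+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<fmt>[A-Za-z0-9]+): infected - (?P<count>\d+) (?P<action>\w+)$")
COUNT_RE = re.compile(r"^(?P<label>Number of (?:viruses found|infected objects|suspicious objects)): (?P<value>\d+)")


@dataclass
class Finding:
    path: str        # object path as printed, including "/member" for archive entries
    status: str      # "locked", "infected" or "container"
    detection: str   # verdict name; empty for locked objects
    action: str      # what the scanner did ("skipped" for the detect-only online scanner)

    @property
    def container(self) -> str:
        # Members of an archive are printed as "<archive>/<member>"; a Windows
        # path never contains '/', so the first one separates the two.
        return self.path.split("/", 1)[0]

    @property
    def account(self) -> str:
        m = re.match(r"^[A-Z]:\\Documents and Settings\\([^\\]+)", self.container, re.I)
        return m.group(1) if m else "(system/shared)"

    @property
    def is_pua(self) -> bool:
        # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
        return self.detection.lower().startswith("not-a-virus:")


def parse_report(text):
    """Return (findings, header_counts) for one report."""
    findings, counts = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := COUNT_RE.match(line)):
            counts[m["label"]] = int(m["value"])
        elif (m := LOCKED_RE.match(line)):
            findings.append(Finding(m["path"], "locked", "", m["action"]))
        elif (m := INFECTED_RE.match(line)):
            findings.append(Finding(m["path"], "infected", m["name"], m["action"]))
        elif (m := CONTAINER_RE.match(line)):
            desc = f"{m['fmt']} archive ({m['count']} infected member)"
            findings.append(Finding(m["path"], "container", desc, m["action"]))
    return findings, counts


def summarize(findings):
    """Group real detections by container and list the accounts they touch."""
    hits = [f for f in findings if f.status != "locked"]
    by_container = {}
    for f in hits:
        by_container.setdefault(f.container, []).append(f)
    return {
        "locked": sum(1 for f in findings if f.status == "locked"),
        "detections": len(hits),
        "containers": by_container,
        "by_account": sorted({f.account for f in hits}),
        # containers whose only verdicts are adware/PUA (the archive line itself carries no verdict)
        "pua_only": [c for c, fs in by_container.items()
                     if all(f.is_pua or f.status == "container" for f in fs)],
    }


def counts_consistent(findings, counts):
    """The header's infected-object count should equal the non-locked lines parsed;
    a mismatch means a line shape the parser does not know about."""
    return counts.get("Number of infected objects") == sum(1 for f in findings if f.status != "locked")


if __name__ == "__main__":
    findings, counts = parse_report(SAMPLE_REPORT)
    s = summarize(findings)
    print(f"{s['locked']} locked objects skipped (expected on a live system)")
    print(f"{s['detections']} detections in {len(s['containers'])} containers; accounts: {s['by_account']}")
    for container, hits in s["containers"].items():
        kind = "adware/PUA only" if container in s["pua_only"] else "MALWARE"
        print(f"  [{kind}] {container}")
        for f in hits:
            print(f"      {f.status:9} {f.detection}  action={f.action}")
    print("header counts consistent:", counts_consistent(findings, counts))
```

Every action in the sample is "skipped" because the online scanner only detects; that is why the helper's follow-up asks for the Java cache to be cleared and the toolbar uninstalled by hand rather than relying on the scan to clean anything.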

Unread postby whisperer » September 16th, 2006, 10:41 am

Hi bnkrldy,

Kaspersky has thrown up a few more warnings: 2 in Rich's account and 2 associated with your ISP Comcast, as highlighted in the quote box.
C:\Documents and Settings\Rich.DESKTOP\.jpi_cache\jar\1.0\ms0311.jar-4034d181-5b400d06.zip/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Rich.DESKTOP\.jpi_cache\jar\1.0\ms0311.jar-4034d181-5b400d06.zip ZIP: infected - 1 skipped

C:\Program Files\Comcast\ComcastToolbar.exe/data0055 Infected: not-a-virus:AdWare.Win32.BHO.al skipped
C:\Program Files\Comcast\ComcastToolbar.exe NSIS: infected - 1 skipped


  1. Dealing with Rich's account first, there is no cause for alarm, as these flagged items are designed to attack weaknesses in the Microsoft Virtual Machine; because you use Java, they pose no threat to you at all, but to prevent your anti-virus program throwing up periodic warnings, I suggest that you remove them.

    You can remove them by logging in to Rich and then opening the Java plug-in from the Control Panel, selecting the Cache tab and then clicking on Clear to delete the contents of the cache.
  2. The Comcast ISP has a toolbar that is, to be fair, an optional installation; the trouble is they do not tell you that when you take that option you also install a facility for Adware, in your case I would think it is the weather that you get with it. I would recommend that you uninstall the Comcast toolbar and remove the program Weather; optional instructions follow.

    To uninstall the toolbar, please click here and follow the online instructions
  3. With regard to the program called Weather, this used to be a definite program to remove as it came bundled with Adware and was possibly installed along with the Comcast toolbar, which at the very least makes it fall into the category of 'foistware' - programs installed without your knowledge. The latest version does now appear to be clear of adware, but I am always careful of apparent changes in a program's status as it is easy enough to revert to bad old ways, and the fact that you are offering a download of weather every time that you use it means that your computer could easily be compromised.

    I recommend that you change it to a safer program. If you decide to remove the weather program then
    1. Please go to Add or Remove programs within Control Panel, click on WeatherBug and then Remove
    2. Navigate to C:\Program Files, locate and delete the AWS directory together with its contents.
    3. If you need weather updates then I would suggest Weather Pulse as a safer alternative.
  4. You do have another not recommended program in that you use AOL's Instant Messenger – AIM. This again is another well-known avenue for the hackers and I would suggest that you use TRILLIAN instead; this is a safer option and will allow you to communicate with all of your AOL contacts as well as other chat networks; if you wish to try it then download it here.
  5. Hopefully to finish with the new Leanna account, you do have some resource hogs starting when Windows starts; they can all be started if-and-when required rather than automatically, so I have shown them in the HijackThis fix but stress that they are entirely optional, as are the first two entries. I personally do not like the way in which AOL takes over the computer and I wish to choose my own Search and Start pages, but that is a personal choice.

    Start your HijackThis and click on Scan
    1. Click in the check-box to the left of each of the following entries, if found
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
      • O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
      • O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
      • O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

        If you switch to Trillian then you can also check this one as well
      • O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Leanna_2\My Documents\AIM\aim.exe
    2. With all windows closed except HijackThis, select Fix Checked
  6. Please post a new HijackThis log for Leanna's and then an up-to-date one for Rich. Please advise how the computer is behaving now – is the star still there in the SysTray?

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 16th, 2006, 2:44 pm

I had a few problems following your instructions. First, I was unable to remove the Comcast toolbar, so I have emailed them to ask for further instructions.

Second, I did not find Weatherbug in the Control Panel list of programs to remove, so I did it manually, including the AWS directory...hope that is ok.

I will check with my daughter on if she is willing to switch from AIM to Trillian.

The "star" in the SysTray is gone now. The computer seems to run ok, but a bit slow.

One question: Should I clean the JAVA cache periodically? I do that to the AOL cache every few weeks...

Here is Leanna HIJACKTHIS log:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:51 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Hijackthis\check.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)


Here is RICH HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:21 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\check.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 16th, 2006, 3:27 pm

Quickie response before I look at the logs.

Well done on emailing Comcast. If you had any browser windows open other than the link one then that might, just might, have prevented the toolbar being removed; I assume that the toolbar is still visible ....

Were there any programs named weather?

Cannot give you a definitive answer to the Java cache as I have no add-ins to check, but if you remember that the function of a cache is to provide a pool of information that is supposed to speed up your browsing rather than having to do a fresh download each time...

Finally, Trillian is another way of accessing AIM, Yahoo, MSN etc.; she will lose nothing by using it, have a look at the write-up on the link.

Back to have a look at the logs :D
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby whisperer » September 16th, 2006, 3:50 pm

Looking reasonable and now Gale's log please
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 16th, 2006, 3:58 pm

Yes, we have Weatherbug (but I removed it and will try Weather Pulse). I will also check out Trillian.

Here is Gale's HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:23 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gale\Desktop\check.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 16th, 2006, 4:03 pm

What have you done with McAfee? It is not showing - were the logs done in Normal or Safe mode? :)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 16th, 2006, 4:17 pm

Oops! gosh you're fast! Yesterday, after I did the Kaspersky scan, I wanted to delete the items it found, but the online scanner wouldn't work...so I d/l their 30 day free trial. In order to do that, though, it wanted me to delete McAfee, which I did (I hate McAfee anyway). Today, I am going to reinstall McAfee.

One question for you, I d/l Weather pulse, but it will not run under Leanna or Rich...is there some program limitation I need to know about?
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am