Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Well Hidden Adware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Well Hidden Adware

Unread postby johnt99 » August 9th, 2007, 10:17 am

Something nasty has got into this system. (Windows 2K SP4) It looks like Zedo. Multiple instances of Internet Explorer pop up advertising all sorts of junk. I've run AdAware, Superantispyware, Ewido, SpyHunter, SpybotS&D, Webroot Anti-spy, Macafee, and Kaspersky Internet Security but none of them find anything. Kaspersky at least told me that Explorer.exe was trying to send hidden data. The only problem with that was that, after about 3 warnings, Kaspersky quarantined Explorer.exe, so the desktop disappeared and I had to power off to get it back. Also, I don't think Explorer has anything wrong with it. I used Recovery Console to put in a clean copy of explorer and the problem was still there.

I also tried the Zedo removal instructions from pchell, but neither the files nor the registry entries are on the system.

Here's a HijackThis log, in the hope that someone might be able to spot something.

Logfile of HijackThis v1.99.1
Scan saved at 02:19:58, on 2007/08/09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/whsmith
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\system32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] "C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINNT\system32\MRT.exe" /R
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunServices: [Windows Service] Winaglern.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/whsmith
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O20 - AppInit_DLLs: C:\WINNT\system32\__c004CE8E.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avgav.exe (AVG) - Unknown owner - C:\WINNT\avgav.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am
Advertisement
Register to Remove

Unread postby Bob4 » August 9th, 2007, 10:12 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


_________________________________________________

It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.

____________________________________



______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)
_________________________________________________

Click start/run and copy and paste the follwing in :


sc stop MSDisk

Hit enter

Then

sc delete MSDisk
hit enter
________________________


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\irdvxc.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")



_____________________________


_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.


C:\WINNT\system32\__c004CE8E.dat


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

_______________________________________________



_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

_____________________________________________


______________________________
Make a new folder on your desktop. Call it reg finder

Download Reg Finder
Extract the files to that folder on the desktop you just created..
Go into that folder and double click RegFinder.vbs.
If any of your software gives you a warning about running this just allow it. It's safe.
Type in Winaglern into the text field that appears and hit enter.
Again... Some protection software may probably flag the script...
just let it run.
It will let you know when its done and a log should pop up ..If it doesn't there will be a file in the folder called results.txt

Post that for me.




In your next reply I would like to see:
  • A new HJT log
  • The report from Kasperskys
  • The report from Jottis?virus total
  • The report from reg Finder

User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby johnt99 » August 10th, 2007, 3:42 am

Thanks for the response. The system hasn't been used for security-sensitive activities Also, it isn't currently directly connected to the internet but is running on a LAN behind a firewall. I'll try cleaning it and get back to you after taking your recommended actions. Or if anything odd seems to happen along the way.

Best wishes.
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am

Unread postby johnt99 » August 10th, 2007, 4:39 am

OK. First oddity: O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing) does not appear in the HJT log nor in the list of services until after IE has made a connection to a website. Simply starting IE with a blank page does not cause it to appear.

SC does not exist on the system. However, I used Administrative Tools; Services to disable it (once it had appeared in the list). It now doesn't appear in the HJT log even after connecting to a website. The problem's still there though, so I'll move on to the next step.

More later.
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am

Unread postby Bob4 » August 10th, 2007, 6:45 am

johnt99 wrote:SC does not exist on the system. .


Forgot I was working on a 2K machine. :oops:
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby johnt99 » August 10th, 2007, 7:58 am

OK Bob.

OTMoveIt didn't find the file. But, then it was already reported as missing. I guess one of the previous attempts at getting rid of viruses and general malware had removed it.

I couldn't get any response from Jotti, or the online version of Virustotal, but I submitted C:\WINNT\system32\__c004CE8E.dat to them via email. Here's the report:-

Complete scanning result of "__c004CE8E.dat", processed in VirusTotal at 08/10/2007 11:17:49 (CET).

[ file data ]
* name: __c004CE8E.dat
* size: 80895
* md5.: a555ea3f4d692b09a248b4f9e92f9ce3
* sha1: 00074689902b8b920d575fd916d65fb58a8f3cd7

[ scan result ]
AhnLab-V3 2007.8.9.2/20070810 found nothing
AntiVir 7.4.0.57/20070809 found [TR/Crypt.XPACK.Gen]
Authentium 4.93.8/20070809 found nothing
Avast 4.7.1029.0/20070809 found nothing
AVG 7.5.0.476/20070809 found nothing
BitDefender 7.2/20070810 found nothing
CAT-QuickHeal 9.00/20070809 found nothing
ClamAV 0.91/20070810 found nothing
DrWeb 4.33/20070810 found [Trojan.Juan.19]
eSafe 7.0.15.0/20070810 found [suspicious Trojan/Worm]
eTrust-Vet 31.1.5048/20070810 found nothing
Ewido 4.0/20070809 found nothing
F-Prot 4.3.2.48/20070809 found nothing
F-Secure 6.70.13030.0/20070810 found nothing
FileAdvisor 1/20070810 found nothing
Fortinet 2.91.0.0/20070810 found nothing
Ikarus T3.1.1.12/20070810 found [MemScanTrojan.Juan.V]
Kaspersky 4.0.2.24/20070810 found [Trojan-Downloader.Win32.Agent.cbm]
McAfee 5094/20070809 found nothing
Microsoft 1.2704/20070810 found nothing
NOD32v2 2448/20070810 found nothing
Norman 5.80.02/20070809 found nothing
Panda 9.0.0.4/20070809 found nothing
Prevx1 V2/20070810 found nothing
Rising 19.35.41.00/20070810 found nothing
Sophos 4.19.0/20070801 found nothing
Sunbelt 2.2.907.0/20070810 found [Trojan.FakeAlert]
Symantec 10/20070810 found nothing
TheHacker 6.1.7.166/20070810 found nothing
VBA32 3.12.2.2/20070810 found nothing
VirusBuster 4.3.26:9/20070809 found nothing
Webwasher-Gateway 6.0.1/20070810 found [Trojan.Crypt.XPACK.Gen]

[ notes ]
packers: RLPack
Sunbelt info: Trojan.FakeAlert consists of files that cause false warnings of spyware on the computer. Usually the alerts are displayed in a balloon type pop-up from an icon in the system tray.
__________________________________________________

I couldn't get the Kaspersky Online scanner to work. The page came up, but when I hit the scan button nothing happened. That happened before and was why I had downloaded their Internet Security V7. I updated that and ran it against My Computer. Sure enough, it reported an infection in C:\WINNT\system32\__c004CE8E.dat. Here's the report:-

deleted: Trojan program Trojan-Downloader.Win32.Agent.cbm File: C:\WINNT\system32\__c004CE8E.dat

__________________________________________________

RegFinder came up with:-

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 2007/08/10 12:05:41 PM
; Search Term(s) Used: "Winaglern"
; 1 matches were found.
; The search took 25 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service"="Winaglern.exe"

__________________________________________________

Searching for that file didn't find anything.

Finally, here's a HJT log taken after all that - and with IE running having been connected to a website:-

Logfile of HijackThis v1.99.1
Scan saved at 12:07:40, on 2007/08/10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Internet Security 7.0\avp.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Internet Security 7.0\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/whsmith
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\system32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] "C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINNT\system32\MRT.exe" /R
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunServices: [Windows Service] Winaglern.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/whsmith
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: avgav.exe (AVG) - Unknown owner - C:\WINNT\avgav.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

__________________________________________________

Obviously, there's a lot of extra stuff in there now because I reinstalled Kaspersky to be able to scan with it. I think we (you!) may be getting there because Kaspersky no longer tries to shut down Explorer.exe and I haven't seen any "Internet Explorer Powered By Zedo" pages since the last reboot.

Fingers [and several other things ;-) ] x'd
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am

Unread postby Bob4 » August 10th, 2007, 6:32 pm

OTMoveIt didn't find the file. But, then it was already reported as missing.

HJT reports files missing is a glitch. Doesn't always mean there not there. The only ones that are listed as "file missing" that are to be counted on are 02 lines.



I guess one of the previous attempts at getting rid of viruses and general malware had removed it.

Could you tell me what,if any, specialized tools you may have used before you posted here please.




______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked



O4 - HKLM\..\RunServices: [Windows Service] Winaglern.exe


_________________________________




Panda
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your Valid Email
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results in your next reply

____________________________________



1. Download Combo fix from one of these locations.
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Pandas online scan
  • The report from Combo fix
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby johnt99 » August 11th, 2007, 9:28 am

Hi again Bob.

Specialised tools: I don't think I've run anything 'specialised' other than the SpyHunter VirusProtect Pro Scanner, if that qualifies. Otherwise, just a selection of generally available antivirus and anti-malware applications. Perhaps I should mention that the system being worked on isn't mine. It belongs to a friend who thought I'd probably be able to get it to function properly. He had been foolish enough to use a broadband service without having installed any firewall. I can tell you that, before I contacted this forum, I had run:

AdAware SE
AVG Anti-Spy
AVG Antivirus
Kaspersky Internet Security
SpyHunter VirusProtect Pro Scanner
Superantispyware
Spybot S&D
TrendMicro Housecall V6

Those found about 190 infections - mostly Zlob and including VirusProtect Pro - but I didn't keep a record of what they were. Interestingly, when I first ran it last weekend, Kaspersky didn't report the infection in C:\WINNT\system32\__c004CE8E.dat which it found last time. Maybe it's a recent update to their database?

The system now has McAfee Internet Security V7.2 installed, since matey has listened to what I said about having some reasonable protection. (I might have gone for Kaspersky myself, but I think he felt more comfortable with a name he recognised.)

Right, here are the latest logs:-

Panda Active Scan

Incident Status Location

Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Malcom Hallas\Cookies\malcom hallas@ccbill[2].txt
Spyware:Cookie/E-eliminator Not disinfected C:\Documents and Settings\Malcom Hallas\Cookies\malcom hallas@evidence-eliminator[1].txt
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\Malcom Hallas\Local Settings\Temp\ICD1.tmp\UWA7P_0001_N91M0809NetInstaller.inf
________________________________________________________

ComboFix 07-08-09.3 - "Malcom Hallas" 2007/08/11 11:36:52.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.840 [GMT 1:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\oledb32.dll
C:\WINNT\system32\u2g.f
C:\WINNT\system32\winiconmon.ico
C:\WINNT\system32\winiconmon.ico.bak0


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 11:41 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_468.dat
2007-08-11 11:35 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-11 10:46 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-08-10 16:04 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-08-10 16:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-08-10 16:04 <DIR> d-------- C:\DOCUME~1\MALCOM~1\APPLIC~1\SiteAdvisor
2007-08-10 16:04 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SiteAdvisor
2007-08-10 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-08-10 16:03 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-08-10 16:03 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-08-10 16:03 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-08-10 16:03 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-08-10 16:03 170,408 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-08-10 16:03 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-08-10 16:02 <DIR> d-------- C:\Program Files\McAfee.com
2007-08-10 16:02 <DIR> d-------- C:\Program Files\McAfee
2007-08-10 16:02 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-08-10 15:08 491,520 --a------ C:\WINNT\system32\msado15.dll
2007-08-09 13:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-08 16:15 <DIR> dr-hs---- C:\cmdcons
2007-08-08 16:08 <DIR> dr------- C:\I386
2007-08-08 15:28 243,472 --a--c--- C:\WINNT\system32\dllcache\explorer.exe
2007-08-08 15:28 243,472 --a------ C:\WINNT\explorer.exe
2007-08-08 15:28 243,472 --a------ C:\explorer.exe
2007-08-08 12:58 <DIR> d-------- C:\kav
2007-08-08 12:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-08 12:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-07 15:02 <DIR> d-------- C:\Program Files\Norton
2007-08-07 15:00 <DIR> d-------- C:\Program Files\Symantec
2007-08-07 15:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-07 14:52 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-07 14:52 <DIR> d-------- C:\DOCUME~1\MALCOM~1\APPLIC~1\Symantec
2007-08-07 12:24 164 --a------ C:\install.dat
2007-08-07 11:12 <DIR> d-------- C:\Program Files\CleanMyPC Popup Blocker
2007-08-07 09:37 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-06 00:02 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-08-06 00:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-05 23:58 <DIR> d-a------ C:\WINNT\Internet Logs
2007-08-05 23:48 <DIR> d-------- C:\Sources
2007-08-05 23:02 <DIR> d-------- C:\Program Files\RegCleaner
2007-08-05 22:50 <DIR> d-------- C:\Program Files\BHODemon
2007-08-05 20:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-05 18:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-05 18:20 <DIR> d-------- C:\DOCUME~1\MALCOM~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-05 18:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-05 15:41 94,480 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-08-05 15:40 69,632 --a------ C:\WINNT\system32\mfcm80.dll
2007-08-05 15:40 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-08-05 15:40 57,344 --a------ C:\WINNT\system32\mfcm80u.dll
2007-08-05 15:40 548,864 --a------ C:\WINNT\system32\msvcp80.dll
2007-08-05 15:40 479,232 --a------ C:\WINNT\system32\msvcm80.dll
2007-08-05 15:40 1,093,632 --a------ C:\WINNT\system32\mfc80.dll
2007-08-05 15:40 1,079,808 --a------ C:\WINNT\system32\mfc80u.dll
2007-08-05 15:39 <DIR> d-------- C:\DOCUME~1\MALCOM~1\APPLIC~1\HouseCall 6.6
2007-08-04 19:46 144,896 --a------ C:\WINNT\system32\msconfig.exe
2007-08-04 19:46 <DIR> d-------- C:\WINNT\pss
2007-08-04 19:37 <DIR> d-a------ C:\WINNT\system32\appmgmt
2007-08-04 12:35 <DIR> d-------- C:\DOCUME~1\MALCOM~1\.housecall6.6
2007-08-04 10:46 35,427 -ra------ C:\WINNT\system32\drivers\sisnic.sys
2007-08-04 10:46 <DIR> d-------- C:\Program Files\SiSLan
2007-08-04 10:38 <DIR> d-------- C:\LANDriver
2007-08-04 10:07 3,840 --a------ C:\WINNT\system32\drivers\BANTExt.sys
2007-08-04 10:07 <DIR> d-------- C:\Program Files\Belarc
2007-08-03 10:32 <DIR> d-------- C:\WINNT\system32\Windows Media
2007-08-03 10:31 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-08-03 10:31 <DIR> d-------- C:\WINNT\msiinst.tmp
2007-08-03 10:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-03 10:19 44,032 -----c--- C:\WINNT\system32\dllcache\msxml3r.dll
2007-08-03 10:07 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-08-03 09:24 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-11 11:18 --------- d-------- C:\Program Files\SlipStream Web Accelerator
07-08-11 11:18 --------- d-------- C:\Program Files\QuickTime
07-08-11 11:12 --------- d-------- C:\Program Files\iTunes
07-08-11 11:10 --------- d-------- C:\Program Files\Google
07-08-07 16:12 --------- d-------- C:\Program Files\Microsoft AntiSpyware
07-08-05 21:40 --------- d-------- C:\DOCUME~1\MALCOM~1\APPLIC~1\Lavasoft
07-07-08 19:11 --------- d-------- C:\Program Files\iPod
07-05-16 09:05 312 --a------ C:\WINNT\EReg206.dat
05-10-18 08:02 271 ---h----- C:\Program Files\desktop.ini
05-10-18 08:02 21952 ---h----- C:\Program Files\folder.htt
03-07-14 13:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
02-06-26 09:06 69632 --------- C:\WINNT\inf\MdmXSdk.dll
01-11-23 05:08 712704 --a------ C:\WINNT\inf\OTHER\AUDIO3D.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-14 13:00 C:\WINNT\system32\mobsync.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [04-01-26 10:38 ]
"SiS Windows KeyHook"="C:\WINNT\system32\keyhook.exe" [04-02-13 01:46 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [98-07-03 11:51 ]
"NeroCheck"="C:\WINNT\system32\\NeroCheck.exe" [01-07-09 11:50 ]
"MRT"="C:\WINNT\system32\MRT.exe" [07-06-28 00:57 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-06-28 09:14 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-05-11 22:12 ]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"McAfee Privacy Service"="C:\Program Files\McAfee\MPS\mps.exe" [07-01-23 19:16 ]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [07-01-17 16:30 ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [07-04-10 19:35 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-31 11:01 ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\Malcom Hallas\Start Menu\Programs\Startup\
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2006-02-06 19:29:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Event Planner Reminders.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2003-03-12 10:14:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 MPFP;MPFP;C:\WINNT\system32\Drivers\Mpfp.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 cmuda;C-Media WDM Audio Interface;C:\WINNT\system32\drivers\cmuda.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S2 AVG;avgav.exe;"C:\WINNT\avgav.exe"
S3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINNT\system32\DRIVERS\alcan5wn.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S4 MSDisk;Network helper Service;"C:\WINNT\system32\irdvxc.exe" /service


Contents of the 'Scheduled Tasks' folder
2007-03-24 17:48:58 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-10 15:03:06 C:\WINNT\Tasks\McQcTask.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 11:41:52
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 11:44:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-11 11:43

--- E O F ---
________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 01:22:27, on 2007/08/11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/whsmith
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\system32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] "C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINNT\system32\MRT.exe" /R
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Privacy Service] C:\Program Files\McAfee\MPS\mps.exe -r
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe /nosplash
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/whsmith
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

Cheers.
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am

Unread postby Bob4 » August 11th, 2007, 9:42 am

Ok things looking much better now.
Just 1 quick scan to be sure something you mentioned (zlob) is completly gone.


Download SmitfraudFix (by S!Ri) to your Desktop.
Smitfraud by S!ri


______________________________


  • Double clcik the smitfraud.exe
  • When promted
    Press any key to continue.
  • Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log .

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. When prompted by allow it to run




IMPORTANT: Do NOT run any other options until you are asked to do so!


Next reply I would like to see:

  • A new HJT log
  • The report from smitfraud
  • Let me know how things seem to be running.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby johnt99 » August 11th, 2007, 12:52 pm

OK Bob,

The system is performing normally. It has been since disabling the 'Network Helper Service (MSDisk)'.

Here's the Smitfraud log:-

SmitFraudFix v2.210

Scan done at 17:35:24.50, Sat 2007/08/11
Run from C:\Sources\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Malcom Hallas


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Malcom Hallas\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MALCOM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS NIC SISNIC
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D91D4BB7-CCEB-4C88-B190-F38AF64B34EA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D91D4BB7-CCEB-4C88-B190-F38AF64B34EA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D91D4BB7-CCEB-4C88-B190-F38AF64B34EA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

__________________________________________________________

And, here's the latest HJT log:-

Logfile of HijackThis v1.99.1
Scan saved at 05:37:33, on 2007/08/11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINNT\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/whsmith
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\system32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] "C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINNT\system32\MRT.exe" /R
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Privacy Service] C:\Program Files\McAfee\MPS\mps.exe -r
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe /nosplash
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/whsmith
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O23 - Service: McAfee Application Installer Cleanup (0188901186849894) (0188901186849894mcinstcleanup) - McAfee, Inc. - C:\WINNT\TEMP\018890~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

Looking Good!
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am

Unread postby Bob4 » August 11th, 2007, 2:14 pm

Great news ! Image

Your log now appears to be clean.

Lets do a few things to tidy up.
Please do these in the order I suggest!

________________________________


Open OTmoveit.


Click on Cleanup!.
Allow it to access the internet if any security software asks about it.

It will ask you if you want to start the clean up process :
Click yes.
When it's ready it will ask you to reboot.
Do so now.

then finish up with the rest of the instructions.




___________________________________
If we have set your computer to see all files and folders we must reprotect them.

UNDO SHOW ALL FILES
click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Deselect in the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Select the checkmark from the checkbox labeled Hide file extensions for known file types.
Replace the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK .
Now many important files are safe.


___________________________________
Download and install CCleaner from here.
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.


Now open the program and click on Run Cleaner
( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).

You may opt out of cleaning cookies. If you clean them alls you will have to do is retype names and passwords for places you visit on the net 1 time.
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla
I clean all my cookies out from time to time. It's not that big a deal if you remember passwords.




A few things to help with possible threats

These are optional . But will help protect you further.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from.

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic
and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you
with spyware and adware if you visit
them.
Sites to download software which
may infect your computer with
spyware, a virus or adware


___________________________________
Download and keep this updated and run weekly if you don't already have it.

spybot seach & destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.










Safe and Happy Surfing. :)
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby johnt99 » August 13th, 2007, 3:55 am

Bob,

Well done! The system seems to be clean now.

A minor point: The BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dl turns out to have been part of the ISP (Tiscali) setup when matey had a dialup account, so it was probably innocent(?) As he has broadband now, it's removal is unlikely to be an issue.

Cleanup actions performed and MSVP Hosts file installed. I've left the cookies cleanup out as it's not my machine and I've no idea if there are any passwords or similar stored there and whether or not they are all remembered.

I've added this webpage to his favourites, so he easily can see what's been done and decide for himself whether or not to follow the rest of your recommendations.

Thanks again and best wishes.
johnt99
Regular Member
 
Posts: 24
Joined: August 9th, 2007, 9:36 am

Unread postby Elrond » August 13th, 2007, 9:18 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 272 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware