Malware Removal Instructions

Project1/Pload


Post by jcut » August 14th, 2006, 5:57 pm

I have gotten something via a driveby download. I was navigating a rootsweb website when the task bar showed what appeared to be a pop-up/under. I right-clicked on the bar to delete it, but it wouldn't delete. I can't remember the order of everything that happened, but McAfee popped up saying it had stopped and cleaned a trojan. (Sorry, things were happening so fast I didn't note the name.) I went to the task manager to delete it (mmxsnet) and it would multiply. All the while, zone alarm was popping up request after request to access the internet. (All denied) I finally got everything out of task manager, rebooted the computer and ran Virus Scan. It found nothing. I also went into zone alarm and denied all access to the programs that had tried to access the internet.

The programs identified by zone alarm were:

Project1
C:\Documents and Settings\Owner\Local Settings\Temp\mmxsnet.exe

Project1
C:\Documents and Settings\Owner\Local Settings\Temp\drsmartload180a.exe

Pload
C:\Documents and Settings\Owner\Local Settings\Temp\pre.exe

There is also a PF File of each.

I've run McAfee, Spybot and AdAware.

I have noticed no ill effects from this.

I really would appreciate any help. Be forewarned, I'm sort of a computer weenie.

Here's my HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:43 PM, on 8/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/file ... _en_US.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.clerk.org/activex/smsx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Post by Nexus7 » August 15th, 2006, 12:10 pm

jcut,

Welcome to MalWare Removal! My name is David, and I'll be assisting you with your computer problems. As an Undergrad, all my fixes will be checked by an expert before I post them for you, so please be patient with any perceived delays. Now and until we're finished, please:
  • Do only as I tell you to do, and don't follow instructions at another site or thread
  • Ask if anything at all seems unclear
  • Keep me informed of any noticeable changes to your system
Do this, and we'll have your computer fixed in no time! :D

I'll post back to you as soon as my instructions are OK'ed.

Post by jcut » August 15th, 2006, 1:15 pm

Thank you David. Crossing my fingers that this will be easy!

Post by Nexus7 » August 15th, 2006, 9:47 pm

jcut,

Your Firewall just about saved your life -- on other systems, without firewalls, that same malware package you received dropped hundreds of files and registry keys, necessitating a reformat. I hope you're definitely a believer in the worth of firewalls and good security apps! :)

However, we still have a bit of cleaning to do. Please print out these instructions before undertaking them.


Please Download the Following Programs:
  • ATF-Cleaner from here to your Desktop.
  • Ewido Anti-Spyware 4.0 from here. Once installed, make the following settings changes:
    • Under the Status menu (which opens by default), under 'Your Computer's Security', Change Status on Resident Guard to Inactive
    • Click Update Now
    • Under the now-opened Update menu, uncheck 'Download and Install Updates Automatically (Recommended)'
    • Click Scanner in the top bar
    • Click the Settings tab
      • Under 'How To Act?' set 'Default Action for Detected Malware' to Quarantine
      • Under 'How to Scan' ALL boxes should be checked
      • Under 'What to Scan', 'Scan every file' should be highlighted
      • Under 'Possibly Unwanted Software' ALL boxes should be checked
    • Under Reports select 'Automatically generate report after every scan' and uncheck 'Only if threats were found'
    • Exit

Run ATF-Cleaner
  • Click Select All
  • If you use Firefox:
    • Click the 'Firefox' Menu
    • Click Select All, but deselect Firefox Saved Passwords
  • If you use Opera:
    • Click the 'Opera' Menu
    • Click Select All, but deselect Opera Saved Passwords
  • Click Empty Selected
  • Hit OK when prompted, then Exit

Fix HijackThis Entries
Close all open windows.
Double-click on HijackThis.
Then click on the button that says Run a System Scan
For each of the following entries:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)

...make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and Click Fix Checked.
Close HJT.


Run an Ewido Scan
  • Open Ewido Anti-Spyware
  • Click on the Scan Tab
  • Click on Complete System Scan
  • Let the program scan the machine -- it can take a while, just give it time.
  • When scan has finished, at bottom of screen click Apply all Actions
  • Click Save Report
  • Click Save Report As ('Save As' window should pop up.)
  • Click Desktop
  • Click Save
  • Exit ewido

In Your Next Reply, please include:
  • Your ewido log
  • A new HijackThis log
  • Any persisting problems you notice

- David

Post by jcut » August 15th, 2006, 11:16 pm

David,
Thanks for coming back to my rescue. I have an old version of Zone Alarm. I never updated it because I'd read that you couldn't just delete the old version with the change/uninstall function, that you had to change things in your registry and that scared me. At least it saved my day. (hopefully)

I believe all went well with what you've had me do so far. Here are my logs:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:59:38 PM 8/15/2006

+ Scan result:

Nothing found.

::Report end


Logfile of HijackThis v1.99.1
Scan saved at 10:06:03 PM, on 8/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/file ... _en_US.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.clerk.org/activex/smsx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
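As an added example (not the forum's or HijackThis's own code): a small Python triage of HijackThis log lines that flags the two entry classes David had fixed above (O15 Trusted Zone sites and O2 BHOs listed as "(no file)"), adds a review hint for O4 Run values that name their image without a path, and compares the before and after logs to confirm which entries the fix removed. The sample lines are excerpts of the two logs posted in this thread; the O4 rule is my heuristic, not something the thread states.

```python
"""Triage of HijackThis v1.99.1 log entries and a before/after comparison.

Added example, not part of the original thread and not HijackThis code.
The O15 and O2 rules mirror what the helper had removed in this thread;
the O4 rule is an extra review hint (image named without a path), not a
verdict on malice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HJT finding line opens with a section tag: R0-R3 or O1-O23.
HJT_LINE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# O15 body: "Trusted Zone: *.example.com (HKLM)"
O15_BODY = re.compile(r"^Trusted Zone:\s*(?P<site>\S+)\s*\((?P<hive>HKLM|HKCU)\)")
# O4 body: "HKLM\..\Run: [Name] <command line>"
O4_BODY = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def parse_entries(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, body, full line) for finding lines; header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body"), line))
    return entries


def _command_image(cmd: str) -> str:
    """First token of a Run value: a quoted path (which may contain spaces) or a bare word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Flag the entry classes a helper looks at first in a log like the ones in this thread."""
    findings = []
    for sec, body, line in parse_entries(log_text):
        if sec == "O15":
            m = O15_BODY.match(body)
            if m:
                findings.append(Finding(sec, line,
                    f"{m.group('site')} is in the IE Trusted Zone ({m.group('hive')}); "
                    "a home system normally has this zone empty"))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, line,
                "BHO CLSID is registered but its DLL is missing; orphaned registration"))
        elif sec == "O4":
            m = O4_BODY.match(body)
            if m and "\\" not in _command_image(m.group("cmd")):
                findings.append(Finding(sec, line,
                    f"[{m.group('name')}] names its image without a path; it is resolved "
                    "via the search path, so confirm which file actually runs"))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries removed by a fix, and entries that appeared since (e.g. a newly installed tool)."""
    b = {line for _, _, line in parse_entries(before)}
    a = {line for _, _, line in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


# Constructed excerpts (a few lines each) of the two logs posted in this thread.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
"""

AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
"""

if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.entry}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed by the fix, {len(added)} new entries")
```

On the excerpt, the only entry still flagged in the after-log is the O4 AlcxMonitor line, which is exactly the entry the helper fixed in a later post.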

Post by jcut » August 16th, 2006, 9:47 am

David,

I also have a question. I've done nothing more than you've said to do and won't. In browsing this forum, I've noticed instructions to unhide files for certain actions, running ewido in safe mode and in cases having to rename HijackThis in order to find things that hide. Is it possible that I could have something that's hiding, if not from this event, from a previous (perhaps unknown) one? I guess my biggest fear is having a keylogger or something that would compromise my security.

Just curious. Thanks!

Post by Nexus7 » August 16th, 2006, 1:06 pm

jcut,

You have nothing to worry about -- that malware package you were almost a victim of is loads of adware, not keyloggers or anything equally dangerous. As for what you've seen in other posts...

1) I did not have you unhide files because you didn't need to look for anything to delete.

2) Without any running malware on your system, an ewido scan in Normal Mode is more than enough.

3) Helpers have HJT renamed only in the case of a certain infection, whose signs are easily seen in the log. You do not have that infection.


Fix HijackThis Entries
Close all open windows.
Double-click on HijackThis.
Then click on the button that says Run a System Scan
For each of the following entries:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

...make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and Click Fix Checked.
Close HJT.


Congratulations! Your system is now clean! However, steps must be taken to ensure that you do not become the victim of future Malware infections.


Clean-Out System Restore Points:
To disable System Restore:
  • Click Start
  • Right-click My Computer, and then click Properties
  • On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives
  • Click Apply
  • A confirmation window will open, Click Yes
  • Click OK
Reboot your computer normally


Re-enable System Restore
  • Click Start
  • Right-click My Computer, and then click Properties
  • On the System Restore tab, uncheck Turn off System Restore or Turn off System Restore on all drives
  • Click Apply
  • Click OK

Enable TeaTimer
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure 'Advanced Mode' is selected
  • On the left hand side, choose Tools -> Resident
  • Check 'Resident TeaTimer' and OK any prompts
  • Restart your computer.

Make Windows Updates Automatic
Many Malware infections come from the exploitation of security flaws in Windows. Click Start -> right click on My Computer -> Click 'Properties' -> 'Automatic Updates' tab, and ensure that Automatic Updates are ON. Either install Windows XP Service Pack 2 through Automatic Updates, or directly by clicking here. It is VITAL that you upgrade to SP2, or else you will likely be reinfected within a short period of time.


Antivirus:
You have McAfee AV running. This is excellent. Make sure that it is automatically updating and that resident protection is enabled.


Firewall:
You mention that you're using an older version of ZoneAlarm. This is OK, but you are better protected by getting a newer program in its place (the newest ZA has major bugs). I recommend both Outpost and Sunbelt Kerio. Whatever you choose, make sure that you uninstall ZA first, and run ONLY one firewall at a time.


Install the Following Programs:
Thanks for using MalwareRemoval. If you are so moved, please consider donating to help in our future endeavors against the scourge of Malware (and to help more people like yourself!).

Take care, God Bless, and Happy Computing! :D
- David

Post by jcut » August 16th, 2006, 5:20 pm

Hi David,

I promise these are the last of my questions!

I've done everything you said through Spybot's TeaTimer and choked on Windows Updates and SP2. I used to update manually because with automatic updates, I think the internet lock on Zone Alarm would be on whenever it would try. When SP2 came out, I turned off automatic updates and stopped updating because I read of so many problems people had with it. Since then I've read that you can now only get SP2 via a disc, that you can't get it from updates anymore. Is that not true? When I do get SP2, how do I turn off the Windows firewall, and would there be any other adjustments to make? Would it change any settings I already have in IE that I would have to reset?

And should I keep all the applications you've had me download?

I thank you so much for your assistance. This website is such a wonderful service. I would like to make a donation but I don't have Paypal and honestly don't want to get Paypal. Is there an alternative way to donate as in via snail mail?

Many thanks,
JC

Post by jcut » August 16th, 2006, 7:46 pm

DAVID PLEASE HELP!

I just came to my computer and found a little box from Spybot-Search & Destroy.

It says: Spybot Search & Destroy has detected an important registry entry that has been changed.

Category: System Startup global entry
Change: Value changed

Entry: MCUpdateExe

Old Data: C:\PROGRA~1\mcafee.com\agent\mcupdat
New Data: c:\PROGRA~1\mcafee.com\agent\mcupdat

Below that, on the left is half a button (top half) with a box under it saying "Remember this decision" I can't read the word in the button.

Next to that is a square button with a question mark.

Next to that is a button "Info"

Next to that (to the right) is half a button which I can't read.

The only thing I've clicked on is "Info" and it says "No information found for this entry."

It seems like the window should be larger because the above is all that I can see and there's no way to maximize it, only close it.

I also think it's funny that the "c:\" next to New Data is a lower case c.

From the time I last left my computer until I came back, McAfee has not checked for updates but is asking to now.

Please tell me what to do!

Post by jcut » August 16th, 2006, 8:29 pm

I do apologize for the multiple replies. I had a "duh" moment and simply elongated the window (horizontally) to read that the last word in Old Data/New Data is mcupdate.exe. The only change from old to new is from the capital "C" to the lower case "c". I did check my original hijackthis log and saw that there were McAfee entries with a lower case "c". I hope the real problem here is that I simply can't read the words in the buttons and don't know which to click. I can't elongate the window vertically.

Post by Nexus7 » August 16th, 2006, 11:51 pm

jcut,

You are right -- there is nothing to worry about. The window problem is a known bug in Spybot and the work-around for it can be found here. For the record, the left button is Accept Change, and the right is Deny.

As for the applications you downloaded, ewido is an excellent anti-spyware scanner, and it's worth using periodically (though you have to update it manually once the trial period runs out). ATF-Cleaner is also worth using so long as you make sure not to delete your saved passwords in Firefox/Opera!

Service Pack 2 is a necessity today. Running without it is a ticket to certain compromise. It is important that you choose to allow Microsoft Update through your firewall, as that is the main way to get SP2 installed (it's also the easiest way), and to get the continual fixes Microsoft distributes for security holes. SP2 plays nicely with already-installed firewalls, and needs no further actions on your part. Simply install and be at peace.

As for donations via snail-mail...send a Private Message to ChrisRLG (he runs this site). You may be able to work something out. (Click the "You have no private messages" link near the MWR logo, and then click "New Post" and put in his name as the recipient).

If you have any more questions, or need something addressed, let me know. :)

- David

Post by jcut » August 17th, 2006, 3:44 pm

Thanks again, David. I accepted the change that TeaTimer informed me of. I hope that's okay. I'll try the SP2 download early next week after some houseguests leave. If I run into a problem with it, I'd rather not be stressed with them here! If I can have one last question, do I need to disable the anti-spyware and anti-virus applications to install SP2? I read somewhere that you should.

Post by Nexus7 » August 17th, 2006, 4:11 pm

jcut,

Yes, you did the right thing by accepting the change. I would recommend having TeaTimer turned off for the SP2 install, but otherwise you do not have any programs that should get in the way of your SP2 installation.

If you have any more questions, let me know! :)

- David

Post by 'KotaGuy » August 20th, 2006, 4:41 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.