Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

DDE Server Window, IE, Outlook Errors, Google Redirection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 8th, 2009, 4:08 pm

I fully understand how you feel - I know how scary it can be when things don't go as planned in the world of computers.

I've opened a topic regarding the validation issue, and if anything helpful arises I will, of course, let you know.

Please be aware that it may very well be that your Windows wasn't genuine all along and that the Daonol infection simply prevented the Windows Genuine Advantage tool from checking the legitimacy of your Windows. I cannot judge that, just saying it may be.

On the matter of malware issues: the Kaspersky scan is almost clean, some e-mails in Outlook Express are showing as infected. Unfortunately it does not show which exact mails those are. I'm 99% sure they are all the phish mails the Daonol infection made you send and receive, but it does not matter anyway as you said you now use Outlook :)

The good news is that the infection is indeed gone :)

I'd like to run one last check for that Daonol file, because it's really bothering me personally that I was wrong :D
Be assured that the file is 99,9% surely gone, and if it's still there it will be inactive. I just want to understand what I did wrong :) (Theories are the file might have self-destructed when we removed the loading point, this will prove those theories right or wrong).

So.... please click Start>Run and copy and paste this:
Code: Select all
cmd /c dir\/l/a/b/s|find/i "vwjaar.kck">"%Userprofile%\Desktop\PostThis.txt"

That command will make a full listing of all files on your computer, then filter out the Daonol file, then output that listing to the file PostThis.txt on your desktop. I would like you to post the contents of PostThis.txt file which will have appeared after running that command. If such a file does not appear, then it means the file is completely gone - which it, by the way, should have.

Also post a new hijackthis log and an uninstall list per these instructions:
  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place and post it in your next reply.

I promise I will get back on the issue regarding Windows Genuine Advantage as soon as possible.
Oh, and there's no need to run the ESET scan. :)
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
Advertisement
Register to Remove

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 8th, 2009, 11:34 pm

My MS Windows XP Pro OS was preinstalled on my computer which I purchased online from Hewlett-Packard.

After I received my new HP computer, I migrated my Outlook Express files from an older computer to the new
computer and converted to Outlook. This was more than two years ago.

**************

The PostThis.txt file was empty : )

**************

Here is the uninstall_list.txt file:

Adobe Flash Player 10 ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 7.0.9
AppCore
ArcSoft Panorama Maker 3
AV
ccCommon
Creative MediaSource
Customer Experience Enhancement
DivX
Easy CD & DVD Creator 6
Easy Internet Sign-up
ERUNT 1.1j
Garmin Trip and Waypoint Manager v4
Greeting Card Creator 32
High Definition Audio Driver Package - KB888111
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Memories Disc
HP Photo and Imaging 2.3 - Scanjet 4600 Series
HP Photosmart Premier Software 6.5
HP Support Overview
HP Update
HP Web Helper
Java(TM) 6 Update 13
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
MapSource - US Topo v3.02
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
My HP Games
Netscape Browser (remove only)
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
PC-Doctor 5 for Windows
Print Server Driver
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
Readiris Pro 8
RealPlayer
Remove WeatherBug Installer
Rhapsody
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster Audigy 4
SPBBC 32bit
Symantec Technical Support Web Controls
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Updates from HP (remove only)
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Yahoo! Toolbar for Internet Explorer

********************

Does the presence of Daonol explain the Trojan.KillAV that was supposedly blocked by Norton, and the behavior of
Outlook, i.e., error messages, malwareremoval activation e-mail apparently blocked ( I had to activate at work ),
and phishing e-mails sent out? Or was there a Rootkit?

In my original HijackThis log, there are several "file missing" entries for Symantec. Does this mean that the virus
damaged Norton Internet Security?

Thanks again for your help.
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 9th, 2009, 2:17 am

Does the presence of Daonol explain the Trojan.KillAV that was supposedly blocked by Norton, and the behavior of Outlook, i.e., error messages, malwareremoval activation e-mail apparently blocked ( I had to activate at work ), and phishing e-mails sent out? Or was there a Rootkit?
Daonol does explain everything, and there was no rootkit (GMER would have found it) :)

In my original HijackThis log, there are several "file missing" entries for Symantec. Does this mean that the virus damaged Norton Internet Security?
No. Hijackthis simply has a problem reporting whether a file is missed or not. It only does so reliably for O2 and O3 entries.

I recommend you to uninstall "WeatherBug Installer", as WeatherBug has been associated with minor malware.

Your version of Adobe Reader is old and may contain security leaks. Please first uninstall the older version, then download and install the newest version from here.

I will get back to you on the WGA issue shortly, I'm still waiting for more input.

If there are no more symptoms of malware, I'll give you my normal all-clean post in my next reply, if that's okay with you.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 9th, 2009, 9:23 am

Thanks for your professional help.

Steve
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 9th, 2009, 5:15 pm

You're most welcome :)

We'll use an official tool of Microsoft to examine your issue with validation more closely. Download MGADiag from here and save it to your Desktop.
  • Double click it to run it.
  • Click Continue.
  • Once the scan has completed, click Copy - this will transfer the results to your clipboard.
  • Paste them into your next reply.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 9th, 2009, 8:28 pm

Here are my MGADiag results:

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-9BJ82-4PCJX-2WPB6
Windows Product Key Hash: ueqMKpE2vjW53gyIDy01HDiTdPc=
Windows Product ID: 76487-OEM-2211906-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {BE1B5A74-6D27-4B2F-A60A-EDCBA8D4DF96}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.8.31.9
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.8.31.9
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Basic Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BE1B5A74-6D27-4B2F-A60A-EDCBA8D4DF96}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2WPB6</PKey><PID>76487-OEM-2211906-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-255984626-2427911087-1286077765</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>RB049AV-ABA d4650e</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 3.07</Version><SMBIOSVersion major="2" minor="4"/><Date>20060802000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>ACA3362F0184CE78</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>HP Pavilion</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.8.31.9"/><File Name="WgaLogon.dll" Version="1.8.31.9"/></GANotification></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91130409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Basic Edition 2003</Name><Ver>11</Ver><Val>7F5682473858F2C</Val><Hash>g31QDO8f7iSJBiU0f6lGn6VAGuk=</Hash><Pid>73102-OEM-5691806-47346</Pid><PidType>6</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E0D3:Compaq Computer Corporation|1E0D3:Compaq Computer Corporation|1E0D3:Hewlett-Packard Company|1005F:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A

*******************

Before I visited the MalWare Removal site, I had a Symantec technician work on my system remotely. After performing
various actions, including upgrading me from IE6 to IE7, she said that since the Registry kept refreshing and they were
not allowed to alter the Operating System, she had to stop at that point. Is this consistent with the behavior of the
Daonol virus? Do I need to do anything now to my Windows XP Pro OS?

Thanks for looking at the validation issue. I sent in a donation.
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 10th, 2009, 2:20 am

The diagnostic tool reports that your Windows is genuine.

If you get pop-ups which suggest otherwhise, they may be fake.

Is this consistent with the behavior of the Daonol virus? Do I need to do anything now to my Windows XP Pro OS?
Yes, Daonol prevents some diagnostic programs from running properly. Your computer looked fine in the last HJT log you posted, however if you're getting fake WGA messages you may have reinfected yourself :?
(Or Microsoft just has an issue they need to sort out).

If you're still getting those messages that your Windows is not genuine, please post a new Hijackthis log.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 10th, 2009, 11:13 am

I am not getting a pop-up; it is an installation wizard window. See attachment.

***************

Here is my new Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:01 AM, on 5/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/do ... ysinfo.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

****************

I sent an e-mail to Microsoft about the MGA installation wizard window. They should respond back in one business day.

****************

How do I see attachments to my posts?
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 10th, 2009, 11:57 am

The hijackthis log looks fine.

I'd like to see a full screenshot of your computer when the window comes up. When it's up, minimize or close everything you don't want to be visible to the public eye, then please press the Print Screen button on your keyboard. It's next to F12. Then open up Microsoft Paint and press Ctrl+V. Save the image to your desktop and upload it on this site: http://www.imageshack.us/
Just click Browse and browse to the image. After the image has been uploaded, copy the direct link to the image and put it in your next post.

Thanks.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 10th, 2009, 11:10 pm

This is the direct link:

http://img17.imageshack.us/img17/8263/startupscreen.png

In my previous post, I tried twice to upload an attachment with the same sceenshot in a MS Word file using the
Upload Attachment option but I did not see any evidence that it had worked or where it might be.

Thanks for following up on this. Microsoft should answer my e-mail tomorrow.
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 11th, 2009, 10:24 am

Aaaaaaaaaahhhh, now I understand!

There is a Windows update called "Windows Genuine Advantage Notifications".
It is most likely that Automatic Updates has successfully downloaded this update, and now wants you to install it. If you wish to, just install it, if not, go to the Windows Update website, choose Custom when prompted whether to take the express road or the custom, then tick the box under "Do not show this update again" under "Windows Genuine Advantage Notifications".

:D

Anything else I can do for you?

If all seems well, I would like to remove the tools we used from your computer, and then it's time for prevention tips :D

By the way - do you use any firewall software?
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 11th, 2009, 6:38 pm

Microsoft replied to my e-mail and confirmed what you said about the Windows Genuine Advantage Notifications.

I use Norton Internet Security. I also have a router.

Thanks for your help. You saved me a lot of time.
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 12th, 2009, 1:17 am

That's great news :cheers:

Open OTMoveIt3 (I had you download it a few posts earlier) and click CleanUp!
That will clean up a lot of the tools we used. Any which weren´t automatically removed you can remove by just deleting the file.

Below is my standard "All Clean"-post. :)

Purge System Restore
We've now arrived at the stage where we can clean the System Restore points. Malware can easily hide itself in System Restore points. This is BAD. While inside the restore point, it is completely harmless. But once you restore from that restore point, the malware will spread again.
To purge System Restore, please do the following:
  • First, launch System Restore (Start > All Programs > Accessories > System Tools > System Restore).
  • Choose the second option: Create a restore point. Name it something like All Clean.

    Now, for the actual purging:

  • Click Start > All Programs > Accessories > Disk Cleaner.
  • Wait for the program to load... this will take a few seconds.
  • Click the More Options tab, and click the Cleanup button under the System Restore heading. Click Yes if you're prompted whether you're sure.

  • Don't close the program yet.


Clean up some more leftovers
  • Get back to the previous tab. Tick the following items:
    • Temporary Internet Files
    • Offline Web Pages
    • Recycle Bin
    • Temporary Files
    • WebClient/Publisher temporary files
  • Click OK. If you're asked whether you're sure, click Yes.


If you don't have any other issues, then I think all the malware is gone!


Congratulations!

Image Image Image Image Image Image

As far as I can tell, you are CLEAN!


Image


Have a big cup of Image, sit back & relax, and now please follow a few of the following tips; they will dramatically reduce your chance of getting infected again.


  • Turn on Automatic Updates if you have not done so. It is MANDATORY to keep your Windows updated, otherwise you are vulnerable to exploits! To turn on Automatic Updates: click Start > Control Panel > Security Centre > Automatic Updates.

Below are optional items. They will increase your security, but are not really "needed". That said, I recommend following at least one of these tips.

  • Install WinPatrol from here. Instructions for use are here.

  • Install a custom hosts file. Let's say I have a directory of 640kb's worth of bad sites. Let's say I can make sure you will never be able to access those sites, so you will never get any infection from those sites. It's like blocking a site - without site blocking tools. How would you like to never be able to visit (a lot, but not all of the) malware-infected sites again? Well, now you can!
    First, we must disable a service, as Windows cannot work with a very large hosts file while that service is active. This will not affect anything else.
    The disabling routine:
    • Click Start, then Run
    • Copy and paste the following:
      Code: Select all
      sc config dnscache start= disabled
    • Click OK
    Next, you can download the custom hosts file from here. Installation instructions can be found there as well.

Please reply to this thread once more so we know it can be archived

Happy surfing!! :)
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby slrowe » May 12th, 2009, 8:05 pm

I apologize for taking up more of your time.

Clean Up Tools:

I had to use the Add or Remove Programs method for AntiMalware, ERUNT, and Hijackthis. Hijackthis was in the list twice.

****************

Purge System Restore:

I don't have start > All Programs > Accessories > Disk Cleaner,
but I do have start > All Programs > Accessories > System Tools > Disk Cleanup

Is this the same command? The first thing it asks is what drive to clean. I have
drive C: and drive D:. ( Drive D: is my HP_RECOVERY drive. )

****************

Turn On Automatic Updates:

start > Control Panel > Security Center > Automatic Updates
takes me to a window with a message which says -

The Security Center is currently unavailable because the Security Center service has not started or was stopped.

I confirmed that the wscsvc service is not running with the Net Start command, but if I click on the Automatic
Updates link, the next window shows that Automatic Updates is enabled.

****************

What does WinPatrol do?
slrowe
Banned Member
 
Posts: 31
Joined: April 23rd, 2009, 1:03 pm

Re: DDE Server Window, IE, Outlook Errors, Google Redirection

Unread postby Odd dude » May 13th, 2009, 1:41 am

I apologize for taking up more of your time.
I should be the one to apologize, for giving you flawed instructions. :oops:
I don't have start > All Programs > Accessories > Disk Cleaner,
but I do have start > All Programs > Accessories > System Tools > Disk Cleanup
That is an error on my behalf. Yes, it is the same command. Please select your C: drive when asked.
I confirmed that the wscsvc service is not running with the Net Start command, but if I click on the Automatic
Updates link, the next window shows that Automatic Updates is enabled.
Copy and paste this to notepad:
Code: Select all
@Sc config wscsvc start= auto>>"%Userprofile%\Desktop\PostMe.txt" 2>>&1
@Sc start wscsvc>>"%Userprofile%\Desktop\PostMe.txt" 2>>&1
@sc query wscsvc>>"%Userprofile%\Desktop\PostMe.txt" 2>>&1

Save it to your desktop as "RunMe.bat". Include the quotation marks when saving!
Double-click the file you just saved to run it. A black window opens and closes very quickly, and a file called PostMe.txt appears on your desktop. Post its contents in your next reply.
What does WinPatrol do?
It monitors your startup programs. If a change is made, you are alerted. It does not prevent malware, but it alerts you within a minute if something suspicious occurred. If you then start noticing strange behaviour it may be time to post another HijackThis log.
The advantage of the program is that it's very light on system resources and its notifications are pretty straightforward.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 293 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware