Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

help !hijacked by errorplace.com

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

help !hijacked by errorplace.com

Unread postby icethermal » August 9th, 2006, 12:06 am

Everytime I try to access the internet using IE I'm redirected to the errorplace.com . No matter what I enter in the address bar I get nowhere.

Here's the log file :
Logfile of HijackThis v1.99.1
Scan saved at 10:05:03 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wmiapsv.exe
C:\program files\desksite\bin\cma.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\rlvknlg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\hcqcudoA.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Valued Customer\Application Data\U3\0D505661607308A3\LaunchPad.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-us\msn_sl.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ouciyvx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: jimmyhelp.CBrowserHelper - {1E29F498-D490-43E2-A1B9-7E9E684F7AF4} - C:\WINDOWS\buyhd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [hcqcudoA] C:\WINDOWS\hcqcudoA.exe
O4 - HKCU\..\Run: [Esie] C:\Documents and Settings\Valued Customer\Application Data\eres.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: fxqbu.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?c4403ddb2943486bb74437a7fcaffc52
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?c4403ddb2943486bb74437a7fcaffc52
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2 ... 031120.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBF1F0E-EC85-4681-A9B5-D22212473D0B}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\fp4q03h5e.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hcqcudo.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida
Advertisement
Register to Remove

Unread postby 'KotaGuy » August 9th, 2006, 1:12 am

Hi icethermal!

Run HijackThis. Click the Misc Tools button. Then the Uninstall Manager button. Then the Save List button. Save the list to your Desktop and post the contents of it in your reply.

Thanks!
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

errorplace.com got uninst. list

Unread postby icethermal » August 11th, 2006, 10:09 am

I cannot access the internet on the infected computer so I have to transfer the info. Heres the list.


Ad-aware 6 Personal
Adobe Acrobat 5.0
America Online (Choose which version to remove)
AnswerWorks Runtime
AOL Coach Version 1.0(Build:20030807.3)
AOL Instant Messenger
ArcSoft Software Suite
ASAP Utilities
Autodesk Architectural Desktop 3.3
autoSearch
CLIE MS SCSI Driver
Command
DelFin Media Viewer
Digital Photo Navigator 1.0
Easy CD Creator 5 Basic
eMedia Guitar Method Vol. 1
eMedia Guitar Songs
Excel Utilities 1.5
Excel VBA Code Cleaner 4.4
Excel VBA Code Documentor 4.0
Forethought
HijackThis 1.99.1
HSP56 MR Drivers
InCD (Ahead Software)
InCD EasyWrite Reader (Ahead Software)
InterActual Player
iPod for Windows 2006-01-10
iriver Music Manager
iRiver Updater
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Kazaa Media Desktop 2.0.2
LimeWire
Macromedia Flash Player 8
Mahjong Towers II
MathType 5
McAfee SecurityCenter
McAfee VirusScan
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2003 Resource Kit
Microsoft Office PowerPoint 2003
Microsoft Office Professional Edition 2003
Microsoft Office Sounds
Microsoft Press Interactive Training
MS Export
MSN Messenger 7.5
MSN Music Assistant
MSN Search Toolbar
MyDSC2
Nero
NeroMediaPlayer
NeroVision Express (Ahead Software)
Network Monitor
Passware Kit 5.7
PictureGear 4.6Lite
PowerDVD
Presto! Image Folio 4.2
Presto! Mr.Photo 3
Quicklinks
QuickTime
Radio@Netscape
RealPlayer Basic
RelevantKnowledge
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Snowball Wars by OIN
Spybot - Search & Destroy 1.3
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Web Nexus Network
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPatrol 8.0
Wireless PCI Card Configuration Utility
XY Chart Labeler 6.22
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

Unread postby 'KotaGuy » August 11th, 2006, 4:35 pm

Thanks for posting the list.

I must make you aware of the seriousness of one of the infections on your computer.

You have an SDBot infection that drops a RootKit. This combination pretty much gives the infection and the people behind it full control of your computer to do whatever they want with it. As such... and you've probably figured this out... your computer has been totally compromised.

You have two choices...

1. Format your Hard Drive and reinstall Windows. This is probably your wisest choice as it would totally eliminate the infection and any additional damage done by it.

2. We can clean the infections. But even with doing so I, unfortunately, cannot guarantee the security of your computer afterwards as I have no way of knowing what other damage has been done by the RootKit/RAT.

Please let me know which route you wish to go with.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

ok lets try to clean them

Unread postby icethermal » August 12th, 2006, 10:02 am

ok , I understand. Lets try to clean the the infections. Any idea how they were introduced? thanks for your help
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

Unread postby 'KotaGuy » August 12th, 2006, 12:06 pm

All right.

Lets get rid of some junk first...

Click Start>Run type in appwiz.cpl and hit Enter. From the list uninstall the following:

autoSearch
Command
DelFin Media Viewer
Forethought
Java 2 Runtime Environment, SE v1.4.2_03
Kazaa Media Desktop 2.0.2
Network Monitor
Quicklinks
RelevantKnowledge
Snowball Wars by OIN
Spybot - Search & Destroy 1.3
Web Nexus Network
Windows Overlay Components


I've included Spybot and Java in there as those are old versions which we will update later.

Now can I get you to...
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply


Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

problems with uninstall

Unread postby icethermal » August 13th, 2006, 10:12 pm

-"autosearch" will not uninstall
- "command" will not uninstall :displays window"Can not find script file"C:\WINDOWS\VmFsdWkIEN1c3RvbWVy\pAIPxqp4KHhYwalSvqpV.vbs"
-Kazaa will not unistall displays error loading C:\WINDOWS\System32\cd_clint.dll " The specified module could not be found"
-"network monitor" will not uninstall " critical error"

The rest were removed

I'll run the combofix and post the log shortly

Thanks again
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

ran combofix

Unread postby icethermal » August 14th, 2006, 10:03 am

ran combofix 3x
-generated only 2 log files both which I opened with word pad and found no information other than the date.

- What do you think?
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

Unread postby 'KotaGuy » August 14th, 2006, 3:36 pm

Post a new HJT log for me please.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

hjt log

Unread postby icethermal » August 14th, 2006, 11:37 pm

heres the log
Logfile of HijackThis v1.99.1
Scan saved at 11:21:25 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiapsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\desksite\bin\cma.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Valued Customer\Application Data\U3\0D505661607308A3\LaunchPad.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: jimmyhelp.CBrowserHelper - {1E29F498-D490-43E2-A1B9-7E9E684F7AF4} - C:\WINDOWS\buyhd.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Esie] C:\Documents and Settings\Valued Customer\Application Data\eres.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: fxqbu.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?c4403ddb2943486bb74437a7fcaffc52
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?c4403ddb2943486bb74437a7fcaffc52
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2 ... 031120.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBF1F0E-EC85-4681-A9B5-D22212473D0B}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

Unread postby 'KotaGuy » August 15th, 2006, 12:27 pm

Download Blacklight. Save it to your Desktop for now. I'll get you to run it later.

Download Ewido Anti-Spyware. Install the program and make sure its updated. Don't scan with it yet.

Download SDFix and save the zip to your Desktop.

Download the PurityScan Uninstaller. Run it and let it do what it needs to.

Download CWShredder. Run it and click the Fix button. Close it when done.

Click Start>Run type in services.msc and hit Enter. In the list find Microsoft Performance WMI Adapter AddOn. Right click on it and choose Properties. Stop the service and change the Startup Type to Disabled. Exit the services console.

Print the rest of this out for reference during the fix as for part of it you won't be able to access the 'Net.

Run and scan with HJT and place checks beside the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: jimmyhelp.CBrowserHelper - {1E29F498-D490-43E2-A1B9-7E9E684F7AF4} - C:\WINDOWS\buyhd.dll
O4 - HKCU\..\Run: [Esie] C:\Documents and Settings\Valued Customer\Application Data\eres.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - Global Startup: fxqbu.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2 ... 031120.EXE
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe


Close all open broswers/windows and click the Fix button.

Boot into Safe Mode. To do this:
    1. Reboot your computer.
    2. Tap the F8 button as your computer is booting to bring you to the Advanced Options Menu.
    3. Select Safe Mode and press Enter.
Once in Safe Mode... make sure no files will be hidden. To do this:
    1. Click Start.
    2. Open My Computer.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide protected operating system files (recommended) option.
    7. Click Yes to confirm.
    8. Click OK.
Then search for and delete this folder:

C:\Program Files\AWS

Search for and delete these files:

C:\Documents and Settings\Valued Customer\Application Data\eres.exe
C:\WINDOWS\System32\lockx.exe

Run Ewido through a full scan. Save the logfile to your Desktop.

Then right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.


Once back in windows... run Blacklight and do a scan with it. Don't rename anything yet. Just save the log to your Desktop. It will save with a name like fsbl-**********.log(the asterisks are numbers).

Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt, the Ewido log, Blacklight log and a new HijackThis log into your next reply please.

You may need to split the logs over a couple posts so they don't get cut off.

Thanks!
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Here are the logs: ewido

Unread postby icethermal » August 18th, 2006, 10:41 am

Sorry I took so long to get back to you. I followed your instructions.

- eres.exe & \lockx.exe were not present.
- Ran Awido and but did not take any actions the log is posted


ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:26:31 AM 8/17/2006

+ Scan result:



C:\Program Files\Spybot - Search & Destroy\wspybotsd.exe -> Adware.Agent : No action taken.
C:\RECYCLER\S-1-5-21-823518204-1409082233-725345543-500\Dc1\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : No action taken.
C:\WINDOWS\system32\BO2802040113.dll -> Adware.BargainBuddy : No action taken.
C:\WINDOWS\system32\KVIF_11.dll -> Adware.BargainBuddy : No action taken.
C:\WINDOWS\system32\ezStub3.dll -> Adware.BargainBuddy : No action taken.
C:\WINDOWS\system32\in10b6s.dll/bi.dll -> Adware.BiSpy : No action taken.
C:\WINDOWS\system32\in10b6s.dll/biprep.exe -> Adware.BiSpy : No action taken.
HKLM\SOFTWARE\BPT -> Adware.BroadCastPC : No action taken.
HKLM\SOFTWARE\BPT\131.zip -> Adware.BroadCastPC : No action taken.
HKLM\SOFTWARE\BPT\132.zip -> Adware.BroadCastPC : No action taken.
HKLM\SOFTWARE\DInstaller2 -> Adware.BroadCastPC : No action taken.
C:\Program Files\PECarlin\PECarlin.exe -> Adware.CASClient : No action taken.
HKLM\SOFTWARE\DelFin -> Adware.Delfin : No action taken.
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : No action taken.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : No action taken.
HKU\.DEFAULT\Software\Policies\Avenue Media -> Adware.InternetOptimizer : No action taken.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : No action taken.
HKU\S-1-5-18\Software\Policies\Avenue Media -> Adware.InternetOptimizer : No action taken.
HKLM\SOFTWARE\midADdle -> Adware.MidAddle : No action taken.
C:\Program Files\NewDotNet -> Adware.NewDotNet : No action taken.
C:\Program Files\NewDotNet\readme.html -> Adware.NewDotNet : No action taken.
C:\WINDOWS\system32\chkdsk.dll -> Adware.PurityScan : No action taken.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : No action taken.
C:\WINDOWS\system32\rk.bin -> Adware.RK : No action taken.
C:\WINDOWS\Downloaded Program Files\WUInst.dll -> Adware.SaveNow : No action taken.
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : No action taken.
C:\Program Files\websearch -> Adware.TopMoxie : No action taken.
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Adware.WebSearch : No action taken.
C:\WINDOWS\wmiapsv.exe -> Backdoor.SdBot.aad : No action taken.
C:\defragsvc.exe -> Downloader.Adload.bo : No action taken.
C:\dfrgntfsdr.exe -> Downloader.Adload.bo : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KGDDCSIQ\wd7gi8n[1].exe -> Downloader.Agent.ala : No action taken.
C:\wd7gi8n.exe -> Downloader.Agent.ala : No action taken.
C:\Program Files\hijackthis\backups\backup-20060816-220219-218.dll -> Downloader.Lemmy.u : No action taken.
C:\WINDOWS\buyhd.dll -> Downloader.Lemmy.u : No action taken.
C:\WINDOWS\offun.exe -> Downloader.VB.nw : No action taken.
C:\526_620.exe -> Dropper.Mudrop.bq : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RE0TV6WR\526_620[1].exe -> Dropper.Mudrop.bq : No action taken.
C:\WINDOWS\system32\b3s.dll -> Dropper.Small.abe : No action taken.
C:\WINDOWS\system32\bAs.dll -> Dropper.Small.abe : No action taken.
C:\WINDOWS\system32\in9bjs.dll -> Dropper.Small.abe : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H2EW3OA9\SS1001[1].exe -> Dropper.Small.qn : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Valued Customer\Cookies\valued customer@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : No action taken.
C:\WINDOWS\system32ssec.exe -> Trojan.Runner.h : No action taken.
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : No action taken.


::Report end
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

other logs : sdfix and HJT

Unread postby icethermal » August 18th, 2006, 10:43 am

SDFix Version 1.11
***************

Scan Time/Date:

08:46 AM
Thu 08/17/2006

Microsoft Windows XP [Version 5.1.2600]

Running from directory:
C:\Documents and Settings\Valued Customer\Desktop\SDFix\SDFix

Stage One...

Checking Services:

Service Name
***********
wmipervaddon

Service File Path
*************
C:\WINDOWS\wmiapsv.exe

Deleting Services
**************
SUCCESS


Repairing SDBot Registry Changes....

Restoring Microsoft's default Hosts File

Adding Reg Key To Run On Reboot

Stage One Complete...

Rebooting!

Stage Two...

Removing Malware Files and Registry Entries
***********************************

Registry Cleaning Finished...

Checking For Malware Files...

C:\WINDOWS\wmiapsv.exe

Backing Up and Deleting any Files Found....


Finished :)

Logfile of HijackThis v1.99.1
Scan saved at 9:02:33 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\malware removal\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\program files\desksite\bin\cma.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\malware removal\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-us\msn_sl.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\malware removal\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?c4403ddb2943486bb74437a7fcaffc52
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?c4403ddb2943486bb74437a7fcaffc52
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBF1F0E-EC85-4681-A9B5-D22212473D0B}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\malware removal\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida

Unread postby 'KotaGuy » August 18th, 2006, 3:14 pm

Looking better.

Going to need to run Ewido again... should've told you to let it quarratine whatever it found... sorry about that.

Print this out for reference during the fix as you won't be able to access it while in Safe Mode.

So....

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act?
  • Click on Recommended Action and choose Quarantine from the popup menu.
[*]Under How to scan?
  • All checkboxes should be ticked.
[*]Under Possibly unwanted software:
  • All checkboxes should be ticked.
[*]Under Reports:
  • Select Automatically generate report after every scan and uncheck Only if threats were found.
[*]Under What to scan?
  • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
    Image
[*]When done, click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Post the new Ewido log and a new HijackThis log when done.

Thanks!
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

posting logs of ewido and hjt

Unread postby icethermal » August 19th, 2006, 8:19 pm

here are the logs.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:40:55 PM 8/19/2006

+ Scan result:



C:\Program Files\Spybot - Search & Destroy\wspybotsd.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-823518204-1409082233-725345543-500\Dc1\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINDOWS\system32\BO2802040113.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\KVIF_11.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ezStub3.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\in10b6s.dll/bi.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\in10b6s.dll/biprep.exe -> Adware.BiSpy : Cleaned with backup (quarantined).
HKLM\SOFTWARE\BPT -> Adware.BroadCastPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\BPT\131.zip -> Adware.BroadCastPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\BPT\132.zip -> Adware.BroadCastPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DInstaller2 -> Adware.BroadCastPC : Cleaned with backup (quarantined).
C:\Program Files\PECarlin\PECarlin.exe -> Adware.CASClient : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\BTB -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\BTB\IEToolbar -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\BTB\IEToolbar\Historysearch -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\BTB\IEToolbar\tb_items -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\BTB\SiteAllow -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\Softomate -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\Softomate\BAToolbar -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1409082233-725345543-1003\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\midADdle -> Adware.MidAddle : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\readme.html -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\chkdsk.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WUInst.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Program Files\websearch -> Adware.TopMoxie : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Valued Customer\Desktop\SDFix\SDFix\backups\backups.zip/backups/wmiapsv.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\defragsvc.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\dfrgntfsdr.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KGDDCSIQ\wd7gi8n[1].exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\Program Files\hijackthis\backups\backup-20060816-220219-218.dll -> Downloader.Lemmy.u : Cleaned with backup (quarantined).
C:\WINDOWS\buyhd.dll -> Downloader.Lemmy.u : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\526_620.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RE0TV6WR\526_620[1].exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\b3s.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bAs.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\WINDOWS\system32\in9bjs.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H2EW3OA9\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Valued Customer\Cookies\valued customer@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\WINDOWS\system32ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 4:46:01 PM, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\malware removal\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\program files\desksite\bin\cma.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\malware removal\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Valued Customer\Application Data\U3\0D505661607308A3\LaunchPad.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\malware removal\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?c4403ddb2943486bb74437a7fcaffc52
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?c4403ddb2943486bb74437a7fcaffc52
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBF1F0E-EC85-4681-A9B5-D22212473D0B}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\malware removal\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
icethermal
Regular Member
 
Posts: 16
Joined: August 8th, 2006, 11:57 pm
Location: florida
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 281 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware