Hi, Bod99, thank you so much for stopping to help me. I ran Vundo, like you said, but it didn't detect anything and didn't create a log. Is that a problem?
+ Created on: 10:35:58 PM, 6/6/2006
+ Report-Checksum: E25D2E58
+ Scan result:
C:\Documents and Settings\Kayla\Cookies\kayla@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kayla\Cookies\kayla@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 10:37:39 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Your new log is clean. Please post a reply to this thread on any problems you may still have.
Please also follow these instructions to keep your computer clean.
Step 1 - Microsoft Windows Update Click Start > All Programs > Windows Update. This will take you to the Windows Update site. Follow the instructions to download and install all of the latest critical updates. Repeat this as many times as necessary, until there are no more updates available. Reboot whenever instructed. Click Start > Control Panel > Security Centre and make sure that Automatic Updates are On.
Step 2 - Hide System Files Click Start > My Computer > Tools > Folder Options > View Tab. Un-check "Show hidden files and folders" in the Hidden files and folders section, and Select "Hide protected operating system files (recommended)" option. Click Yes > OK.
Step 3 - ATF Cleaner Run ATF Cleaner. Click on the check box to select the following options: Windows Temp, All Users Temp, Temporary Internet Files. Click "Empty Selected". Exit when finished.
Step 4 Create a clean system restore point Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" check box, then click "Apply". Reboot, then click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.
Step 5 - Make your Internet Explorer more secure Open Internet Explorer, click Tools > Options > Security tab > Internet icon to highlight > Custom Level, then select the following options:
Change "Download signed ActiveX controls" to "Prompt"
Change "Download unsigned ActiveX controls" to "Disable"
Change "Initialise and script ActiveX controls not marked as safe" to "Disable"
Change "Installation of desktop items" to "Prompt"
Change "Launching programs and files in an IFRAME" to "Prompt"
Change "Navigate sub-frames across different domains" to "Prompt"
Click "OK", then Apply. Click on the "Privacy" tab and move the slider up to "Medium High", then Apply > OK to exit the Internet Properties page.
Step 6 - Anti Virus Software It is very important that your computer has anti-virus software running on your machine and that it is kept up to date.
You have McAfee, so make sure it is updated at least weekly, preferably daily. If your anti-virus is a trial copy or your subscription has expired, you can use one of these, both of which have a free version for home, non-networked, single user use.
Grisoft AVG http://free.grisoft.com/doc/1
Avast http://www.avast.com/
Step 9 - Spybot Search & Destroy You have Spybot Search & Destroy from http://www.safer-networking.org/en/download/index.html Enable both of the TeaTimer and SD Helper options. Update this and scan your PC on a weekly basis.
Step 10 - SpywareBlaster Download and install Javacools SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html. When installed, run SpywareBlaster, click "Enable All Protection", then "Download Latest Protection Updates" and follow the instructions to download and enable the latest update. SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.
Step 11 - Java Update - This is essential, as earlier versions of Java can be exploited. Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7. Click the link "Download JRE 5.0 Update 7". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop. Then go back to your Desktop and double click "jre-1_5_0_07-windows-i586-p.exe" to start the install. Once you have it installed, click Start > Run, type in "appwiz.cpl" (without the quotes), and click "Enter". From the list, uninstall "J2SE Runtime Environment 5.0 Update 0".
Hopefully these will help keep your computer clean, glad I could be of assistance,
Bod99
561 Posts
0
June 4th, 2006 17:00
I'm Bod and here to help you with your Hijack This log.
Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.
I am currently looking over your log and as I am an undergraduate at Malware Removal University, everything that I post to you must be checked by an expert. There may therefore be a slight delay between posts. I will post back as soon as I can.
Thanks,
Bod
Bod99
561 Posts
0
June 4th, 2006 18:00
Hi,
I've had a look through your log and I now have some instructions for you to follow.
Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.
Step 1
Download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Make sure you click on the "Run VundoFix as a task" checkbox to put a tick in it
You will receive a message saying "vundofix will close and re-open in a minute or less". Click "OK"
When VundoFix re-opens, click "Scan for Vundo".
When the scan is complete, click "Remove Vundo".
You will receive a prompt, "Do you want to remove the files?", click "YES"
When completed, you will get a prompt that your computer will be shutdown, click "OK".
Re-start your computer.
A log file is generated, C:\vundofix.txt, I will need a copy of this log as part of your next post.
Step 2
Download, install, and update the free version of Ewido Anti Malware from http://www.ewido.net/en/download/.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click "OK". From the main Ewido screen, click on "update" in the left menu, then click "Start update".
After the update finishes, the status bar at the bottom will display "Update successful"
Click Scanner > Complete System Scan, and choose "Remove" then click "OK" for everything found. Beware of false positives, so check each item found before choosing to remove.
At the end of the scan, click "Save Report".
Please copy this log into your next post.
Step 3
Run Hijack This, "Scan" and post the log, together with the Vundofix and Ewido logs, as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
Knight of Midni
12 Posts
0
June 4th, 2006 22:00
Bod99
561 Posts
0
June 5th, 2006 09:00
Hi,
I had a feeling that you possibly had a new version of Vundo that the tool doesn't detect yet.
Don't worry, all is not lost!
Carry on with the Ewido scan for now, and let me have that log and the new Hijack This log,
Thanks,
Bod
Knight of Midni
12 Posts
0
June 7th, 2006 01:00
ewido anti-malware - Scan report
---------------------------------------------------------
+ Report-Checksum: E25D2E58
C:\Documents and Settings\Kayla\Cookies\kayla@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
::Report End
Scan saved at 10:37:39 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\igfxext.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kayla\Desktop\Utilities\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b19404c0-5a5f-46be-a86a-581b09d9ef9d} - C:\WINDOWS\system32\cmdhcp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: cmdhcp - C:\WINDOWS\SYSTEM32\cmdhcp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
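The correlation Bod is doing by eye in the log above (the same DLL registered as an unnamed BHO at O2 and as a Winlogon Notify package at O20) as an added example, not code from the thread or from HijackThis; the sample lines are constructed from the O2/O20 entries of the log above:

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) entries.

A DLL loaded into both Internet Explorer (as a Browser Helper Object) and
winlogon.exe (as a Notify package) is the pairing visible in the log above
for cmdhcp.dll: the BHO does the work, the Notify package keeps the file
locked and re-creates the BHO registration. Flagging that pairing is a
useful triage check when reading a log by hand.
"""
import re

# Constructed sample: the O2/O20 lines taken from the HijackThis log above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O2 - BHO: (no name) - {b19404c0-5a5f-46be-a86a-581b09d9ef9d} - C:\\WINDOWS\\system32\\cmdhcp.dll
O20 - Winlogon Notify: cmdhcp - C:\\WINDOWS\\SYSTEM32\\cmdhcp.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

# HijackThis line formats: "O2 - BHO: <name> - {<CLSID>} - <path>"
#                          "O20 - Winlogon Notify: <key> - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def norm(path):
    """Case-fold a path: HijackThis prints system32 / SYSTEM32 inconsistently."""
    return path.strip().lower()


def parse(log):
    """Split a log into its O2 (BHO) and O20 (Winlogon Notify) records."""
    bhos, notifies = [], []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": norm(m["path"])})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({"key": m["key"], "path": norm(m["path"])})
    return bhos, notifies


def suspicious_dlls(log):
    """Return every BHO whose DLL is also registered as a Winlogon Notify package.

    Each hit carries the path, the BHO CLSID (handy for the O2 line you would
    tick in HijackThis) and whether the BHO had no display name.
    """
    bhos, notifies = parse(log)
    notify_paths = {n["path"] for n in notifies}
    return [
        {"path": b["path"], "clsid": b["clsid"], "unnamed": b["name"] == "(no name)"}
        for b in bhos
        if b["path"] in notify_paths
    ]


if __name__ == "__main__":
    for hit in suspicious_dlls(SAMPLE_LOG):
        print("BHO + Winlogon Notify:", hit["path"], hit["clsid"], "unnamed" if hit["unnamed"] else "")
```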
Bod99
561 Posts
0
June 7th, 2006 17:00
Thanks for the logs.
Please go to http://www.virustotal.com/en/indexf.html, and follow the instructions to upload C:\WINDOWS\system32\cmdhcp.dll from your pc for a scan.
Please copy / paste the results into your next reply.
Thanks,
Bod
Knight of Midni
12 Posts
0
June 8th, 2006 01:00
Alright, I scanned and here's the results:
http://www.virustotal.com/vt/en/resultadof?3f63a059775f8a78c5e515db45fa4a68
http://i42.photobucket.com/albums/e336/Moony_san/scan.jpg
Hope that helps you. ^^;;
Message Edited by Knight of Midnight on 06-07-2006 10:04 PM
Bod99
561 Posts
0
June 8th, 2006 21:00
Link > http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=37089
==========
Hi again,
Thanks for the VirusTotal log. I've a couple of things for you to do next.
Step 1
Go to UploadMalware at http://www.uploadmalware.com/, and upload the file C:\WINDOWS\SYSTEM32\cmdhcp.dll from your pc, entering your Dell forum username (Knight of Midnight) and the url for this thread(http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=37089) into the appropriate fields.
Step 2
We'll try an on-line anti-virus scan next.
Please do an online scan with Kaspersky WebScanner at http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click "Yes".
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on "NEXT"
Now click on "Scan Settings"
In the scan settings, make sure that the following are selected:
"Scan using the following Anti-Virus database:"
Extended (if available otherwise Standard)
"Scan Options:"
Scan Archives
Scan Mail Bases
Click "OK"
Now under "select a target to scan:" Select "My Computer"
This program will start and scan your system. The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. Click on "Save as Text" and save the file to your desktop.
Post the KAV scan log in your next reply
Thanks
Bod
Knight of Midni
12 Posts
0
June 8th, 2006 23:00
Sure thing. I've got that log right here:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 08, 2006 8:42:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 9/06/2006
Kaspersky Anti-Virus database records: 199317
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 61468
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:52:32
Infected Object Name / Virus Name / Last Action
C:\Program Files\BitTorrent\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\BitTorrent\uninstall.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{C1B39F3F-1674-4F90-9F20-32808A803CA4}\RP59\A0125355.exe/stream/data0012 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{C1B39F3F-1674-4F90-9F20-32808A803CA4}\RP59\A0125355.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{C1B39F3F-1674-4F90-9F20-32808A803CA4}\RP59\A0125355.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\cmdhcp.dll Infected: Trojan-Downloader.Win32.ConHook.aa skipped
Scan process completed.
Bod99
561 Posts
0
June 10th, 2006 21:00
Hi again,
Thanks for your KAV5 log, I now have some more instructions for you to follow.
As always, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Step 1
Delete the copy of VundoFix that you downloaded earlier.
Download the new latest version of VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Make sure you click on the "Run VundoFix as a task" checkbox to put a tick in it
You will receive a message saying "vundofix will close and re-open in a minute or less". Click "OK"
When VundoFix re-opens, click "Scan for Vundo".
When the scan is complete, click "Remove Vundo".
You will receive a prompt, "Do you want to remove the files?", click "YES"
When completed, you will get a prompt that your computer will be shutdown, click "OK".
Re-start your computer.
A log file is generated, C:\vundofix.txt, I will need a copy of this log as part of your next post.
Step 2
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
Knight of Midni
12 Posts
0
June 11th, 2006 06:00
I've done as you asked, and here are the two new logs:
VundoFix V4.2.84
Running as SYSTEM
from c:\windows\system32\VundoFix.exe
Checking Java version...
Scan started at 3:13:08 AM 6/11/2006
Listing files found while scanning....
C:\WINDOWS\system32\cmdhcp.dll
Attempting to delete C:\WINDOWS\system32\cmdhcp.dll
C:\WINDOWS\system32\cmdhcp.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 3:18:55 AM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kayla\Desktop\Utilities\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.keiichianimeforever.com/boards
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
Bod99
561 Posts
0
June 11th, 2006 17:00
Hi,
Your new log is clean. Please post a reply to this thread on any problems you may still have.
Please also follow these instructions to keep your computer clean.
Step 1 - Microsoft Windows Update
Click Start > All Programs > Windows Update. This will take you to the Windows Update site. Follow the instructions to download and install all of the latest critical updates. Repeat this as many times as necessary, until there are no more updates available. Reboot whenever instructed.
Click Start > Control Panel > Security Centre and make sure that Automatic Updates are On.
Step 2 - Hide System Files
Click Start > My Computer > Tools > Folder Options > View Tab. Un-check "Show hidden files and folders" in the Hidden files and folders section, and select the "Hide protected operating system files (recommended)" option. Click Yes > OK.
Step 3
Download ATF Cleaner from http://www.atribune.org/ccount/click.php?id=1
Run ATF Cleaner. Click on the check box to select the following options:
Windows Temp
All Users Temp
Temporary Internet Files
Click "Empty Selected". Exit when finished.
Step 4 - Create a clean system restore point
Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" check box, then click "Apply". Reboot, then click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.
Step 5 - Make your Internet Explorer more secure
Open Internet Explorer, click Tools > Options > Security tab > Internet icon to highlight > Custom Level, then select the following options:
Change "Download signed ActiveX controls" to "Prompt"
Change "Download unsigned ActiveX controls" to "Disable"
Change "Initialise and script ActiveX controls not marked as safe" to "Disable"
Change "Installation of desktop items" to "Prompt"
Change "Launching programs and files in an IFRAME" to "Prompt"
Change "Navigate sub-frames across different domains" to "Prompt"
Click "OK", then Apply
Click on the "Privacy" tab and move the slider up to "Medium High", then Apply > OK to exit the Internet Properties page.
Step 6 - Anti Virus Software
It is very important that your computer has anti-virus software running and that it is kept up to date.
You have McAfee, so make sure it is updated at least weekly, preferably daily. If your anti-virus is a trial copy or your subscription has expired, you can use one of these, both of which have a free version for home, non-networked, single user use.
Grisoft AVG http://free.grisoft.com/doc/1
Avast http://www.avast.com/
For more information on anti-virus programs see http://forum.malwareremoval.com/viewtopic.php?p=53#53
Step 7 - Firewall
You have Tiny Personal Firewall, make sure it's kept up to date.
For more information on firewalls see http://forum.malwareremoval.com/viewtopic.php?p=56#56
Step 8 - Windows Defender
Download and install Windows Defender from http://www.microsoft.com/athome/security/spyware/software/default.mspx
Step 9 - Spybot Search & Destroy
You have Spybot Search & Destroy from http://www.safer-networking.org/en/download/index.html
Enable both of the TeaTimer and SD Helper options. Update this and scan your PC on a weekly basis.
Step 10 - SpywareBlaster
Download and install Javacools SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html. When installed, run SpywareBlaster, click "Enable All Protection", then "Download Latest Protection Updates" and follow the instructions to download and enable the latest update.
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.
Step 11 - Java Update - This is essential; earlier versions of Java can be exploited
Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7.
Click the link "Download JRE 5.0 Update 7". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_07-windows-i586-p.exe" to start the install.
Once you have it installed, click Start > Run, type in "appwiz.cpl" (without the quotes), and click "Enter".
From the list, uninstall "J2SE Runtime Environment 5.0 Update 0".
Hopefully these will help keep your computer clean. Glad I could be of assistance,
Bod
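The six Custom Level settings in Step 5 can also be audited from the registry, where Internet Explorer stores them, rather than by clicking through the dialog. This is an added PowerShell example and not part of Bod's post; it assumes the standard numeric value names Internet Explorer uses for the Internet zone (zone 3) under HKCU, and that no Group Policy is overriding the per-user zone settings.

```powershell
# Added example (not from the original thread): audit the six Internet-zone
# settings recommended in Step 5 by reading them from the registry.
# Zone 3 is the "Internet" zone; the numeric value names are the ones IE
# stores for each Custom Level item. Stored values: 0 = Enable, 1 = Prompt,
# 3 = Disable. Assumes per-user (HKCU) settings are the ones in effect.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> label shown in the Custom Level dialog and the value Step 5 asks for
$Recommended = [ordered]@{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Label = 'Initialise and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Label = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Want = 1 }
}

function ConvertTo-ZoneWord([int]$Value) {
    switch ($Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($Value)" } }
}

# Returns one object per setting with its current and recommended state.
# With -Fix, any setting weaker than recommended is written back to the
# recommended value (a DWORD under the zone key).
function Test-InternetZoneSettings {
    param([switch]$Fix)
    $current = Get-ItemProperty -Path $ZonePath
    foreach ($name in $Recommended.Keys) {
        $want = $Recommended[$name].Want
        $have = $current.$name
        $ok   = ($have -eq $want)            # $null (value absent) compares as not compliant
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $name -Value $want -Type DWord
        }
        [pscustomobject]@{
            Setting     = $Recommended[$name].Label
            Current     = if ($null -eq $have) { 'Not set (zone default)' } else { ConvertTo-ZoneWord $have }
            Recommended = ConvertTo-ZoneWord $want
            Compliant   = $ok
        }
    }
}

# Report only; add -Fix to apply the Step 5 values to any non-compliant setting.
Test-InternetZoneSettings | Format-Table -AutoSize
```

A "Not set" result means the value has never been changed from the zone's default level, so the dialog's current selection is whatever that default is; re-check the dialog or run with -Fix to make it explicit.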
Knight of Midni
12 Posts
0
June 11th, 2006 23:00
Bod99
561 Posts
0
June 12th, 2006 09:00
My pleasure, glad I could help.
Bod