My latest hijackthis logfile. Things are much better.
Thanks for all your help so far. Please let me know what I need to do on an on-going basis to keep my computer clean.
Jim
Logfile of HijackThis v1.99.1
Scan saved at 8:42:23 PM, on 03/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
We're not quite out of the woods yet; there's still a couple of entries that we need to remove, then try running a different scan, just to see if it can pick up something that HiJackThis can't see.
Run HiJackThis and click "Scan", then check(tick) the following, if present:
1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Midnight Star
March 9th, 2005 01:00
Hello! and welcome to the Dell forums.
-
This is quite a list! Among other things, you also have a potential Horseserver infection that we'll deal with here shortly (and you'll need to change any passwords you've used while on that system). Also, look this over before beginning the fix, since there are some item(s) here that I'm not familiar with; if you see any you recognize, omit them from the fix.
Let's start with these...
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Reboot your computer into "Safe Mode".
Next, locate CWShredder that you downloaded earlier and run it, then:
1. Click "Check For Update"
(If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"
Download, unzip to your desktop About:Buster and run it, then:
Locate About:Buster that you downloaded earlier and run it, then:
1. Click "Update".
2. Click "Check For Update"
(If no new version is available, skip to step #4.)
3. Click "Download Update", and wait for it to be installed.
4. Click "Start".
(Wait for the initial ADS scan to complete.)
5. Click "Yes", to shut down any IE session currently open.
(Wait for the about:blank scan to complete.)
6. Click "Ok", to scan once more.
7. Click "Yes", to shut down any IE sessions currently open.
8. Click "Yes", to begin the second pass.
9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
Reboot your computer normally.
Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:
1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:
WToolsA.exe*
WSup.exe*
msdrig.exe*
xaccover.exe*
tmp10.tmp*
sprmover.exe*
connmie.exe*
dxconf.exe*
2) Then if any are found in the 'prefetch' folder, delete them.
Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
Go to Add/Remove programs and remove (uninstall) the following, if present:
Bullseye Networks
TV Media
Web Related
WinTools
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
Download LSPFix and unzip to your desktop, then run it. Now, we need to:
1. Check(tick) "I know what I'm doing".
2. Click on (highlight) each occurrence of the following, one at a time:
calsp.dll
3. Then click ">>", moving each one, individually, to the 'Remove' pane.
4. (Double-check, and make sure that only the above files are in the 'Remove' pane.)
5. Click "Finish >>"
Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
-
Now, locate and 'stop' the following services, if present:
WinTools for IE service (WinToolsSvc) owner ... (C:\Program Files\Common Files\WinTools\WToolsS.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\TEMP\ICD1.tmp\svcmm32.exe
C:\WINDOWS\System32\msdrig.exe
C:\Program Files\Bpt\bpt.exe
C:\WINDOWS\System32\xaccover.exe
C:\DOCUME~1\JIMO'H~1\LOCALS~1\Temp\tmp10.tmp
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\connmie.exe
C:\WINDOWS\System32\dxconf.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u msdum.dll
regsvr32 /u WToolsB.dll
regsvr32 /u WToolsT.dll
regsvr32 /u sfcman32.dll
regsvr32 /u iecustom32.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax3/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/umax3/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax3/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax3/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll (file missing)
O2 - BHO: Name - {7DEFF7A2-8C03-4B62-B403-80D97EE46667} - C:\WINDOWS\System32\msdum.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: (no name) - {C23699ED-EE42-4D4E-B511-98AEB8CE1883} - C:\WINDOWS\System32\sfcman32.dll
O2 - BHO: Name - {F883E882-437F-4CA2-A9F0-475AD8917078} - C:\WINDOWS\System32\msdum.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: Search - {467068CE-3D5E-F9F7-8369-43983925A9E1} - C:\WINDOWS\Awmowpsc.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [fzoxzc] C:\WINDOWS\System32\fzoxzc.exe
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bcre.exe"
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [337O35S] msdrig.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Jim O'Harra\Application Data\Microsoft\sr64\kihajajd.exe
O4 - HKCU\..\Run: [I0oERRemj] xaccover.exe
O4 - Startup: winupdate15735334[1].exe
Midnight Star
March 9th, 2005 02:00
... (Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - DefaultPrefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - WWW Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Home Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Mosaic Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{093E53BE-1851-4490-A3FD-BAC4011C16D6}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FCF6CDE-B2AA-482C-A115-9A590F074008}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A920844E-5787-4169-92F6-9DFE4AC03A05}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{093E53BE-1851-4490-A3FD-BAC4011C16D6}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{093E53BE-1851-4490-A3FD-BAC4011C16D6}: NameServer = 69.50.184.84,195.225.176.37
...(Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.)
O18 - Filter: text/html - {19FF17A8-6C29-459E-B1B4-6E14E3EE7295} - C:\WINDOWS\System32\sfcman32.dll
O18 - Filter: text/plain - {19FF17A8-6C29-459E-B1B4-6E14E3EE7295} - C:\WINDOWS\System32\sfcman32.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\gpnml3511.dll (file missing)
O21 - SSODL: NTDBGTOOL - {5660AF4D-E7CD-4542-999B-735826593C7E} - C:\WINDOWS\System32\ebayawex.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\Program Files\Common Files\WinTools
C:\WINDOWS\TEMP\ICD1.tmp
C:\Program Files\Bpt
C:\Program Files\TV Media
C:\PROGRA~1\COMMON~1\WinTools
C:\Program Files\BullsEye Network
files...
C:\WINDOWS\System32\msdrig.exe
C:\WINDOWS\System32\xaccover.exe
C:\DOCUME~1\JIMO'H~1\LOCALS~1\Temp\tmp10.tmp
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\connmie.exe
C:\WINDOWS\System32\dxconf.exe
C:\WINDOWS\System32\sfcman32.dll
C:\WINDOWS\System32\msdum.dll
C:\WINDOWS\System32\iecustom32.dll
C:\WINDOWS\System32\fzoxzc.exe
C:\Documents and Settings\Jim O'Harra\Application Data\Microsoft\sr64\kihajajd.exe
c:\windows\system32\calsp.dll
C:\WINDOWS\System32\ebayawex.dll
Search for...
msdrig.exe
sysobj.exe
open32.exe
snim.dll
xaccover.exe
winupdate15735334[1].exe
...using "Start | Search...".
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Post back a new log, and let me know how everything goes.
-
Mike.
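As an added example (not code from this thread, from HijackThis, or from its author), here is a small Python triage helper for HijackThis log entries of the kind Mike lists above. It flags the patterns his fix list targets: R0/R1 search pages served from a local DLL resource or a bare IP, O2/O3/O9/O20 registrations whose file is missing, O4 autoruns that run by bare filename or out of temp/profile directories, O17 NameServer values that are not the ISP's resolvers (the caveat above), and O18 filters hooked on text/html. The sample entries are copied from this thread's logs; the names triage, autorun_target, parse_entry, Finding and SUSPICIOUS_DIRS are my own, and EXPECTED_DNS is a constructed placeholder for the ISP's real DNS servers.

```python
import re
from dataclasses import dataclass

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
O4_RE = re.compile(r"^.*?\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autorun locations a legitimate installer almost never uses (lower-cased substrings).
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line):
    """Split one log line into (section, body); None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def autorun_target(cmd):
    """Return the file an O4 command actually launches (for rundll32, the DLL argument)."""
    if cmd.startswith('"'):
        first, _, rest = cmd[1:].partition('"')
    else:
        first, _, rest = cmd.partition(" ")
    if first.lower().endswith("rundll32.exe"):
        first = rest.strip().split(" ")[0].rstrip(",")
    return first


def triage(log_lines, expected_dns):
    """Return the entries a responder should read first.

    expected_dns is the set of resolver IPs that are legitimate for this host; as the
    thread notes for O17, a NameServer entry is only a hijack when it is not the ISP's."""
    findings = []
    for raw in log_lines:
        parsed = parse_entry(raw)
        if not parsed:
            continue
        sec, body = parsed
        if sec in ("R0", "R1"):
            value = body.partition(" = ")[2]
            host = re.sub(r"^https?://", "", value).split("/")[0]
            if value.startswith("res://") or "(obfuscated)" in value:
                findings.append(Finding(sec, "search page served from a local DLL resource", raw))
            elif IPV4_RE.match(host):
                findings.append(Finding(sec, "start page points at a bare IP address", raw))
        elif sec in ("O2", "O3", "O9", "O20") and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(sec, "dangling registration, file missing", raw))
        elif sec == "O4":
            m = O4_RE.match(body)
            cmd = m.group("cmd") if m else body.partition(": ")[2]
            target = autorun_target(cmd)
            if "\\" not in target:
                findings.append(Finding(sec, "autorun by bare filename (resolved via PATH)", raw))
            elif any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding(sec, "autorun from temp or user-profile directory", raw))
        elif sec == "O17":
            servers = body.partition(" = ")[2].split(",")
            rogue = [ip.strip() for ip in servers if ip.strip() not in expected_dns]
            if rogue:
                findings.append(Finding(sec, "NameServer not in expected set: " + ",".join(rogue), raw))
        elif sec == "O18" and "text/html" in body:
            findings.append(Finding(sec, "MIME filter hooked on text/html", raw))
    return findings


# Constructed sample: entries copied from this thread's logs, mixed with clean ones.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [337O35S] msdrig.exe
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Jim O'Harra\Application Data\Microsoft\sr64\kihajajd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{093E53BE-1851-4490-A3FD-BAC4011C16D6}: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {19FF17A8-6C29-459E-B1B4-6E14E3EE7295} - C:\WINDOWS\System32\sfcman32.dll
""".splitlines()

# Constructed placeholder for the ISP's real resolvers (documentation range, not a real ISP).
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_DNS):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The three clean entries (the blank.htm search page, the McAfee toolbar and the Dell Support autorun) pass through unflagged, which is the point: the rules key on where a thing loads from, not on its name.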
toharra
March 9th, 2005 11:00
Thanks Mike!! I appreciate your help. It'll take me a while to get thru all of this so as soon as I complete the steps I will post back.
Again, Thanks!!
Jim
Midnight Star
March 10th, 2005 21:00
Jim,
Ok. Let me know how everything goes. Sometimes it takes more than one pass, to completely remove everything.
-
Mike.
toharra
March 11th, 2005 02:00
Mike, Part 2
What we checked: Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results: We have detected 0 Trojan horse program(s) and worm(s) on your computer.
Trojan/Worm Name
Trojan/Worm Type
Spyware Check
62 spyware programs detected
What we checked: Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results: We have detected 62 spyware(s) on your computer.
Spyware Name - Spyware Type
ADW_BKDSPACE.A - Adware
ADW_DNSERR.A - Adware
ADW_MIWAY.A - Adware
ADW_SEARCHAID.A - Adware
ADW_2020SEARCH.A - Adware
ADW_SECTHOUGHT.A - Adware
BHO_ClientMan.A - Browser Help Object
BHO_ClientMan.B - Browser Help Object
BHO_ClientMan.C - Browser Help Object
BHO_ClientMan.H - Browser Help Object
BHO_ClientMan.M - Browser Help Object
BHO_ClientMan.N - Browser Help Object
COOKIE_222 - Cookie
SPYW_CLIENTMAN.A - Spyware
SPYW_TIBS.A - Spyware
BHO_ZSEARCH.A - Browser Help Object
ADW_MYDLYSCOPE.A - Adware
ADW_BARGAIN.A - Adware
BHO_MEGASEARCH.A - Browser Help Object
ADW_TWAINTECH.A - Adware
ADW_BINET.C - Adware
SPYW_IESEARCH.A - Spyware
ADW_SRCHENH.A - Adware
ADW_WINAD.B - Adware
ADW_BARGBUDDY.C - Adware
ADW_NAVISEARCH.B - Adware
SPYW_IMISERV.C - Spyware
BHO_IEPlugin.A - Browser Help Object
SPYW_AGENT.HS - Spyware
BHO_NetworkEs.A - Browser Help Object
SPYW_BISPY.A - Spyware
ADW_NETPALS.A - Adware
ADW_TOPCONV.A - Adware
ADW_FRESHBAR.A - Adware
SPYW_STINTER.A - Spyware
ADW_SAHAGENT.A - Adware
ADW_SCBAR.A - Adware
ADW_WEBOFFER.A - Adware
DIAL_TIBS.H - Dialer
HKTL_BRUTFORCE.A - Hacking Tool
ADW_HuntBar.F - Adware
ADW_POPBAR.A - Adware
COOKIE_6853 - Cookie
SPYW_WEBSEARCH.A - Spyware
SPYW_SEEKSEEK.A - Spyware
COOKIE_3234 - Cookie
COOKIE_3235 - Cookie
ADW_APROPOS.51 - Adware
ADW_DEALHLPR.A - Adware
ADW_2020SEARCH.B - Adware
ADW_SECTHOUGHT.E - Adware
ADW_CASHBACK.A - Adware
ADW_SMARTP.A - Adware
SPYW_DCTOOLBAR.A - Spyware
ADW_FlashTrack.A - Adware
ADW_BCPC.A - Adware
ADW_ADDESTROY.A - Adware
ADW_IPSENTRY.A - Adware
ADW_TVMEDIA.C - Adware
ADW_HYPLINKER.A - Adware
ADW_WEBOFFER.B - Adware
ADW_DEALHELP.A - Adware
toharra
March 11th, 2005 02:00
Mike, Part 3
What we checked: Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results: We have detected 14 vulnerability/vulnerabilities on your computer.
Risk Level - Issue - How to Fix
Critical: This vulnerability enables a remote attacker to execute arbitrary code by creating an .MP3 or .WMA file that contains a corrupt custom attribute. This is caused by a buffer overflow in the Windows Shell function in Microsoft Windows XP. Fix: MS02-072
Highly Critical: This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. Fix: MS03-001
Highly Critical: This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. Fix: MS03-007
Highly Critical: This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. Fix: MS03-014
Critical: This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. Fix: MS03-023
Critical: This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when the system is low on memory. Fix: MS03-041
Critical: This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused by a buffer overflow in the Messenger Service for Windows NT through Server 2003. Fix: MS03-043
Critical: The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system. Fix: MS04-013
Critical: This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. Fix: MS04-015
Moderate: This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games. An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. Fix: MS04-016
Moderate: A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. Fix: MS04-018
Critical: This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. Fix: MS04-022
Critical: An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. Fix: MS04-023
Important: A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. Fix: MS05-004
toharra
March 11th, 2005 02:00
Hi Mike,
I'll have to post the housecall log in different messages. It is too large to send in 1.
Thanks. Jim
Virus Scan
26 viruses detected
Results: We have detected 26 infected file(s) with 26 virus(es) on your computer.
Detected File - Associated Virus Name
C:\Documents and Settings\Jim O'Harra\Application Data\Microsoft\sr64\sr32.dll - TROJ_RANKY.A
C:\Program Files\CxtPls\uninstaller.exe - TROJ_APROPOS.A
C:\Program Files\XML\t.bak - TROJ_RVP.D
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP108\A0014639.exe - TROJ_AGENT.AE
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP108\A0014640.exe - TROJ_AGENT.AE
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP108\A0014641.exe - TROJ_SMALL.XC
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP108\A0014642.exe - TROJ_SMALL.XC
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP108\A0014643.exe - TROJ_AGENT.EG
C:\WINDOWS\Downloaded Program Files\sl.ocx - TROJ_AGENT.EX
C:\WINDOWS\SYSTEM32\1802.dll - TROJ_MIEWER.A
C:\WINDOWS\SYSTEM32\asrccr32.exe - TROJ_APROPOS.A
C:\WINDOWS\SYSTEM32\bcs.dll - TROJ_SMALL.GV
C:\WINDOWS\SYSTEM32\bcs.dlltmp - TROJ_SMALL.GV
C:\WINDOWS\SYSTEM32\calsp.dll - TROJ_AGENT.CAC
C:\WINDOWS\SYSTEM32\cdsm32.dll - TROJ_STARTPGE.CM
C:\WINDOWS\SYSTEM32\dmr_install.exe - TROJ_SCTHOUGHT.H
C:\WINDOWS\SYSTEM32\iecustom32.dll - TROJ_STARTPGE.CW
C:\WINDOWS\SYSTEM32\inis2.exe - TROJ_APROPOS.A
C:\WINDOWS\SYSTEM32\mquca.exe - TROJ_APROPO.C
C:\WINDOWS\SYSTEM32\msdrig.exe - TROJ_ENVOLO.A
C:\WINDOWS\SYSTEM32\mseggo.gif - TROJ_DELF.MC
C:\WINDOWS\SYSTEM32\sfcman32.dll - TROJ_STARTPGE.CX
C:\WINDOWS\SYSTEM32\sicon.dll - TROJ_MIEWER.B
C:\WINDOWS\SYSTEM32\ss.dll - TROJ_MIEWER.C
C:\WINDOWS\SYSTEM32\xaccover.exe - TROJ_ENVOLO.A
C:\WINDOWS\Temp\~apropos0\ph.exe - TROJ_APROPO.C
toharra
March 13th, 2005 11:00
Hi Mike,
I finally made it through all of your instructions.
Here is the latest Hijackthis logfile.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 8:46:14 AM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\MSMSGS.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Hek] C:\WINDOWS\Kqt.exe
O4 - HKCU\..\Run: [Glk] C:\WINDOWS\Mjn.exe
O4 - HKCU\..\Run: [Ket] C:\WINDOWS\System32\Rac.exe
O4 - HKCU\..\Run: [Sea] C:\WINDOWS\System32\Pjl.exe
O4 - HKCU\..\Run: [Fim] C:\WINDOWS\Jpr.exe
O4 - HKCU\..\Run: [Eqd] C:\WINDOWS\System32\Nkv.exe
O4 - HKCU\..\Run: [Vdf] C:\WINDOWS\System32\Uft.exe
O4 - HKCU\..\Run: [Dlj] C:\WINDOWS\System32\Nga.exe
O4 - HKCU\..\Run: [Rrh] C:\WINDOWS\System32\Mjt.exe
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (SL Control) - http://static.topconverting.com/activex/sl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4438/mcfscan.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
Midnight Star
4.8K Posts
0
March 13th, 2005 17:00
Let's continue with the fix...
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [Hek] C:\WINDOWS\Kqt.exe
O4 - HKCU\..\Run: [Glk] C:\WINDOWS\Mjn.exe
O4 - HKCU\..\Run: [Ket] C:\WINDOWS\System32\Rac.exe
O4 - HKCU\..\Run: [Sea] C:\WINDOWS\System32\Pjl.exe
O4 - HKCU\..\Run: [Fim] C:\WINDOWS\Jpr.exe
O4 - HKCU\..\Run: [Eqd] C:\WINDOWS\System32\Nkv.exe
O4 - HKCU\..\Run: [Vdf] C:\WINDOWS\System32\Uft.exe
O4 - HKCU\..\Run: [Dlj] C:\WINDOWS\System32\Nga.exe
O4 - HKCU\..\Run: [Rrh] C:\WINDOWS\System32\Mjt.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
files...
C:\WINDOWS\Kqt.exe
C:\WINDOWS\Mjn.exe
C:\WINDOWS\System32\Rac.exe
C:\WINDOWS\System32\Pjl.exe
C:\WINDOWS\Jpr.exe
C:\WINDOWS\System32\Nkv.exe
C:\WINDOWS\System32\Uft.exe
C:\WINDOWS\System32\Nga.exe
C:\WINDOWS\System32\Mjt.exe
Search for...
snim.dll
...using "Start | Search...".
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Post back a new log, and let me know how everything goes.
-
Mike.
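Mike's post above picks out three kinds of entry from the HijackThis log: a Rundll32 Run value that loads a DLL by bare name (snim.dll), a run of three-letter HKCU Run values that each start a three-letter executable dropped straight into C:\WINDOWS or System32, and a service (ISEXEng) whose binary is reported missing. As an added example, not HijackThis's own logic and not code from the forum post, the Python script below parses O4 and O23 lines in the format the logs in this thread use and flags those patterns, plus the SVCHOST-named Run value pointing at click3.exe that appears later in the thread. The sample lines are constructed in the thread's log format, and the heuristics, the SYSTEM_NAMES list and the BARE_DIRS set are my own assumptions.

```python
"""Triage HijackThis-style log lines for the persistence patterns seen in this thread.

Added example (my own code, not HijackThis's and not from the forum post). The
sample lines are constructed in the format HijackThis v1.99.1 prints; the
heuristics and the SYSTEM_NAMES / BARE_DIRS lists are my own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: O4 (Run key) and O23 (service) lines in the thread's log
# format, mixing legitimate entries with the ones Mike asked to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Hek] C:\WINDOWS\Kqt.exe
O4 - HKCU\..\Run: [Ket] C:\WINDOWS\System32\Rac.exe
O4 - HKCU\..\Run: [SVCHOST] C:\WINDOWS\System32\click3.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: a short list of Windows process names that Run values like to borrow.
SYSTEM_NAMES = {"svchost", "lsass", "winlogon", "services", "csrss", "explorer", "smss"}
# Assumption: directories where a bare three-letter .exe is unusual for real software.
BARE_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run command into (program, arguments). A quoted program is taken
    verbatim; an unquoted one runs up to '.exe' (unquoted paths with spaces are
    otherwise ambiguous), else to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[: idx + 4], cmd[idx + 4:].strip()
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def _split_path(path: str) -> Tuple[str, str, str]:
    """Split a Windows path into (lowercase directory, lowercase stem, lowercase extension)."""
    path = path.lower()
    directory, _, filename = path.rpartition("\\")
    if "." in filename:
        stem, ext = filename.rsplit(".", 1)
    else:
        stem, ext = filename, ""
    return directory, stem, ext


def check_run_entry(hive: str, name: str, cmd: str) -> List[str]:
    """Return the reasons (possibly none) an O4 Run entry looks like the thread's malware."""
    exe, args = _split_command(cmd)
    directory, stem, _ = _split_path(exe)
    reasons = []
    # Rundll32 handed a DLL with no directory: the loader resolves it through the
    # DLL search path, so the real file can sit anywhere (the snim.dll case).
    if stem == "rundll32":
        dll = args.split(",", 1)[0].strip()
        if dll and "\\" not in dll:
            reasons.append(f"Rundll32 loads '{dll}' by bare name, no directory given")
    # Three-letter value name starting a three-letter executable dropped straight
    # into the Windows directories: the Hek/Kqt.exe naming pattern.
    if (len(name) == 3 and name.isalpha() and len(stem) == 3 and stem.isalpha()
            and directory in BARE_DIRS):
        reasons.append(f"{hive} Run value '{name}' starts random-looking {exe}")
    # Value name borrows a system process name but runs something else entirely.
    if name.lower() in SYSTEM_NAMES and stem != name.lower():
        reasons.append(f"Run value '{name}' mimics a system process but runs {exe}")
    return reasons


def check_service_entry(svc: str, owner: str, path: str) -> List[str]:
    """Return the reasons an O23 service entry deserves a look."""
    reasons = []
    # HijackThis appends "(file missing)" when the service binary is gone: an
    # orphaned registration that still deserves removal from the service list.
    if path.endswith("(file missing)"):
        reasons.append(f"service '{svc}' ({owner}) points at a missing binary")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run the checks over every O4 / O23 line of a HijackThis-style log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            for reason in check_run_entry(m["hive"], m["name"], m["cmd"]):
                findings.append(Finding(line, reason))
            continue
        m = O23_RE.match(line)
        if m:
            for reason in check_service_entry(m["svc"], m["owner"], m["path"]):
                findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run as-is it reports the five entries Mike asked to fix and stays quiet on the McAfee, Messenger and MUSICMATCH lines. The point of keeping each rule narrow is that a log like this one is full of legitimate HKLM Run values; a tool that flagged every unknown executable would be no better than reading the log by eye.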
toharra
11 Posts
0
March 14th, 2005 23:00
Hi Mike,
My latest hijackthis logfile. Things are much better.
Thanks for all your help so far. Please let me know what I need to do on an on-going basis to keep my computer clean.
Jim
Logfile of HijackThis v1.99.1
Scan saved at 8:42:23 PM, on 03/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SVCHOST] C:\WINDOWS\System32\click3.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4438/mcfscan.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
Midnight Star
4.8K Posts
0
March 15th, 2005 01:00
Great news - I'm glad to hear it!
-
We're not quite out of the woods yet; there are still a couple of entries that we need to remove, then try running a different scan, just to see if it can pick up something that HiJackThis can't see.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O4 - HKCU\..\Run: [SVCHOST] C:\WINDOWS\System32\click3.exe
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
Now, with all windows closed except HiJackThis, click "Fix checked".
Download mwav.exe from MicroWorld, then:
1. Double-click the mwav.exe icon to run it (it'll self-extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
Mike.
toharra
11 Posts
0
March 15th, 2005 02:00
File C:\WINDOWS\dhbrwsr.exe infected by "not-a-virus:AdWare.DealHelper.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dhp.dll infected by "not-a-virus:AdWare.DealHelper.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dhp2.dll infected by "not-a-virus:AdWare.DealHelper.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dhsvr.exe infected by "not-a-virus:AdWare.DealHelper.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\DHUn.exe infected by "not-a-virus:AdWare.DealHelper.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dhupdt.exe infected by "not-a-virus:AdWare.DealHelper.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\extract.exe infected by "not-a-virus:AdWare.ToolBar.ImiBar.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ibs.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iconw.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iconzx.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\localNRD.dll infected by "not-a-virus:AdWare.BiSpy.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mxTarget.dll infected by "not-a-virus:AdWare.BiSpy.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\pgtaff.exe infected by "not-a-virus:AdWare.Suggestor.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\QuickBrowserUpgrader.exe infected by "Trojan.Win32.QuickBrowser.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\10min.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\10minsite.exe infected by "not-a-virus:AdWare.AdURL.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\138531.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\141171.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\142515.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\1802.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\2020setup.exe infected by "not-a-virus:AdWare.ShopNav.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\26640125.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\26641796.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\26642359.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\545578.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\553843.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\555015.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6903843.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6904406.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6904796.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6bo4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6do4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6fo4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6go4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6lo4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6no4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6qo4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6zo4svc.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AbAAMON.DLL infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\add.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AeAAMON.DLL infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\aid.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ajd.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AlCTRES.DLL infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\antispy.exe infected by "not-a-virus:AdWare.AdURL.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\apd.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\appwc42u.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ArTIVEDS.DLL infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AtAAMON.DLL infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\awtiveds.dll infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AxAAMON.DLL infected by "not-a-virus:AdWare.Look2Me.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bcs.dll infected by "Trojan-Dropper.Win32.Small.gv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bcs.dlltmp infected by "Trojan-Dropper.Win32.Small.gv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\BO2802040113.dll infected by "not-a-virus:AdWare.VirtualBouncer.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cacore.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cdsm32.dll infected by "Trojan.Win32.StartPage.io" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dmr_install.exe infected by "Trojan.Win32.SecondThought.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ezStub3.dll infected by "not-a-virus:AdWare.EZula.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fzoxz.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fzoxzf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gold2.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iadk.dll infected by "not-a-virus:AdWare.PurityScan.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iecustme.exe infected by "Trojan.Win32.StartPage.vb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iecustme32.exe infected by "Trojan.Win32.StartPage.vb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iecustom32.dll infected by "Trojan.Win32.StartPage.sl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\igfx0008.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\inetFuel.exe infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\System32\jtj2071oe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_11.dll infected by "not-a-virus:AdWare.EZula.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_11.exe infected by "not-a-virus:AdWare.EZula.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Lycos.dll infected by "not-a-virus:AdWare.Sidesearch.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\MegasearchBarSetup.dll infected by "not-a-virus:AdWare.F1Organizer.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\MegasearchBarSetup.exe infected by "Trojan-Downloader.NSIS.Gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\menux32r.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mjutilse.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msbb321.dll infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mseggo.gif infected by "Trojan-Spy.Win32.Delf.dx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msfaol.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msfdje.gif infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msiaih.dll infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msjfbl.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mskceo.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mskhhe.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mskplb.dll infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnapl.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnimk.gif infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\n6r20g9oe6.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qtplidq.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sahagent1019.exe infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sicon.dll infected by "Trojan-Downloader.Win32.Miewer.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SplashSpot Games.exe infected by "not-a-virus:AdWare.AdURL.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SplWbr.dll infected by "Trojan-Dropper.Win32.Small.sf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ss.dll infected by "Trojan-Downloader.Win32.Miewer.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sset.exe infected by "not-a-virus:AdWare.Sidesearch.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ss_msi1_setup.exe infected by "not-a-virus:AdWare.Sidesearch.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SWRT01.dll infected by "not-a-virus:AdWare.VirtualBouncer.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\TSP8.EXE infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tv2.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\W2020Setup.dll infected by "Trojan-Dropper.Win32.Small.mh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WebRebates_Auto_InstallSilent.exe infected by "not-a-virus:AdWare.WebRebates.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wintask.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\JIMO'H~1\LOCALS~1\Temp\4.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\JIMO'H~1\LOCALS~1\Temp\Tvm.upd infected by "not-a-virus:AdWare.SurfSide.c" Virus. Action Taken: No Action Taken.
Midnight Star
4.8K Posts
0
March 15th, 2005 13:00
Let's delete these files, then post back one more HiJackThis log, and if we're still in the 'green', we should be ready for the final cleanup:
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
files...
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\dhp.dll
C:\WINDOWS\dhp2.dll
C:\WINDOWS\dhsvr.exe
C:\WINDOWS\DHUn.exe
C:\WINDOWS\dhupdt.exe
C:\WINDOWS\extract.exe
C:\WINDOWS\ibs.exe
C:\WINDOWS\iconw.exe
C:\WINDOWS\iconzx.exe
C:\WINDOWS\localNRD.dll
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\pgtaff.exe
C:\WINDOWS\QuickBrowserUpgrader.exe
C:\WINDOWS\woinstall.exe
C:\WINDOWS\System32\10min.dll
C:\WINDOWS\System32\10minsite.exe
C:\WINDOWS\System32\138531.exe
C:\WINDOWS\System32\141171.exe
C:\WINDOWS\System32\142515.exe
C:\WINDOWS\System32\1802.dll
C:\WINDOWS\System32\2020setup.exe
C:\WINDOWS\System32\26640125.exe
C:\WINDOWS\System32\26641796.exe
C:\WINDOWS\System32\26642359.exe
C:\WINDOWS\System32\545578.exe
C:\WINDOWS\System32\553843.exe
C:\WINDOWS\System32\555015.exe
C:\WINDOWS\System32\6903843.exe
C:\WINDOWS\System32\6904406.exe
C:\WINDOWS\System32\6904796.exe
C:\WINDOWS\System32\6bo4svc.dll
C:\WINDOWS\System32\6do4svc.dll
C:\WINDOWS\System32\6fo4svc.dll
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\6lo4svc.dll
C:\WINDOWS\System32\6no4svc.dll
C:\WINDOWS\System32\6qo4svc.dll
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\AbAAMON.DLL
C:\WINDOWS\System32\add.dll
C:\WINDOWS\System32\AeAAMON.DLL
C:\WINDOWS\System32\aid.dll
C:\WINDOWS\System32\ajd.dll
C:\WINDOWS\System32\AlCTRES.DLL
C:\WINDOWS\System32\antispy.exe
C:\WINDOWS\System32\apd.dll
C:\WINDOWS\System32\appwc42u.dll
C:\WINDOWS\System32\ArTIVEDS.DLL
C:\WINDOWS\System32\AtAAMON.DLL
C:\WINDOWS\System32\awtiveds.dll
C:\WINDOWS\System32\AxAAMON.DLL
C:\WINDOWS\System32\bcs.dll
C:\WINDOWS\System32\BO2802040113.dll
C:\WINDOWS\System32\brew.dll
C:\WINDOWS\System32\cacore.dll
C:\WINDOWS\System32\cdsm32.dll
C:\WINDOWS\System32\dmr_install.exe
C:\WINDOWS\System32\ezStub3.dll
C:\WINDOWS\System32\fzoxz.dll
C:\WINDOWS\System32\fzoxzf.exe
C:\WINDOWS\System32\gold2.dll
C:\WINDOWS\System32\iadk.dll
C:\WINDOWS\System32\iecustme.exe
C:\WINDOWS\System32\iecustme32.exe
C:\WINDOWS\System32\iecustom32.dll
C:\WINDOWS\System32\igfx0008.dll
C:\WINDOWS\System32\inetFuel.exe
C:\WINDOWS\System32\instsrv.exe
C:\WINDOWS\System32\jtj2071oe.dll
C:\WINDOWS\System32\KVIF_11.dll
C:\WINDOWS\System32\KVIF_11.exe
C:\WINDOWS\System32\Lycos.dll
C:\WINDOWS\System32\MegasearchBarSetup.dll
C:\WINDOWS\System32\MegasearchBarSetup.exe
C:\WINDOWS\System32\menux32r.dll
C:\WINDOWS\System32\mjutilse.dll
C:\WINDOWS\System32\msbb321.dll
C:\WINDOWS\System32\msfaol.dll
C:\WINDOWS\System32\msiaih.dll
C:\WINDOWS\System32\msjfbl.dll
C:\WINDOWS\System32\mskceo.dll
C:\WINDOWS\System32\mskhhe.dll
C:\WINDOWS\System32\mskplb.dll
C:\WINDOWS\System32\msnapl.dll
C:\WINDOWS\System32\n6r20g9oe6.dll
C:\WINDOWS\System32\qtplidq.dll
C:\WINDOWS\System32\sahagent1019.exe
C:\WINDOWS\System32\sicon.dll
C:\WINDOWS\System32\SplashSpot Games.exe
C:\WINDOWS\System32\SplWbr.dll
C:\WINDOWS\System32\ss.dll
C:\WINDOWS\System32\sset.exe
C:\WINDOWS\System32\ss_msi1_setup.exe
C:\WINDOWS\System32\SWRT01.dll
C:\WINDOWS\System32\TSP8.EXE
C:\WINDOWS\System32\tv2.dll
C:\WINDOWS\System32\W2020Setup.dll
C:\WINDOWS\System32\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\System32\wintask.exe
C:\DOCUME~1\JIMO'H~1\LOCALS~1\Temp\4.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Mike.
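One way to work through a removal list like the one above, as an added example and not Mike's own procedure: the script below parses the pasted paths, records a SHA-256 of each file that is actually present (so there is a record of what was removed), deletes what it can, and reports anything still locked so it can be handled from Safe Mode. The four paths embedded in it are taken from the list above purely as constructed sample input.

```python
# Added example: check, record and delete a pasted removal list of Windows paths.
# Not from the forum post; the REMOVAL_LIST below is a constructed sample.
import hashlib
import os
import stat

REMOVAL_LIST = r"""
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\dhp.dll
C:\WINDOWS\System32\10min.dll
C:\WINDOWS\System32\wintask.exe
"""


def parse_removal_list(text):
    """Return the non-empty, stripped paths from a pasted list (one per line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def sha256_of(path):
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def remove_listed_files(paths):
    """Delete each listed path that exists.

    Returns a dict mapping path -> status, where status is 'absent',
    'deleted:<sha256>' or 'locked'. A PermissionError that persists after the
    read-only bit is cleared means the file is in use; on Windows that is the
    case where the post says to delete it from Safe Mode instead.
    """
    result = {}
    for p in paths:
        if not os.path.isfile(p):        # isfile sees hidden/system files too
            result[p] = "absent"
            continue
        digest = sha256_of(p)            # keep a record before it is gone
        try:
            os.chmod(p, stat.S_IWRITE)   # a read-only attribute also blocks remove()
            os.remove(p)
            result[p] = "deleted:" + digest
        except PermissionError:
            result[p] = "locked"
    return result


if __name__ == "__main__":
    for path, status in remove_listed_files(parse_removal_list(REMOVAL_LIST)).items():
        print(status, path)
```

Run it once as-is to see which entries are present, then treat every 'locked' line as a file to revisit from Safe Mode.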
toharra
11 Posts
0
March 16th, 2005 01:00
Hey Mike,
I deleted all the files and ran a new HijackThis. Thanks!!
Logfile of HijackThis v1.99.1
Scan saved at 10:13:56 PM, on 03/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4438/mcfscan.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe