Unsolved
21 Posts
0
5574
May 2nd, 2008 19:00
Please help, HijackThis Log - Slow computer and other issues
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:00 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mastercommunities.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PUFLITE - http://randieshelman.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://newcor1/ConnectComputer/nshelp.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161189017616
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193683555074
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.newcor.net/Remote/msrdp.cab
O16 - DPF: {A8E0BF1E-5537-459A-8C70-A1FA785EFDD6} (PowerWeb Control) - http://imagedrec.water.az.gov/pwfiles/PowerWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\Software\..\Telephony: DomainName = newcor.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer = 192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = newcor.local
O22 - SharedTaskScheduler: heterotroph - {de5ede53-9db0-422d-b32d-5c41c96d6f52} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe (file missing)
--
End of file - 5805 bytes
Please see my hijackthis log above. This is one of our work computers in the office, and I am having a hard time getting some things to work. For one, the computer runs very slow. Two, the Trend Micro Security software we have was working, but now no longer does. I tried running HouseCall even and that won't complete. Can anyone tell me if this log suggests things I need to fix?
Thank you in advance for any help - and I could use this help ASAP! Thanks!


SpotCheckBilly
932 Posts
0
May 2nd, 2008 21:00
Welcome to the DCF forums.
The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY . You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.
Please do not run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you are running P2P filesharing program(s).
- Many of these programs come with unwanted components bundled with them.
- To find out whether the one(s) you are using are considered safe, click here or here.
Quote: Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. My recommendation is you uninstall it.
If you decide to keep it/them, do not use them until your computer is cleaned.
If you are running any cracked/pirated software, uninstall it before proceeding. Many helpers -- myself included -- will not assist you if you are using such software.
Remember, we are in this process together. We must cooperate with each other or the fix will surely fail. If, at any time, there is something you don't understand or a scan that you cannot run -- do not skip the step or scan. Please take a moment to stop and ASK! Always remember -- there is no such thing as a stupid question.
That being said, let's get started. :)
First thing, are you the person in charge of IT for your company? If not, my first suggestion would be that you take your difficulties up with that person. If you are that person, well, I guess you don't get to dump the problems on someone else, eh? :)
I also have a couple of questions for you. Have you run any other "fixes" or anti-malware scans? It appears that you may have a partially removed Smitfraud infection. Knowing what steps you have already taken will help immensely in knowing where to start. Also, have you disabled any programs that normally would start with Windows? Or edited your HJT scan in any way? If you have done either, please re-enable the startup items and post back a full, unedited HJT log.
I look forward to working with you. :) -- SCB
npatrick
21 Posts
0
May 2nd, 2008 22:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:41 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
\NEWCOR1\OFCSCAN\AutoPcc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mastercommunities.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VirusRanger] "C:\Program Files\VirusRanger\VirusRanger.exe" /s
O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrustedProtection] "C:\Program Files\TrustedProtection\pgs.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PUFLITE - http://randieshelman.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://newcor1/ConnectComputer/nshelp.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161189017616
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193683555074
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.newcor.net/Remote/msrdp.cab
O16 - DPF: {A8E0BF1E-5537-459A-8C70-A1FA785EFDD6} (PowerWeb Control) - http://imagedrec.water.az.gov/pwfiles/PowerWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\Software\..\Telephony: DomainName = newcor.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer = 192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = newcor.local
O22 - SharedTaskScheduler: heterotroph - {de5ede53-9db0-422d-b32d-5c41c96d6f52} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe (file missing)
--
End of file - 7977 bytes
Ok, here is another HijackThis Log with more of the items running from startup. Please let me know if this helps and again if you can help me...
Thanks!
npatrick
21 Posts
0
May 2nd, 2008 22:00
SpotCheckBilly,
Thanks for your start of helping. I am unfortunately the one "in charge" of the IT stuff in our office - we are a small company.
As for your questions:
"Have you run any other "fixes" or anti-malware scans?"
Like I mentioned - we have Trend Micro for small bus. and that utility was running until today. It seemed to lock up today and has not restarted correctly since. I have been attempting to run the Trend Micro HouseCall internet program today, with little luck. As for anything else done to this computer, I do not know - it was at another location and the person that was using it is no longer working for us, they are the one that I believe got the computer infected.
"Also, have you disabled any programs that normally would start with Windows?"
Yes, I have disabled several junk programs that "normally" would start with Windows from the msconfig file. I have not changed any of these settings recently myself though - not since the major issues have been noticeable. I am not very interested in having most of those programs run at startup either. Like I mentioned above - I also ended the process that was running for Trend Micro - since it had crashed and was giving an error when we tried to access the program stating that a system error occurred with the program.
"Or edited your HJT scan in any way?"
I did not edit the HJT scan at all.
I hope this helps, and I hope you can help me as soon as possible so we can get this employee's computer back up and running.
Thanks!
SpotCheckBilly
932 Posts
0
May 3rd, 2008 19:00
Okay, there's quite a bit of stuff going on here. The main problem is that you have a Smitfraud infection. Secondary to that, and very likely a major cause of slow performance is that it appears that there are several different antivirus programs -- or at least remnants of them -- installed on your machine. We'll take care of that after we fix the Smitfraud infection.
Please download SmitfraudFix (by S!Ri) to your Desktop.
Next, Please download ATFCleaner by Atribune to your desktop.
Finally, please download Malwarebytes' Anti-Malware to your desktop.
Please print out or copy these instructions to Notepad. Much of the removal process will be done in Safe Mode and the Internet will not be available. Please Note that it is very important to work through all the Steps in the exact order in which they are presented. Read through the entire procedure and if there are any steps that you don't understand, ask your question(s) before moving on with the fixes.
====STEP: 1====
Boot your computer into Safe Mode.
Once in Safe Mode,
The tool will also check to see if wininet.dll is infected. If it is, and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.
NOTE: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Reference article
IMPORTANT: Do NOT run any other options until you are asked to do so!
====STEP: 2====
Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
If you use Firefox and/or Opera browser- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
====STEP: 3====
Close ALL open Windows / Programs / Folders.
Launch Malwarebytes Anti-Malware.
- Once the program has loaded, select Perform Full Scan
- Click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad.
- Please save it to your desktop.
NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen.
If Malware is found...
====STEP: 4====
In your next reply, please post:
:) -- SpotCheckBilly
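The diagnosis above rests on two things a reader can pull out of the posted HijackThis logs by hand: entries whose target file no longer exists (the orphaned O2 BHO, the O22 SharedTaskScheduler with no file, the two Trend Micro services marked "file missing"), and O4 startup entries that belong to four different security vendors at once. The following Python script is an added example, not part of this thread or of HijackThis, that automates that triage over a handful of lines copied from the logs posted above. The regular expression, the vendor marker table and the "watchlist" of product names are my own assumptions for the demo; the watchlist holds names that appear in the poster's O4 entries and that the SmitfraudFix report later deletes or that the helper's Smitfraud diagnosis covers.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mastercommunities.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O22 - SharedTaskScheduler: heterotroph - {de5ede53-9db0-422d-b32d-5c41c96d6f52} - (no file)
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumed substring -> vendor table; matched case-insensitively against O4/O23 entries.
SECURITY_VENDORS = {
    "trend micro": "Trend Micro",
    "mcafee": "McAfee",
    "symant": "Symantec",      # also covers the 8.3 short name SYMANT~1
    "norton": "Symantec",
    "webroot": "Webroot",
    "spy sweeper": "Webroot",
}

# Assumed analyst watchlist: product names from the poster's O4 entries that the
# SmitfraudFix report or the helper's Smitfraud diagnosis identifies as rogue.
ROGUE_WATCHLIST = ("systemdoctor", "drivecleaner", "virusranger",
                   "trustedprotection", "virusprotectpro")


def parse_hjt(text):
    """Return a list of (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def missing_file_entries(entries):
    """Entries that still reference a file HijackThis could not find on disk."""
    return [(s, b) for s, b in entries if "(file missing)" in b or "(no file)" in b]


def security_vendors_at_startup(entries):
    """Group O4 (Run) and O23 (service) entries by the security vendor they belong to."""
    vendors = defaultdict(list)
    for section, body in entries:
        if section not in ("O4", "O23"):
            continue
        low = body.lower()
        for marker, vendor in SECURITY_VENDORS.items():
            if marker in low:
                vendors[vendor].append(body)
                break
    return dict(vendors)


def watchlist_hits(entries, watchlist=ROGUE_WATCHLIST):
    """Entries whose text contains a watchlisted product name."""
    hits = []
    for section, body in entries:
        low = body.lower()
        for name in watchlist:
            if name in low:
                hits.append((section, name, body))
    return hits


def triage(text, watchlist=ROGUE_WATCHLIST):
    """Summarise a log the way the helper did: orphans, vendor overlap, watchlist names."""
    entries = parse_hjt(text)
    vendors = security_vendors_at_startup(entries)
    return {
        "entries": len(entries),
        "missing_file": missing_file_entries(entries),
        "vendors": vendors,
        "multiple_av": len(vendors) > 1,
        "watchlist": watchlist_hits(entries, watchlist),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} entries parsed")
    print(f"{len(report['missing_file'])} entries point at missing files")
    print("security vendors seen at startup:", ", ".join(sorted(report["vendors"])))
    for section, name, body in report["watchlist"]:
        print(f"watchlist hit [{name}] in {section}: {body}")
```

Missing-file entries are the cheap signal: a BHO or service whose binary is gone is either a leftover from a partial removal (exactly what the helper suspected) or a registration that something is re-creating. The vendor grouping is what surfaces the "several different antivirus programs" problem without reading every O4 line; in practice you would extend the marker table to whatever products your fleet actually licenses and treat anything else as a candidate for uninstalling.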
npatrick
21 Posts
0
May 5th, 2008 15:00
npatrick
21 Posts
0
May 6th, 2008 00:00
npatrick
21 Posts
0
May 6th, 2008 00:00
npatrick
21 Posts
0
May 6th, 2008 00:00
Run from C:\Documents and Settings\dturner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{de5ede53-9db0-422d-b32d-5c41c96d6f52}"="heterotroph"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\dturner\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\VirusProtectPro 3.7\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1117DFD8-E49A-455C-903B-A63B3ECD88E9}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{531D3D38-B38F-4A40-9052-52EFBA55506B}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B39D46D7-7293-459F-B375-CD67B18F1882}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1117DFD8-E49A-455C-903B-A63B3ECD88E9}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{531D3D38-B38F-4A40-9052-52EFBA55506B}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B39D46D7-7293-459F-B375-CD67B18F1882}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1117DFD8-E49A-455C-903B-A63B3ECD88E9}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{531D3D38-B38F-4A40-9052-52EFBA55506B}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B39D46D7-7293-459F-B375-CD67B18F1882}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Post 1 - note also that this site has edited some of the HTML in the log for some reason. FYI.
npatrick
21 Posts
0
May 6th, 2008 00:00
npatrick
21 Posts
0
May 6th, 2008 00:00
npatrick
21 Posts
0
May 6th, 2008 00:00
npatrick
21 Posts
0
May 6th, 2008 00:00
Scan saved at 6:02:10 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VirusRanger] "C:\Program Files\VirusRanger\VirusRanger.exe" /s
O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PUFLITE - http://randieshelman.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://newcor1/ConnectComputer/nshelp.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161189017616
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193683555074
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.newcor.net/Remote/msrdp.cab
O16 - DPF: {A8E0BF1E-5537-459A-8C70-A1FA785EFDD6} (PowerWeb Control) - http://imagedrec.water.az.gov/pwfiles/PowerWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\Software\..\Telephony: DomainName = newcor.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer = 192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = newcor.local
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe (file missing)
--
End of file - 7067 bytes
Network Login HijackThis hijackthis.txt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:07 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\applnch.exe
C:\WINDOWS\system32\ctfmon.exe
\NEWCOR1\OFCSCAN\AutoPcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\userinit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mastercommunities.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VirusRanger] "C:\Program Files\VirusRanger\VirusRanger.exe" /s
O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrustedProtection] "C:\Program Files\TrustedProtection\pgs.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PUFLITE - http://randieshelman.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://newcor1/ConnectComputer/nshelp.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161189017616
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193683555074
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.newcor.net/Remote/msrdp.cab
O16 - DPF: {A8E0BF1E-5537-459A-8C70-A1FA785EFDD6} (PowerWeb Control) - http://imagedrec.water.az.gov/pwfiles/PowerWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\Software\..\Telephony: DomainName = newcor.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A825E022-2C16-46D6-A1C4-47012E126842}: NameServer = 192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcor.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = newcor.local
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe (file missing)
--
End of file - 7374 bytes
Hope this helps us finish up fixing this machine - again, much thanks for your help! Sorry for all the posts! YIKES! Also, just a reminder that this site edited some of the "invalid HTML" from the logs.
SpotCheckBilly
932 Posts
0
May 6th, 2008 19:00
Couple of things. The first is that if there was some HTML deleted from one or more of your logs, it is quite likely that you ran into Dell's "smut filter". This is pretty common as the filter is a wee bit overzealous. I'm going to send you a PM (private message) with instructions on how to get the complete log(s) to me.
Second thing is that it appears that some of the line breaks got lost, which makes reading and analyzing the logs very difficult. Just as a for-future-reference type of thing, here's how to avoid that problem. Before you copy/paste a log, in the Notepad window, click Format and UN-check Word Wrap. Then in the reply window here at Dell make sure that there is a checkmark in the box next to "Automatically convert carriage returns to HTML line breaks". This will ensure proper formatting.
Be on the lookout for my PM, I'll do that right after I get done posting this. :) -- SCB
npatrick
21 Posts
0
May 6th, 2008 19:00
Thanks SCB, you are probably right about the html thing.
As for the line breaks, my guess is that because of the length of the posts it kept reducing spaces and line breaks to reduce the character count, because I would paste it just as it was in the txt file, with Word Wrap unchecked, but it would change it to look like it ended up looking after I pressed submit the first time.
Anyway, thanks and I will look for your PM so I can get you the full logs and so we can move forward.
Thanks!
SpotCheckBilly
932 Posts
0
May 7th, 2008 19:00
Well, it looks like SmitfraudFix and Malwarebytes Anti-Malware did a good job of cleaning up your system. Now we need to take care of the leftovers. The network and local HijackThis logs are almost identical, so let's clean them up as follows:
First, as you did earlier, do the scan as network admin.
Run HiJackThis and click "Do a system scan only", then check (tick) the following, if present:
O4 - HKLM\..\Run: [VirusRanger] "C:\Program Files\VirusRanger\VirusRanger.exe" /s
O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKCU\..\Run: [TrustedProtection] "C:\Program Files\TrustedProtection\pgs.exe" /min
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files :
1. Click Start=>Control Panel=>Folder Options=>View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=>Yes to confirm.
4. Click Apply=>OK.
5. Close Control Panel.
folders...
C:\Program Files\VirusRanger
C:\PROGRA~1\MYCONT~1
C:\Program Files\DriveCleaner Freeware
C:\Program Files\Common Files\SystemDoctor
c:\PROGRA~1\mcafee.com
C:\Program Files\TrustedProtection
Note that some of these file(s) may not be present.
Next, scan as a local.
Run HiJackThis and click "Do a system scan only", then check (tick) the following, if present:
O4 - HKLM\..\Run: [VirusRanger] "C:\Program Files\VirusRanger\VirusRanger.exe" /s
O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files :
1. Click Start=>Control Panel=>Folder Options=>View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=>Yes to confirm.
4. Click Apply=>OK.
5. Close Control Panel.
folders...
C:\Program Files\VirusRanger
C:\PROGRA~1\MYCONT~1
C:\Program Files\DriveCleaner Freeware
C:\Program Files\Common Files\SystemDoctor
c:\PROGRA~1\mcafee.com
Note that some of these file(s) may not be present.
After the above steps, reboot. Then create a startup list with HijackThis so that we can take care of the multiple AV programs:
Good work so far. :) -- SCB
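The two "Fix checked" lists above are produced by reading each O4 autorun line, recovering the executable behind it, and asking whether it lives in one of the folders slated for deletion. The script below is an added example, not code from this thread, from Dell or from Trend Micro HijackThis, that mechanizes that triage over a constructed subset of the second (network login) log. It parses O4 and O23 lines with regular expressions, strips quotes and arguments to get the executable path (handling unquoted paths that contain spaces and entries with no extension such as dumprep), and flags autoruns under the helper's removal folders plus services reported as "(file missing)". The regexes, function names and the `REMOVAL_DIRS` list are my own; the folder names in that list and the sample log lines are copied from the thread.

```python
# HijackThis log triage helper. Added example for this thread; not code from
# the thread, from Dell, or from Trend Micro HijackThis. It parses O4 (autorun)
# and O23 (service) lines and flags what a reviewer would tick in "Fix checked".
import re
from typing import Dict, List, NamedTuple

# Folders the thread's cleanup instructions name for deletion (copied from the post).
REMOVAL_DIRS = [
    r"C:\Program Files\VirusRanger",
    r"C:\PROGRA~1\MYCONT~1",
    r"C:\Program Files\DriveCleaner Freeware",
    r"C:\Program Files\Common Files\SystemDoctor",
    r"c:\PROGRA~1\mcafee.com",
    r"C:\Program Files\TrustedProtection",
]

# Constructed subset of the thread's second (network login) log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [VirusRanger] "C:\Program Files\VirusRanger\VirusRanger.exe" /s
O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKCU\..\Run: [TrustedProtection] "C:\Program Files\TrustedProtection\pgs.exe" /min
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (HK.+?)\\\.\.\\([^:]+): \[([^\]]*)\] ?(.*)$")  # hive, key, name, cmd
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")  # display, owner, path
# First token ending in a program extension and followed by whitespace or end of
# line, so unquoted paths containing spaces ("C:\Program Files\...") survive.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd))(?=\s|$)", re.IGNORECASE)
MISSING = " (file missing)"  # HijackThis marker for a path that does not exist


class Autorun(NamedTuple):
    hive: str   # HKLM, HKCU, HKUS\<sid>
    key: str    # Run, RunOnce, ...
    name: str   # value name shown in [brackets]
    exe: str    # executable with quotes and arguments stripped
    raw: str    # original line, i.e. what gets ticked in HijackThis


class Service(NamedTuple):
    display: str
    owner: str
    exe: str
    file_missing: bool
    raw: str


def extract_exe(command: str) -> str:
    """Recover the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_autoruns(log_text: str) -> List[Autorun]:
    out = []
    for line in map(str.rstrip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            out.append(Autorun(hive, key, name, extract_exe(cmd), line))
    return out


def parse_services(log_text: str) -> List[Service]:
    out = []
    for line in map(str.rstrip, log_text.splitlines()):
        m = O23_RE.match(line)
        if m:
            display, owner, path = m.groups()
            missing = path.endswith(MISSING)
            out.append(Service(display, owner, path[:-len(MISSING)] if missing else path, missing, line))
    return out


def under_removal_dir(path: str, dirs: List[str] = REMOVAL_DIRS) -> bool:
    """Case-insensitive prefix test. 8.3 short names (PROGRA~1) are not
    expanded, so list both forms, as the helper's instructions do."""
    p = path.lower()
    return any(p.startswith(d.lower().rstrip("\\") + "\\") for d in dirs)


def triage(log_text: str, dirs: List[str] = REMOVAL_DIRS) -> Dict[str, List[str]]:
    """Raw log lines grouped by the reason a reviewer would tick them."""
    return {
        "fix_checked": [a.raw for a in parse_autoruns(log_text) if under_removal_dir(a.exe, dirs)],
        "file_missing": [s.raw for s in parse_services(log_text) if s.file_missing],
    }
```

Run `triage(SAMPLE_LOG)` and the "fix_checked" group comes back as exactly the seven O4 lines the helper listed for the network-admin scan. HKCU entries such as TrustedProtection belong to the profile that ran the scan, which is why the list for the local login is one entry shorter; run the triage once per log rather than assuming one result fits both. The "file_missing" group is a separate review item: an orphaned service entry is harmless to run but is worth cleaning so the next log is easier to read.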