
8 Posts


December 22nd, 2004 23:00

SYSTEM BOOT UP ERROR MESSAGE

Every time I turn on the old confuser, I get the following pop-up message that reads:
 
"McAfee Active Shield has detected a virus on your computer.  We recommend you use the scan feature to scan all the drives of your computer for viruses."  This will pop up three to four times and then go away until the next power up.
 
 
Scan as I might, it won't go away.  I turned off System Restore and scanned, unloaded and reloaded my McAfee security programs, and ran every spyware/adware program known to modern man, all to no avail.

4.8K Posts

December 22nd, 2004 23:00

gunghohm,

Try posting up a HiJackThis log for review, and I'll see if anything there might help us to see what's going on.

Mike.


8.8K Posts

December 23rd, 2004 00:00

Please go to http://www.majorgeeks.com/download3155.html and download HiJackThis to its own folder that you create on your C:/ drive.
After it is downloaded open the program and click on the Scan button.
When that is done, click on Save to log.
Please post the log that it generates right here so that it may be viewed and analyzed for problems.

Thanks
Steve

8 Posts

December 23rd, 2004 00:00

OK, you lost me on that one.  A little help, please.


8.8K Posts

December 23rd, 2004 01:00

gunghohm1
Before we analyze your log can you do a couple things first?
Go to this site http://www.trendmicro.com/en/home/us/enterprise.htm and do an online scan and delete whatever it finds. Be sure to highlight the drives you want to have searched.

After that could you please go to http://www.majorgeeks.com/download506.html and download AdAwareSE, let it scan your system and delete what it finds. Then while using AdAware, click on add-ons and get their plug-in for the VX2 variant, and run that and delete what it finds.
After that please go to http://www.majorgeeks.com/download2471.html and download SpyBot and run that and delete what it finds.
Please keep in mind that I will not be the one that analyzes the log. So be patient; we deal with several time zones as to availability. If it is not attended to tonight... it will be tomorrow.


Steve

Message Edited by zbestwun2001 on 12-22-2004 07:07 PM

8 Posts

December 23rd, 2004 20:00

I did all the scans and now post this per your request:
 
Logfile of HijackThis v1.99.0
Scan saved at 2:04:37 PM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Comcast\Security Manager\app\Prism.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\w?wexec.exe
C:\Documents and Settings\Owner\Application Data\dosr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40C1DF64-168C-687D-FF0D-6F9448ED8291} - C:\WINDOWS\system32\rbfle.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Dimkj] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Memo] C:\Documents and Settings\Owner\Application Data\dosr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXX50US
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\muprmbju.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmdpc.dll
O23 - Service: Curtains for Windows System Service - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: icservice - ONTRACK Data International, Inc. - C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

4.8K Posts

December 24th, 2004 00:00

gunghohm,

Let's see what we can do with this...


First, download CWShredder, unzip it to your desktop and run it. Then:

1.  Check for and download any new program updates.

2.  Click "Fix ->"

-

Reboot into "Safe Mode".


Go to Add/Remove Programs and remove (uninstall) the following:

MyWebSearch


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32  /u  rbfle.dll
regsvr32  /u  iegfxfrw.dll

It's ok, if these aren't found.



Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, which, with HiJackThis in its current location, will lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.



Now, let's run HiJackThis, then:

1.  click "Config..."
2.  click "Misc Tools"
3.  click "Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:

    C:\Documents and Settings\Owner\Application Data\dosr.exe
    C:\WINDOWS\system32\auserinit.exe
    C:\WINDOWS\system32\rbfle.dll
    C:\Documents and Settings\Owner\Application Data\ttuh.exe
    C:\WINDOWS\System32\iegfxfrw.dll
    C:\Program Files\Internet Explorer\muprmbju.exe

5.  when prompted to "Reboot Now", after selecting each file, select "No"



Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe

O2 - BHO: (no name) - {40C1DF64-168C-687D-FF0D-6F9448ED8291} - C:\WINDOWS\system32\rbfle.dll

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Dimkj] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Memo] C:\Documents and Settings\Owner\Application Data\dosr.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXX50US

O9 - Extra button: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {D440A2B7-AE54-44B7-AF28-84837B323F43} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range:  (HKLM)

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\muprmbju.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

Reboot your computer normally.


Post back a new log.

Mike.
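To show how the entries ticked in the reply above can be screened automatically, here is an added example, not code from this thread or from the HijackThis project: a small Python triage script that parses HijackThis-style log lines and applies the same rules a reviewer applies by hand (search/start pages pointing at a local .html file, a UserInit other than system32\userinit.exe, unnamed or file-less O2/O3 entries, O4 auto-starts living in the user profile or containing a '?' where HijackThis could not print a character, O15 Trusted-zone hosts, and O16 entries with a file:// source or no friendly name). It also surfaces the O20 AppInit_DLLs line from the posted log, which any HijackThis review should look at. The sample lines are copied from the log posted earlier in this thread, with a few benign entries left in for contrast; the function names, rule wording and the local_paths helper are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, with three benign entries (Start Page, Acrobat BHO, QuickTime)
# left in so the rules have something to pass over.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: (no name) - {40C1DF64-168C-687D-FF0D-6F9448ED8291} - C:\WINDOWS\system32\rbfle.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Dimkj] C:\WINDOWS\system32\w?wexec.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\muprmbju.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmdpc.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PROFILE_DIR_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\", re.I)
# Drive-letter path ending in .exe or .dll; spaces inside components allowed.
BINARY_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\n"]+\\)*[^\\\n"]+?\.(?:exe|dll)\b', re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # which rule fired
    line: str      # the log line as posted


def classify(sec, body):
    """Return a reason string if a HijackThis line trips a rule, else None."""
    if sec in ("R0", "R1"):
        # A search/start page that resolves to a local .html file is a hijack.
        value = body.partition(" = ")[2].strip()
        if re.match(r"[A-Za-z]:\\", value) and value.lower().endswith(".html"):
            return "search/start page redirected to a local .html file"
    elif sec == "F2":
        # winlogon runs UserInit before the shell; only system32\userinit.exe belongs here.
        m = re.search(r"UserInit=([^,]+)", body, re.I)
        if m and not m.group(1).strip().lower().endswith(r"\system32\userinit.exe"):
            return "UserInit replaced by a non-standard executable"
    elif sec in ("O2", "O3"):
        # Real BHOs and toolbars carry a name and a file on disk.
        if "(no name)" in body or body.endswith("(no file)"):
            return "unnamed or file-less BHO/toolbar entry"
    elif sec == "O4":
        # Run-key command lines: '?' is how HijackThis shows an unprintable
        # character; installers rarely place auto-starts inside the user profile.
        m = re.match(r"[^:]+: \[[^\]]*\] (.*)$", body)
        if m and "?" in m.group(1):
            return "unprintable character in auto-start path (shown as '?')"
        if m and PROFILE_DIR_RE.search(m.group(1)):
            return "auto-start executable inside the user profile"
    elif sec == "O15":
        # Trusted-zone hosts get relaxed IE security; users seldom add these themselves.
        return "host in the IE Trusted zone; confirm it was added deliberately"
    elif sec == "O16":
        # file:// means a local binary registered as if it were a downloaded ActiveX control.
        m = re.match(r"DPF: \{[0-9A-F-]+\} (\(.*?\) )?- (.*)$", body, re.I)
        if m and m.group(2).lower().startswith("file://"):
            return "ActiveX download entry pointing at a local executable"
        if m and m.group(1) is None:
            return "unnamed ActiveX control"
    elif sec == "O20":
        # AppInit_DLLs is loaded into every process that links user32.dll.
        return "AppInit_DLLs entry loads into every GUI process; identify the DLL"
    return None


def triage(log_text):
    """One Finding per log line that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            reason = classify(m.group("sec"), m.group("body"))
            if reason:
                findings.append(Finding(m.group("sec"), reason, raw.strip()))
    return findings


def local_paths(findings):
    """Binaries referenced by flagged lines: a starting point for a
    delete-on-reboot list, to be confirmed by hand before acting on it."""
    paths = set()
    for f in findings:
        paths.update(BINARY_PATH_RE.findall(f.line))
    return sorted(paths)
```

Calling triage(SAMPLE_LOG) returns ten findings and passes over the Start Page, Acrobat and QuickTime lines; local_paths() on those findings lists the six .exe/.dll files the flagged lines point at. The rules are deliberately crude pattern checks, so every hit still needs a human to confirm what the file is before anything is removed.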
