Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Cannot set my browser home page

Started by vpsolis , Apr 03 2006 07:29 PM

  • Please log in to reply

#1
vpsolis
Posted 03 April 2006 - 07:29 PM

vpsolis

    New Member

  • Member
  • Pip
  • 5 posts
Cannot set my default home page in my MS Internet Explorer. Running XP personal Edition.

necessaryupdates.com seems to have control of my browser home page setting. Cannot change it with 'Tools!Options' from the browser.

Below is the log file produced when I ran HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 8:13:40 PM, on 4/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Internet Explorer\syssmss.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Win xp\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp8711.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinsSystem] C:\Program Files\Internet Explorer\syssmss.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.equibase.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.iwin.com/...bugs/axhost.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)


I appreciate any help you can provide. Thanks, Vance
  • 0

Advertisements

#2
Mark
Posted 03 April 2006 - 10:30 PM

Mark

    Sari'z the bestest admin in da worldz!

  • Expert
  • 2,360 posts
Hello vpsolis, and welcome to GeeksToGo :whistling:

Looks like you have a Desktop Hijack there. Let's go find it :

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#3
vpsolis
Posted 04 April 2006 - 04:06 PM

vpsolis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Replying with contents of the results of running 'smitfraudfix.cmd'.

SmitFraudFix v2.28

Scan done at 17:00:56.36, Tue 04/04/2006
Run from C:\Documents and Settings\Win xp\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\mssearchnet.exe FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\nvctrl.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Win xp\Application Data

C:\Documents and Settings\Win xp\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareQuake 2.0.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Win xp\Favorites


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Thank you so much for you help. It is greatly appreciated.

Sincerely, Vpsolis.
  • 0

#4
Mark
Posted 04 April 2006 - 06:32 PM

Mark

    Sari'z the bestest admin in da worldz!

  • Expert
  • 2,360 posts
Thank you for the report :whistling:

Let's move on to phase 2, shall we ? :

Please download ATF Cleaner by Atribune. Save it to the Desktop. Don't run it just yet.
This program is for XP and Windows 2000 only

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode,Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
~~~~~~~~~~~~~~~~~~

Still from Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Post a new HijackThis! log as well. We'll deal with a backdoor trojan you have in the next phase. Good luck :blink:

Edited by ~Mark, 04 April 2006 - 06:36 PM.

  • 0

#5
vpsolis
Posted 05 April 2006 - 05:13 PM

vpsolis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Replying with contents of 'rapport.txt' :

SmitFraudFix v2.28

Scan done at 17:08:22.36, Wed 04/05/2006
Run from C:\Documents and Settings\Win xp\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\mssearchnet.exe Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\nvctrl.exe Deleted
C:\Documents and Settings\Win xp\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareQuake 2.0.lnk Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End


Next is the follow up report from HiJackThis.exe, after cleaning completed.


Logfile of HijackThis v1.99.1
Scan saved at 5:49:20 PM, on 4/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Internet Explorer\syssmss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Win xp\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.equibase.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinsSystem] C:\Program Files\Internet Explorer\syssmss.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.equibase.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.iwin.com/...bugs/axhost.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)

---------------------------------------------------------------------------------------------------------------------

Restart in normal windows mode indicates that the effect of the virus no longer manifest itself. I've got back control of my browser, and can set Internet Options once again. Thank you so very much for your courteous and benifical assistance. In your last post you mentioned something about dealing with a backdoor trojan in the next phase. Thank you for your perservance.

Sincerely, vpsolis
  • 0

#6
Mark
Posted 06 April 2006 - 12:02 AM

Mark

    Sari'z the bestest admin in da worldz!

  • Expert
  • 2,360 posts
I'm glad that you have your Desktop back !! :blink:

Yes, let's go after that trojan now. We need to change a few options to allow you to view hidden files ;

To show hidden files under Windows XP :
Launch Windows Explorer by right-clicking on Start >> choose Explore
Select the Tools menu and click Folder Options. Select the View Tab :

Check the "Display the contents of system folders" option.
Under the "Hidden files and folders" heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Better print these next instructions out, or copy them to a NotePad file for reading while in Safe Mode.

Please download, install, and update the free version of Ewido Anti-Malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
Reboot into Safe Mode : restart the computer and immediately start tapping the F8 key until a menu with boot options appears. Using the keyboard arrows, select "Safe Mode" and hit "Enter". OK the prompts, and select your regular account (not Administrator).

Once into Safe Mode, launch HijackThis! and click "Do a system scan only", then check these lines and click "Fix checked" :


R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [WinsSystem] C:\Program Files\Internet Explorer\syssmss.exe

O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot


Close HijackThis!. Using Windows Explorer, locate and delete this file (if found) :

C:\Program Files\Internet Explorer\syssmss.exe <<


Still in Safe Mode : run Ewido again.
  • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Reboot back into Normal mode.
~~~~~~~~~~~~~~~~~~~~~

I want to make sure no traces of that trojan are left behind ; so please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Reboot once the scan is done. Post the Kaspersky report here, along with the Ewido report and a new HijackThis! log please. Good luck :whistling:

Edited by ~Mark, 06 April 2006 - 12:03 AM.

  • 0

#7
vpsolis
Posted 07 April 2006 - 04:27 AM

vpsolis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Whew....sorry it took so long to reply. The scans ran for hours. Please find below the log from the latest HiJackThis run.

Logfile of HijackThis v1.99.1
Scan saved at 5:09:54 AM, on 4/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\mysql\bin\mysqld-nt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Win xp\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.equibase.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.equibase.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.iwin.com/...bugs/axhost.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)



-------------------------------- Kaspersky Report Next ----------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, April 07, 2006 4:59:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 7/04/2006
Kaspersky Anti-Virus database records: 186644
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Z:\

Scan Statistics:
Total number of scanned objects: 143883
Number of viruses found: 5
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 03:00:22

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0168130.exe Infected: Trojan-Downloader.Win32.Zlob.jx skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169714.tlb Infected: Trojan-Downloader.Win32.Zlob.js skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169715.exe Infected: Backdoor.Win32.Delf.agh skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169716.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169717.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169718.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169719.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1319\A0169720.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

Scan process completed.


---------------------------------------- Next is the Ewido Report ---------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:04:12 PM, 4/6/2006
+ Report-Checksum: D7453342

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING61.exe -> Downloader.Adload.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\[bleep]snow.exe -> Backdoor.Delf.adj : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win [email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win [email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Win xp\Cookies\win xp@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1313\A0168020.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1313\A0168034.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1313\A0168107.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0168122.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0168123.dll -> Downloader.Zlob.jx : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169138.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169150.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169198.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169312.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169330.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169347.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169428.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1314\A0169443.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1315\A0169458.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1316\A0169495.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1317\A0169528.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1318\A0169568.tlb -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1318\A0169587.exe -> Downloader.Zlob.is : Cleaned with backup
C:\System Volume Information\_restore{C5182735-73DB-4050-A3B7-9857F78264B7}\RP1318\A0169589.exe -> Downloader.Zlob.js : Cleaned with backup
C:\Recycled\Dc2.exe -> Backdoor.Delf.adj : Cleaned with backup
C:\Downloads\MahJongSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\Downloads\WheelOfFortuneSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\Downloads\JEOPARDYSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\Downloads\OregonTrail-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\Downloads\TyperSharkSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
F:\Racing\CharlesTown\2005\Charts\20050513.txt -> Worm.Simpsalapim.j : Cleaned with backup


::Report End

-----------------------------------------------------------------------------------------------------------------------------

Thank you once again for hanging in there and for all your assistance.

Sincerely, Vpsolis
  • 0

#8
Mark
Posted 08 April 2006 - 08:09 AM

Mark

    Sari'z the bestest admin in da worldz!

  • Expert
  • 2,360 posts
Thank you for those reports ; it looks great now :whistling:

Just one little thing left ; if you don't use ViewPoint, you can safely get rid of it. We see it used with AOL sometimes, but I don't see any AOL stuff on your computer.

Just go to Control Panel >> "Add/Remove Programs" and uninstall anything ViewPoint you see there, such as:

ViewPoint Manager
ViewPoint Media Player

Once done, delete this folder :

C:\Program Files\Viewpoint <<

The rest is clean :help: Let me know how the computer is running.
========================================

I see you only have SP1 installed for your operating system. As you will read below, it is extremely important to keep Windows updated with the latest critical updates and Service Pack (SP2).

In order to better protect your computer, here are a few important last steps :

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* UNSELECT "Display the contents of system folders"
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future, I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place. It doesn't run in the background, but acts as a vaccine. Update it every other week.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
If you don't use one of these already, please consider surfing with a better, safer browser than Internet Explorer (both are free !) :**For Firefox, be sure to install both the AdBlock and NoScript extensions for added security.

You should also have a good firewall (the Windows firewall just isn't good enough..). Here are 2 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date, visitmonthly. And to keep your system clean, run these free malware scannersweekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this excellent article by TonyKlein: So how did I get infected in the first place?

Safe surfing :blink:

Edited by ~Mark, 08 April 2006 - 08:13 AM.

  • 0

#9
vpsolis
Posted 08 April 2006 - 09:13 PM

vpsolis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you, thank you, thank you so very much for your gracious assistance. This is the first time I've used this format to communicate. My daughter a college student suggested your website because she said she has used it several time to dis-infect some of her fellow students' infected computers. After all this time I notice in the left hand side at to top the name ~Mark. Is this the gentleman who has been assisting me all along? If so God Bless you Mark you are very much appreciated. Thank you for educating me on what to be aware of and for suggested remedies on how to keep my computer clean. My computer is running fine now thanks to you.

Sincerely, Vpsolis
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP