Trojans/Malware just need a little help

New Member (2 posts):

Greetings to the forum,

I have a nice little infection on my PC that I'm trying to cure and could use some assistance.

Let's start with the basics:

Windows - XP SR ? build 2600
Pentium III 930 MHz

McAfee Virus Plus 2007 - updated
Ver. 11 build: 11.0.213

OK, now the meat, as it were...

I've run SmitFraudFix (ver. 2.110) and cleaned some of the minor nasty trash out, but I'm still having a problem in that I have processes running (even in Safe Mode) maxing out the processor and preventing me from further scanning or cleaning the rest of the major problems.

I was able to run HiJackThis and the log is posted below (this was pre-SmitFraudFix being run); I couldn't run it again since the system processor maxed out and I couldn't do anything but shut down and wait it out.

This is the log. I didn't check anything because I wasn't sure exactly what needed to be checked and fixed (better safe than sorry... at least until you get a professional opinion). Which is why I'm here: I need some help targeting those items in the log that need to be fixed so that further scans can be run.

Please take a look; any assistance would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:43:11 AM, on 10/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msc\mcuimgr.exe
c:\program files\mcafee\msc\mcshell.exe
c:\program files\mcafee\msc\mcupdui.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Xenia Crow.XENIA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {EFDB938B-026E-50B1-6BE2-56807F385295} - C:\WINDOWS\System32\gfp.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe init32x.exe vmmdiag32.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{306615E0-03A2-1033-0726-000525000001}\MyToolBar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xkpmsmj.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xkpmsmj.dll,cjxafff
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\2ns.exe
O4 - HKLM\..\Run: [win_drivr32] C:\DOCUME~1\XENIAC~1.XEN\LOCALS~1\Temp\119231.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\WINDOWS\System32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\ADMINI~2\LOCALS~1\Temp\17891\gm.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\WINDOWS\System32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunOnce: [!mcagntps.dll] regsvr32.exe /s c:\PROGRA~1\mcafee.com\agent\mcagntps.dll
O4 - HKLM\..\RunOnce: [mcagent.exe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe -regserver
O4 - HKLM\..\RunOnce: [!mcmispps.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcmispps.dll
O4 - HKLM\..\RunOnce: [!mccfgmgr.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mccfgmgr.dll
O4 - HKLM\..\RunOnce: [!mccfgpv.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mccfgpv.dll
O4 - HKLM\..\RunOnce: [mclogsrv.exe] c:\PROGRA~1\mcafee\msc\mclogsrv.exe -regserver
O4 - HKLM\..\RunOnce: [!mcmismgr.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcmismgr.dll
O4 - HKLM\..\RunOnce: [!mcmscver.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcmscver.dll
O4 - HKLM\..\RunOnce: [!mcmnumgr.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcmnumgr.dll
O4 - HKLM\..\RunOnce: [!mcdemenu.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcdemenu.dll
O4 - HKLM\..\RunOnce: [mcpromgr.exe] c:\PROGRA~1\mcafee\msc\mcpromgr.exe -regserver
O4 - HKLM\..\RunOnce: [!mcprtcnt.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcprtcnt.dll
O4 - HKLM\..\RunOnce: [!mcprotpv.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcprotpv.dll
O4 - HKLM\..\RunOnce: [mcshell.exe] c:\PROGRA~1\mcafee\msc\mcshell.exe -regserver
O4 - HKLM\..\RunOnce: [!mcshllps.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcshllps.dll
O4 - HKLM\..\RunOnce: [mcuimgr.exe] c:\PROGRA~1\mcafee\msc\mcuimgr.exe -regserver
O4 - HKLM\..\RunOnce: [!mcuicfg.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcuicfg.dll
O4 - HKLM\..\RunOnce: [mcupdmgr.exe] c:\PROGRA~1\mcafee\msc\mcupdmgr.exe -regserver
O4 - HKLM\..\RunOnce: [mcupdui.exe] c:\PROGRA~1\mcafee\msc\mcupdui.exe -regserver
O4 - HKLM\..\RunOnce: [mcusrmgr.exe] c:\PROGRA~1\mcafee\msc\mcusrmgr.exe -regserver
O4 - HKLM\..\RunOnce: [!qcmisp.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\mqc\qcmisp.dll
O4 - HKLM\..\RunOnce: [!shrmisp.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\mshr\shrmisp.dll
O4 - HKLM\..\RunOnce: [!mcnmcsps.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcnmcsps.dll
O4 - HKLM\..\RunOnce: [!mcnmcsrv.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcnmcsrv.dll
O4 - HKLM\..\RunOnce: [!mcnmcprv.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcnmcprv.dll
O4 - HKLM\..\RunOnce: [!mcnmcver.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcnmcver.dll
O4 - HKLM\..\RunOnce: [!mccoreps.dll] regsvr32.exe /s c:\PROGRA~1\COMMON~1\mcafee\core\mccoreps.dll
O4 - HKLM\..\RunOnce: [!mcevtbrk.dll] regsvr32.exe /s c:\PROGRA~1\COMMON~1\mcafee\core\mcevtbrk.dll
O4 - HKLM\..\RunOnce: [!MCNASV~1.DLL] regsvr32.exe /s c:\PROGRA~1\COMMON~1\mcafee\mna\MCNASV~1.DLL
O4 - HKLM\..\RunOnce: [mcnasvc.exe] c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe -regserver
O4 - HKLM\..\RunOnce: [!mcuj.dll] regsvr32.exe /s c:\PROGRA~1\COMMON~1\mcafee\mna\mcuj.dll
O4 - HKCU\..\Run: [bwv5RWfmW] msietoledb40.exe
O4 - HKCU\..\Run: [Ebrl] "C:\WINDOWS\System32\WNSXS~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Kqlrkg] ?$?????$\?ti2evxx.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\z26213584.exe
O4 - HKCU\..\Run: [Winstb] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [win_drivr32] C:\DOCUME~1\XENIAC~1.XEN\LOCALS~1\Temp\119231.exe
O4 - HKCU\..\Run: [Winsth] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [Winstu] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [Winstg] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [Winstz] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [Winstm] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [Winstt] C:\WINDOWS\System32\z262116384.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {8CB1D4C7-0A08-4C16-8866-72F0631EA1F9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8CB1D4C7-0A08-4C16-8866-72F0631EA1F9} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F0E8E490-34C8-45BC-A539-EAC48049373D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F0E8E490-34C8-45BC-A539-EAC48049373D} - (no file) (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{301214CB-BE07-4DF9-8D1C-6B47B918551B}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF724BF-BF52-42AB-9FA6-F7D60832C8B0}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7F6D17-8AAA-47A4-9CFB-E0F9D1443BA6}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{9110D7C7-1E84-40B0-98C7-51566A4F3CDE}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{A91B5910-CA53-463D-9D94-42E4861570DA}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{301214CB-BE07-4DF9-8D1C-6B47B918551B}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O20 - AppInit_DLLs: C:\WINDOWS\System32\systv01.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: GrpeGLt - {306615E1-9ACC-BF4B-7ABF-B49261C90DC2} - C:\WINDOWS\System32\gffeco.dll (file missing)
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

If I am able to get the PC to work for me again I'll be running a new HiJackThis (post SmitFraudFix) to see what was cleaned and what's still there.

I have already surfed around and have determined that the following are definitely undesirable:


F2 - REG:system.ini: Shell=Explorer.exe init32x.exe vmmdiag32.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe

O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\WINDOWS\System32\_mzu_stonedrv3.exe

Looking for assistance in finding any other problems and the best solutions to remove them.

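The triage the poster is asking for (which log entries deserve attention) follows a handful of rules of thumb that helpers apply by eye: autostart entries that run from Temp, from the drive or Windows root, from no directory at all, or under the legacy RunServices key; a Shell= line that loads anything besides Explorer.exe; a win.ini run= entry; an AppInit_DLLs value; a site added to the Trusted Zone; and orphaned entries whose file is gone. As an added example, not part of the original thread and not code from HijackThis or Geeks to Go, the Python below applies those heuristics to a log. The sample lines are excerpted from the log posted above; the regexes, reason strings, and the file-name pattern for "random-looking" names are this example's own assumptions and would need tuning on other logs.

```python
import re
from dataclasses import dataclass

# Sample input: lines excerpted from the HijackThis log posted above.
# Only a subset is used here so the example stays short.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe init32x.exe vmmdiag32.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win_drivr32] C:\DOCUME~1\XENIAC~1.XEN\LOCALS~1\Temp\119231.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\WINDOWS\System32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Winstb] C:\WINDOWS\System32\z262116384.exe
O4 - HKCU\..\Run: [bwv5RWfmW] msietoledb40.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\System32\systv01.dll
O21 - SSODL: GrpeGLt - {306615E1-9ACC-BF4B-7ABF-B49261C90DC2} - C:\WINDOWS\System32\gffeco.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 entries look like: <key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat|pif)\b', re.I)
# Assumed "random-looking" shapes, taken from the log above: z<digits>.exe,
# <digits>.exe, _<name>.exe.  Tune this for other logs.
RANDOM_NAME_RE = re.compile(r"^(?:z\d{6,}|\d{5,}|_.*)\.exe$", re.I)


def check_o4(body):
    """Return a reason string if an O4 (autostart) entry looks suspicious, else None."""
    m = O4_RE.match(body)
    if not m:
        return None  # e.g. "Global Startup:" shortcut lines, not handled here
    key, cmd = m.group("key"), m.group("cmd")
    pm = PATH_RE.search(cmd)
    if not pm:
        return "no full path: executable is resolved through the search path"
    folder, _, fname = pm.group(0).rpartition("\\")
    low = folder.lower()
    if key.lower().endswith("runservices"):
        return "uses the legacy RunServices key (a Windows 9x key, odd on XP)"
    if re.search(r"\\temp(\\|$)", low):
        return "runs from a Temp directory"
    if re.fullmatch(r"[a-z]:(\\windows)?", low):
        return "executable dropped directly in the drive root or Windows root"
    if RANDOM_NAME_RE.match(fname):
        return "random-looking file name"
    return None


def audit(log_text):
    """Walk a HijackThis log and collect entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2" and "shell=" in body.lower():
            # Shell= should be exactly Explorer.exe; anything appended is loaded at logon.
            extra = [t for t in body.split("=", 1)[1].split() if t.lower() != "explorer.exe"]
            if extra:
                reason = "Shell= loads extra programs alongside Explorer: " + " ".join(extra)
        elif section == "F3" and "run=" in body.lower():
            value = body.split("=", 1)[1].strip()
            if value:
                reason = "win.ini run= launches " + value
        elif section == "O4":
            reason = check_o4(body)
        elif section == "O15":
            reason = "site added to IE's Trusted Zone (relaxed security for that site)"
        elif section == "O20" and body.lower().startswith("appinit_dlls:"):
            if body.split(":", 1)[1].strip():
                reason = "AppInit_DLLs injects a DLL into every process that loads user32.dll"
        elif "(no file)" in body or "(file missing)" in body:
            reason = "orphaned entry: the registered component's file is gone"
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script leaves the QuickTime and McAfee lines alone and flags the other eleven, each with the rule that tripped. It is a first-pass filter only: a legitimate vendor entry can run from an odd place, and a well-named dropper in Program Files passes every rule here, so the output is a list to check, not a list to fix blindly.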
Malware Expert (10,019 posts):

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:

You have a badly infected computer, however, there really is no way to secure your computer without first patching and updating Windows to close numerous security holes in your current system. Please visit Windows Update and install Service Pack 1.


Once you have done that, please post a fresh hijackthis log back here as a reply in this thread.

New Member (Topic Starter, 2 posts):

I would love to be able to update but, with the infection, I can't even get on-line. What I will probably do is run HiJack and clean the ones that I know for sure now must be cleaned and then see if that does enough of a fix so that I can do a windows update. If that works I'll then run HiJack and post the log.


Malware Expert (10,019 posts):

Let's see if we can just get you validated and then we'll go from there.

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.
