Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Found malware-CW.MSConfig, BHO and BackWeb

Started by halfopus , May 07 2005 01:15 AM

Please log in to reply

#61
halfopus

Posted 14 June 2005 - 08:53 PM

Member

Topic Starter
Member
44 posts

Happy Birthday coachwife6!

I installed ZoneAlarm. Many alerts pop up from 192.168.2.100 -- a benign website.

My internet connection will suddenly be lost and rebooting will reenable it. I tried resetting cable modem, router, enable/disable/repair internet connection...nothing would work except rebooting.

Cannot delete the following key related to Effective-i -- any hints?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatability\{44BE0690-5429-47F0-85BB-3FFD8020233E}

Thanks for your continued help-hope you had a good day! :tazz:

#62
halfopus

Posted 15 June 2005 - 12:52 AM

Member

Topic Starter
Member
44 posts

I installed ZoneAlarm. Many alerts pop up from 192.168.2.100 -- a benign website.

TrendMicro reported the above attack type as an "ICMP Echo Request." :tazz:

#63
coachwife6

Posted 16 June 2005 - 02:47 PM

SuperStar

Retired Staff
11,413 posts

H-O: Sorry it took me so long to get back to you. :tazz:

1. Disable System Restore (Windows Me/XP).
2. Update ewido or any other virus scanner you have been using..
3. Run a full system scan and delete all the files detected as Adware.UCMore.
4. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

How to turn off system restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

2. Update viral program and scan - delete anything picked up.

3. To delete the value from the registry
Important: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document, how to back up your registry" for instructions.

1. Click Start > Run.
2. Type regedit

Then click OK.
3. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

In the right pane, delete the value:

"{44BE0690-5429-47f0-85BB-3FFD8020233E}" = "UCmore - The Search Accelerator"

4. Delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator
HKEY_LOCAL_MACHINE\SOFTWARE\Effective-i
HKEY_CURRENT_USER\Software\Effective-i
HKEY_CURRENT_USER\Software\Maxthon

Run CleanUp! Post a new log and tell me how it's running.

#64
halfopus

Posted 27 June 2005 - 12:03 AM

Member

Topic Starter
Member
44 posts

Hello CW6,
Here is my most recent HJT log. I think I finally got rid of Effective-i!

Do I need the following or can I delete them safely?:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
R3 - Default URLSearchHook is missing

Logfile of HijackThis v1.99.1
Scan saved at 8:38:37 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Folder Shield\FSService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Folder Shield\fsp.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPC129~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [fspr] "C:\Program Files\Folder Shield\FolderShield.exe" CR
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Dell Computer\Dell Image Expert\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpyKiller] C:\Program Files\SpyWare Killer\spyware_killer.exe /scan
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#65
coachwife6

Posted 27 June 2005 - 10:08 PM

SuperStar

Retired Staff
11,413 posts

Those entries aren't hurting anything and you will have to disable many of your spyware programs to get it done.

Is it running OK?

#66
halfopus

Posted 29 June 2005 - 03:08 PM

Member

Topic Starter
Member
44 posts

Hello,

I have finally gotten rid of a few bad registery entries by using scanners in safe mode and using CleanUp! and CCleaner before reboot.

I'm having problems removing the following reg entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\ActiveX compatability\{44BE0690-5429-47F0-85BB-3FFD8020233E} presumably related to Effective-i.

Each time I delete this key value, it reappears next time I open regedit, reganalyzer, or reglite. How do I terminate it for good?

The following have been returning occasionally:
CoolWebSearch (found by MS AntiSpyware)
Effective-i Inc (found by SpySubtract)
ClearSearch (found by SpyWare Killer)
unknown BHO (defined unclearly as "URL Search" BHO by MSAS)

Also, a new Administrator folder has been created named "Administrator.#####", (where ##### is my computer number). Could this folder be harboring the recurrent malware?

Thanks again! :tazz:

#67
coachwife6

Posted 29 June 2005 - 09:53 PM

SuperStar

Retired Staff
11,413 posts

Kill Bit Setting

Administrators and users can set a kill bit flag in the registry to make Internet Explorer not load specific controls. In order to do so the control's CLASSID must be known. Then the following registry key must be located or created: HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatability\{CLASSID}. Locate the Compatibility Flag key. By default, it can be several values. Setting it to 400 will instruct Internet Explorer not to load the control. This is a good way for administrators to prevent known controls from running if they've had a problem with them previously.

http://www.oreilly.c...apter/ch11.html

This is my advice:

1. Is the machine is running properly? If it's not, then we'll tackle the next problem.

#68
halfopus

Posted 30 June 2005 - 12:56 AM

Member

Topic Starter
Member
44 posts

Hi!

Just a quick note...Compatibility Flag key is already set to 400.

My system is still lethargic! :tazz:

Thanks for your contiuning support!

#69
coachwife6

Posted 30 June 2005 - 06:52 AM

SuperStar

Retired Staff
11,413 posts

My system is still lethargic!

OK. We'll tackle that problem. We need to get rid of the plethora of programs you have running. I am working now, but give me a couple of hours and I'll throw some ideas out there for you to consider.

Have you ever considered joining GeekU? There's a link in my signature. With your interest and zeal to fight malware, it might be right up your alley. :tazz:

#70
coachwife6

Posted 30 June 2005 - 12:25 PM

SuperStar

Retired Staff
11,413 posts

I have gone through your log and given you some options of what I think you should do. If it's lethargic it may because you have a lot of stuff running on it that you don't need.

I told you what to remove and what to put checkmarks next to.

Logfile of HijackThis v1.99.1
Scan saved at 8:38:37 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Folder Shield\FSService.exe<<you say this is safe. I don't know much about it.
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Folder Shield\fsp.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe<<antiviral or firewall? Use only one
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE<<antiviral or firewall
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe<<get rid of it?
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe<<is this the only firewall?
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe<<get rid of it
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe<<get rid of it
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe<<get rid of it
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe<<antiviral or firewall??
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe<<antiviral or firewall??
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe<<antiviral or firewall??
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe<<get rid of
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe<<get rid of
C:\Program Files\SpywareGuard\sgmain.exe<<get rid of
C:\Program Files\SpywareGuard\sgbhp.exe<<get rid of
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
R3 - Default URLSearchHook is missing<<check mark
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll<<check mark
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPC129~1\tools\iesdsg.dll<<get rid of -- check mark
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll<<check mark
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [fspr] "C:\Program Files\Folder Shield\FolderShield.exe" CR
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot<<put a check mark next to it
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"<<get rid of
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Dell Computer\Dell Image Expert\QuickTime\qttask.exe" -atboottime<<put a check mar next to it in hijack this
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"<<get rid of
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe<<get rid of
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe<<check markf
O4 - HKLM\..\Run: [SpyKiller] C:\Program Files\SpyWare Killer\spyware_killer.exe /scan<<get rid of
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q<get rid of
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe<<get rid of
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe<<get rid of
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe<<get rid of

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll<<check mark

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Here is a great tutorial on some things you can do to make your ocmputer more efficient.

Restore Your Computer's Performance

#71
halfopus

Posted 07 July 2005 - 12:14 AM

Member

Topic Starter
Member
44 posts

It's been a while, but you gave me lots of homework on that last post!

Thanks for your great input!

Yes, I have thought about GeekU but my current schedule would not allow proper attention to this matter. I'll keep studying until then!

I have taken your advice and removed what I could from your last recommendations. There are a few I am having trouble removing.

I am trying ZeroSpyware and it found "SpyAnytime PC Spy" a commercial keylogger! :tazz:

I wonder how I have been compromised during this period!

Trend Micro Antivirus found "JS Fortnight.M" but, again, could not find suspicious files or reg keys.

BTW, my system is faster...thanks for the advice!

Here is my current HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:12:56 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FBM Software\ZeroSpyware\ZeroSpyware.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ZSScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware\
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.s.../ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Edited by halfopus, 07 July 2005 - 12:17 AM.

#72
coachwife6

Posted 07 July 2005 - 12:14 PM

SuperStar

Retired Staff
11,413 posts

I'm sure you already found this info. out:

Virus Characteristics "JS Fortnight.M"

This script virus resides on a web page, which was recently removed. Upon visiting this page previously, a user's email signature file was appended to include a link to malicious webpage. When an infected user manually sent out an email message, a link would appear at the bottom, pointing to a web page on this site.

Again, the malicious page was removed; therefore this virus is currently not a threat. However, users may see this detection in messages sent from infected users.

Symptoms

Sent email messages contain a link to http://link.rawtocas...cgi-bin/omitted.

Here's the info. to delete the keylogger (if it's there)

http://www3.ca.com/s...px?id=453079161

#73
halfopus

Posted 18 July 2005 - 12:05 AM

Member

Topic Starter
Member
44 posts

Hello again CW6!

My system has improved greatly with your prior recommendations. Web surfing seems to be back to normal and my internet connection is not being randomly disabled as before. Thanks for your continued help! :tazz:

XoftSpy found W32.Xabot.Worm is this a false positive? How do I delete?

Trend OnLine Spyware Scanner found “Effective- i” and deleted it. The next few scans find nothing, but then a few days later it returns again--very persistent.

I am considering a Windows XP repair rather than reformatting with a clean install. Any hints on how to do this safely? I cannot reinstall my video driver and an error dialog box appears. Currently my resolution is not good as I am using 32-bit color quality and a resolution of 800 X 600 pixels. Is this malware related?

Thanks!