Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

My Log...Please Help! [RESOLVED]

Started by daddy , Jun 09 2005 10:13 PM

This topic is locked

#1
daddy

Posted 09 June 2005 - 10:13 PM

Member

Member
115 posts

AdClicker.CS trojan has invaded my girlfreinds computer. We have ran all the regular anti virus stuff, but it's still there even though the virus scan says it is not. Please help us repair without a re-install.

Here is her log:

Logfile of HijackThis v1.99.1
Scan saved at 2:24:38 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\ERDCENC.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hiasegb.dll
O2 - BHO: SDWin32 Class - {8E2F6564-6593-453C-A636-595C5E0FC07A} - C:\WINDOWS\system32\stcwy.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [shyx] C:\WINDOWS\shyx.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Embqtu.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ERDCENC] C:\WINDOWS\ERDCENC.EXE
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [23rW3nh] cnetmgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [wjppeds] c:\windows\system32\lbobkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [J006RhNpe] cabtadmn.exe
O4 - HKCU\..\Run: [aolgpw] C:\WINDOWS\system32\aolgpw.exe
O4 - HKCU\..\Run: [wmvnmp] C:\WINDOWS\system32\wmvnmp.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [rmwi] C:\PROGRA~1\COMMON~1\rmwi\rmwim.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002245.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104348431241
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B803716-123A-4635-BBAA-E278921CC92E}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: hgareas - Unknown owner - C:\WINDOWS\system32\hgareas.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks,
peace out...daddy

#2
Excal

Posted 14 June 2005 - 09:46 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi daddy and welcome to GeeksToGo! My name is Excal and I will be helping you.

If you still need help, please post a fresh Hijack log so I can help you with your Malware Problems.

:tazz:

Excal

#3
daddy

Posted 14 June 2005 - 10:08 PM

Member

Topic Starter
Member
115 posts

Hi Excalibur190! Thanks for getting to me. Also as a side note, this trojan has made it impossible for me to restore windows to a previous date. When I try, it fails every time. Anyhoo, here is the up to date log, and please give me step by step instructions for I have never done this before.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:24 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\huaeybt.exe
C:\WINDOWS\system32\hgaiecj.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\ERDCENC.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\stubinstaller5975.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hiasegb.dll
O2 - BHO: SDWin32 Class - {8E2F6564-6593-453C-A636-595C5E0FC07A} - C:\WINDOWS\system32\stcwy.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [shyx] C:\WINDOWS\shyx.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Embqtu.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ERDCENC] C:\WINDOWS\ERDCENC.EXE
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [23rW3nh] cnetmgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [wjppeds] c:\windows\system32\lbobkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [J006RhNpe] cabtadmn.exe
O4 - HKCU\..\Run: [aolgpw] C:\WINDOWS\system32\aolgpw.exe
O4 - HKCU\..\Run: [wmvnmp] C:\WINDOWS\system32\wmvnmp.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [rmwi] C:\PROGRA~1\COMMON~1\rmwi\rmwim.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5975.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002952.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104348431241
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B803716-123A-4635-BBAA-E278921CC92E}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: hgareas - Unknown owner - C:\WINDOWS\system32\hgareas.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

peace out,
daddy

#4
Excal

Posted 14 June 2005 - 10:21 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi daddy and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download the trial version of Ewido Security Suite Here
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from Here
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on
Nailfix.cmd Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. :tazz:

#5
daddy

Posted 16 June 2005 - 11:12 PM

Member

Topic Starter
Member
115 posts

Ok...here we go. Followed directions and ran Ewido scan.

During the Ewido scan I received a message that read:

An infected file was found inside an archive and cannot be cleaned. Do you want to delete the whole archive?
C:\\AOL\\Backup\QFle0530200519286672905.asw

It gave me the options to "Delete All", "Delete" or "Ignore". I clicked on ignore.

The following is the results from the Ewido scan:
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:24:43 PM, 6/16/2005
+ Report-Checksum: 8DEF1056

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 45 min
+ Scanned Files: 43113
+ Speed: 15.94 Files/Second
+ Infected files: 81
+ Removed files: 80
+ Files put in quarantine: 80
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\

+ Scan result:
C:\Documents and Settings\user\Cookies\user@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\auf0.exe -> TrojanDownloader.Apropo.s -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\B182260709\build3.exe -> Spyware.Isearch -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\ICD2.tmp\QDow_AS2.dll -> TrojanDownloader.QDown.s -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\ICD4.tmp\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\vmstmp\vmstmp.exe -> Spyware.DelphinMediaViewer -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0LYBSPMZ\fwbar2_main2[1].dll -> Spyware.CoolBar.a -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\11622892.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\11623744.asw -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\11624144.asw -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\21783753.asw -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\21786577.asw -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\21786978.asw -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22399518.asw -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22400039.asw -> Spyware.Websearch -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22400840.asw -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\37259979.asw -> Trojan.Delf.gh -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\37292921.asw -> Spyware.TopMoxie -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\65145273.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\65151283.asw -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\65156183.asw -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\75484541.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\97247631.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle05282005193326198831.asw -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0530200519286672584.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0530200519286672905.asw/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Error during cleaning
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle05312005184344382759.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle06022005181632499211.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle06032005204329787642.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0607200506324142636.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle06092005104712030539.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0610200519314731563.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle06122005125010397080.asw -> Spyware.MediaPass -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem05282005193426220302.asw -> TrojanDownloader.Wintool.f -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem06092005104712028476.asw -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING14.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\DS3.dll -> TrojanDownloader.Agent.jt -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\QDow_AS2.dll -> TrojanDownloader.QDown.s -> Cleaned with backup
C:\WINDOWS\edow.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\WINDOWS\system32\adstartup.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\system32\Cache\SSK3_B5 Advagency.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINDOWS\system32\dnoqo.dll -> TrojanDownloader.Qoologic.l -> Cleaned with backup
C:\WINDOWS\system32\dun.exe -> Spyware.DealHelper.x -> Cleaned with backup
C:\WINDOWS\system32\EDow_AS2.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\WINDOWS\system32\hgareas.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\hiasegb.dll -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\system32\main.exe -> TrojanDownloader.Agent.hw -> Cleaned with backup
C:\WINDOWS\system32\modgxyz.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\system32\nsk143.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINDOWS\system32\spebegp.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINDOWS\system32\stcwyc.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\system32\stcwyd.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\system32\stcwyf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\system32\unpack.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\user@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup

::Report End

AND THE NEW HIJACK LOG:::::

Logfile of HijackThis v1.99.1
Scan saved at 9:27:29 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hiasegb.dll (file missing)
O2 - BHO: SDWin32 Class - {8E2F6564-6593-453C-A636-595C5E0FC07A} - C:\WINDOWS\system32\stcwy.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [shyx] C:\WINDOWS\shyx.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ERDCENC] C:\WINDOWS\ERDCENC.EXE
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [23rW3nh] cnetmgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [wjppeds] c:\windows\system32\lbobkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [J006RhNpe] cabtadmn.exe
O4 - HKCU\..\Run: [aolgpw] C:\WINDOWS\system32\aolgpw.exe
O4 - HKCU\..\Run: [wmvnmp] C:\WINDOWS\system32\wmvnmp.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [rmwi] C:\PROGRA~1\COMMON~1\rmwi\rmwim.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5975.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002952.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104348431241
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: hgareas - Unknown owner - C:\WINDOWS\system32\hgareas.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ok...where do we go now? Thanks bro!

peace out,
daddy

#6
Excal

Posted 17 June 2005 - 07:20 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Daddy,

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted

Is this your internet service provider (isp)? internal.cahch.com

Sometimes during the fixing of Malware, AntiMalware Programs (Virus, spyware ect.) get in the way of fixing problems, even though they are well meaning :tazz:

. I need you to disable all of your AntiMalware programs for this fix, Please reenable them once you have finished.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy

Download CWShredder here to its own folder.

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

We will be using this program later.

Download and install CleanUp! Here
We will use this program later.

Please download the trial version of Ewido Security Suite Here
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from Here
Unzip it to the desktop but please do NOT run it yet.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Once in Safe Mode, please double-click on
Nailfix.cmd Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Then please run Ewido, and run a full scan. Post the log from the scan here for me.

6. Close all browsers, windows and unneeded programs.

7. Go to Start->Run and type in services.msc and hit OK. Then look for hgareas - Unknown owner - and double click on it. Click on the Stop button and under Startup type, choose Disabled.

8. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\Nail.exe

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hiasegb.dll (file missing)
O2 - BHO: SDWin32 Class - {8E2F6564-6593-453C-A636-595C5E0FC07A} - C:\WINDOWS\system32\stcwy.dll
O4 - HKLM\..\Run: [shyx] C:\WINDOWS\shyx.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ERDCENC] C:\WINDOWS\ERDCENC.EXE
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [23rW3nh] cnetmgr.exe
O4 - HKLM\..\Run: [wjppeds] c:\windows\system32\lbobkm.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [J006RhNpe] cabtadmn.exe
O4 - HKCU\..\Run: [aolgpw] C:\WINDOWS\system32\aolgpw.exe
O4 - HKCU\..\Run: [wmvnmp] C:\WINDOWS\system32\wmvnmp.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [rmwi] C:\PROGRA~1\COMMON~1\rmwi\rmwim.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5975.exe"
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002952.cab
O23 - Service: hgareas - Unknown owner - C:\WINDOWS\system32\hgareas.exe (file missing)

11. click the Fix Checked box

12. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Media Access
Surf Enhance
180Solutions

13. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\Media Access
C:\Program Files\sf
C:\PROGRA~1\COMMON~1\rmwi

14. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\hiasegb.dll
C:\WINDOWS\system32\stcwy.dll
C:\WINDOWS\shyx.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\ERDCENC.EXE
C:\WINDOWS\system32\guarnset.exe
c:\windows\system32\lbobkm.exe
C:\WINDOWS\system32\aolgpw.exe
C:\WINDOWS\system32\wmvnmp.exe
C:\WINDOWS\sfita.exe
C:\WINDOWS\stubinstaller5975.exe
C:\WINDOWS\system32\hgareas.exe
cabtadmn.exe<----Start>Search to find this one.
cnetmgr.exe<----Start>Search to find this one.

15. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

16. Run the program CleanUp!

17. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

18. Please post an Active scan log , Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.

#7
daddy

Posted 17 June 2005 - 08:09 PM

Member

Topic Starter
Member
115 posts

Excalibur...couple things before I begin.

You asked: Is this your internet service provider (isp)? internal.cahch.com

My answer: This is my girlfriends computer...she works on billing at a hospice org. This is a network thing and she needs to connect there to do her work. Her connection to the internet is Yahoo! DSL, but she uses th AOL network and browser to surf the net.

You said: Sometimes during the fixing of Malware, AntiMalware Programs (Virus, spyware ect.) get in the way of fixing problems, even though they are well meaning . I need you to disable all of your AntiMalware programs for this fix, Please reenable them once you have finished.

My question: How and where do I disable all of them...how do I knopw I have disabled all of them???

You said: Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy

My question: What is Spybot Search and Destroy??? Is it already on her computer and if so, how do I access it???

Ok...that is what I need to know before I begin. I understand the rest of the process after that.

Thank you,
daddy

#8
Excal

Posted 17 June 2005 - 08:31 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Daddy, (that feels soooo wrong saying that...lol

)

My answer: This is my girlfriends computer...she works on billing at a hospice org. This is a network thing and she needs to connect there to do her work. Her connection to the internet is Yahoo! DSL, but she uses th AOL network and browser to surf the net.

So internal.cahch.com is something to do with here network? The reason I ask is there is a suspcious entry on HiJack this which relates directly to a connection

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com

My question: What is Spybot Search and Destroy??? Is it already on her computer and if so, how do I access it???

This one is my main concern, and for the time being i think its best we just uninstall it. I will give u the link to reinstall it after we get you cleaned up. So go to start>controlpanel>add/remove programs and look for spybot - search & destroy to remove it.

As far as the other ones, look in the tray by where your clock is. Most of the programs you can just right click on and they give you the option to disable. If not, like i said, I am mostly concerned with Spybot (it is a good program, don't get me wrong, just interferes with the fixes)

Good luck with the fix, I will be here most of the nite, so if you get it done before 1AM EST, i can reply back to you,.

Thanks,

:tazz:

Excal

#9
daddy

Posted 18 June 2005 - 05:02 AM

Member

Topic Starter
Member
115 posts

Ok....I did everything and things were looking really great UNTIL I ran the very last scan with active scan. It said I still had over 50 infected files!!!! How??? Well, here are all my reports.

Activescan results:

Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\wsxsvc
Adware:Adware/Gator No disinfected C:\WINDOWS\FT*_GEPFAH.EXE
Adware:Adware/nCase No disinfected C:\WINDOWS\180ax.log
Spyware:Spyware/ISTbar No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\payload2.inf
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\swin32.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\DealHelper
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\retpdat32.xml
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/WUpd No disinfected C:\Program Files\Media Pass
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\user\Favorites\Finances & Business
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\bsx32.ini
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\11623954.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\15032605.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\15034428.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\21787168.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\21787839.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\21787859.asw
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22400540.asw
Adware:Adware/Envolo No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22401181.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\37297431.asw
Adware:Adware/IPInsight No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\37299231.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41319511.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41320411.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41321111.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41321711.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41322311.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41323111.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41323821.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41324421.asw
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\41325021.asw
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\65153583.asw
Adware:Adware/Envolo No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle05282005193326203178.asw
Adware:Adware/nCase No disinfected C:\WINDOWS\180ax.log
Adware:Adware/nCase No disinfected C:\WINDOWS\180axau.dat
Adware:Adware/nCase No disinfected C:\WINDOWS\180ax_gdf.dat
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:Adware/WinTools No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\QDow_AS2.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/Gator No disinfected C:\WINDOWS\FT2_0_0_629_GEPFAH.EXE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\payload2.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\retpdat32.xml
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\sp32.xml
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\SWin32.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:45:55 AM, 6/18/2005
+ Report-Checksum: 4EE7033D

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 50 min
+ Scanned Files: 43244
+ Speed: 14.25 Files/Second
+ Infected files: 14
+ Removed files: 14
+ Files put in quarantine: 14
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\

+ Scan result:
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@hotlog[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tradedoubler[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0530200519286672905.asw/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me.ab -> Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:27:29 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hiasegb.dll (file missing)
O2 - BHO: SDWin32 Class - {8E2F6564-6593-453C-A636-595C5E0FC07A} - C:\WINDOWS\system32\stcwy.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [shyx] C:\WINDOWS\shyx.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ERDCENC] C:\WINDOWS\ERDCENC.EXE
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [23rW3nh] cnetmgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [wjppeds] c:\windows\system32\lbobkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [J006RhNpe] cabtadmn.exe
O4 - HKCU\..\Run: [aolgpw] C:\WINDOWS\system32\aolgpw.exe
O4 - HKCU\..\Run: [wmvnmp] C:\WINDOWS\system32\wmvnmp.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [rmwi] C:\PROGRA~1\COMMON~1\rmwi\rmwim.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5975.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002952.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104348431241
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: hgareas - Unknown owner - C:\WINDOWS\system32\hgareas.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

OK EXcalibur...where to now bro??? Thanks for your help...let's kill this horsie!

daddy

#10
Excal

Posted 18 June 2005 - 06:42 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Daddy,

I need you to run HiJackThis Again. and give me a new/fresh scan. Make sure you save it to your desktop so you remember where it is. The last one you gave me is old. Scan saved at 9:27:29 PM, on 6/16/2005

Also, did you uninstall Spaybot search and destroy?

Thanks,

:tazz:

Excal

#11
daddy

Posted 18 June 2005 - 03:56 PM

Member

Topic Starter
Member
115 posts

Hey Excalibur...thank you for being so prompt. I was so tired last night after that 2 hour ACTIVESCAN (I did a full comp. scan) that I grabbed the wrong hijack log!!!

Here is a new log I just did as well as a new scan from Ewido.

Logfile of HijackThis v1.99.1
Scan saved at 2:12:45 PM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104348431241
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:50:14 PM, 6/18/2005
+ Report-Checksum: 177021BB

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 35 min
+ Scanned Files: 40352
+ Speed: 18.82 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\

+ Scan result:
No infected files found!

::Report End

Ok...her computer is running better, but not back to normal yet. When I did all the fixes last night, I turned off her McAfee scan but could not figure out how to disable her AOL scan. I was not connected to the internet at all when I did the fixes...and YES...I got rid of the Spybot Search And Destroy before I started anyhting, and I put hijack in it's own folder so it can create the backup logs.

When we started the computer this morning with the McAfee back on, it said it found trojan virus AdClicker.CS again and that it cleaned it??? I don't understand this one. Ok bro...let me know what to do next. Thanks

peace out,
daddy

#12
Excal

Posted 18 June 2005 - 05:05 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Daddy,

Now thats much better!!! Phew.....lol

Ok lets try to clean up the odds and ends.

Please run a free online virus scan at these two sites:
HouseCall
Kaspersky

Please scan your system with Ad-aware: Ad-aware SE - Download - Home Page

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
Once the definitions have been updated:
Reconfigure Ad-Aware for Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
  - "Automatically save logfile"
  - Automatically quarantine objects prior to removal"
  - Safe Mode (always request confirmation)
  - Prompt to update outdated confirmation) - Change to 7 days.
- Click the "Scanning" button (On the left side).
- Under Drives & Folders, select "Scan within Archives"
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (On the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
- Click the "Tweak" button (Again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
  - "Unload recognized processes during scanning."
  - "Obtain command line of scanned processes"
  - "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
  - "Automatically try to unregister objects prior to deletion."
  - "During removal, unload explorer and IE if necessary"
  - "Let Windows remove files in use at next reboot."
  - "Delete quarrantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
Close all programs except ad-aware.
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

Can you please post these 3 logs

Thanks,

Excal

#13
daddy

Posted 19 June 2005 - 01:53 AM

Member

Topic Starter
Member
115 posts

1st) Ran scan with housecall...no infected files...clean scan...no log

2nd) Went to install second scan from kaspersky. Half way through download, a message tells me to remove my AOL McAfee for it might cause conflict...I disabled it. After installation was complete, a reboot was to take place, but instead the whole computer froze up solid!!! Had to shut down, go into safe mode and remove the kaspersky install to get computer working again. So, I said the heck with that and moved onto installing the Ad-Aware Se.

3rd) Successfully installed Ad-Aware Se and reconfigured to your specs. Here are the results: (to big to post all the results so I attached it!!!)

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, June 19, 2005 12:21:47 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator(TAC index:6):3 total references
AdShooter(TAC index:6):1 total references
BargainBuddy(TAC index:8):7 total references
ClearSearch(TAC index:7):9 total references
DealHelper(TAC index:7):7 total references
EzuLa(TAC index:6):2 total references
IBIS Toolbar(TAC index:5):128 total references
MediaMotor(TAC index:8):2 total references
MRU List(TAC index:0):23 total references
Possible Browser Hijack attempt(TAC index:3):62 total references
PromulGate(TAC index:5):2 total references
Prutect(TAC index:8):1 total references
SahAgent(TAC index:9):1 total references
Tracking Cookie(TAC index:3):4 total references
Win32.TrojanDownloader.Agent.Ay(TAC index:7):2 total references
Win32.TrojanDownloader.Small.aly(TAC index:8):78 total references
Win32.TrojanDownloader.TSUpdate(TAC index:6):3 total references
WindUpdates(TAC index:8):2 total references
VX2(TAC index:10):12 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R47 24.05.2005
Internal build : 55
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 476246 Bytes
Total size : 1439523 Bytes
Signature data size : 1408291 Bytes
Reference data size : 30720 Bytes
Signatures total : 40174
CSI Fingerprints total : 886
CSI data size : 30371 Bytes
Target categories : 15
Target families : 679

6-19-2005 12:14:06 AM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R50 13.06.2005
Internal build : 58
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 481146 Bytes
Total size : 1456012 Bytes
Signature data size : 1427935 Bytes
Reference data size : 27565 Bytes
Signatures total : 40456
CSI Fingerprints total : 904
CSI data size : 31134 Bytes
Target categories : 15
Target families : 692

6-19-2005 12:14:18 AM Success
Update successfully downloaded and installed.

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:27 %
Total physical memory:129520 kb
Available physical memory:33708 kb
Total page file size:314284 kb
Available on page file:159808 kb
Total virtual memory:2097024 kb
Available virtual memory:2043972 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

6-19-2005 12:21:47 AM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 472
ThreadCreationTime : 6-19-2005 6:39:29 AM
BasePriority : Normal

#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 528
ThreadCreationTime : 6-19-2005 6:39:30 AM
BasePriority : Normal

#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 552
ThreadCreationTime : 6-19-2005 6:39:31 AM
BasePriority : High

#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 596
ThreadCreationTime : 6-19-2005 6:39:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 608
ThreadCreationTime : 6-19-2005 6:39:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 764
ThreadCreationTime : 6-19-2005 6:39:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 820
ThreadCreationTime : 6-19-2005 6:39:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 888
ThreadCreationTime : 6-19-2005 6:39:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 940
ThreadCreationTime : 6-19-2005 6:39:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1024
ThreadCreationTime : 6-19-2005 6:39:35 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1176
ThreadCreationTime : 6-19-2005 6:39:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [acsd.exe]
ModuleName : C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
Command Line : C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
ProcessID : 1460
ThreadCreationTime : 6-19-2005 6:39:48 AM
BasePriority : Normal

#:13 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 1528
ThreadCreationTime : 6-19-2005 6:39:49 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:14 [ewidoguard.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoguard.exe
Command Line : n/a
ProcessID : 1544
ThreadCreationTime : 6-19-2005 6:39:49 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

#:15 [mpfservice.exe]
ModuleName : C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
Command Line : C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
ProcessID : 1616
ThreadCreationTime : 6-19-2005 6:39:50 AM
BasePriority : Normal
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
ProductName : McAfee Personal Firewall
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
LegalCopyright : Copyright © 2000,2001
OriginalFilename : MpfService.exe
Comments : McAfee Personal Firewall Service

#:16 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 1760
ThreadCreationTime : 6-19-2005 6:39:54 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:17 [wanmpsvc.exe]
ModuleName : C:\WINDOWS\wanmpsvc.exe
Command Line : "C:\WINDOWS\wanmpsvc.exe"
ProcessID : 1824
ThreadCreationTime : 6-19-2005 6:39:55 AM
BasePriority : Normal
FileVersion : 9, 0, 0, 0
ProductVersion : 9, 0, 0, 0
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:18 [mpfagent.exe]
ModuleName : C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
Command Line : C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe -Embedding
ProcessID : 2032
ThreadCreationTime : 6-19-2005 6:40:03 AM
BasePriority : Normal
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
LegalCopyright : Copyright © 2000-2003 Networks Associates Technologies, Inc.
OriginalFilename : MPFAGENT.EXE
Comments : McAfee Personal Firewall Security Center Module

#:19 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 380
ThreadCreationTime : 6-19-2005 6:40:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:20 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 444
ThreadCreationTime : 6-19-2005 6:40:15 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:21 [realplay.exe]
ModuleName : C:\Program Files\Real\RealPlayer\RealPlay.exe
Command Line : "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 972
ThreadCreationTime : 6-19-2005 6:40:27 AM
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:22 [qttask.exe]
ModuleName : C:\Program Files\QuickTime\qttask.exe
Command Line : "C:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 988
ThreadCreationTime : 6-19-2005 6:40:28 AM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:23 [ltmsg.exe]
ModuleName : C:\WINDOWS\LTMSG.exe
Command Line : "C:\WINDOWS\LTMSG.exe" 7
ProcessID : 1040
ThreadCreationTime : 6-19-2005 6:40:31 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 4
ProductVersion : 3, 0, 0, 4
ProductName : Agere Systems ltmsg
CompanyName : Agere Systems
FileDescription : ltmsg
InternalName : ltmsg
LegalCopyright : Copyright © 2003
OriginalFilename : ltmsg.exe
Comments : Messaging application for Agere Win Modem

#:24 [hpztsb07.exe]
ModuleName : C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
Command Line : "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe"
ProcessID : 1112
ThreadCreationTime : 6-19-2005 6:40:34 AM
BasePriority : Normal
FileVersion : 2,140,0,0
ProductVersion : 2,140,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

#:25 [aolsp scheduler.exe]
ModuleName : C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
Command Line : "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
ProcessID : 1140
ThreadCreationTime : 6-19-2005 6:40:37 AM
BasePriority : Normal
FileVersion : 1, 5, 0, 0
ProductVersion : 1, 5, 0, 0
ProductName : AOLSP Scheduler
FileDescription : AOLSP Scheduler
InternalName : AOLSP Scheduler
LegalCopyright : Copyright © America Online, Inc. 2004
OriginalFilename : AOLSP Scheduler.exe

#:26 [mcagent.exe]
ModuleName : C:\PROGRA~1\mcafee.com\agent\mcagent.exe
Command Line : "C:\PROGRA~1\mcafee.com\agent\mcagent.exe"
ProcessID : 1244
ThreadCreationTime : 6-19-2005 6:40:40 AM
BasePriority : Normal
FileVersion : 4, 3, 0, 10
ProductVersion : 4, 3, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 1998-2002 Networks Associates Technology, Inc.
OriginalFilename : mcagent.exe

#:27 [mcvsescn.exe]
ModuleName : c:\progra~1\mcafee.com\vso\mcvsescn.exe
Command Line : "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled
ProcessID : 1356
ThreadCreationTime : 6-19-2005 6:40:47 AM
BasePriority : Normal
FileVersion : 8, 0, 0, 30
ProductVersion : 8, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:28 [aoltray.exe]
ModuleName : C:\Program Files\America Online 9.0\aoltray.exe
Command Line : "C:\Program Files\America Online 9.0\aoltray.exe" -check
ProcessID : 2240
ThreadCreationTime : 6-19-2005 6:41:19 AM
BasePriority : Normal
FileVersion : 9.00.000
ProductVersion : 9.00.000
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright © America Online, Inc. 1999 - 2003

#:29 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1664
ThreadCreationTime : 6-19-2005 7:13:34 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AdRotator Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1cfb8b32-4053-4144-af6f-1540eec7f101}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{2c4e6d22-b71f-491f-aad3-b6972a650d50}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c380566d-f343-42ab-987b-6b38a1a35747}

WindUpdates Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : mediaaccess.installer

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}

DealHelper Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app management\arpcache\dealhelper

DealHelper Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app management\arpcache\dealhelper
Value : Changed

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 7

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7

AdShooter Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\internet explorer\toolbar\Webbrowser
Value : {c109664b-ceb1-420b-b353-d55a561536dd}

MRU List Object Recognized!
Location: : C:\Documents and Settings\user\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\user\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\office\11.0\publisher\recent file list
Description : list of recent files used by microsoft publisher

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-746137067-854245398-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : user@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:31
Value : Cookie:[email protected]/
Expires : 6-17-2010 9:17:46 PM
LastSync : Hits:31
UseCount : 0
Hits : 31

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : user@centrport[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 12-31-2029 5:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : user@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 8-9-2006 1:00:54 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/
Expires : 12-31-2009 5:00:00 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 35

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IBIS Toolbar Object Recognized!
Type : File
Data : 11623954.asw
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\

IBIS Toolbar Object Recognized!
Type : File
Data : 22400540.asw
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\

IBIS Toolbar Object Recognized!
Type : File
Data : 65153583.asw
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045071.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP110\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045095.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP110\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045121.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP110\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045176.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP111\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045200.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP111\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045256.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP112\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045283.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP112\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045314.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP112\

IBIS Toolbar Object Recognized!
Type : File
Data : A0045361.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP113\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046356.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP113\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046393.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP113\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046419.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP113\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046468.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP114\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046493.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP114\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046519.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP114\

IBIS Toolbar Object Recognized!
Type : File
Data : A0046543.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP114\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047544.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP115\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047569.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP115\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047596.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP115\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047633.cfg
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP116\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047634.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP116\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047641.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP116\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047669.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP116\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047696.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP116\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047751.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP117\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047764.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP117\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047807.cfg
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP118\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047808.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP118\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047816.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP118\

BargainBuddy Object Recognized!
Type : File
Data : A0047862.srg
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe

IBIS Toolbar Object Recognized!
Type : File
Data : A0047865.cfg
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047866.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\

IBIS Toolbar Object Recognized!
Type : File
Data : A0047873.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\

IBIS Toolbar Object Recognized!
Type : File
Data : A0048870.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\

IBIS Toolbar Object Recognized!
Type : File
Data : A0048903.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\

IBIS Toolbar Object Recognized!
Type : File
Data : A0048927.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP119\

IBIS Toolbar Object Recognized!
Type : File
Data : A0048975.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP120\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049000.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP120\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049028.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP120\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049056.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP120\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049092.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP120\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049121.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP120\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049169.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP121\

BargainBuddy Object Recognized!
Type : File
Data : A0049199.vxd
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP121\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

IBIS Toolbar Object Recognized!
Type : File
Data : A0049238.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP122\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049263.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP122\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049299.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP122\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049326.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP122\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049363.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP123\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049387.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP123\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049410.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP123\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049450.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP123\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049497.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP124\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049522.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP124\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049547.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP124\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049579.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP124\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049623.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP125\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049668.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP127\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049694.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP127\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049744.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP128\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049793.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP129\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049835.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP130\

IBIS Toolbar Object Recognized!
Type : File
Data : A0049863.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP130\

IBIS Toolbar Object Recognized!
Type : File
Data : A0050863.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP131\

IBIS Toolbar Object Recognized!
Type : File
Data : A0050877.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP131\

IBIS Toolbar Object Recognized!
Type : File
Data : A0050909.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP132\

IBIS Toolbar Object Recognized!
Type : File
Data : A0050944.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP132\

IBIS Toolbar Object Recognized!
Type : File
Data : A0050957.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP132\

IBIS Toolbar Object Recognized!
Type : File
Data : A0051002.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{DE6A7A93-410F-46D8-8048-0C6F034565EE}\RP133\

IBIS Toolbar Object Recognized!
Type : File
Data : A0051072.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information�

Attached Files

adware.TXT 141.01KB 273 downloads

Edited by daddy, 19 June 2005 - 02:06 AM.

#14
daddy

Posted 19 June 2005 - 01:59 AM

Member

Topic Starter
Member
115 posts

wow...guess too much info to fit in one post. Here is the hijack file

Logfile of HijackThis v1.99.1
Scan saved at 12:40:25 AM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104348431241
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cahch.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cahch.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cahch.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

peace out,
daddy

#15
Excal

Posted 19 June 2005 - 08:39 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Daddy,

Everything is looking good

Most of those entries found in there were restore point previous infections and registry Keys. Lets clean up your registry.

Please dowload: RegSeeker.
Click on "Clean The Registry" in the left panel.
Check all boxes (make sure the backup box in the lower left corner is selected!).
After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!

please run this online virus scan: ActiveScan - Save the results from the scan!

Let me know the problems your having with the computer. Only need the ActiveScan Log.

Thanks,

:tazz:

Excal