Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Justifiable Homicide [RESOLVED]

Started by mumsmenagerie , Jul 01 2005 11:05 AM

  • This topic is locked This topic is locked

#1
mumsmenagerie
Posted 01 July 2005 - 11:05 AM

mumsmenagerie

    Member

  • Member
  • PipPip
  • 15 posts
(Sigh) :tazz:

I need a good way to keep SOMEONE off of those bad websites....

I am having problems - again.. Please let me know which ones to delete. Thank you

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:07 AM, on 7/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\javaqx32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\HijackThis.exe
c:\program files\mcafee.com\shared\mghtml.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2818B797-4E38-0CF8-5455-D4914850AA30} - C:\WINDOWS\system32\mfccp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [javaqx32.exe] C:\WINDOWS\system32\javaqx32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) -

http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

http://bin.mcafee.co...81/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -

http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) -

http://classlive.eco...aste/lsiw2k.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://anu.popcap.co...aploader_v6.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netst.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

Advertisements

#2
Guest_usetobe_*
Posted 01 July 2005 - 11:28 AM

Guest_usetobe_*
  • Guest
Well here we go again apparently

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY HERE
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Download a free 14 day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Set PC to show hidden files (click link if you do not know how)LINK

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find . Remote Procedure Call (RPC) Helper
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uydqx.dll/sp.html#69959
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2818B797-4E38-0CF8-5455-D4914850AA30} - C:\WINDOWS\system32\mfccp32.dll
O4 - HKLM\..\Run: [javaqx32.exe] C:\WINDOWS\system32\javaqx32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netst.exe

Ensure no windows open except HJT and click FIX CHECKED.

Now in HJT click on misc tools section, then on delete an NT Service. In the popup box copy and paste the following. IT IS IMPORTANT THAT YOU PUT A SPACE IN FRONT OF THE FIRST NUMBER 1 AFTER YOU HAVE COPIED AND PASTED IT OR IT WILL NOT WORK

11Fßä#·ºÄÖ`I

Click ok.

now using windows explorer locate the following files/folders and delete them.

C:\WINDOWS\system32\mfccp32.dll
C:\WINDOWS\system32\javaqx32.exe
C:\WINDOWS\netst.exe

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

Now run Ewido. click on the Scanner button, Select drives if you have more than one and then start.

grab a cup of coffee, sandwiches, book as this may take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Carry out another HJT scan and post the log back here, so we can sort out any remnants

Edited by usetobe, 02 July 2005 - 12:31 AM.

  • 0

#3
mumsmenagerie
Posted 01 July 2005 - 11:38 AM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Jiminy Christmas!!!! (okay...okay, I'm keeping my mouth clean....)

as that saying goes.... "I'll be back!" ( today I hope)
  • 0

#4
mumsmenagerie
Posted 01 July 2005 - 01:27 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I got about halfway through and realized that I might be missing part of the directions... the original says:
[QUOTE]Now in HJT click on misc tools section, then on delete an NT Service. In the popup box copy and paste the following. IT IS IMPORTANT THAT YOU PUT A SPACE IN FRONT OF THE FIRST NUMBER 1 AFTER YOU HAVE COPIED AND PASTED IT OR IT WILL NOT WORK

Click ok.

But....it doesn't tell me what to type in - Please let me know if I am missing something.

I am having real trouble getting my explorer to stay up so if you have access to my e-mail address - could you please send it that way as well?

Sorry to be such a pain!!!!!
  • 0

#5
Guest_usetobe_*
Posted 01 July 2005 - 01:47 PM

Guest_usetobe_*
  • Guest
OOPS :tazz:

Must have had a blond moment

this is what you need to enter

11Fßä#·ºÄÖ`I
  • 0

#6
mumsmenagerie
Posted 01 July 2005 - 01:50 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
okay will start over and add that lil bit - no worries!
  • 0

#7
mumsmenagerie
Posted 01 July 2005 - 11:50 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ya know what? let's just start over....

I've run the above instuctions 3 times and I am still not getting anywhere - but it may be easier to begin again from scratch.

I have a little more information...between mcafee and ewido I have been informed that I have the following trojans on my system.

Ewido= TrojanDownloader.Agent.bq

Mcafee= Downloader-abw; startpage-du.dll; downloader-acc, spy-agent.d

So now that I've probably made hash of the previous attempts.....Here's the latest.


Logfile of HijackThis v1.99.1
Scan saved at 12:34:03 AM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\nttl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\apput.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wipmh.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wipmh.dll/sp.html#69959
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wipmh.dll/sp.html#69959
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [apput.exe] C:\WINDOWS\system32\apput.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...81/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://classlive.eco...aste/lsiw2k.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nttl.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#8
Guest_usetobe_*
Posted 02 July 2005 - 12:53 AM

Guest_usetobe_*
  • Guest
Hi Again,

OK we will run through this all again.

Please print out a copy of these instructions so that you have them handy when you need to reboot and also copy them to notepad and save it to your desktop to access when you are in SAFE MODE.

As you should already have all the programs downloaded and updated, we can skip all that part out and proceed straight to the fix.

Ensure PC set to show hidden files

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find . Remote Procedure Call (RPC) Helper
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Now run Ewido. click on the Scanner button, Select drives if you have more than one and then start.

grab a cup of coffee, sandwiches, book as this may take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy and paste it into notepad or word and save it where you can remember, such as desktop so you can post it in this thread.

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wipmh.dll/sp.html#69959
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wipmh.dll/sp.html#69959
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wipmh.dll/sp.html#69959
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [apput.exe] C:\WINDOWS\system32\apput.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nttl.exe" /s (file missing)

Ensure no windows open except HJT and click FIX CHECKED.

Now in HJT click on misc tools section, then on delete an NT Service. In the popup box copy and paste the following. IT IS IMPORTANT THAT YOU PUT A SPACE IN FRONT OF THE FIRST NUMBER 1 AFTER YOU HAVE COPIED AND PASTED IT OR IT WILL NOT WORK

11Fßä#·ºÄÖ`I

Click ok.

now using windows explorer locate the following files/folders and delete them if found.

C:\WINDOWS\system32\apput.exe
C:\WINDOWS\nttl.exe

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Run this online virus scan: [b]ActiveScan - Save the results from the scan

Carry out another HJT scan and post the log back here, so we can sort out any remnants
  • 0

#9
mumsmenagerie
Posted 02 July 2005 - 12:27 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay- now we might be getting somewhere...LOL

I followed instructions and made notes as I went along. My notes are in red

First, the notes....

Click Yes to allow it to shutdown explorer.exe. not happeningIt will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end
restarted here...
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. none infected

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply. not infected Log results are:

(7/2/05 8:31:53 AM) SPSeHjFix started v1.1.2
(7/2/05 8:31:53 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/2/05 8:31:53 AM) Language: english
(7/2/05 8:31:53 AM) Win-Path: C:\WINDOWS
(7/2/05 8:31:53 AM) System-Path: C:\WINDOWS\System32
(7/2/05 8:31:53 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(7/2/05 8:31:55 AM) Disinfection started
(7/2/05 8:31:55 AM) Bad-Dll(IEP): (not found)
(7/2/05 8:31:55 AM) Bad-Dll(IEP) in BHO: (not found)
(7/2/05 8:31:55 AM) UBF: 7 - UBB: 0 - UBR: 17
(7/2/05 8:31:55 AM) UBF: 7 - UBB: 0 - UBR: 17
(7/2/05 8:31:55 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(7/2/05 8:31:55 AM) Stealth-String not found
(7/2/05 8:31:55 AM) Not infected->END

Next, many cups of coffee later:

At the end of the[Ewido] scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy and paste it into notepad or word and save it where you can remember, such as desktop so you can post it in this thread. did not give me the option - nothing found.

Then ran HJT and took out the following:

R3 - Default URLSearchHook is missing took out
O4 - HKLM\..\Run: [apput.exe] C:\WINDOWS\system32\apput.exe took out


Then I followed these instructions:

Now in HJT click on misc tools section, then on delete an NT Service. In the popup box copy and paste the following. IT IS IMPORTANT THAT YOU PUT A SPACE IN FRONT OF THE FIRST NUMBER 1 AFTER YOU HAVE COPIED AND PASTED IT OR IT WILL NOT WORK

[b]11Fßä#·ºÄÖ`I

Click ok. put space and it was not found
now using windows explorer locate the following files/folders and delete them if found.

C:\WINDOWS\system32\apput.exe rmovedC:\WINDOWS\nttl.exe rmvd

I then ran Cleanup and rebooted to normal in which my explorer still came up as soon as the computer started;

I ran Activescan and 200,000 + files later this is their log.....


Incident Status Location

Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Owner\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Owner\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Owner\Favorites\Seven days of free [bleep].url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Virus:Bck/Zapchast.Q Disinfected C:\WINDOWS\SYSTEM\mirc.ini

and last but not least I ran HJT again and now have this:


Logfile of HijackThis v1.99.1
Scan saved at 1:24:32 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\Removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...81/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://classlive.eco...aste/lsiw2k.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#10
Guest_usetobe_*
Posted 02 July 2005 - 01:49 PM

Guest_usetobe_*
  • Guest
Copy the file paths below and paste into Notepad and save it to desktop

yOU WILL NEED TO CHECK YOUR PANDA SCAN LOG AND CHANGE THE THIRD ENTRY ACCORDINGLY TO REPLACE THE WORD BLEEPED OUT BY OUR BOARDS.

C:\Documents and Settings\Owner\Favorites\Only sex website.url
C:\Documents and Settings\Owner\Favorites\Search the web.url
C:\Documents and Settings\Owner\Favorites\Seven days of free [bleep].url
C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
C:\WINDOWS\Downloaded Program Files\popcaploader.inf

* Please download the http://www.bleepingc...es/killbox.php]Killbox by Option^Explicit[/url]. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

How is your pc running now?
  • 0

Advertisements

#11
mumsmenagerie
Posted 02 July 2005 - 03:00 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay -ran the Killbox and it rebooted automatically, but again when it rebooted the first thing that came up was internet explorer....
  • 0

#12
Guest_usetobe_*
Posted 02 July 2005 - 03:04 PM

Guest_usetobe_*
  • Guest
OK we'll get rid of that then, i've let it annoy you enough :tazz:

Reboot into safe mode. Scan with hjt and check the following entry

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

Ensure no windows open except HJT and click fix checked.

Reboot pc normally.

Did it open up?
  • 0

#13
mumsmenagerie
Posted 02 July 2005 - 03:18 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
:help: :yeah: :yeah: :tazz: :beer:
:tazz: ;) ;) :help: :help:

Some people just can't help their sense of humor

Yes, that fixed that minor insignificant little itty bitty tiny problem...


Now, other than physical restraints, how can I curtail access to those questionable sites so that only I can change the settings? Preferably wihout him knowing I did it?

( See you're not the only one with a sense of humor!!!!!)
  • 0

#14
Guest_usetobe_*
Posted 02 July 2005 - 03:27 PM

Guest_usetobe_*
  • Guest
There are several things you can do.

1. Install a programme such as net nanny, that will restrict access to sites.

2. put questionable sites that the person visit in blocked sites list

3.Activate content advisor in control panel/internet options/content

4 Set up a new profile in users and block their abilty to install programs change settings

From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#15
mumsmenagerie
Posted 02 July 2005 - 03:42 PM

mumsmenagerie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
:help: :help: :help:

Okay, Okay! I know it's Windows - but I haven't had time yet to play with the alternatives. I've been too busy downloading illegal programs and cracks to try it.
About the only thing NOT illegal on this computer IS Windows!

I had already downloaded about 90% of what you had listed for spyware removal and prevention but a reminder never hurts.

Thank you for all your help and hopefully I won't be back here any time soon. Unless.... I decide to learn how to fix these myself and then....Bwhahahahaha!


Again - my sincere thanks and admiration. :tazz: ;) ;)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP