Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Need to get rid of Malware [RESOLVED]

Started by fletch11 , Jul 21 2005 09:58 AM

This topic is locked

#1
fletch11

Posted 21 July 2005 - 09:58 AM

Member

Member
52 posts

I'm hoping you can help me.

I have been afflicted with many forms of malware - the most painful was Aurora. I ran the tools that you recommended and they seemed to work (at least to get rid of Aurora). However, now my computer is running painfully slow. Would you mind checking my hijackthis log to see if I can clean-up my computer any further. Here is what I did...

I downloaded and ran:

1. Cleanup
2. Ad-Aware SE
3. CW-Shredder
4. Spybot S&D
5. Ewindo Security Suite

I also run Checkit86 to block spam (or at least attempt to) and I'm not sure what is all is running on Microsoft XP (I have disabled instant messaging). I also run the latest version of McAfee virus protection (not using their spam protector). I disabled Ewindo Guard because I thought it might be slowing down my pc - did not help.

I try to run a pretty tight ship --- I only use my computer for word processing, email and listenting to music. I would like to remove anything that is not absolutely necessary on my pc.

Do you have any suggestions? -- I would greatly appreciate your help!

Thanks so much -

Logfile of HijackThis v1.99.1
Scan saved at 8:44:42 AM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\system32\l?gonui.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.bbc.co.uk...ice/index.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} -

C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655}

- c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon

initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online]

"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [LMPDPSRV]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe

E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [5FmR39i] avimgr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program

Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Ko55RVG6P] attgmgr.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Nuomddn] C:\WINDOWS\system32\l?gonui.exe
O4 - Startup: CheckIt 86.lnk = C:\Program

Files\CheckIt\86\CheckIt86.exe
O4 - Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark

X125\LEX125SU.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: CheckIt 86.lnk = C:\Program

Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark

X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List -

C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} -

C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 -

{2887F316-8C6C-47ae-A462-D2C9739D2C3D} -

C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) -

https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) -

http://adserver.shar...ver/Install.cab
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) -

https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager

Class) - http://www.ofoto.com..._1/axofupld.cab
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -

McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) -

McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -

C:\WINDOWS\svcproc.exe (file missing)

#2
tampabelle

Posted 21 July 2005 - 11:12 AM

Member 5k

Retired Staff
6,363 posts

Hi,

Can you repost the Hijack This log ??

The current format is very difficult to read. While the log is open in Notepad, please click on Format ---> Word Wrap. Then copy and post the log in your reply !!!

#3
fletch11

Posted 22 July 2005 - 08:19 AM

Member

Topic Starter
Member
52 posts

I am so sorry - I didn't even think about it. I just re-ran highjack this -- here is the log.

I am still having problems -- WinFixer 2005 keeps installing itself and running on my computer - even though I have uninstalled it several times. Also, I keep getting shortcuts to various websites posted on my desktop. I keep deleting them and different ones come back.

I am so frustrated and sick of re-running all the cleaning tools.

Thanks so much for your help!!!!

Logfile of HijackThis v1.99.1
Scan saved at 7:13:57 AM, on 7/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\VSO\OasClnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.bbc.co.uk...ice/index.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} -

C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655}

- c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon

initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program

Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [LMPDPSRV]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe

E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [5FmR39i] avimgr32.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program

Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Ko55RVG6P] attgmgr.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Nuomddn] C:\WINDOWS\system32\l?gonui.exe
O4 - Startup: CheckIt 86.lnk = C:\Program

Files\CheckIt\86\CheckIt86.exe
O4 - Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark

X125\LEX125SU.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: CheckIt 86.lnk = C:\Program

Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark

X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List -

C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} -

C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 -

{2887F316-8C6C-47ae-A462-D2C9739D2C3D} -

C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) -

https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) -

http://adserver.shar...ver/Install.cab
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) -

https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager

Class) - http://www.ofoto.com..._1/axofupld.cab
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc -

c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -

McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -

C:\WINDOWS\svcproc.exe (file missing)

#4
tampabelle

Posted 22 July 2005 - 09:17 AM

Member 5k

Retired Staff
6,363 posts

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

Nailfix.exe

Unzip it to the desktop but please do NOT run it yet.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

2. Remove Infections

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [5FmR39i] avimgr32.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Ko55RVG6P] attgmgr.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Nuomddn] C:\WINDOWS\system32\l?gonui.exe
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) - https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.shar...ver/Install.cab
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

180 Solutions

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
c:\program files\180solutions
C:\Program Files\Cas
C:\Program Files\apsi

Files
C:\WINDOWS\system32\l?gonui.exe

E6F1873B.DLL
avimgr32.exe
attgmgr.exe

Use the windows Search function to locate these files

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!

Reboot the PC in Normal Mode.

Run Hijack This and post a fresh HJT log along with Ewido scan report.

#5
fletch11

Posted 22 July 2005 - 11:19 AM

Member

Topic Starter
Member
52 posts

I followed all of the instructions...

Couple of new questions:
1. My computer is now loading my Lexmark print driver twice at start-up. In the "start-up" menus, it only looks like it should be loading once? Any suggestions.
2. Also, my checkit86 is loading twice as well.
3. Computer still a bit slow - any suggestions?

I can't thank you enough --- Here is my latest highjackthislog:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:54 AM, on 7/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\VSO\OasClnt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.bbc.co.uk...ice/index.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} -

C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655}

- c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon

initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program

Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [LMPDPSRV]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CheckIt 86.lnk = C:\Program

Files\CheckIt\86\CheckIt86.exe
O4 - Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark

X125\LEX125SU.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: CheckIt 86.lnk = C:\Program

Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark

X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List -

C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} -

C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 -

{2887F316-8C6C-47ae-A462-D2C9739D2C3D} -

C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) -

https://remote.lw.com/spv3rdpchk.cab
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc -

c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -

McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6
tampabelle

Posted 22 July 2005 - 11:44 AM

Member 5k

Retired Staff
6,363 posts

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Startup: LEX125SU.exe.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC and post a fresh HJT log. Make sure the Word Wrap under format in Notepad is not checked. I have to first format your HJT logs in Notepad and then analyze them

#7
fletch11

Posted 25 July 2005 - 12:21 AM

Member

Topic Starter
Member
52 posts

Thank you again for your help....

I fixed the items in HiJackThis -- here is the new log...

Logfile of HijackThis v1.99.1
Scan saved at 11:17:47 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk...ice/index.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#8
tampabelle

Posted 25 July 2005 - 07:30 AM

Member 5k

Retired Staff
6,363 posts

Hi Fletch11,

Your HJT log looks clean !!!!

Any issues with your PC ????

#9
fletch11

Posted 26 July 2005 - 10:19 PM

Member

Topic Starter
Member
52 posts

Thanks so much for your help.

Everything seems to be running ok. My computer is still running slower than it did - perhaps it is because I have Ewindo Security Guard running. However, maybe I'm just being greedy.

Thanks -

#10
tampabelle

Posted 27 July 2005 - 06:12 AM

Member 5k

Retired Staff
6,363 posts

Hi Fletch11,

Unfortunately you have downloaded the trial version of Ewido. It means that certain features of the product will not be available after the trial period gets over. One of the key features not available would be automatic updates on the signature files. This means that you will have to update the signature files before you scan your PC.

CONGRATULATIONS!!!!!!!! Your PC is clean :tazz:

I would recommend the following steps to keep your PC clean (especially Step 8 now that your PC is clean) –

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep the Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows update. You can also use the following links

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that automatic updates are enabled for faster updation of the system.
(Right click on My Computer on your desktop, properties and Automatic Updates tab.

Anti-Virus Software
2. Keep your Anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are :

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.

Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm

Internet Browsers
4. Have robust explorer settings. It is preferable to use an internet browser other that IE as most of the malware is targetted at IE. In case you prefer to use IE, then download a list of innocent looking but harmful websites from IE-Spyad and install it on ur PC. IE-SPYAD puts over 5000 sites in your internet explorer's restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternate browsers I suggest are Firefox Mozilla Browser and Opera

Ensure that Security level, irrespective of whichever browser you use, is set at Medium or higher, restrict the usage of cookies and activeX components.

Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

Spyware Removers
6. Install programs for scanning for malware and uninstalling them. Two of the best programs, both are freeware, are :

Spybot Search & Destroy - A powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Regular Maintenance of PC
7. Finally, invest some time for regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies etc. Click on Start button, Programs, Accessories, System Tools and run the program Disk Cleanup. Follow the instructions.

An alternate freeware software which can be used is CleanUp.

Keep your Registry clean. My favourite software is Registry First Aid. This is not a freeware but a trial version can be downloaded.

System Restore Points
8. Since your PC is currently clean, create a system restore point. A system restore would enable you to revert to the settings on the PC when the restore point was created. It is also a good idea to flush all earlier system restore points which may be containing infected files.

A. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

B. Restart your computer.

C. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Go ahead and enjoy a clean PC !!!!!!!!!!!!!

#11
tampabelle

Posted 27 July 2005 - 06:12 AM

Member 5k

Retired Staff
6,363 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.