[Atribune]

Ok that file seems to be a new variant of the infection. Ive updated the fix so it will clean your computer but it isnt ready for others yet heh

Please delete the existing vundofix folder. Then download it again from the same link as before. Run the whole fix again.

[Advertisements]

Am doing so as we speak but possibly I'm downloading it from the wrong location - when I click your link I just get the homepage for atribune so I used Crusty's link something like atribune.org/downloads/vundofix.zip is that the latest version? How can I tell if it is? Well I've run whichever version I've downloaded so I'll get the results in a few seconds.

Update
Well it's working better its run hijackthis itself for the first time. Will post logs in a sec.

Edited by DJJ, 10 August 2005 - 01:02 PM.

[DJJ]

Am doing so as we speak but possibly I'm downloading it from the wrong location - when I click your link I just get the homepage for atribune so I used Crusty's link something like atribune.org/downloads/vundofix.zip is that the latest version? How can I tell if it is? Well I've run whichever version I've downloaded so I'll get the results in a few seconds.

Update
Well it's working better its run hijackthis itself for the first time. Will post logs in a sec.

Edited by DJJ, 10 August 2005 - 01:02 PM.

[DJJ]

OK logs are here I think the two entries have finally gone:



Logfile of HijackThis v1.99.1
Scan saved at 20:05:21, on 10/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\Canon FAX\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe
C:\VundoFix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab30149.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TSG.local
O17 - HKLM\Software\..\Telephony: DomainName = TSG.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TSG.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TSG.local
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\Canon FAX\mpservic.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 456 'smss.exe'
Threads [460][464][468]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1012 'explorer.exe'
Killing PID 1012 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 528 'winlogon.exe'
Killing PID 528 'winlogon.exe'
deleting dnsurl.dll
Sucessfully Deleted

[Atribune]

Great Crusty can step back in and help you finish up your cleanup.

[DJJ]

Thanks very much - you've been a great help I hope you enjoyed the challenge of my annoying bug!

[Atribune]

Not really a bug it was a change in the infection. Compared to figuring out the original fix this was nothing. Glad I could help.

[Crustyoldbloke]

Thanks Atri

You're a star!

DJJ

OK, now we've zapped that *%$&^, let's continue.

Please do a search of C:\WINDOWS\ folder and delete all instances of files named lrusnd. They are likely to have a variety of suffixes.

Please let me know what you found and also how the computer is running.

Thanks

[DJJ]

Have found and deleted 4 files: .bak2, .ini, .ini2, .tmp. Computer's a bit better but still slower than it should be I think. Will I still get win antispyware/winantivirus etc popups?

Since I've started trying to clean the machine for some reason the sound has started going a bit weird. Itunes doesn't work properly now it's really crackly and also the mouse is jerky, pausing every now and again. In fact the sound completely stopped working for a while and I had to reinstall a media control device of some sort which brought some sound back but as stated above was crackly. The loadup time when you log-on is quite slow as well. Sorry for throwing all these odd and random problems at you thanks very much for your help!

Edited by DJJ, 10 August 2005 - 02:16 PM.

[Crustyoldbloke]

Thanks for that DJJ

OK, let's look beneath the surface and see what, if anything is lurking.

Please download and run Silent Runners

* Please right click this link and choose save (link) as to download:Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[Crustyoldbloke]

Hello DJJ

Just looking at your original post for clues and realised that I hadn't done a trojan sweep (senility kicking in, or just a senior moment), I recognised Vundo and went for it knowing how difficult it can be to clear.

So let's do that now and at least we can rule that out.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Ewido Security Suite

Install Ewido Security Suite.

• Install Ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
  • You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.

• The programme will now open to the main screen.
• When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

Now that the updates have been installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop and include it in your reply.

Now close Ewido security suite.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

You post both logs in the same thread if you wish.

[DJJ]

Hello again, here's the silentrunner log I'm just going to do the trojan scans now:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["Networks Associates Technology, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["Networks Associates Technology, Inc"]
"VirusScan" = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" ["Networks Associates Technology, Inc"]
"VirusScan Online" = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled" ["Networks Associates Technology, Inc"]
"AS00_Netgear" = "C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide" [empty string]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"McRegWiz" = "c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{FBE1DB69-5026-42cf-BE97-D52DDB70DB87}" = "AOL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\aolshare\shell\uk\shellext.dll" ["America Online, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\Components\PhoneBrowserComponents\NokiaPhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\Components\PhoneBrowserComponents\ContactView.dll" ["Nokia"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\ethel.TSG\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (DCXNH41J-Administrator)" -> launches: "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (EJ_CITILIONS2-Daniel John)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (EJ_CITILIONS2-Ethel John)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (EJ_CITILIONS2-Jacob John)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (TSG-andy)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (TSG-ethel)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (TSG-jacob)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (TSG30-Ethel John)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["Networks Associates Technology, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{4D5C8C2A-D075-11D0-B416-00C04FB90376}" = "Microsoft CommBand" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
MPService, MPService, "C:\Program Files\Canon\Canon FAX\mpservic.exe" ["Canon Information Systems"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 40 seconds, including 18 seconds for message boxes)

[Crustyoldbloke]

Good news, Silent Runners log is negative.

Let me see the Ewido scan result next please.

[DJJ]

OK I've run into a problem that shows how complicated the computer is- I've been doing everything so far logged into the computer logged in on tsg - a local netwrok in our house. However when I log in to the computer locally all the programs don't run claiming that they're not win32 applications. When I reboot in safemode therefore it goes into the local computer. This includes both the setup of ewido and the prgram itself so I can't currenrtly run them in safe mode. I could try safe mode + networking and try to log in and see what happens. ANy other thoughts?

[DJJ]

I've done the safe mode + networking and am currently scanning will post results asap.

[DJJ]

OK here's the ewido scan, I cleaned most stuff apart from one or two files that I'm pretty sure are bad but thought I'd check with you first - especially something in an archive. Ran CCleaner and agreed to everything - do you need the log (don't think there is one for the issues/reg stuff)?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:57:36, 10/08/2005
+ Report-Checksum: 6548CCF0

+ Scan result:

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP379\A0065723.dll -> Spyware.WildTangent : Ignored
C:\Documents and Settings\ethel.TSG\Cookies\ethel@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\ethel@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\ethel.TSG\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0C.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

Edited by DJJ, 10 August 2005 - 04:08 PM.