[fancyx]

i posted a hijack this log and it seemed like there were no problems. scanned with mcafee, no problems. but the panda active scan shows several files. now i don't know what to do to get rid of them. here's the scan results and a hijack log, any help is greatly appreciated. thanks


Incident Status Location

Adware:Adware/Naupoint No disinfected C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
Dialer:Dialer.NQ No disinfected C:\axexx.chm[on-line.exe]
Virus:Exploit/CodeBase.S No disinfected C:\axexx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\axexx.chm[htm2chm_explorer]
Possible Virus. No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\FOREX\rapidforex_cp_v101b.exe
Virus:Eicar.Mod No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\My Documents\data1.cab[eicar.html]
Adware:Adware/MyWay No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\Audiogalaxy Satellite\ui.dll
Virus:Eicar.Mod Renamed C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\eicar.html
Adware:Adware/BrilliantDigitalNo disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\KaZaA Lite\bdcore.dll
Spyware:Spyware/New.net No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\NewDotNet\uninstall3_88.exe
Adware:Adware/Naupoint No disinfected C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll



HIJACKTHIS



Logfile of HijackThis v1.99.1
Scan saved at 6:49:43 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\me\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122012957906
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Advertisements]

Hi fancyx and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

[Trevuren]

Hi fancyx and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

[fancyx]

ok fixed the HJ thing that you explained. here's the log, as well as the panda scan results. thanks for the reply.


Logfile of HijackThis v1.99.1
Scan saved at 1:13:28 AM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122012957906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



PANDA SCAN RESULTS



Incident Status Location

Adware:Adware/Naupoint No disinfected C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
Dialer:Dialer.NQ No disinfected C:\axexx.chm[on-line.exe]
Virus:Exploit/CodeBase.S No disinfected C:\axexx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\axexx.chm[htm2chm_explorer]
Possible Virus. No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\FOREX\rapidforex_cp_v101b.exe
Virus:Eicar.Mod No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\My Documents\data1.cab[eicar.html]
Adware:Adware/MyWay No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\Audiogalaxy Satellite\ui.dll
Virus:Eicar.Mod Renamed C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\eicar.html
Adware:Adware/BrilliantDigitalNo disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\KaZaA Lite\bdcore.dll
Spyware:Spyware/New.net No disinfected C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\NewDotNet\uninstall3_88.exe
Adware:Adware/Naupoint No disinfected C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll

[Trevuren]

1. I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:

• Memory
• Startup Folders
• Drive - All Local Drives
• Folder - then click "browse" to change the directory to C: (default is C:\Windows)
• Registry
• System Folders
• Services
• Include Sub-Directory
• Scan All Files

Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.



2. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

• Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed.
• Once the updates are installed do the following:
  • REBOOT into Safe Mode
  • Run EWIDO
  • Click on scanner
  • Click on Start Scan
  • Let the program scan the machine
  • While the scan is in progress you will be prompted to clean files, click OK
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
• Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply Also please provide a list of the infected files found through mwav

Regards,

Trevuren

[fancyx]

hey trevuren,

so eight hours later the mwav thing was still scanning, i had to use the computer and just couldn't wait anymore, but i've included the infected list at the bottom. preceding are the ewido scan results and a new hijack log as requested. man, there was quite a few things on both those logs, does mcafee just suck? also a note any files in the Q Drive Dump, which there seems to be a few, are files from an old drive that are sitting on my desktop. i don't think that the problems in it are system-wide. thanks for taking the time, this is turning out to be quite educational.


EWIDO SCAN

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:32:58 PM, 8/10/2005
+ Report-Checksum: FA620F3F

+ Scan result:

HKU\S-1-5-21-1644491937-1004336348-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
C:\data -> TrojanDownloader.IstBar.ja : Cleaned with backup
C:\Documents and Settings\me\Cookies\[email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\me\Desktop\DESKTOP\QUE DRIVE DUMP\C DRIVE!!\Program Files\NewDotNet\uninstall3_88.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll -> Spyware.MegaSearch : Cleaned with backup
:mozilla.9:F:\Documents and Settings\Fancy\Application Data\Phoenix\Profiles\default\zj8j7y8o.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.10:F:\Documents and Settings\Fancy\Application Data\Phoenix\Profiles\default\zj8j7y8o.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.X10 : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Porngraph : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@clickagents[2].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@hotlog[2].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@paycounter[2].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@sexlist[1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\fancy@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
F:\Documents and Settings\Fancy\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End


HIJACK LOG AFTER EWIDO SCAN


Logfile of HijackThis v1.99.1
Scan saved at 3:49:19 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122012957906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


MWAV INFECTED LIST


File C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll tagged as "not-a-virus:AdWare.BHO.MegaSearch.b". Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0215EB02-8DA8-11D4-A833-D5C37E25DF70}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0215EB04-8DA8-11D4-A833-D5C37E25DF70}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{04B202E1-7044-495E-BFC8-8D71887E3797}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{04B202E2-7044-495E-BFC8-8D71887E3797}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0F977BE9-A677-11d3-A773-00C04F68F44E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{18A8D388-8DEA-4429-B2CF-159791F6CBCD}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1D22D407-A677-11d3-A773-00C04F68F44E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2BA5BF6D-F456-45E1-B78E-7ADB166B62FF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2E130DC2-63EB-4B0C-810B-603FDD609A9C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{38FFB667-D599-45CD-951A-099FC9719B0C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4BBEC3C9-654F-444E-8DE4-F9E5B2A05794}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5E1E2CA3-AF4F-11D4-97AF-9CC8A1041279}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{76E3292B-87AF-48A1-9A92-3D3CBB192398}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{80A52E2B-72F2-4BD4-B67D-F7A674A82964}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83FDD082-7419-43E9-803A-71205A019090}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E925C02-AA02-11D4-97AF-CAF1D1DACA7A}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}" refers to invalid object "C:\DOCUME~1\me\LOCALS~1\Temp\CMDLIN~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99C08A2F-81D0-11D4-A832-444553546170}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A068133D-1A21-45ED-BB29-9F4488EA967E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A59EB362-A677-11d3-A773-00C04F68F44E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9494862-A935-11D4-97AF-CF4D3C800A79}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9494864-A935-11D4-97AF-CF4D3C800A79}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9494866-A935-11D4-97AF-CF4D3C800A79}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B09FC359-C80E-4087-BB83-80850810D137}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB0D8F91-C1F5-11D5-A152-000244036A12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB0D8F93-C1F5-11D5-A152-000244036A12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB0D8F95-C1F5-11D5-A152-000244036A12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9D242AC-47D6-486E-837B-D3DA8EECCD67}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DBB2B290-4C6E-4129-BED2-716BF47F57E0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\A3d" refers to invalid object "{d8f1eee0-f634-11cf-8700-00a0245d918b}". Action Taken: No Action Taken.
Entry "HKCR\A3dApi" refers to invalid object "{92FA2C24-253C-11d2-90FB-006008A1F441}". Action Taken: No Action Taken.
Entry "HKCR\A3dDAL" refers to invalid object "{442D12A1-2641-11d2-90FB-006008A1F441}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ILogic.Logic" refers to invalid object "{76CE1CC0-7932-11D1-9509-00A0C9925315}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService.1" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\axexx.chm infected by "Trojan.Win32.Dialer.ce" Virus! Action Taken: No Action Taken.
File C:\data infected by "Trojan-Downloader.Win32.IstBar.ja" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00001604. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00002155. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00002160. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00002246. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00002272. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00002535. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00002694. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00008814. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00008815. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00008906. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00011254. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00011262. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00011976. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00011980. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00012506. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00012575. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00013434. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00013452. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00016575. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00016576. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00016947. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00017099. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00017220. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00017304. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00017445. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00018912. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00020704. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00020705. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00020740. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00022853. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00022887. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00023267. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025555. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025621. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025622. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025623. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025624. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025625. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025626. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025627. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025628. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025629. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025630. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025631. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025632. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025649. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00025928. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00026380. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00026381. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00026511. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00027026. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00028007. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00028031. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00028033. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\RECYCLER\NPROTECT\00028058. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File F:\System Volume Information\_restore{94EAE56C-BCB3-49EC-8685-B643C8D13A7A}\RP1\A0000002.exe tagged as "not-a-virus:AdWare.IGetNet". Action Taken: No Action Taken.
File F:\System Volume Information\_restore{94EAE56C-BCB3-49EC-8685-B643C8D13A7A}\RP1\A0000003.DLL tagged as "not-a-virus:AdWare.IGetNet". Action Taken: No Action Taken.
File F:\System Volume Information\_restore{94EAE56C-BCB3-49EC-8685-B643C8D13A7A}\RP1\A0000004.DLL tagged as "not-a-virus:AdWare.IGetNet". Action Taken: No Action Taken.
File C:\axexx.chm infected by "Trojan.Win32.Dialer.ce" Virus! Action Taken: No Action Taken.
File C:\data infected by "Trojan-Downloader.Win32.IstBar.ja" Virus! Action Taken: No Action Taken.

[Trevuren]

This is the best I can do without a complete mwav report. Most of what is there is either in Norton Quart. or in temp folders that will be cleaned up at the end. I suggest that you let the scan run all night and the report should be ready for you in the morning.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

• First we need to make all files and folders VISIBLE:
  • Go to start>control panel>folder options>view (tab)
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
  • Close the window with ok
• Please RUN HijackThis.
  . Click the SCAN button to produce a log.
  
  
• Place a check mark beside each one of the following items:
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
  
  
  
  
• Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
  
  
• Reboot Your System in Safe Mode
  
  How to use the F8 method to Start Your Computer in Safe Mode
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
• Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
  
  C:\axexx.chm
  C:\data
  
  
• Exit Explorer, and REBOOT BACK INTO NORMAL MODE
  
  
• Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

[fancyx]

ok followed the steps, and deleted those files (only the axexx one was there), and here's the new HJ log. i feel we're making progress here, thanks so much. i'll do a complete mwav report tonight and post it in the morning. do you recommend just buying that program, it seems to be much more effective than my current mcafee?

Logfile of HijackThis v1.99.1
Scan saved at 5:58:52 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122012957906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[fancyx]

here's the new mwav scan. looks a lot better. let me know what you think. thanks trevuren


Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0215EB02-8DA8-11D4-A833-D5C37E25DF70}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0215EB04-8DA8-11D4-A833-D5C37E25DF70}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{04B202E1-7044-495E-BFC8-8D71887E3797}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{04B202E2-7044-495E-BFC8-8D71887E3797}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0F977BE9-A677-11d3-A773-00C04F68F44E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{18A8D388-8DEA-4429-B2CF-159791F6CBCD}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1D22D407-A677-11d3-A773-00C04F68F44E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2BA5BF6D-F456-45E1-B78E-7ADB166B62FF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2E130DC2-63EB-4B0C-810B-603FDD609A9C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{38FFB667-D599-45CD-951A-099FC9719B0C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4BBEC3C9-654F-444E-8DE4-F9E5B2A05794}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D}" refers to invalid object "C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7E}" refers to invalid object "C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7F}" refers to invalid object "C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5E1E2CA3-AF4F-11D4-97AF-9CC8A1041279}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{76E3292B-87AF-48A1-9A92-3D3CBB192398}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{80A52E2B-72F2-4BD4-B67D-F7A674A82964}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83FDD082-7419-43E9-803A-71205A019090}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E925C02-AA02-11D4-97AF-CAF1D1DACA7A}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}" refers to invalid object "C:\DOCUME~1\me\LOCALS~1\Temp\CMDLIN~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99C08A2F-81D0-11D4-A832-444553546170}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A068133D-1A21-45ED-BB29-9F4488EA967E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A59EB362-A677-11d3-A773-00C04F68F44E}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9494862-A935-11D4-97AF-CF4D3C800A79}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9494864-A935-11D4-97AF-CF4D3C800A79}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9494866-A935-11D4-97AF-CF4D3C800A79}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B09FC359-C80E-4087-BB83-80850810D137}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB0D8F91-C1F5-11D5-A152-000244036A12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB0D8F93-C1F5-11D5-A152-000244036A12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB0D8F95-C1F5-11D5-A152-000244036A12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9D242AC-47D6-486E-837B-D3DA8EECCD67}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DBB2B290-4C6E-4129-BED2-716BF47F57E0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\A3d" refers to invalid object "{d8f1eee0-f634-11cf-8700-00a0245d918b}". Action Taken: No Action Taken.
Entry "HKCR\A3dApi" refers to invalid object "{92FA2C24-253C-11d2-90FB-006008A1F441}". Action Taken: No Action Taken.
Entry "HKCR\A3dDAL" refers to invalid object "{442D12A1-2641-11d2-90FB-006008A1F441}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ILogic.Logic" refers to invalid object "{76CE1CC0-7932-11D1-9509-00A0C9925315}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService.1" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{25268EC9-292B-42C1-8F23-73E09764BD22}\RP159\A0191591.dll tagged as "not-a-virus:AdWare.BHO.MegaSearch.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{25268EC9-292B-42C1-8F23-73E09764BD22}\RP159\A0191591.dll tagged as "not-a-virus:AdWare.BHO.MegaSearch.b". Action Taken: No Action Taken.

[Trevuren]

Please provide me with a fresh HJT log so I can get you on your way


Trevuren

[fancyx]

here's a fresh HJ log. hope it looks okay. thanks so much for your time and attention.


Scan saved at 12:45:49 AM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - blank (file missing)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122012957906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Trevuren]

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

2. Cleanup the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE

• Right-click "My Computer", and then left click "Properties".
• Left click on "System Restore Tab"
• Check box beside "Turn Off System Restore"
• Left click on "Apply"

TO ENABLE SYSTEM RESTORE

• Remove check mark from "Turn Off System Restore"
• Click on "Apply"

Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

[fancyx]

great! thanks so much for the help trevuren. i really appreciate it.

[Trevuren]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.