
rdsndin.exe hclean32.exe ntfsnlpa.exe



#1
colinmac

I have a problem with malware. I have several removal programs running and although Ewido and McAfee VirusScan detect them when my default browser is launched, pressing the clear button usually kills the default browser. If using IE then it wants to send an error message to Microsoft. If I use Firefox the error message gives a memory location and says it cannot be written to.

I have not managed to spot the troublesome exe files nor can I see what process keeps spawning them. I have tried using Ewido, McAfee, CounterSpy, Ad-Aware SE, Spybot Search & Destroy, Registry Mechanic, all with no success. I would really appreciate a little help in getting rid of these difficult-to-remove pests.

Here is my HJT logfile:-

Logfile of HijackThis v1.99.1
Scan saved at 13:23:30, on 08/09/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUCTIONI\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray2.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Hijackthis V1_99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsof...obby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve...rch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BJ Status Monitor Canon i560.lnk = C:\Documents and Settings\Administrator\cnmss Canon i560 (Local).exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: ADVFN 4 - http://www.advfn.com/loader4.cab
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.s...ex/viewdw32.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2
colinmac

After reading a lot of threads covering similar problems, I have been able to resolve the situation myself with help from some of your tools.
HJT, Silent Runners and Rkfiles showed nothing, which was making me really frustrated.

However, it turned out to be a rootkit infection which Blacklight found. There were three files which it found which, when renamed using Blacklight and deleted using Killbox, solved the problem.

Here is my Blacklight log

09/09/05 15:57:34 [Info]: BlackLight Engine 1.0.23 initialized
09/09/05 15:57:34 [Info]: OS: 5.0 build 2195 (Service Pack 3)
09/09/05 15:57:34 [Note]: 4019 0
09/09/05 15:57:34 [Note]: 4019 1
09/09/05 15:57:34 [Note]: 4019 2
09/09/05 15:57:34 [Note]: 4019 3
09/09/05 15:57:34 [Note]: 4019 4
09/09/05 15:57:34 [Note]: 4005 0
09/09/05 15:57:45 [Note]: 4006 0
09/09/05 15:57:45 [Note]: 4011 1156
09/09/05 15:57:46 [Note]: FSRAW library version 1.7.1011
09/09/05 15:57:50 [Info]: Hidden file: C:\WINNT\asx3test.exe
09/09/05 15:57:50 [Note]: 10002 1
09/09/05 15:58:27 [Info]: Hidden file: C:\WINNT\system32\wbem\wbemtest.exe
09/09/05 15:58:27 [Note]: 10002 1
09/09/05 15:58:32 [Info]: Hidden file: C:\WINNT\system32\csxfs.exe
09/09/05 15:58:32 [Note]: 4003 1
09/09/05 15:58:32 [Note]: 10002 1
09/09/05 15:58:35 [Info]: Hidden file: C:\WINNT\system32\ntfsnlpa.exe
09/09/05 15:58:35 [Note]: 10002 1
09/09/05 15:58:36 [Info]: Hidden file: C:\WINNT\system32\rdsndin.exe
09/09/05 15:58:36 [Note]: 4002 5
09/09/05 15:58:36 [Note]: 4003 1
09/09/05 15:58:36 [Note]: 10002 1
09/09/05 16:00:51 [Note]: 4007 0.

My computer has been running sweet as a nut for the past three days so maybe everything is OK now.

What will we do when Blacklight is no longer free at the beginning of October?

Thanks anyway, your site has been really useful.

Colinmac
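
Added example, not part of the original posts: a cross-view check in Python that pulls the `Hidden file:` entries out of the BlackLight log and tests whether the HijackThis log lists the same file names, using excerpts of the two logs above. The function names are illustrative, and matching on base name only is a simplifying assumption.

```python
import ntpath
import re

# Excerpts copied from the two logs in this thread (not the full logs).
BLACKLIGHT_LOG = r"""09/09/05 15:57:46 [Note]: FSRAW library version 1.7.1011
09/09/05 15:57:50 [Info]: Hidden file: C:\WINNT\asx3test.exe
09/09/05 15:57:50 [Note]: 10002 1
09/09/05 15:58:27 [Info]: Hidden file: C:\WINNT\system32\wbem\wbemtest.exe
09/09/05 15:58:32 [Info]: Hidden file: C:\WINNT\system32\csxfs.exe
09/09/05 15:58:35 [Info]: Hidden file: C:\WINNT\system32\ntfsnlpa.exe
09/09/05 15:58:36 [Info]: Hidden file: C:\WINNT\system32\rdsndin.exe
"""
HIJACKTHIS_LOG = r"""C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
"""

# BlackLight line format as seen above: "<date> <time> [Info]: Hidden file: <path>"
HIDDEN_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden file: (?P<path>.+?)\s*$")
# File names without spaces ending in .exe/.dll (assumption: enough for these logs)
EXE_RE = re.compile(r'[^\\\s"\[\]]+\.(?:exe|dll)', re.IGNORECASE)

def hidden_files(blacklight_text):
    """Return the paths BlackLight reported as hidden, in log order."""
    found = []
    for line in blacklight_text.splitlines():
        match = HIDDEN_RE.match(line)
        if match:
            found.append(match.group("path"))
    return found

def names_seen(hjt_text):
    """Lower-cased .exe/.dll base names mentioned anywhere in a HijackThis log."""
    return {m.group(0).lower() for m in EXE_RE.finditer(hjt_text)}

def cross_view(blacklight_text, hjt_text):
    """Map each hidden path to True if HijackThis also lists that file name."""
    seen = names_seen(hjt_text)
    return {p: ntpath.basename(p).lower() in seen
            for p in hidden_files(blacklight_text)}

if __name__ == "__main__":
    for path, listed in cross_view(BLACKLIGHT_LOG, HIJACKTHIS_LOG).items():
        print(f"{'listed in HJT' if listed else 'absent from HJT'}: {path}")
```

On these excerpts all five hidden files come back as absent from the HijackThis view, which matches the poster's report that HJT showed nothing.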