spy-agent.i and adclicker.bw [RESOLVED]

#1 steveb1475 (Member, 11 posts)
Having problems getting rid of spy-agent.i and adclicker.bw trojans. McAfee keeps finding and deleting files but it comes right back. I keep getting a balloon popup that says: your spyware protection is bad, click this "baloon" (notice misspelling) and another popup that says the same thing. Here's my HJT log; it looks pretty clean to me but I'm not an expert. This has been going on for 3 weeks and it's driving me crazy.
Thanks, Steve


Logfile of HijackThis v1.99.1
Scan saved at 12:38:43 PM, on 9/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dmaza.exe] C:\WINDOWS\SYSTEM\dmaza.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Steven and welcome to GTG.

Sorry for the delay in reply...closed your other topic...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad but that you want to keep).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [dmaza.exe] C:\WINDOWS\SYSTEM\dmaza.exe


Delete the following files/folders (delete the folder if no filename is specified) according to their directory (if none is given, just do a search for them), if they exist:

C:\WINDOWS\SYSTEM\HWIPER.EXE
C:\WINDOWS\SYSTEM\dmaza.exe


Restart and run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them on that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here. Also give me this log:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double-click the Mwav.exe file. This is a stand-alone tool and NOT just a virus checker... so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane...
Left-click and highlight all the information in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything... but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#3 steveb1475 (Topic Starter, Member, 11 posts)
Hi, Thanks for your help...

I ran HJT in Safe Mode and found the first two keys, but there isn't a [dmaza.exe] that I could see. The closest thing that I could see was [dmxqw.exe]. Here's a copy of the log.

Thanks,
Steve

Logfile of HijackThis v1.99.1
Scan saved at 4:12:29 PM, on 9/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
D:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dmxqw.exe] C:\WINDOWS\SYSTEM\dmxqw.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

#4 steveb1475 (Topic Starter, Member, 11 posts)
OK, McAfee just came up saying that bndmod.exe was infected by spy-agent.i and came up right after that saying that hlmicro.exe was infected by adclicker.bw. This is nothing new, same thing every time, just some more info for you. Also, after doing the scan in Safe Mode, the key that was referring to dmxqw.exe looks like it is called dmlow.exe now.
Thanks,
Steve

Logfile of HijackThis v1.99.1
Scan saved at 7:22:00 PM, on 9/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dmlow.exe] C:\WINDOWS\SYSTEM\dmlow.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
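
Added example (not from the thread, and not a HijackThis feature): a small Python triage script that parses the O4 Run lines of the logs posted above, flags the two entries the helper singled out using one heuristic (the Run value is named exactly after a file that sits directly in C:\WINDOWS\SYSTEM), pairs an entry that disappears between scans with the one that appears in its place (which is how the dmaza.exe -> dmxqw.exe -> dmlow.exe churn shows up), and flags the ":0" ProxyServer value. The sample log lines are a constructed subset of the logs in posts #1, #3 and #4; the heuristic ranks entries for review and is not a verdict on any file.

```python
"""Triage helpers for the HijackThis (HJT) logs posted in this thread.

Two observations drive it: the O4 Run values the helper said to fix are the only
ones named exactly after a file sitting directly in the Windows system directory,
and one of them returns under a new random name after each scan (dmaza.exe ->
dmxqw.exe -> dmlow.exe). Both are encoded as checks runnable over successive logs.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the R1/O4 lines from the HJT log in post #1 that matter
# here (others omitted). Only the dm*.exe entry changed between the posted logs.
HJT_SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [dmaza.exe] C:\WINDOWS\SYSTEM\dmaza.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
"""
HJT_SCAN_2 = HJT_SCAN_1.replace("dmaza.exe", "dmxqw.exe")  # as in post #3
HJT_SCAN_3 = HJT_SCAN_1.replace("dmaza.exe", "dmlow.exe")  # as in post #4

# Registry-backed O4 lines look like:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>.*)$")
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl|ocx))\b', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\windows\\system32\\")


@dataclass(frozen=True)
class Autorun:
    hive: str     # HKLM or HKCU
    key: str      # Run, RunServices, RunOnce, ...
    name: str     # registry value name, shown in [brackets] by HJT
    command: str  # command line stored in that value


def parse_autoruns(log: str) -> List[Autorun]:
    """Extract the registry-backed O4 entries from one HJT log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def image_path(command: str) -> str:
    """Return the launched binary: first token with a binary extension, unquoted."""
    m = IMAGE_RE.match(command.strip())
    return m["path"] if m else command.strip()


def in_system_dir(path: str) -> bool:
    """True when the file sits directly in the system directory (no subfolder)."""
    low = path.lower()
    return any(low.startswith(d) and "\\" not in low[len(d):] for d in SYSTEM_DIRS)


def is_self_named_system_binary(entry: Autorun) -> bool:
    """Value named exactly after its file, and the file sits in the system directory.
    In this thread that singles out HWIPER.EXE and dmaza.exe and nothing else."""
    path = image_path(entry.command)
    return in_system_dir(path) and entry.name.lower() == path.rsplit("\\", 1)[-1].lower()


def find_renamed_autoruns(before: List[Autorun], after: List[Autorun]) -> List[Tuple[str, str]]:
    """Pair a flagged entry that vanished between scans with one that appeared
    under the same hive/key: the dmaza -> dmxqw -> dmlow churn seen above."""
    before_set, after_set = set(before), set(after)
    gone = [e for e in before if e not in after_set and is_self_named_system_binary(e)]
    new = [e for e in after if e not in before_set and is_self_named_system_binary(e)]
    return [(old.name, cur.name) for old in gone for cur in new
            if (old.hive, old.key) == (cur.hive, cur.key)]


def find_empty_proxy(log: str) -> List[str]:
    """Flag an IE ProxyServer value with no host or port 0, like the ':0' here:
    the browser is pointed at a proxy that cannot exist, which the helper had fixed."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            value = m["proxy"].strip()
            if value.startswith(":") or value.endswith(":0"):
                hits.append(value)
    return hits


if __name__ == "__main__":
    scans = [parse_autoruns(s) for s in (HJT_SCAN_1, HJT_SCAN_2, HJT_SCAN_3)]
    print("proxy settings to fix:", find_empty_proxy(HJT_SCAN_1))
    print("entries to review:", [e.name for e in scans[0] if is_self_named_system_binary(e)])
    for earlier, later in zip(scans, scans[1:]):
        print("renamed between scans:", find_renamed_autoruns(earlier, later))
```

Run against full logs rather than the excerpt, the rename pairing also reports legitimate software that was installed and removed between scans under a self-named value, so treat its output as a review queue.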

#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Did you do an online scan at TrendMicro and Panda yet? Please give me the Panda log.

Also where is the mwav log? Run that scan also. Something is lurking in your system and I want to make sure it's not a trojan that's hiding from us.

#6 steveb1475 (Topic Starter, Member, 11 posts)
OK, I killed the three registry keys. The third [dmaza.exe] had renamed itself to [dmyzx.exe]. I also deleted the two system files hwiper.exe and dmyzx.exe.

HouseCall came up clean; here is the log from Panda:

Incident                   Status          Location
Virus:Trj/Downloader.EQS   Disinfected     C:\WINDOWS\SYSTEM\csvnt.exe
Dialer:Dialer.BND          No disinfected  C:\WINDOWS\SYSTEM\EGHTMLDialer.dll
Virus:Trj/Downloader.EQS   Disinfected     C:\WINDOWS\SYSTEM\cszma.exe
Virus:Trj/Downloader.EQS   Disinfected     C:\WINDOWS\SYSTEM\csnzz.exe
Spyware:spyware/wareout    No disinfected  C:\WINDOWS\Application Data\wo.tmp

Here is the log from Mwav:

Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EGroup Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "PurityScan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zipitpro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Start Menu\Programs\Microsoft Office Tools\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Start Menu\Programs\Logitech WingMan\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Start Menu\Programs\Logitech WingMan\WingMan Utilities\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Start Menu\Programs\Logitech WingMan\WingMan Online\". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB7DF450-F119-11CD-8465-00AA00425D90}" refers to invalid object "D:\Program Files\Microsoft Office\Office\". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{50D994ED-8834-11D3-8BBE-0000E85F332D}" refers to invalid object "C:\PROGRAM FILES\CLEANER EZ 5.0\CLEANERPS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{50D994EE-8834-11D3-8BBE-0000E85F332D}" refers to invalid object "C:\PROGRA~1\CLEANE~1.0\CLEANE~1.EXE". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C171D40-8277-11D5-AD55-00010333D0AD}" refers to invalid object "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{46186AAF-14D9-4C78-913D-1E89B2D60E5A}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\LMKP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{fba38bcf-e23d-4979-811e-1326bbadb8c8}" refers to invalid object "C:\PROGRAM FILES\WINAMP3\WACS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{44b09a5f-5dee-4539-8001-d4b2d45c2876}" refers to invalid object "C:\PROGRAM FILES\WINAMP3\WACS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{d4387178-98ca-4929-b8e3-a11cd2f333a6}" refers to invalid object "C:\PROGRAM FILES\WINAMP3\WACS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{43918f8f-f3be-4760-b4bb-6c89d9d91487}" refers to invalid object "C:\PROGRAM FILES\WINAMP3\WACS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{96632d1e-f3eb-4f54-ba79-9969692db659}" refers to invalid object "C:\PROGRAM FILES\WINAMP3\WACS\CDDBUIWINAMP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F674C38B-1B37-4503-8BBA-0F31DE3BB717}" refers to invalid object "C:\THEAXE~1\BIN\DNAMMC~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{14118FF0-8895-4938-A59E-92357C4BB728}" refers to invalid object "C:\THEAXE~1\BIN\DNAMMC~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C9B50189-F7DA-44E2-8BB7-A2D54A6EA79C}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4A7D96F-436D-4103-AEB4-98666C7DD58F}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2893A75F-979B-4BE4-975A-C310F3E08B79}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{77B53F0C-23FE-41F3-9E7B-C952349D96B6}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B65B658B-7001-4878-83C9-1779072F7B23}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02ADC9A0-16EE-46F8-BB26-D270BA156985}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5650A7A6-188D-461B-A94B-C2503EB2F831}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{64011898-FE63-416F-83E8-490985E98DA3}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{51DE39CB-7036-40BA-8583-381C21E68950}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F8547FE2-7548-4A07-A82C-947F1539B265}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5FF19695-A57C-43D6-B255-E448014038D6}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{983A43FC-3C12-41A6-AC3A-AE08707D110E}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{687DBEF1-80EA-45CB-B7BE-1A3B73953045}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{68B43FA4-7F6C-4B37-A621-71E6025B41DF}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{65D6E0E3-35BB-4843-ADF5-E8A268302066}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B11E5D12-2890-447E-882B-68594F294EF3}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1BCD446C-7095-11D0-9C4E-00AA00BDD685}" refers to invalid object "C:\THEAXEEFFECT\BIN\REGTOOL5.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C1A7BE06-0508-4A22-A361-8D5ED3028D6D}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3F42DFC7-F1C3-47AB-9DA3-6AEAC0C15A20}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C8BBE636-FE8A-4122-BA04-69BF9A2D20B7}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3C2FD4B4-FA68-4C0A-A02D-17D0C62588F5}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D5C94876-DA30-49D6-AD45-2F0CB3960E3D}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD1A8EE5-C793-46EB-BE2E-729186358C17}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C2B13C17-343F-40BE-8B48-B8BF97D61360}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A42987AE-10AA-41E1-891B-92D6060BF795}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FBC4AD75-F096-4E95-9982-BE4A4187AC3B}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{04CDF7C9-B874-49B9-9FDE-5976798FB98B}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FA8953AC-F0E7-47BF-BBA9-91E6A7D739BF}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EBD57DE2-35B6-475C-9105-EC66C2DBC982}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{136FFBC8-AC59-48D5-AD25-C701015E0206}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{05D32F04-BDAD-4951-B304-36EC9ED3FFD5}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4DB7ABCD-ECED-42AC-812E-64A2CBD533AB}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6AF09503-3DFF-4825-8A6C-011DAFB5ABF8}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AD2F108D-D000-4284-B540-16140DB881FC}" refers to invalid object "C:\PROGRAM FILES\MCAFEE.COM\SHARED\MCUICFG\6,0,0,4\MCUICFG.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4928379D-88CC-45DD-BEDC-FB5B51A4C8C3}" refers to invalid object "C:\PROGRAM FILES\MCAFEE.COM\SHARED\MCUICFG\6,0,0,4\MCUICFG.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{002C9B00-F6E0-4E14-B96C-96E1A547F58B}" refers to invalid object "C:\PROGRAM FILES\MCAFEE.COM\SHARED\MCUICFG\6,0,0,4\MCUICFG.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9BE8D7B2-329C-442A-A4AC-ABA9D7572602}" refers to invalid object "C:\PROGRAM FILES\MCAFEE.COM\AGENT\SUBMGR\6,0,0,13\MCSUBMGR.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C1EF9672-B679-11D5-9FED-F4409890F342}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7B0BF3B2-D0B0-11D5-9FED-AA481EF64C42}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{86EB5BD6-D0BF-11D5-9FED-0048546DCCF8}" refers to invalid object "C:\WINDOWS\TEMP\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{50D994E1-8834-11D3-8BBE-0000E85F332D}" refers to invalid object "C:\PROGRAM FILES\CLEANER EZ 5.0\CLEANEREZ5.tlb". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5FAC78B2-14D0-11D6-9FED-603DB9C10000}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9B5492B0-EC9A-11ce-935A-0800099EB3B7}" refers to invalid object "C:\PROGRA~1\AUTOCA~1\ACLT.TLB". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{F0012D80-989C-11D3-B7C5-0090271D5CA7}" refers to invalid object "C:\PROGRAM FILES\YAHOO!\MESSENGER\MYYAHOO.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{390CE9E4-C4A0-11D4-8A92-0090271D4F88}" refers to invalid object "C:\PROGRAM FILES\YAHOO!\MESSENGER\YCRWIN32.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8E926E2D-BF6C-11D2-A33D-00A0C94B8D0E}" refers to invalid object "C:\PROGRAM FILES\YAHOO!\MESSENGER\STOCK.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{600DCBB2-61B5-11D6-9FED-3022B9C10000}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{0F03FAFC-98A5-4043-9654-1DB9B521FB24}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\LMKP.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{066F4BD2-730B-11D6-9FED-503DB9C10000}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B366F228-E2B3-11D6-9FED-90B1B8C10000}" refers to invalid object "C:\WINDOWS\TEMP\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5742D3EF-1874-11D8-9FEF-B05AB7C16900}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A1CE1F98-0184-45C5-B49D-F6053174EAC7}" refers to invalid object "C:\PROGRAM FILES\COMMON FILES\ANSWERWORKS 4.0\AWAPI4.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C5D5D4C8-610B-11D9-9FF0-30D0B7C10000}" refers to invalid object "C:\WINDOWS\TEMP\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B33EECD9-7020-4B31-9CF0-71DBD7FA8407}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNAMMCONTROL.OCX". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B404E9AD-A1E7-4D4A-A000-E1F0F896ADBD}" refers to invalid object "C:\THEAXEEFFECT\BIN\DNASVT.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1BCD446E-7095-11D0-9C4E-00AA00BDD685}" refers to invalid object "C:\THEAXEEFFECT\BIN\REGTOOL5.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{32B785C6-8F5B-4D67-9E06-C1703E30E1AF}" refers to invalid object "C:\THEAXEEFFECT\BIN\XSPEECHKIT.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{BB5C2B72-B765-11D9-9FF1-C056B6C11608}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{370BDC44-CCA3-11D9-9FF1-D080B3C1598D}" refers to invalid object "C:\WINDOWS\TEMP\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B3AB03F6-0E9B-11DA-9FF1-80D4B7C10000}" refers to invalid object "C:\WINDOWS\TEMP\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{01118C01-3E00-11D2-8470-0060089874ED}" refers to invalid object "E:\INSTALL.EXE". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{01118401-3E00-11D2-8470-0060089874ED}" refers to invalid object "C:\PROGRAM FILES\SUPPORT.COM\BIN\SDCNETCHECK.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{01118B01-3E00-11D2-8470-0060089874ED}" refers to invalid object "C:\PROGRAM FILES\SUPPORT.COM\BIN\SSCTLNWK.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{01118D01-3E00-11D2-8470-0060089874ED}" refers to invalid object "C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCTLPW.DLL". Action Taken: No Action Taken.
Entry "HKCR\.eps" refers to invalid object "Photoshop.EPSFile". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\.cda" refers to invalid object "Winamp3.File". Action Taken: No Action Taken.
Entry "HKCR\.pct" refers to invalid object "Photoshop.PICTFile". Action Taken: No Action Taken.
Entry "HKCR\.tga" refers to invalid object "Photoshop.TGAFile". Action Taken: No Action Taken.
Entry "HKCR\TSHOOT.TSHOOTCtrl.1" refers to invalid object "{4B106874-DD36-11D0-8B44-00A024DD9EFF}". Action Taken: No Action Taken.
Entry "HKCR\.aip" refers to invalid object "aip_file". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.det" refers to invalid object "DETFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.frg" refers to invalid object "Access.Fragment". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.idc" refers to invalid object "idcfile". Action Taken: No Action Taken.
Entry "HKCR\.ldb" refers to invalid object "Access.LockFile.9". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pcb" refers to invalid object "PCBFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.SC2" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.SCD" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.SCH" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\ZAMailSafe\shell\open\command" refers to invalid object ""d:\ZoneAlarm\zonealarm.exe" -warning %1". Action Taken: No Action Taken.
Entry "HKCR\.pict" refers to invalid object "Photoshop.PICTFile". Action Taken: No Action Taken.
Entry "HKCR\RollmUp.RecordedGame\shell\open\command" refers to invalid object "C:\PROGRA~1\ROLL'M~1\Rollemup.exe %1". Action Taken: No Action Taken.
Entry "HKCR\.bpl" refers to invalid object "Winamp3.File". Action Taken: No Action Taken.
Entry "HKCR\.UMX" refers to invalid object "Winamp3.File". Action Taken: No Action Taken.
Entry "HKCR\app_auto_file\shell\open\command" refers to invalid object "C:\PROGRAM "%1"". Action Taken: No Action Taken.
Entry "HKCR\288File\shell\open\command" refers to invalid object "C:\Program Files\Hammer Software\FloppyBase\FloppyBase.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\360File\shell\open\command" refers to invalid object "C:\Program Files\Hammer Software\FloppyBase\FloppyBase.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.BrowserContainer.1" refers to invalid object "{01118c00-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.BrowserContainer" refers to invalid object "{01118c00-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.SdcNetCheck.1" refers to invalid object "{01118400-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.SdcNetCheck" refers to invalid object "{01118400-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.Ssctlnwk.1" refers to invalid object "{01118b00-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.Ssctlnwk" refers to invalid object "{01118b00-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.TgPassCtl.1" refers to invalid object "{01118d00-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
Entry "HKCR\SdcUser.TgPassCtl" refers to invalid object "{01118d00-3e00-11d2-8470-0060089874ed}". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\EGHTMLDialer.dll tagged as "not-a-virus:Dialer.Win32.E-Group.1048". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\EGHTMLDialer.dll tagged as "not-a-virus:Dialer.Win32.E-Group.1048". Action Taken: No Action Taken.
File C:\Program Files\Logitech\Resource Center\installers\weatherbug\wethrbug.exe tagged as "not-a-virus:AdWare.Gator.1023". Action Taken: No Action Taken.


And here is the new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:11:39 PM, on 9/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

#7 steveb1475 (Member, Topic Starter)
BTW, can I just delete the registry keys that refer to invalid objects?
Thanks,
Steve

#8 greyknight17 (Malware Expert, Visiting Consultant)
Yes, you may delete those registry entries (invalid objects) manually if you wish. Make sure you back up the registry first. They are basically harmless though. If you want, you can use a registry cleaner to see if it cleans it out faster.

Delete these if found:

C:\WINDOWS\Application Data\wo.tmp
C:\WINDOWS\SYSTEM\EGHTMLDialer.dll
C:\Program Files\Logitech\Resource Center\installers\weatherbug\wethrbug.exe


Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
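To make sense of a scanner report like the one quoted earlier in this thread, here is an added parser (example code written for this page, not part of any post or of the scanner's own tooling) that turns the "refers to invalid object" and "tagged as" lines into records, groups the registry entries by the object they point at, and de-duplicates repeated file hits. It assumes the two exact line shapes shown in the report; the `target_kind` classification is a heuristic of this example, and the sample lines are constructed from entries quoted in the thread.

```python
import re
from collections import Counter
from typing import Dict, Optional

# The report has two record shapes: registry entries pointing at something that
# no longer exists, and files tagged with a detection name (assumed exact forms).
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object '
                      r'"(?P<target>.*)"\. Action Taken: (?P<action>.+?)\.?$')
FILE_RE = re.compile(r'^File (?P<path>.+?) tagged as "(?P<tag>[^"]+)"\. '
                     r'Action Taken: (?P<action>.+?)\.?$')

def target_kind(target: str) -> str:
    # Heuristic: an "invalid object" is a missing file, CLSID, or ProgID.
    t = target.strip('"')
    if re.match(r'^[A-Za-z]:\\', t):
        return "path"
    if re.match(r'^\{[0-9A-Fa-f-]{36}\}$', t):
        return "clsid"
    return "progid"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    # One report line -> record dict; None for lines that are not records.
    line = line.strip()
    if m := ENTRY_RE.match(line):
        return {"kind": "registry", "key": m["key"], "target": m["target"],
                "target_kind": target_kind(m["target"]), "action": m["action"]}
    if m := FILE_RE.match(line):
        return {"kind": "file", "path": m["path"], "tag": m["tag"],
                "action": m["action"]}
    return None

def triage(text: str) -> Dict[str, object]:
    # Group registry entries by target (many TypeLib keys collapse to one stale file).
    records = [r for r in map(parse_line, text.splitlines()) if r]
    by_target = Counter(r["target"] for r in records if r["kind"] == "registry")
    flagged = sorted({(r["path"], r["tag"]) for r in records if r["kind"] == "file"})
    return {"by_target": by_target, "flagged_files": flagged, "records": len(records)}

# Constructed sample: a handful of lines modelled on the report quoted in the thread.
SAMPLE = r'''
Entry "HKCR\TypeLib\{C1EF9672-B679-11D5-9FED-F4409890F342}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7B0BF3B2-D0B0-11D5-9FED-AA481EF64C42}" refers to invalid object "C:\WINDOWS\TEMP\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\.eps" refers to invalid object "Photoshop.EPSFile". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\ZAMailSafe\shell\open\command" refers to invalid object ""d:\ZoneAlarm\zonealarm.exe" -warning %1". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\EGHTMLDialer.dll tagged as "not-a-virus:Dialer.Win32.E-Group.1048". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\EGHTMLDialer.dll tagged as "not-a-virus:Dialer.Win32.E-Group.1048". Action Taken: No Action Taken.
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    for target, n in result["by_target"].most_common():
        print(f"{n:3d} x {target_kind(target):6s} {target}")
```

Grouping by target is what turns dozens of "invalid object" lines into a short list of stale files and ProgIDs, which is why such entries are a cleanup question rather than an infection indicator.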

#9 steveb1475 (Member, Topic Starter)
ok, deleted the files. Everything looks good so far, no more "baloons" popups and website redirections are gone as well. One thing though, I was reading your page on spyware and I saw that you should run msconfig and make sure that everything in the startup tab is checked... I didn't do this. Should I post one more log just to be sure, or do you think all the other scans have found everything? Thanks so much for all your help!
Steve

#10 greyknight17 (Malware Expert, Visiting Consultant)
Hi Steve, if you want, you may enable everything and post one more HijackThis log just to make sure everything is ok. But if you go into msconfig and know what everything is for in there, then you should be all set :tazz:

#11 steveb1475 (Member, Topic Starter)
I know what everything is that I have turned off. Thanks for all your help! You can close this topic.
Thanks again,
Steve

#12 greyknight17 (Malware Expert, Visiting Consultant)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.