Geeks to Go

not-a-virus:AdWare.Win32.Maxifiles [RESOLVED]

  • This topic is locked

#1 bmsherrill (New Member, 5 posts)
Howdy >>>

First thanks for looking/helping ... I'm a NASA electrical engineer with a daughter who IM's 24*7 ... Shoulda known better ... However, this new shiny Dell box collected 9 malware entities ... Cleansed 8 off through vigorous manipulations ... What remains may or may not be a problem - That's where I could use expert assistance.

At this point the use of (highly touted) "Kaspersky On-Line Scanner" results in one detection:
Infected = not-a-virus:AdWare.Win32.Maxifiles.m
Location = C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP73\A0011963.exe

This looks like a problem to me, but please advise ... I have followed your multi-step process (several times if truth be told) ... Alas this "Maxifiles" item is resistant to removal ... Am tempted just to delete this exe file, but think I'll get your comment.

In other words all these overlapping checks now yield only this one 'notable' in this one 'scanner' ... Alrightie, will be standing by ... Night!

>>> Mark In Virginia :tazz:

  • 0



#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Mark and welcome to GTG.

For CWShredder, make sure you move it out of the temporary folder. It shouldn't be there since they're called temporary folders for a reason :tazz: Move it somewhere else instead, like a folder on your desktop or Program Files folder.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido (only if you have Windows 2000 or XP). If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Darth\Local Settings\Temporary Internet Files\Content.IE5\QL7WPWVU\cwshredder[1].exe


Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0
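An added example, not code from the thread or from HijackThis itself: a small Python checker for the two entry patterns greyknight17 singles out above (an R3 URLSearchHook whose CLSID has no file behind it, and an O23 service whose binary runs from a Temporary Internet Files folder), plus a helper that recognises a scanner hit inside a System Restore snapshot like the Maxifiles path in post #1, which only turning System Restore off and back on will purge. The sample log lines are constructed from entries quoted in this thread; the temp-folder list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
# Header lines and the "Running processes:" paths do not match and are skipped.
ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Folders a legitimately installed service should never run from (assumed list:
# the IE cache, the per-user scratch folder and the system temp folder).
TEMP_MARKERS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# A System Restore snapshot copy: ...\System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_POINT = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def check_entry(section: str, body: str) -> Optional[str]:
    """Return why this entry deserves a 'Fix checked', or None if no rule fires."""
    if section == "R3" and body.startswith("URLSearchHook:") and body.endswith("(no file)"):
        return "URLSearchHook CLSID with no file behind it (orphaned hook)"
    if section == "O23" and body.startswith("Service:"):
        # The binary path is the last " - " separated field of an O23 line.
        path = body.rsplit(" - ", 1)[-1].lower()
        if any(marker in path for marker in TEMP_MARKERS):
            return "service binary runs from a temporary folder"
    return None


def scan_log(text: str) -> List[Finding]:
    """Walk a pasted HijackThis log and collect the entries the rules flag."""
    findings = []
    for raw in text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue
        reason = check_entry(match["section"], match["body"])
        if reason:
            findings.append(Finding(match["section"], reason, raw.strip()))
    return findings


def is_restore_point_copy(path: str) -> bool:
    """True when a scanner hit lives in a System Restore snapshot rather than on the live system."""
    return RESTORE_POINT.search(path) is not None


# Constructed sample built from entries quoted in this thread (one clean line per section).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Darth\Local Settings\Temporary Internet Files\Content.IE5\QL7WPWVU\cwshredder[1].exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```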

#3 bmsherrill (Topic Starter, New Member, 5 posts)
Staff ~>

Appreciate your valuable time in diagnosing our (new) box.

Will run through manipulations below but this time in Safe-Mode (which had not been in effect before) ... Am writing here to clarify steps about System-Restore ... Do you simply want it disabled/reenabled momentarily OR do you want it brought down for the whole period while machine is in Safe-Mode? ... Also don't worry about issuing warnings - I'll be careful around the Registry ... We don't want extra problems!

Will wait for a reply before starting (since need to know about System-Restore) ... Later!

~> Mark
  • 0

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Mark, disable System Restore in Normal Mode (no need to go to Safe Mode to do it). Restart and then enable it again so you have a fresh restore point. Then boot into Safe Mode and do the fixes.

No need to worry about the registry entries. No manual edits here since we will use HijackThis to do the job :tazz:
  • 0

#5 bmsherrill (Topic Starter, New Member, 5 posts)
Staff :::

Ok, reporting in (after some good rest with fam').

Have forced a Restore Point ... Got into Safe-Mode (after updating Ad-aware, Spybot and Ewido programs) ... Ran the three scanners (which noted nothing more than Cookies).

Ran Hijack and deleted keys that you advised on (shown in bold text earlier) ... BTW "dell-myway" entities appear legit (in being confirmed/connected to Dell) ... Restarted (again in Safe-Mode just to be on conservative side) ... Reran Hijack to produce attached file (which shows early keys absent).

In this logfile I see little that is unexplainable/suspicious ... Hope there is some 'meat' though in it for you to chew on!

BTW last night I noted that the Logon Picture had changed mysteriously for my main (Administrator) account and that I was locked out of accessing the web by my CyberPatrol app (via a Denied Page 'style' that does not even exist as far as I can determine) despite attempts to Override/Shutdown ... However, after I rebooted this behavior disappeared ... Confirmation of gremlins maybe?

Another point - Should I continue to disable Network Connection to web each time I finish with machine ... Daughter leaves it on 24*7 (so I think severing it is safer) ... What thinks yee?

Alrightie, thanks for peeking ... Later.

::: Mark

  • 0

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Mark, is this log you attached in Safe Mode or Normal Mode? The new log I asked for MUST be scanned in Normal Mode. I don't want a scan in Safe Mode because it won't be showing us all the startup entries.

Disable the network connection or power off your router/modem if you wish...definitely better than leaving it on when no one's using it.

Please give me a new log in Normal Mode. Try not to attach it. Instead copy and paste the whole log here :tazz:
  • 0

#7 bmsherrill (Topic Starter, New Member, 5 posts)
GreyKnight ~>

Ahhh sooo ... Come to think of it that makes sense ... Now have captured logfile in Normal-Mode which follows below (pasted directly into message as you asked).

Because of this turn-around delay I can now report (as it has finished) on my last run of "Kaspersky" online-scanner which produced the earlier highly-resistant 'Maxifiles' notification ... Must inform now (at this point in our cleansing game) that this particular analysis yields a Green-Board with no/zero detections ... Hmmm.

Guess if you Sir peruse Hijack log and declare clean, then this round of virus war is over ... Would conclude that this is only for the time being (until I erect proper/superior overall defenses) ... However, that is an "if" conditioned by a good reading on your end!

Welp, your new (Normal) logfile follows ... Thanks so much ... Looking forward to resolution.

~> Mark-O-Matic

++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 5:26:56 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberPatrol\cphq.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberPatrol\cpserver.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CyberPatrol\cpACtrl.exe
C:\Program Files\CyberPatrol\cpCCtrl.exe
C:\Program Files\CyberPatrol\cpkbinst.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ewido\ewidoguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Darth\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...pnav_undeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CyberPatrolNew] "C:\Program Files\CyberPatrol\cphq.exe" /m
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125483864015
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GXSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe" "WMP54GX.exe (file missing)
  • 0

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Check and fix these two in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)


No need for a new log.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9 bmsherrill (Topic Starter, New Member, 5 posts)
GreyKnight ~>

Welp ... For the short evaluation period following the completion of all 'fixes' asked this Dell now scans cleanly (on all online/offline tools and seems in general to act stably) ... I conclude that you are at the end of your trail with me, Cowboy ... Cool!

As for me though more miles have I to go before I sleep ... Because of worries about dreads like 'RootKit' thingies I'll be keeping a proverbial eye out for further oddities ... Will I ever know that this machine is free of ghosts - Guess not.

My main homework now is to decide/determine which 'accessory' software will be best to include in my protective utilities (on each of three machines at my home) ... Certainly have got a number of free 'trial period' applications running these days now after all this effort ... Will try to downselect from them one good paid service (if it's even possible for just one to do good/effective guarding).

Funny, up until recently I thought that my up-to-date Symantec Corporate AntiVirus product (in concert with the XP Firewall and CyberPatrol for safing kids) was doing a kick-butt job of watching the ol' back ... However, now after just a few weeks of IM'ing (on a spanking new Dell) and collecting almost a dozen 'bad things' the daughter here has blown that assumption out of the water!

Truly this all must be (as I've heard) just a cat-and-mouse game ... Thanks for building me/us a trap and loading it with cheese ... Hope coming hunting for you is bountiful (and satisfying) ... I appreciate the help, Sir ... Ok, night!

~> Mark-O-Matic :tazz:
  • 0

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem Mark, glad we could help. If you want, I'll try to narrow down on what I have (which are all free or have free editions):

Grisoft AVG - antivirus

ZoneAlarm - firewall

Ad-aware - antispyware (detection and removal)

Spybot - antispyware (detection and removal)

Modified HOSTS file - block out sites known to be bad (even though some may be legit - read more about it in the AntiSpyware Tutorial)

IE-Spyad - block out marketers, bad popup sites, etc.; similar to HOSTS in a way

SpywareBlaster - block out bad ActiveX controls

SpywareGuard - use this for real time spyware protection

For Spybot, it has a program called TeaTimer which you may want to use. Also provides real time registry/system monitoring. Asks you for permission before making any registry changes.

All free there :tazz: I don't ask users to buy any programs, but if you want, you may. None in my opinion will give you 100% protection. Spyware changes frequently and one day this program may be the best, but before you know it, another one tops it the next month...
  • 0

#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
