Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

worm_bagz.c [CLOSED]

Started by crhubbard , Mar 08 2006 05:13 PM

This topic is locked

#1
crhubbard

Posted 08 March 2006 - 05:13 PM

Member

Member
10 posts

Logfile of HijackThis v1.99.1
Scan saved at 6:08:49 PM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BevRick\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla firefox.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128022451857
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128023678749
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
Trevuren

Posted 08 March 2006 - 07:04 PM

Old Dog

Retired Staff
18,699 posts

Hi crhubbard and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
- Download Ad-Aware SE Personal 1.06:
  - Download Ad-Aware SE Personal 1.05.
  - Save aawsepersonal.exe to a convenient location.
- Install Ad-Aware SE Personal 1.06:
  - Double-click on aawsepersonal.exe to install the program.
  - Follow the default settings for installation.
  - After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
- Update Ad-Aware SE Personal 1.06:
  - Double-click the Ad-Aware SE Personal icon on your desktop.
  - Click "Check for updates now" then click "Connect".
  - It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
- Configure Ad-Aware SE Personal 1.06:
  - Click on the Gear button at the top of the window.
  - Click "General" on the left hand side to display the General Settings box.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Automatically save logfile"
    - "Automatically quarantine objects prior to removal"
    - "Safe Mode (always request confirmation)"
    - "Prompt to update outdated definitions" - change to 7 days from the default 14.
- Click "Scanning" on the left hand side to display the Scan Settings box.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
  - "Scan within archives"
  - "Select drives & folders to scan" - select your hard drive(s).
  - "Scan active processes"
  - "Scan registry"
  - "Deep-scan registry"
  - "Scan my IE favorites for banned URLs"
  - "Scan my Hosts file"
- Click "Advanced" on the left hand side to display the Advanced Settings box.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
  - "Move deleted files to Recycle Bin"
  - "Include additional object information"
  - "Include negligible objects information"
  - "Include environment information"
- Click "Defaults" on the left hand side to display the Default Settings box.
  - Make sure these items have your preferred settings in them.:
  - "Default homepage"
  - "Default searchpage"
- Click "Tweak" on the left hand side to display the Tweak Settings box.
  - Click the + (plus) sign next to the Log Files section. This will expand the section.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Include basic Ad-Aware settings in log file"
    - "Include additional Ad-Aware settings in log file"
    - "Include reference summary in log file"
    - "Include alternate data stream details in log file"
  - Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Unload recognized processes & modules during scan"
    - "Scan registry for all users instead of current user only"
    - "Obtain command line of scanned processes"
  - Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Always try to unload modules before deletion"
    - "During removal, unload Explorer and IE if necessary"
    - "Let Windows remove files in use at next reboot"
    - "Delete quarantined objects after restoring"
- Once you are done with these settings, click "Proceed" to save them.
- This will take you back to the main screen.
Run Ad-Aware SE Personal 1.06:
- Click the "Start" button.
- Uncheck the "Search for negligible risk entries" entry.
- Choose the "Use custom scanning options" scan mode.
- Click the "Next" button.
- Ad-Aware will begin to scan for malware residing on your computer.
- Allow the scan to finish.
- Right-click on any entry in the list and click "Select All" to select the whole list.
- Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Please download WebRoot SpySweeper from HERE (It's a 14-day trial):

Click Download Now to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply along with a fresh HJT log.

Regards,

Trevuren

#3
crhubbard

Posted 09 March 2006 - 06:11 PM

Member

Topic Starter
Member
10 posts

Here is the results from the scan on Webroot: I am still seeing a slow response on the system..and also a
lot of drop down screens never been there before?
thanks for helping...hope this makes it easier?

10:02 PM: | Start of Session, Wednesday, March 08, 2006 |
10:02 PM: Spy Sweeper started
10:02 PM: Sweep initiated using definitions version 629
10:02 PM: Starting Memory Sweep
10:07 PM: Memory Sweep Complete, Elapsed Time: 00:05:19
10:07 PM: Starting Registry Sweep
10:08 PM: Registry Sweep Complete, Elapsed Time:00:00:36
10:08 PM: Starting Cookie Sweep
10:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:08 PM: Starting File Sweep
10:08 PM: Found Trojan Horse: trojan downloader matcash
10:08 PM: c:\program files\common files\inetget2 (ID = -2147471395)
10:08 PM: Found Adware: mediabuddy (filefreedom)
10:08 PM: c:\program files\filefreedom (8 subtraces) (ID = -2147480607)
10:09 PM: Found Adware: maxifiles
10:09 PM: x.bmp (ID = 69314)
10:09 PM: autoit3.exe (ID = 119348)
10:30 PM: File Sweep Complete, Elapsed Time: 00:22:04
10:30 PM: Full Sweep has completed. Elapsed time 00:28:05
10:30 PM: Traces Found: 12
6:26 AM: Removal process initiated
6:26 AM: Quarantining All Traces: trojan downloader matcash
6:26 AM: Quarantining All Traces: maxifiles
6:26 AM: Quarantining All Traces: mediabuddy (filefreedom)
6:26 AM: Removal process completed. Elapsed time 00:00:09
********
9:22 PM: | Start of Session, Wednesday, March 08, 2006 |
9:22 PM: Spy Sweeper started
9:22 PM: Sweep initiated using definitions version 629
9:22 PM: Starting Memory Sweep
9:26 PM: Memory Sweep Complete, Elapsed Time: 00:04:48
9:26 PM: Starting Registry Sweep
9:27 PM: Registry Sweep Complete, Elapsed Time:00:00:42
9:27 PM: Starting Cookie Sweep
9:27 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:27 PM: Starting File Sweep
9:27 PM: Found Adware: mediabuddy (filefreedom)
9:27 PM: c:\program files\filefreedom (8 subtraces) (ID = -2147480607)
9:27 PM: Found Trojan Horse: trojan downloader matcash
9:27 PM: c:\program files\common files\inetget2 (ID = -2147471395)
9:28 PM: Found Adware: maxifiles
9:28 PM: x.bmp (ID = 69314)
9:28 PM: autoit3.exe (ID = 119348)
9:51 PM: Warning: Invalid file - not a PKZip file
9:51 PM: Warning: Invalid file - not a PKZip file
9:52 PM: Warning: Invalid Stream
9:52 PM: Warning: Invalid file - not a PKZip file
9:52 PM: Warning: Invalid file - not a PKZip file
9:52 PM: Warning: Invalid file - not a PKZip file
9:52 PM: Warning: Invalid Stream
9:53 PM: File Sweep Complete, Elapsed Time: 00:25:30
9:53 PM: Full Sweep has completed. Elapsed time 00:31:08
9:53 PM: Traces Found: 12
10:02 PM: | End of Session, Wednesday, March 08, 2006 |
********
9:18 PM: | Start of Session, Wednesday, March 08, 2006 |
9:18 PM: Spy Sweeper started
9:20 PM: Your spyware definitions have been updated.
9:22 PM: | End of Session, Wednesday, March 08, 2006 |

Here is the hjt...results....

Logfile of HijackThis v1.99.1
Scan saved at 7:08:33 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\BevRick\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla firefox.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128022451857
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128023678749
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4
Trevuren

Posted 09 March 2006 - 06:33 PM

Old Dog

Retired Staff
18,699 posts

One of your major problems now is that you are running way too many "real-time" monitoring services:

Trojan Hunter --- Tauscan = Both trojan specific (Remove one)
Ewido, Microsoft, Spybot and SpySweeper. You only need one running "shields", the rest, if you want to keep all of them, can be stopped from starting up automatically and continuously scanning thus freeing up a considerable amount of resources. Look at all the programs that I have to get you to turn off to make simple changes. Overkill.

===================================

Please disable Ewido Security Suite (EwidoGuard)

1. Launch Ewido
2. In the main window, click "Realtime protection" (in green indicating "Active") to change to inactive.

We must disable Spy Sweeper for it may interfere with our fix

To disable SpySweeper:

Open SpySweeper, click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left, click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck 'automaticly restore default without notifiction

I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.

Open Microsoft AntiSpyware.
Click on Options, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware

Make double sure to disable Spybot's Tea Timer for now, as it can interfere with the fixing of problems.

Open Spybot and and make sure you are in Advanced mode (check it in the 'Mode' menu). Go to the Tools section and click resident and then uncheck the box for Tea Timer.

Then, REBOOT

Please RUN HijackThis.
. Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
Reboot Your System
Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.

Regards,

Trevuren

#5
crhubbard

Posted 10 March 2006 - 05:29 PM

Member

Topic Starter
Member
10 posts

Here is the HJS after I did what you asked....also:
I get the error message VSTSKMGR.EXE that says I have encounterd a problem do I want to send error
report? I have been sending them.
I also keep getting drop downs from Network Associates.
and finally, I get drop downs on start up that state "Could not access server"

thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 6:25:51 PM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BevRick\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla firefox.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128022451857
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128023678749
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6
Trevuren

Posted 10 March 2006 - 05:43 PM

Old Dog

Retired Staff
18,699 posts

All these error messages pertain to your Antivirus program. It may well be corrupted. We never touched it.

This is what I recommend you do:

1. 1. Download Hoster Here: http://www.funkytoad...load/hoster.zip

2. Unzip Hoster to your desktop

3. Open up the Hoster program.

Make sure that the "make hosts writable?" button in the upper right corner is enabled.
Click back up Host files
then click Restore orginal host files
close program

4. Physically disconnect from the internet.

5. Uninstall McAfee

6. Re-install McAfee

7. Please post to tell me if this has resolved the question.

Regards,

Trevuren

#7
crhubbard

Posted 10 March 2006 - 10:37 PM

Member

Topic Starter
Member
10 posts

Trevuren....

Still having problems....Internet Explorer does not work only Mozilla.
Search feature locks up!
Still getting message need RESXX\McShield.dll
Tried to delete Network Associates, all gone except one dll file?
McAffee will not let me delete, it goes into a wait state...nothing happens? Looks like part of the program
is missing? Only program showing is McAffee Enterprise?

#8
Trevuren

Posted 10 March 2006 - 10:46 PM

Old Dog

Retired Staff
18,699 posts

We may have to DELETE Mc Afee manually so you can then reinstall it if you so choose. The first thing we have to do is get you a new Antivirus to cover our "you know what" until we can get this mess sorted out.

Please download AVG7 Free, install it, configure it, update it and do a full scan with it. The link is at the bottom of my post in my signature pane.

Once that is done, please post a fresh HJT log for review and tell me if you want to go through the process. It takes several posts.

Regards,

Trevuren

#9
crhubbard

Posted 11 March 2006 - 08:25 PM

Member

Topic Starter
Member
10 posts

Tre....

I downloaded the program you mentiond, the 7.1 ....it will not let me load it...it is asking for a certificate number.
It also says there is a conflict with Roxio and to delete it...I can't delete it either! It says there already is
a program being deleted? I can't see where it is?
also...I can not delete Mcafee

I will stay with it as long as you can help...

thanks

#10
Trevuren

Posted 11 March 2006 - 08:55 PM

Old Dog

Retired Staff
18,699 posts

You may have downloaded the pay version.

Try this link: http://free.grisoft....2/lng/us/tpl/v5

Trevuren

#11
crhubbard

Posted 12 March 2006 - 09:11 AM

Member

Topic Starter
Member
10 posts

Tre..

That worked...it is installed....still got the error message on Roxio? I can not go thru add/delete and
delete either Roxio or Mcaffe?
Computer still a little slow on response...
Here you go on the latest HJT...
Let me know what you want me to do?

Logfile of HijackThis v1.99.1
Scan saved at 10:07:40 AM, on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\BevRick\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla firefox.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128022451857
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128023678749
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\mcshield.exe (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12
Trevuren

Posted 13 March 2006 - 07:42 PM

Old Dog

Retired Staff
18,699 posts

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the following into Notepad:

sc stop McTaskManager
sc delete McTaskManager
sc stop McShield
sc delete McShield
sc stop McAfeeFramework
sc delete McAfeeFramework
del delete.bat

3. Save the file as "delete.bat". Make sure to save it with the quotes.

4. Double click delete.bat.

5. Run HJT, click scan and place a checkmark beside the following entries:

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

Now, with all windows closed, click Fix checked and EXIT HJT.

6. Reboot into Safe Mode:

How to use the F8 method to Start Your Computer in Safe Mode*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.

7. Now using Windows Explorer (Windows Key + E), locate and DELETE the following folders (If still present):

C:\Program Files\Network Associates<==Folder and content
C:\Program Files\Common Files\Network Associates<==Folder and content

8. Reboot into Normal Windows Mode.

9. a. Download "Registry Search Tool" (RegSrch.vbs) from HERE to your desktop

b. Start the program by clicking on it and paste in the following word(s) McAfee.

c. Wait for it to complete the search, click ok at the prompt.

d. Then when wordpad opens, copy/paste the text as a reply into this thread. This is going to be a very long list of entries. You may need to spread it over a couple of posts.

Regards,

Trevuren

#13
crhubbard

Posted 13 March 2006 - 08:51 PM

Member

Topic Starter
Member
10 posts

Tre..

under #5 on the instructions....none of the lines that started with 04 were there as you described?
I did earlier delte all those reg files that were not being used?

Here is the results from the Reg Scan Tool:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Mcafee" 3/13/2006 9:46:26 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}]
"LocalService"="McAfeeFramework"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\BB1D3FD5E498DCD4285751A99C28B934]
"ProductName"="McAfee VirusScan Enterprise"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{51199FE2-2D9C-4047-A61E-81A9F6A0D806}]
@="IMcAfeeScript"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7A9ECE1F-5CAD-4017-999F-552270E45D92}]
@="_IMcAfeeScriptEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{963B7D71-C519-4A5D-B8E7-742B08628F5D}]
@="_IMcAfeeUpdateEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A33F52E5-9F67-459C-95D3-8420B50E7183}]
@="IMcAfeeUpdate2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D831533D-0324-4EA4-B3FD-073AFEE85181}]
@="IMcAfeeUpdate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript]
@="McAfeeScript Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript\CurVer]
@="ScriptSubSys.McAfeeScript.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript.1]
@="McAfeeScript Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate]
@="McAfeeUpdate Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate\CurVer]
@="UpdateSubSys.McAfeeUpdate.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate.1]
@="McAfeeUpdate Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BB1D3FD5E498DCD4285751A99C28B934\InstallProperties]
"URLInfoAbout"="http://www.mcafeesecurity.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BB1D3FD5E498DCD4285751A99C28B934\InstallProperties]
"DisplayName"="McAfee VirusScan Enterprise"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5DF3D1BB-894E-4DCD-8275-159AC9829B43}]
"URLInfoAbout"="http://www.mcafeesecurity.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5DF3D1BB-894E-4DCD-8275-159AC9829B43}]
"DisplayName"="McAfee VirusScan Enterprise"

[HKEY_USERS\S-1-5-21-1390067357-527237240-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"002"="mcafee"

#14
Trevuren

Posted 13 March 2006 - 08:57 PM

Old Dog

Retired Staff
18,699 posts

Is that the extent of them?

Trevuren

#15
Trevuren

Posted 13 March 2006 - 10:22 PM

Old Dog

Retired Staff
18,699 posts

1. Backup the registry by going to Start>Run> and type ‘regedit’ without the quotes. Once the Registry Editor opens, please do the following:

Highlight My Computer
From the file menu choose ‘export’ in XP.
Choose Desktop as the destination
Under Export Range, choose "ALL"
Use Sysreg as the file name
Click Save and EXIT the Registry Editor once the operation is completed
To verify that the export was successful, you should see a "blue cube icon" on your desktop named Sysreg.reg

If a restore of the registry is required, just click on the exported regfile on your desktop, and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like Merge Successful.

2. Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}]
"LocalService"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\BB1D3FD5E498DCD4285751A99C28B934]
"ProductName"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{51199FE2-2D9C-4047-A61E-81A9F6A0D806}]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7A9ECE1F-5CAD-4017-999F-552270E45D92}]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{963B7D71-C519-4A5D-B8E7-742B08628F5D}]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A33F52E5-9F67-459C-95D3-8420B50E7183}]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D831533D-0324-4EA4-B3FD-073AFEE85181}]
@=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ScriptSubSys.McAfeeScript.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UpdateSubSys.McAfeeUpdate.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BB1D3FD5E498DCD4285751A99C28B934\InstallProperties]
"URLInfoAbout"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BB1D3FD5E498DCD4285751A99C28B934\InstallProperties]
"DisplayName"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5DF3D1BB-894E-4DCD-8275-159AC9829B43}]
"URLInfoAbout"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5DF3D1BB-894E-4DCD-8275-159AC9829B43}]
"DisplayName"=-

[HKEY_USERS\S-1-5-21-1390067357-527237240-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"002"=-

3. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

4. Reboot your computer.

5. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.