[greyknight17]

Sorry about that. Here is the link.

[Advertisements]

Logs following:


(6/26/05 19:55:41) SPSeHjFix started v1.09
(6/26/05 19:55:41) OS: WinME (4.90.73010104)
(6/26/05 19:55:41) Language: english
(6/26/05 19:55:43) Disinfect started
(6/26/05 19:55:43) Bad-Dll(IEP): (not found)
(6/26/05 19:55:43) Bad-Dll(IEP) in BHO: (not found)
(6/26/05 19:55:43) UBF: 4
(6/26/05 19:55:43) UBB: 3
(6/26/05 19:55:43) UBR: 35
(6/26/05 19:55:43) Bad IE-pages:
(6/26/05 19:55:43) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/26/05 19:55:43) File added to delete: c:\windows\faultllg.txt
(6/26/05 19:55:43) Reboot
(6/26/05 19:56:38) SPSeHjFix 2nd Step
(6/26/05 19:56:39) RunServicesOnce-Key: (alex)
(6/26/05 19:56:43) Cleaned

26/06/2005 19:55:11 SPhjFix started v1.07
26/06/2005 19:55:11 Stealth-String not found -> Programm terminated

Nothing found on this logon will keep you posted thanks.

[billywhizz]

Logs following:


(6/26/05 19:55:41) SPSeHjFix started v1.09
(6/26/05 19:55:41) OS: WinME (4.90.73010104)
(6/26/05 19:55:41) Language: english
(6/26/05 19:55:43) Disinfect started
(6/26/05 19:55:43) Bad-Dll(IEP): (not found)
(6/26/05 19:55:43) Bad-Dll(IEP) in BHO: (not found)
(6/26/05 19:55:43) UBF: 4
(6/26/05 19:55:43) UBB: 3
(6/26/05 19:55:43) UBR: 35
(6/26/05 19:55:43) Bad IE-pages:
(6/26/05 19:55:43) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/26/05 19:55:43) File added to delete: c:\windows\faultllg.txt
(6/26/05 19:55:43) Reboot
(6/26/05 19:56:38) SPSeHjFix 2nd Step
(6/26/05 19:56:39) RunServicesOnce-Key: (alex)
(6/26/05 19:56:43) Cleaned

26/06/2005 19:55:11 SPhjFix started v1.07
26/06/2005 19:55:11 Stealth-String not found -> Programm terminated

Nothing found on this logon will keep you posted thanks.

[miekiemoes]

Hello,

Are you still having the same alerts from McAfee?

If so.. we'll need to delete it in DOS.

Do you have a bootdisk and know how to boot in DOS?
If not, read here how to create a bootdisk:
http://www.computerhope.com/boot.htm

So boot in DOS and type next commands:

cd c:\ <press enter>

cd windows <press enter>

del FAULTLLG.TXT <press enter>

Reboot your computer and run SPSeHjFix again to get rid of the leftovers.

Post a new hijackthislog afterwards.

[billywhizz]

Log following after deleting the File in DOS:

(6/29/05 17:40:31) SPSeHjFix started v1.09
(6/29/05 17:40:31) OS: WinME (4.90.73010104)
(6/29/05 17:40:31) Language: english
(6/29/05 17:40:34) Disinfect started
(6/29/05 17:40:34) Bad-Dll(IEP): (not found)
(6/29/05 17:40:34) Bad-Dll(IEP) in BHO: (not found)
(6/29/05 17:40:34) UBF: 4
(6/29/05 17:40:34) UBB: 3
(6/29/05 17:40:34) UBR: 38
(6/29/05 17:40:34) Bad IE-pages:
(6/29/05 17:40:34) Stealth-String not found:
(6/29/05 17:40:34) Not infected->END

Looking good? I had an error message on startup "RUNDLL ERROR File FAULTLLG.TX NOT FOUND"

Thanks again.

[miekiemoes]

Seems like we got rid of it...

Now let's deal with that error message you get on startup..

* Open notepad and copy and paste next in the field in it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

Save this as fix.reg , choose for save as *all files and save it on your desktop.
Doubleclick fix.reg
*Answer Yes when prompted to add the contents to the registry.

Reboot and post a hijackthislog as a final checkup.

[billywhizz]

Error message hasn't come back so haven't run the reg edit yet. No sign of trojan either..

Here is HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 20:31:56, on 29/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE QUICKCLEAN\PLGUNI.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOWNLOADS\VIRUS SPYWARE FIXES SEE GEEKS TO GO WEB SITE\HJT REG FIX\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvColorInit] RUNDLL32.EXE NVQTWK.DLL,NvColorInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell...gen/default.htm (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

[miekiemoes]

This log looks clean.

You may want to fix next in it, because they're known as resource hogs:

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Kaspersky online and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again!

Ps: And thx ofcourse to greyknight who already did a great job here, but is now on holiday, that's why I took over.

[billywhizz]

Many thanks and also to Greyknight for all the work. I can't believe where all this stuff comes from, but hopefully now have enough tools to stop it happening again.

One thing in the HJT log - can I get rid of these;

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

I don't recognise them, and they haven't appeared before.

Thanks again.

[miekiemoes]

The O1 - Hosts: 64.91.255.87 www.dcsresearch.com is from TDS-3

http://tds.diamondcs.com.au/

You may fix it if you want, but not necessary

And I missed the leftover: O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

so fix them.

[billywhizz]

OK will do. Many thanks once again to Greyknight and yourself for all your help.

[miekiemoes]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.