HJT - mherrett



#1 mherrett


Posted 28 June 2005 - 11:57 PM

I had my cable modem replaced last week by Comcast (is there a bleep and moan section about cable companies?). The tech disabled my McAfee Firewall to download something from Comcast to get it running again. I forgot to enable it before surfing onto apparently unsavory sites. I contracted SmitFraud and some other spyware.

My McAfee Internet Security Suite became disabled and I was unable to run or re-install VirusScan. McAfee Tech Chat was no help. Thanks to your website I was able to get rid of SmitFraud but I still have something that is disabling my McAfee software and not allowing me to run Spybot or AdAware.

Here's my HijackThis log. Many thanks in advance for the assistance.

Logfile of HijackThis v1.99.1
Scan saved at 9:20:52 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hijackthis\Hijackthis.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe,diskrity.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\diskrity.exe,C:\Documents and Settings\MICHAEL HERRET\Application Data\Explorer\diskrity.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl...22/ComCtl32.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...73/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...519/mcfscan.cab
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O21 - SSODL: Themes Explorer - {8DFDDEAE-FF3F-460E-B6F7-E1F4571DA901} - C:\WINDOWS\System32\kbdcrsrc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



#2 Guest_Cretemonster_*


Posted 29 June 2005 - 12:44 PM

Hi mherrett and Welcome!

Sounds like Comcast is as bad as Charter!!! :thumbsup:

Try and locate 2 files and send them to me!

C:\WINDOWS\System32\diskrity.exe

C:\WINDOWS\System32\kbdcrsrc.dll

Right Click the Desktop and Select Compressed (zipped) Folder and place them in there!

Email the zipped folder here>> filesubmit@charter.net

Download a program called LSPfix. Here's the link where to get it:

http://cexx.org/lspfix.htm

Run the program and follow these directions:

1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select all instances of flsmngr.dll
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.

Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet.
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders. This must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Locate and Delete the following if found

C:\WINDOWS\System32\diskrity.exe<< File

C:\WINDOWS\System32\kbdcrsrc.dll<< File

C:\WINDOWS\System32\flsmngr.dll<< File

C:\WINDOWS\web\related.htm<< File

C:\Documents and Settings\MICHAEL HERRET\Application Data\Explorer\diskrity.exe<< File

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

F2 - REG:system.ini: Shell=Explorer.exe,diskrity.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\diskrity.exe,C:\Documents and Settings\MICHAEL HERRET\Application Data\Explorer\diskrity.exe

O4 - HKLM\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe

O4 - HKCU\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O21 - SSODL: Themes Explorer - {8DFDDEAE-FF3F-460E-B6F7-E1F4571DA901} - C:\WINDOWS\System32\kbdcrsrc.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Scan with Ewido> when prompted> Select to clean and place a check by the box to use this action for all infections!

Once it completes, Click the tab to Save the report and Save it to your Desktop for easy access!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and the reports from Ewido and Panda!

Edited by Cretemonster, 29 June 2005 - 12:48 PM.
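As an added triage example (not part of this thread and not a HijackThis or BleepingComputer tool), the following Python script parses a few log lines constructed from the entries Cretemonster flagged above and reports the F2 Shell/UserInit hijack, the O4 Run entries that reuse the same binary, the unknown O10 LSP module and the O21 SSODL entry. The heuristics, the `triage` function and the `Finding` type are my own assumptions, not HijackThis logic.

```python
"""Triage a HijackThis (v1.99-style) log for the persistence points discussed
in this thread: F2 Shell/UserInit hijacks, O4 Run entries that start the same
binary, unknown Winsock LSP modules (O10) and SSODL entries (O21)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted above, in the
# exact HijackThis line format. Not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F2 - REG:system.ini: Shell=Explorer.exe,diskrity.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\diskrity.exe,C:\Documents and Settings\MICHAEL HERRET\Application Data\Explorer\diskrity.exe
O4 - HKLM\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O21 - SSODL: Themes Explorer - {8DFDDEAE-FF3F-460E-B6F7-E1F4571DA901} - C:\WINDOWS\System32\kbdcrsrc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Image path at the start of an O4 target: either a quoted path, or an
# unquoted path up to the first executable-looking extension.
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|hta|dll|com|bat|cmd|scr|pif|vbs|js))(?:\s|$)', re.I)
# The only program each system.ini key should name on a clean Windows XP box.
EXPECTED_F2 = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("C:\\x\\y.exe" -> "y.exe")."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings = []
    suspect_names = set()   # basenames injected into Shell / UserInit
    o4_entries = []         # (basename, raw line); judged after the F2 pass

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section == "F2" and body.startswith("REG:system.ini:"):
            key, _, value = body[len("REG:system.ini:"):].strip().partition("=")
            expected = EXPECTED_F2.get(key)
            if expected is None:
                continue
            # Every comma-separated program beyond the expected one is a hijack.
            for prog in (p.strip() for p in value.split(",")):
                if prog and _basename(prog) != expected:
                    suspect_names.add(_basename(prog))
                    findings.append(Finding(section, f"{key} also loads {prog}", raw))

        elif section == "O4":
            # Body looks like: HKLM\..\Run: [Name] "C:\path\prog.exe" /args
            target = body.split("]", 1)[-1].strip()
            img = IMAGE_RE.match(target)
            image = (img.group(1) or img.group(2)) if img else target.split()[0]
            o4_entries.append((_basename(image), raw))

        elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding(section, "unrecognised LSP module sits in the path of all socket traffic", raw))

        elif section == "O21":
            findings.append(Finding(section, "SSODL entry loads a DLL into every Explorer session; verify the file", raw))

    for name, raw in o4_entries:
        if name in suspect_names:
            findings.append(Finding("O4", f"Run entry starts the same binary as a hijacked F2 key ({name})", raw))
        elif name.endswith(".hta"):
            findings.append(Finding("O4", "Run entry launches an HTML Application instead of a program", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```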


#3 mherrett


Posted 30 June 2005 - 01:55 AM

Cretemonster:
Followed all of your steps. I was unable to delete diskrity.exe. Access denied.
I tried disabling it in msconfig.
It came up as disinfected in the ActiveScan.
I was able to reinstall McAfee.
All of the scary no name/weird character processes running in Task Manager seem to have disappeared. Whew.
Problem now is I keep getting a McAfee VirusScan popup telling me:
The file C:\WINDOWS\system32\WININET.dll is infected by the W32/Alemod.dll virus and cannot be cleaned. It won't let me delete or quarantine the file and the popup won't go away.

Here's my HJT log followed by the Ewido report and the ActiveScan report:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:04 PM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\Hijackthis.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl...22/ComCtl32.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...73/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...519/mcfscan.cab
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O21 - SSODL: Themes Explorer - {507EAAC1-ED25-4A93-AFC0-52E1390AF39C} - C:\WINDOWS\System32\kbdcrsrc.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:51:15 PM, 6/29/2005
+ Report-Checksum: 21B8B5FB

+ Date of database: 6/30/2005
+ Version of scan engine: v3.0

+ Duration: 40 min
+ Scanned Files: 71397
+ Speed: 29.04 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\LocalService\Cookies\michael herret@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\michael herret@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@servedby.netshelter[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Cookies\michael herret@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\Cookies\michael herret@90594700[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\Cookies\michael herret@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\Cookies\michael herret@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\Cookies\michael herret@servedby.netshelter[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\Cookies\michael herret@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\dimfkpmd.exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\mekllpmd.exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp17.tmp -> TrojanDownloader.Murlo.w -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp1F.tmp -> TrojanDownloader.Murlo.w -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp3.tmp -> TrojanDownloader.Murlo.w -> Cleaned with backup
C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp5.tmp -> TrojanDownloader.Murlo.w -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@bravenet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@ehg-dig.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@ehg-enotes.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@ehg-legonewyorkinc.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@ehg-zoomerang.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@servlet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Natalia\Cookies\natalia@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\WINDOWS\system32\thn32.dll -> TrojanProxy.Small.bk -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup


::Report End

Ewido Start up Report:
---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 8:55:01 PM, 6/29/2005
+ Report-Checksum: DADC9E8B

Reg\HKLM\Run POINTER point32.exe
Shell\CommonStartup WinZip Quick Pick.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
File\SystemIni explorer.exe,diskrity.exe
Reg\HKLM\Run tgcmd "C:\Program Files\Support.com\bin\tgcmd.exe" /server
Reg\HKLM\Run Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Reg\HKLM\Run SM1BG C:\WINDOWS\SM1BG.EXE
Reg\HKLM\Run Truefonts C:\WINDOWS\Fonts\fonts.hta
Reg\HKLM\Run TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Reg\HKLM\Run DeltTray DeltTray.exe
Reg\HKLM\Run iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
Reg\HKLM\Run WildTangent CDA "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
Reg\HKLM\Run SoundMan SOUNDMAN.EXE
Reg\HKLM\Run NeroCheck C:\WINDOWS\System32\NeroCheck.exe
Reg\HKLM\Run Themes Meeting C:\WINDOWS\System32\diskrity.exe
Reg\HKCU\Run WinMX C:\Program Files\WinMX\WinMX.exe -m
Reg\HKCU\Run Themes Meeting C:\WINDOWS\System32\diskrity.exe

Active Scan Report:

Incident Status Location

Virus:Trj/Agent.ZZ Disinfected C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp19.tmp
Virus:Trj/Agent.ZZ Disinfected C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp21.tmp
Virus:Trj/Agent.ZZ Disinfected C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp29.tmp
Virus:Trj/Agent.ZZ Disinfected C:\Documents and Settings\MICHAEL HERRET\Local Settings\Temp\tmp6.tmp
Virus:Trj/Ppdoor.DG Disinfected C:\WINDOWS\system32\diskrity.exe
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll

Any further advice? What the bleep is diskrity?

#4 Guest_Cretemonster_*


Posted 30 June 2005 - 06:12 AM

Please locate that file
C:\WINDOWS\System32\WININET.dll

Please Email me a copy of that file just like you did the others!

Do Not Delete that file, we will deal with it in Safe Mode!

Download "The Hoster" from here
http://www.funkytoad.com/download/hoster.zip

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Download and Install CleanUp! 4.0
http://downloads.stevengould.org/cleanup/CleanUp40.exe

Go to Add\Remove Programs and Remove

WildTangent
WeatherBug\AWS


Restart back in Safe Mode and be sure Windows is Showing Hidden Files

Physically Unplug your Internet Connection from the back of the PC!

Open Hoster Press "Restore Original Hosts" then press "OK".

Exit Program

From the list of files below, place each into Killbox's "Full Path of File to Delete"

C:\WINDOWS\Fonts\fonts.hta
C:\WINDOWS\system32\OLEADM.dll
C:\WINDOWS\System32\kbdcrsrc.dll
C:\WINDOWS\system32\thn32.dll
C:\WINDOWS\System32\diskrity.exe
C:\WINDOWS\wt
C:\Program Files\WildTangent


When you paste the entry into Killbox make sure there is a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Once those are ticked, Click the Red Circle with the White X in the Middle to Delete!!

Keep a list of any file that Killbox could not delete, we will enter them again just before Restarting!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe

O4 - HKCU\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe

O21 - SSODL: Themes Explorer - {507EAAC1-ED25-4A93-AFC0-52E1390AF39C} - C:\WINDOWS\System32\kbdcrsrc.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "No" to Logoff!

If you have any files that wouldn't delete, paste them back into killbox and select

"Delete on Reboot"

If more than 1 file

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Stay Disconnected from the Internet for a few minutes until we get this file replaced!

Now Navigate to C:\WINDOWS\System32\dllcache and open that folder!

Verify that you have WININET.dll in that location!

If you don't, do not follow the rest of the directions below, just post back letting me know that please!

If you were able to locate WININET.dll in the dllcache folder

Open the System32 folder and locate WININET.dll> Right Click and Select "Rename"> Rename it to WININET.old

Now Right Click WININET.dll in the dllcache folder and select Copy

Go back to the System32 folder and Right Click inside the folder and Select paste!

That should place a clean copy of WININET.dll in the System32 folder!

Restart the PC and Scan with Panda again!

Navigate to this site
http://virusscan.jotti.org/

Scan the New WININET.dll in the System32 folder and let me know the results!

Post back with a fresh HijackThis log!


EDIT:

I forgot to tell you to password protect the files you send!

If you still have those files,place them all including WININET into the Zip Folder and with the Zip Folder Open>> Click File>> Click Add a Password

Make the Password infected

Sorry about that!

Edited by Cretemonster, 30 June 2005 - 04:14 PM.
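The two file-level steps in the post above, "Delete on Reboot" for locked files and replacing WININET.dll from dllcache, as an added Python example; this is not code from the thread, from Killbox or from HijackThis. The registry value format is the one MoveFileEx writes with MOVEFILE_DELAY_UNTIL_REBOOT into HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which is the mechanism Killbox's "Delete on Reboot" depends on (and what its "Registry Data has been Removed by External Process" message is about). The XP paths are assumptions, and demo() builds a throwaway directory layout with constructed file contents rather than touching a real System32.

```python
import hashlib
import os
import shutil
import tempfile

NT_PREFIX = "\\??\\"   # NT object-manager form Windows expects in the value


def pending_rename_entries(paths):
    # Strings for the REG_MULTI_SZ value
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
    # They come in pairs: source path, then destination; an empty destination
    # means "delete at boot". MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
    # writes exactly this, which is how a "Delete on Reboot" tool gets past a
    # file that is locked while Windows is running.
    entries = []
    for p in paths:
        entries.append(NT_PREFIX + p)
        entries.append("")
    return entries


def parse_pending_renames(entries):
    # Inverse: (source, destination) tuples, destination None for a delete.
    # A leading "!" on the destination means replace-existing; dropped here.
    if len(entries) % 2:
        raise ValueError("odd number of strings: value is corrupt")

    def strip(s):
        s = s[1:] if s.startswith("!") else s
        return s[len(NT_PREFIX):] if s.startswith(NT_PREFIX) else s

    return [(strip(src), strip(dst) or None)
            for src, dst in zip(entries[0::2], entries[1::2])]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_from_dllcache(system32, dllcache, name="WININET.dll"):
    # Same moves as the post: stop if dllcache has no copy, rename the live
    # file to .old, copy the cached one in. Returns (cache_hash, old_hash);
    # old_hash is None when there was no live file to move aside.
    cache_copy = os.path.join(dllcache, name)
    if not os.path.isfile(cache_copy):
        raise FileNotFoundError(name + " is not in dllcache; stop here and ask")
    live = os.path.join(system32, name)
    old_hash = None
    if os.path.isfile(live):
        old_hash = sha256_of(live)
        os.replace(live, os.path.splitext(live)[0] + ".old")
    shutil.copy2(cache_copy, live)
    return sha256_of(cache_copy), old_hash


def demo():
    # Scratch layout standing in for C:\WINDOWS\System32 and its dllcache
    # (assumed XP paths); file contents are constructed, not real DLLs.
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "System32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    with open(os.path.join(dllcache, "WININET.dll"), "wb") as f:
        f.write(b"clean copy")
    with open(os.path.join(system32, "WININET.dll"), "wb") as f:
        f.write(b"patched by malware")
    cache_hash, old_hash = restore_from_dllcache(system32, dllcache)
    with open(os.path.join(system32, "WININET.dll"), "rb") as f:
        live_now = f.read()
    with open(os.path.join(system32, "WININET.old"), "rb") as f:
        backup = f.read()
    shutil.rmtree(root)
    return {
        "replaced": cache_hash != old_hash,
        "live_now": live_now,
        "backup": backup,
        "reboot_value": pending_rename_entries(
            [r"C:\WINDOWS\System32\diskrity.exe", r"C:\WINDOWS\Fonts\fonts.hta"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The hash pair that restore_from_dllcache returns is the check the post leaves implicit: if the cached and live copies hash differently, the live file had been altered, which is what the later Panda hit on wininet.old bears out. Two caveats: a differing hash only says the copies differ, not which one is clean, so the cache copy still needs the Jotti scan the post asks for (or a known-good hash from a clean SP2 install), and Windows File Protection on XP may itself swap the file back from dllcache, which is harmless if that copy is clean and useless if it is not.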


#5 mherrett (Topic Starter)

Posted 01 July 2005 - 08:44 PM

Hi Cretemonster:
After your last set of instructions my computer cleaned up pretty good. I then spent many frustrating hours trying to get McAfee loaded up and now I'm being told:

"The version of VirusScan that is installed on your computer is designed for a different operating system. If you recently updated your computer from one operating system to another, please uninstall VirusScan, restart your computer, and then reinstall VirusScan to get the correct version for your operating system."

The online techs at McAfee are no help. I plan to hit the Antivirus forum here to get some real help.

Anyhow, here's my HJT log and another Panda log. There's another spyware in my registry it couldn't disinfect. I scanned my WININET.dll file in virusscan.jotti and it came out clean.

Please let me know any further steps and if you have some McAfee advice it would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 6:31:12 PM, on 7/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\DeltTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Hijackthis\Hijackthis.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\20057116107_mcinfo.exe /insfin
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAgentExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120252088500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe


Incident                        Status           Location

Spyware:Spyware/Searchcentrix   No disinfected   Windows Registry
Virus:W32/Smitfraud.A           Disinfected      C:\WINDOWS\system32\wininet.old
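A small triage pass over lines in HijackThis v1.99 format, added here as an example; it is not part of the thread and not HijackThis code. The sample log is constructed from entries quoted in this thread (the ones Cretemonster asked to have fixed, plus a few lines from the log above) so the heuristics see both suspicious and legitimate input. The checks are the ones a log reader does by eye: autorun of a script file, an autorun image under Temp or Fonts, orphaned "(file missing)" entries, the same Run value registered in both HKLM and HKCU, an O16 ActiveX download from a host outside a small allowlist, and an empty proxy setting. The allowlist is an assumption, and every hit is a prompt for review, not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 format, built from lines quoted in
# this thread. Not a complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O4 - HKCU\..\Run: [Themes Meeting] C:\WINDOWS\System32\diskrity.exe
O21 - SSODL: Themes Explorer - {507EAAC1-ED25-4A93-AFC0-52E1390AF39C} - C:\WINDOWS\System32\kbdcrsrc.dll (file missing)
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\20057116107_mcinfo.exe /insfin
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
""".strip()

# Assumed allowlist for O16 (ActiveX download) hosts; a working list is far
# longer. Hosts outside it are reported for review, not declared malicious.
TRUSTED_O16_HOSTS = {"update.microsoft.com", "www.pandasoftware.com",
                     "www.amiuptodate.com", "a840.g.akamai.net"}
SCRIPT_EXT = (".hta", ".vbs", ".js", ".wsf", ".scr", ".pif", ".bat", ".cmd")
SUSPECT_DIRS = ("\\temp\\", "\\fonts\\", "\\recycler\\", "\\local settings\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>.*?)\) - (?P<url>\S+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.*)$")


def image_path(cmd):
    # First token of an O4 command line: a quoted path, else up to the first space.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    # Returns (line, reason) pairs; one line can earn several reasons.
    findings = []
    run_values = defaultdict(lambda: ([], set()))   # (name, path) -> (lines, hives)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append((line, "orphaned entry: target file missing"))
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd")).lower()
            lines, hives = run_values[(m.group("name").lower(), path)]
            lines.append(line)
            hives.add(m.group("hive"))
            if path.endswith(SCRIPT_EXT):
                findings.append((line, "autorun of a script file: " + path))
            for d in SUSPECT_DIRS:
                if d in path:
                    findings.append((line, "autorun image lives under " + d.strip("\\")))
                    break
        m = O16_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_O16_HOSTS:
                findings.append((line, "ActiveX download from host outside allowlist: " + host))
        m = R1_PROXY_RE.match(line)
        if m and m.group("proxy").strip() in ("", ":0", "0"):
            findings.append((line, "empty proxy setting (host blank, port 0); confirm no proxy is intended"))
    # Legitimate software rarely registers the same Run value in both hives;
    # the diskrity.exe pair above is the pattern this heuristic is after.
    for (name, path), (lines, hives) in run_values.items():
        if len(hives) > 1:
            findings.append((lines[0], "Run value %r registered under more than one hive (%s)"
                             % (name, ", ".join(sorted(hives)))))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason)
        print("    " + line)
```

On the sample the McAfee shield and the Panda ActiveScan control pass untouched, while fonts.hta, the doubled diskrity.exe value, the orphaned kbdcrsrc.dll SSODL entry, the installer running from Temp, the klikw.com cab and the blank proxy are all surfaced. The Temp hit is a good reminder of why these are review prompts: the log shows that entry is McAfee's own installer leftover, which is exactly the kind of thing a human still has to recognise.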

#6 Guest_Cretemonster_* (Guest)

Posted 01 July 2005 - 09:12 PM

I say go to McAfee themselves, there are some decent folks over there!

http://forums.mcafeehelp.com/index.php

Please remove C:\WINDOWS\system32\wininet.old

Also uninstall Ewido, I can't see where you will need it, unless it gives you that Warm Fuzzy feeling!



