I NEED HELP


  • This topic is locked
40 replies to this topic

#1 birdman405

birdman405

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:18 AM

Posted 10 July 2005 - 11:40 AM

I had spysheriff and antivirus gold and i think smitfraud. I followed your instructions to get rid of them but i still can't change my screen windows and buttons to XP style. And now McAfee says it found a virus that cannot be cleaned, deleted, or quarantined. It says use a rescue disk but I don't have one. Here is my HJT log. PLEASE HELP!


Logfile of HijackThis v1.99.1
Scan saved at 12:38:17 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Local Settings\Temp\Temporary Directory 4 for HijackThis.zip\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.180.155/5/s1//q.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116192723267
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


#2 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:07:18 AM

Posted 11 July 2005 - 12:59 PM

Could you provide a link to your original log when you had those infections?

#3 birdman405

birdman405
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:18 AM

Posted 11 July 2005 - 01:08 PM

I can't find my logs from when I had spysheriff and avgold, if those are the ones you're talking about. Maybe I'm looking in the wrong place but I'm not sure if I even saved them right. I also had a lot of stuff about oneclicksearches that were on my HJT log while I was infected with all the spyware but I deleted that using a different site. The oneclicksearches messed up my homepage but it's back to normal now. I don't know if that will help at all. Also McAfee says the virus name is W32/Alemod.b.dll and the file path is C:\WINDOWS\system32. Thanks for your help and hopefully some of this can help.

Edited by birdman405, 11 July 2005 - 02:04 PM.


#4 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:07:18 AM

Posted 11 July 2005 - 03:02 PM

I thought you had a previous post at this forum that I could review, since you said we had helped you before. I'll review your log and see if we can get you on track again.

Looks like you have probably gone through this step before, but please download, install, update and scan your system with the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


#5 birdman405

birdman405
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:18 AM

Posted 12 July 2005 - 11:36 AM

Alright, here's the reports. Thanks again, I really appreciate your help.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:27:19 PM, 7/12/2005
+ Report-Checksum: 8B961C24

+ Scan result:

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{14A3221B-1678-1982-A355-7263B1281987} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Wast -> Spyware.BroadCastPC : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6124 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6577 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6665 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6685 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6720 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6726 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6831 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_6862 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_7134 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_2\Seqn_7366 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_3 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_3\Seqn_5398 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_0\Level_4\Seqn_6728 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_1\Seqn_5624 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_1\Seqn_6191 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_2\Seqn_5064 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_2\Seqn_7000 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_2\Seqn_7120 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_2\Seqn_7137 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_2\Seqn_7549 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_3 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Loct_1\Level_4\Seqn_7346 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Services -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Services\Queue -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\Cydoor\Adwr_270\Services\Status -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\DownloadWare -> Spyware.Downloadware : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\DownloadWare\Prefs -> Spyware.Downloadware : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks -> Spyware.TOPicks : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks\General -> Spyware.TOPicks : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks\Links -> Spyware.TOPicks : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks\Log -> Spyware.TOPicks : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks\Path -> Spyware.TOPicks : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks\SRM -> Spyware.TOPicks : Cleaned with backup
HKU\S-1-5-21-436374069-1383384898-854245398-1003\Software\ToPicks\Threads -> Spyware.TOPicks : Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Andrew\Cookies\andrew@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Jim\Cookies\jim@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jim\Cookies\jim@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Jim\Cookies\jim@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Jim\Cookies\jim@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\scott@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\system32\BO2202031216.dll -> Spyware.BargainBuddy : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 12:29:27 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Jim\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...ite.cab?1116192723267
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#6 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:07:18 AM

Posted 12 July 2005 - 12:07 PM

Please do this.
Click My Computer, then C:\
In the menu bar, choose File, New, Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis" by right clicking on the folder name and choose "rename". Now you have C:\HJT\ folder.

Download Hijack This
Put your HijackThis.exe in the file you just created, and double click to run it, and hit "Do a system Scan and save log". A separate window will come up in notepad with the log. Press Ctrl-A to Select All, and copy its contents into your reply. Most of what it lists will be harmless or even essential, don't fix anything yet.

Scan with Hijack This and put a checkmark next to the following entries:
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

Close all browsers and windows and click "fix checked".

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Locate this file in c: and delete it: counter.cab

Please download CCleaner from here
Install and run it.

Restart your computer and post another log.

Edited by viccy, 12 July 2005 - 12:08 PM.
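An added example, not part of this thread and not code from HijackThis: a small Python triage pass that applies the same rules the helper used above to lines in HijackThis's log format, flagging O3 toolbars with no backing file and O16 download entries that point at file:// or ms-its: sources or at a bare IP address. The sample lines are constructed from entries already posted in this thread; the severity labels and function names are my own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99 log format. The entries are the ones
# discussed in this thread; "Running processes" and O4 lines are omitted.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.180.155/5/s1//q.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")   # e.g. "O16 - DPF: ..."
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O3" or "O16"
    severity: str  # "info" or "suspicious" (labels chosen for this example)
    reason: str
    line: str


def o16_target(rest: str) -> str:
    """Return the download location of an O16 DPF entry.

    Format: 'DPF: {CLSID} (optional description) - <location>', so the
    location is whatever follows the last ' - ' separator.
    """
    _head, sep, target = rest.rpartition(" - ")
    return target.strip() if sep else ""


def classify(line: str):
    """Apply the triage rules used in this thread to one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # header, blank or process-list line
    section, rest = m.groups()

    if section == "R3" and "URLSearchHook is missing" in rest:
        # Reported by HJT but left alone by the helper: nothing to fix here.
        return Finding(section, "info", "no URLSearchHook registered; harmless on its own", line)

    if section == "O3" and rest.endswith("(no file)"):
        # Toolbar CLSID still registered but its DLL is gone: leftover of a removal.
        return Finding(section, "suspicious", "toolbar registration whose DLL no longer exists", line)

    if section == "O16":
        target = o16_target(rest)
        scheme = target.split(":", 1)[0].lower() if ":" in target else ""
        if scheme in ("file", "ms-its"):
            # Legitimate ActiveX controls are fetched from a vendor web server,
            # not from a local .cab or a compiled-HTML (ms-its:) container.
            return Finding(section, "suspicious",
                           f"ActiveX download from a {scheme}: source instead of a web server", line)
        if scheme in ("http", "https"):
            host = urlsplit(target).hostname or ""
            if IPV4_RE.match(host):
                return Finding(section, "suspicious", "ActiveX download from a bare IP address", line)
    return None


def triage(log_text: str) -> list:
    """Return the findings for a whole HijackThis log, in log order."""
    return [f for f in (classify(entry) for entry in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>10}] {f.section}: {f.reason}\n             {f.line}")
```

Entries the rules do not flag (vendor http downloads, toolbars with a DLL on disk) come back as None, which is the same "most of it is harmless, don't fix anything yet" stance the helper takes above.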


#7 birdman405

birdman405
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:18 AM

Posted 13 July 2005 - 10:45 AM

OK, here's my HJT log before I fixed checked

Logfile of HijackThis v1.99.1
Scan saved at 11:42:39 AM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116192723267
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#8 birdman405

birdman405
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:18 AM

Posted 13 July 2005 - 10:55 AM

I posted my HJT log and then went to delete counter.cab in C: but I couldn't find it. Should I just download CCleaner and use it, or is it in there somewhere and I'm just looking in the wrong spot or just missed it?

#9 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:07:18 AM

Posted 13 July 2005 - 10:57 AM

Can you post a log after fixes?

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Do a search for the file again.

You can certainly run Ccleaner also.

Then post another log.

Edited by viccy, 13 July 2005 - 11:01 AM.


#10 birdman405

birdman405
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:18 AM

Posted 13 July 2005 - 12:35 PM

Here's my HJT log after the fixes, but before downloading Ccleaner

Logfile of HijackThis v1.99.1
Scan saved at 1:28:07 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\devldr32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\imapi.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116192723267
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#11 viccy
    Malware Exterminator
  • Security Colleague

Posted 13 July 2005 - 12:38 PM

Always post a HijackThis log that has been run after following instructions. Did you find counter.cab?

#12 birdman405
  • Topic Starter

Posted 13 July 2005 - 12:49 PM

I couldn't find the file, but I did run CCleaner. McAfee is still saying that there's a virus that can't be cleaned, deleted, or quarantined, though. It says that the file that's infected is C:\WINDOWS\system32\WININET.dll. I don't know if that's any help or not.

#13 viccy
    Malware Exterminator
  • Security Colleague

Posted 13 July 2005 - 06:19 PM

Run HijackThis and put a checkmark next to the following entries:
R3 - Default URLSearchHook is missing

These are optional fixes, but they will free up some resources. Fixing them does not remove the programs; it just keeps them from loading at startup. When you want to run those programs, just open them through "Start", "Programs", and then the program name.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

It's important that all steps be done exactly; otherwise you will lose Internet access. Please print them out!

If you do not understand something, please let me know before continuing!

I need you to reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode:

Using Windows Explorer (you can get to Windows Explorer by going to Start > "My Computer", then double-clicking "C:\"), locate this file:

C:\WINDOWS\System32\wininet.dll

Right-click on it, select "Rename", and rename it to wininet.old.

Then go into this folder (it will be hidden, so make sure hidden files are showing!):

C:\WINDOWS\SYSTEM32\DLLCACHE

Inside the "DLLCACHE" folder, locate wininet.dll. Right-click on it and choose "copy" (NOT cut!).

Then go back into C:\WINDOWS\System32
Right-click an open space and choose "Paste".

Delete the following:
C:\WINDOWS\System32\wininet.old

Reboot your computer into normal mode and post a new HijackThis log.

#14 birdman405
  • Topic Starter

Posted 14 July 2005 - 10:49 AM

I did everything you said, but when I tried to delete the wininet.old it wouldn't delete and said:

Cannot delete wininet.old: Access is denied

Make sure the disk is not full or write-protected and that the file is not currently in use.

#15 viccy
    Malware Exterminator
  • Security Colleague

Posted 15 July 2005 - 09:13 AM

We want to take ownership of the file wininet.old.

How to take ownership of a file
Note: You must be logged on to the computer with an account that has administrative credentials.

To take ownership of a file, follow these steps:
1. Right-click the file that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click Administrator, or click the Administrators group, and then click OK.

The administrator or the Administrators group now owns the file. To change the permissions on the files and folders under this folder, go to step 5.
5. Click Add.
6. In the Enter the object names to select (examples) list, type the user or group account that you want to give access to the file. For example, type Administrator.
7. Click OK.
8. In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
9. When you are finished assigning permissions, click OK.

Now try to delete the file. Let me know if you have any problems with this.

Then run Ewido, save the log, and post it along with a new HijackThis log.
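As an added example (not from viccy's posts or from any tool the thread mentions), the batch script below carries out the wininet.dll replacement from post #13 and the take-ownership-then-delete step from post #15 from a cmd prompt, with a byte-for-byte check before and after so you know whether the live copy actually differed from the cache and whether the replacement landed. It assumes an administrator cmd prompt in Safe Mode, an English Windows (the group name Administrators), and that takeown.exe is present (built in from Vista on; on XP it is a separately installed add-on).

```batch
@echo off
REM Added example, not part of the thread. Repairs wininet.dll from the
REM Windows File Protection cache and removes the renamed suspect copy.
REM Assumption: run as administrator in Safe Mode; takeown.exe is installed.
setlocal
set "SYS32=%SystemRoot%\System32"
set "LIVE=%SYS32%\wininet.dll"
set "CACHE=%SYS32%\dllcache\wininet.dll"
set "OLD=%SYS32%\wininet.old"

if not exist "%CACHE%" (
    echo No cached copy at "%CACHE%". Use sfc /scannow or the install media instead.
    exit /b 1
)

REM Check 1: fc /b returns errorlevel 0 only when both files are identical.
fc /b "%LIVE%" "%CACHE%" >nul
if %errorlevel%==0 (
    echo Live wininet.dll already matches the dllcache copy; nothing to replace.
    echo If the AV still flags it, the cache copy is suspect too: run sfc /scannow.
    exit /b 0
)

REM Rename rather than delete so the suspect copy is kept until the swap is verified.
ren "%LIVE%" wininet.old || (echo Rename failed & exit /b 1)
copy /y "%CACHE%" "%LIVE%" >nul || (echo Copy from dllcache failed & exit /b 1)

REM Check 2: confirm the replacement landed byte for byte.
fc /b "%LIVE%" "%CACHE%" >nul
if not %errorlevel%==0 (echo Replacement does not match the cache copy & exit /b 1)

REM Post #15 step: the renamed file is typically owned by SYSTEM, which is why
REM a plain delete fails with "Access is denied". Take ownership, grant the
REM Administrators group full control (/E edits the ACL instead of replacing it),
REM then delete.
del /f "%OLD%" 2>nul
if exist "%OLD%" (
    takeown /f "%OLD%" >nul
    cacls "%OLD%" /E /G Administrators:F >nul
    del /f "%OLD%"
)
if exist "%OLD%" (echo Could not delete wininet.old & exit /b 1)
echo Done. Reboot into normal mode and post a new HijackThis log.
endlocal
```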



