
HJT Log; help needed



#1 atta_mudassar


Posted 18 July 2005 - 01:42 AM

Hello,
I'm facing a problem with my computer: when I try to open a command prompt window via the 'cmd' command at Start menu -> Run, the command prompt window opens and closes immediately. The same thing happens with the regedit command. When I enter regedit in the Run window, a window similar to the command prompt window opens with the title 'regedit.com' and either it closes immediately or remains open with a blank screen, and when I close it, a window of 'Program Not responding' is displayed. However, when I open the command prompt window via Start menu -> All Programs -> Accessories -> Command Prompt, the window opens properly, but certain commands in the window don't work, e.g. the ping command doesn't work.
I've tried using different antivirus programs like McAfee, Panda, NOD32 and also online scans by Panda and Trend Micro (as suggested in this forum under another topic about a similar problem). They all reported the absence of any virus on the system except House Call by Trend Micro, which reported the presence of 'Worm_mugli.I' but failed to clean/remove it.
I also scanned the system with Microsoft AntiSpyware (beta), Lavasoft Ad-aware 6 and Spyware Blaster. Ad-aware did list some entries, but all were cookies, and they were subsequently removed from the system.
But the problem still exists, and here is the HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:44 AM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\igfxtray.exe
E:\WINDOWS\System32\hkcmd.exe
E:\Program Files\ClocX\ClocX.exe
E:\Program Files\Eset\nod32kui.exe
E:\PROGRA~1\Webshots\webshots.scr
E:\Program Files\Eset\nod32krn.exe
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\HijackThis\HijackThis.exe
E:\Program Files\Avant Browser\avant.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shootoutflorida.com/images/mail2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.55:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - E:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ClocX] E:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] e:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E30E69C8-86B2-4DA3-92AA-D899FF43A2AF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: System - {3223468B-3BBB-4127-A653-55028E9AC85A} - mcsys.dll (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

-------
As I mentioned earlier, I installed McAfee and then removed it, and now I am using NOD32, but the instances of McAfee are still there on the system. The Virus Scan has been removed but McAfee Security Center is still there. When I try to remove it via Add/Remove Programs, it says to first remove all services of McAfee. But there isn't any service of McAfee listed in the Add/Remove Programs list or Program Files. I want to remove this Security Center as it is residing in system startup.
So please help me with:
1. fixing the problem of cmd and regedit
2. removing McAfee Security Center.
Thanks



#2 QuietFusion


Posted 20 July 2005 - 02:42 AM

You can use HijackThis to prevent McAfee from starting up. Close all your running programs, run HijackThis and place a check next to the following:

O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] e:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O21 - SSODL: System - {3223468B-3BBB-4127-A653-55028E9AC85A} - mcsys.dll (file missing)

Close all your Internet Explorer browsers and click Fix in HijackThis.

Now locate the following file, mcsys.dll, and delete it.

Post a fresh HijackThis log and let me know if that helps with removing McAfee.

PS. NOD32, good choice, it's what I use :thumbsup:

#3 atta_mudassar


Posted 20 July 2005 - 07:16 AM

McAfee was removed and was not loaded at startup, but I can see some entries of McAfee still listed in the log. What are these?
Secondly, my main problem is still there. Can you please help me solve that?
Here is the log file:


Logfile of HijackThis v1.99.1
Scan saved at 5:10:27 PM, on 7/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\igfxtray.exe
E:\WINDOWS\System32\hkcmd.exe
E:\Program Files\ClocX\ClocX.exe
E:\Program Files\Eset\nod32kui.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\PROGRA~1\Webshots\webshots.scr
E:\Program Files\Eset\nod32krn.exe
E:\HijackThis\HijackThis.exe
E:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shootoutflorida.com/images/mail2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.55:808
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - E:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ClocX] E:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E30E69C8-86B2-4DA3-92AA-D899FF43A2AF}: NameServer = 203.82.48.3,203.82.48.4
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

#4 QuietFusion


Posted 20 July 2005 - 04:25 PM

Use HijackThis to remove what remains in the log from McAfee, and then make sure you've deleted the folder under Program Files.

Your log is clean, I don't see any malware in your log. Have you tried any online scans?

http://www.kaspersky.com/service?chapter=161739400

See if Kaspersky is able to remove the virus, and is NOD32 finding anything when you scan with NOD32?
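
An added example (not part of the original thread, and not HijackThis's own code): a small Python parser that compares a "before" and an "after" HijackThis log to show which entries a fix removed and which entries matching a vendor keyword are still present. The sample logs are excerpts of the two logs posted in this thread; the function names and the keyword filter are assumptions made for illustration.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] path"; the code before " - "
# is the HijackThis section (R0/R1 = IE pages, O4 = autoruns, O23 = services).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header and "Running processes" lines do not match
            entries.add((m.group("code"), m.group("body")))
    return entries

def compare_logs(before, after, keyword):
    """Return (entries gone after the fix, entries left that match keyword)."""
    old, new = parse_entries(before), parse_entries(after)
    fixed = sorted(old - new)
    remaining = sorted(e for e in new if keyword.lower() in e[1].lower())
    return fixed, remaining

# Excerpt of the first log in the thread (18 July), shortened for the example.
BEFORE = r'''Logfile of HijackThis v1.99.1
Running processes:
E:\Program Files\Eset\nod32krn.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] e:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O21 - SSODL: System - {3223468B-3BBB-4127-A653-55028E9AC85A} - mcsys.dll (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
'''
# Excerpt of the second log (20 July), after the three checked items were fixed.
AFTER = r'''Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
'''

if __name__ == "__main__":
    fixed, remaining = compare_logs(BEFORE, AFTER, "mcafee")
    for code, body in fixed:
        print("removed  ", code, body)
    for code, body in remaining:
        print("remaining", code, body)
```

On these excerpts the two O4 autorun entries and the O21 entry show up as removed, while an O16 downloaded-control entry and the O23 update-manager service remain.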

#5 atta_mudassar


Posted 29 July 2005 - 12:50 AM

NOD32 scans and doesn't find any problem; however, it reports some files as locked and inaccessible. So I'll re-scan in safe mode; maybe it can get to those files there.
Regarding the Kaspersky online scan, the link you gave leads to a page where the Kaspersky online scan asks for a particular file to scan. Unlike other online scans, it doesn't scan the whole system or hard drive.
As I mentioned earlier, I've tried the Panda and PC-cillin online scans but they report everything to be fine.



