Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pain in the neck adware


  • This topic is locked This topic is locked
15 replies to this topic

#1 PJolliffe

PJolliffe

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 20 August 2005 - 06:11 PM

Hi,

I have spent the last several hours, attempting to clean the adware/spyware/trojans etc of my better halfs PC. I think I am almost there, but keep getting warnings from mcafee about "halurl.exe" and "mdhkbdsl.exe" trying to access the internet.

Below is an output from hijackthis.

Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 00:05:53, on 21/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mdhkbdsl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Comcmapp\halurl.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.suziekaboom.demon.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.suziekaboom.demon.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAgentExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B078F7-8617-4BAC-8A4E-6ABD909A1D25}: NameServer = 192.168.2.1
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe


Thanks in advance

- Paul

BC AdBot (Login to Remove)

 


#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:56 PM

Posted 23 August 2005 - 10:08 AM

Welcome PJolliffe to Bleeping Computer.

Can you have these two files checked?
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\System32\mdhkbdsl.exe
  • Click on the submit button
  • Please post the results in your next reply.
Do the same for this file:
  • C:\Program Files\Comcmapp\halurl.exe



Posted Image
Life is what happens while you're making other plans

#3 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 23 August 2005 - 01:26 PM

Thanks for that, but I think I have managed to clean the infected PC, by a combination of information found on this site and vast amounts on brute force, almost resulting in the pc going through the window.

I disabled everything I could from starting up, still no good, at it worst point the machine would reboot before coming up, even safe mode wasn't working. Hijack this only showed minor problems every now and then so I couldn't figure out what was going on. The other strange thing that only occured to me once I had fixed everything was that even though iexplore had popups disabled (I ended up installing SP2) stuff was still popping up.

Anyway back to what I did, I managed to boot it in safe mode, logged on and searched the registry for "halurl.exe", it found it after a long while in the startupreg key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg.

Low and behold there was loads of stuff, I checked it against a PC that was fine and realised that there should be only a couple of entries. I manually deleted every entry. I then moved whatever program it refered to out of where ever it was on disk into a direct c:\crap.

I then looked at the date and times on the file to work out when the origional infection started, which it appeared to be 15:11 on the 20/8th with the appearence of a file bk.exe file. I then moved everything out of c:\windows\system32 that was created after than time into the c:\crap dir and rebooted...

Fantastic, all was ok....

I have since used the site you gave me to work out what was what, interestingly the halurl.exe program has a "internet explorer" icon embedded into... Well after spending about 20 mins uploading the various programs here is what was on the PC:

cxnacm.exe - Trojan.small.A19.A3
kxg4pk.exe - Trojan.small.A19.A6
bk.exe - Adware.surfside
dist001.exe - Trojan.Downloader.Agent.Qg
dfjksds.dll - Downloader.Generic.CVI
sav2.exe - Possible Win32 virus
drnoa.dll - Trojan.Downloader.Qoologic.Ac
qgabu.dat - Trojan.Small.A19.A6
lanbruns.exe - W32/Agent.1-tr
lanbrup.exe - Win32:Adan-112
set3.tmp - Win32:Adan-112
txfsrdpa.exe - Probable Win32

So after 3 days of pain all appears fine, no weird popups, no strange processes running or new entries in the registry.

The thing that has annoyed me the most so far is that I have shelled out for Macafee and all it did was tell me something was trying to access the internet, even after several full scans.

Thanks

- Paul

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:56 PM

Posted 23 August 2005 - 01:53 PM

Hi Paul, thanks for the feedback.

What you found there are very nasty infections. They play hide and seek.

Would you mind running Panda online scan. In the end, please save the report and post me that.


Posted Image
Life is what happens while you're making other plans

#5 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 24 August 2005 - 02:16 PM

I have ran the panda scan and the output is as follows:


Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\SUZIE\APPLICATION DATA\Sskknwrd.dll
Adware:adware/afaenhance No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\SUZIE\FAVORITES\Finances & Business
Spyware:spyware/betterinet No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Jollyp\Local Settings\Temp\iB.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Jollyp\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\Jollyp\Local Settings\Temp\wrapperouter.exe
Adware:Adware/QoolShown No disinfected C:\Documents and Settings\Suzie\Desktop\backups\backup-20050822-205659-316-dukp.exe

I have restarted the machine in safe mode and removed the offending files. I noted when running another hijack this that the following Adware program was being added to the registry:

Adware:Adware/QoolShown No disinfected C:\windows\system32\kxg4pk.exe

The program no longer exists but the entry seems to keep getting added, I have found and entry in the registry as follows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

I also had a problem with macafee reporting trojans found in "system volume information", I have disabled/removed the restore points and this now seems ok.

Macafee is report everything is ok, but panda scan found those listed above, why is it so difficult to get a reliable answer from any of the virus checkers... sorry rant over.

One thing that does puzzle me is the user (my better half) reckons she didn't do anything, they just started up? None of the other PC's I have at home have got injected (3 other XP boxes), so how did they get in and spread so fast?

Thanks again for the help.

- Paul

#6 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:56 PM

Posted 24 August 2005 - 05:07 PM

Some malware can 'come in' just because you 'fly by' a site.

Some come in with mail, programs (emoticons).

Some come in saying they are removers of malware (spysheriff).

Just so I understand you correctly. The Panda log is for my info, you deleted the leftovers, but one came back?

Let's get things started on the remaining infection.

---

Download Find_Q.zip to your desktop.
Extract the files inside to C:\ that will create a folder find q , open it and run the batch file find q.bat
It must be extracted to c:\ or it might not function correctly.

***
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
***

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

***

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
***

Reboot back to Normal Mode!

Please post me the results.

Edited by g2i2r4, 24 August 2005 - 05:07 PM.



Posted Image
Life is what happens while you're making other plans

#7 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 25 August 2005 - 12:49 PM

Output from track qoo:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAgentExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- gsntygxf
{3401a625-ad07-4f47-abdc-b5df0996aafe}
C:\WINDOWS\System32\drnoa.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022}

c:\progra~1\mcafee.com\vso\mcvsshl.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {FED7043D-346A-414D-ACD7-550D052499A7}
C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
==============================
C:\Documents and Settings\Suzie\Start Menu\Programs\Startup

desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

#8 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 25 August 2005 - 12:50 PM

and winpfind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex 20/08/2005 15:29:34 340 C:\WINDOWS\arohn.dll
UPX! 10/05/2002 14:29:48 79360 C:\WINDOWS\vcxrvqoda.exe

Checking %System% folder...
UPX! 17/09/2001 13:20:02 9216 C:\WINDOWS\SYSTEM32\cpuinf32.dll
PEC2 23/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12/07/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 15/05/2004 16:10:42 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 19/06/2004 18:28:44 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 15/12/2001 03:46:54 91136 C:\WINDOWS\SYSTEM32\oincieo.exe
Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 23/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
25/08/2005 18:07:28 S 2048 C:\WINDOWS\bootstat.dat
21/08/2005 09:17:12 H 24 C:\WINDOWS\p1Y3K
20/08/2005 22:59:00 S 64 C:\WINDOWS\CSC\00000001
20/08/2005 16:14:24 S 64 C:\WINDOWS\CSC\00000002
20/08/2005 23:30:56 H 0 C:\WINDOWS\inf\oem6.inf
20/08/2005 23:32:10 H 0 C:\WINDOWS\inf\oem7.inf
21/08/2005 11:41:18 RHS 305145 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
21/08/2005 11:44:16 RHS 68327 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
30/06/2005 09:06:34 S 11437 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
30/06/2005 14:21:10 S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
25/08/2005 18:07:20 H 8192 C:\WINDOWS\system32\config\default.LOG
25/08/2005 18:07:44 H 1024 C:\WINDOWS\system32\config\SAM.LOG
25/08/2005 18:07:30 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
25/08/2005 18:07:46 H 73728 C:\WINDOWS\system32\config\software.LOG
25/08/2005 18:07:46 H 864256 C:\WINDOWS\system32\config\system.LOG
20/08/2005 19:55:52 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\f636ef83-df5d-44fc-8720-4068034d5a7f
20/08/2005 19:55:52 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
20/08/2005 23:00:36 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6fa0324d-938f-4248-82b7-a1d69375e96d
20/08/2005 23:00:36 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
25/08/2005 18:06:18 H 6 C:\WINDOWS\Tasks\SA.DAT
24/08/2005 22:27:46 HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
24/08/2005 22:27:46 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
24/08/2005 22:27:46 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CAKFQGE1\desktop.ini
24/08/2005 22:27:46 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CCL0NACA\desktop.ini
24/08/2005 22:27:46 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\FQHJHOLZ\desktop.ini
24/08/2005 22:27:46 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S4T6PW9X\desktop.ini

Checking for CPL files...
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03/06/2005 03:52:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 08/04/2004 14:12:42 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 23/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/08/2004 20:39:44 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/08/2004 21:26:50 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
10/08/2004 20:39:44 HS 84 C:\Documents and Settings\Suzie\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
10/08/2004 21:26:50 HS 62 C:\Documents and Settings\Suzie\Application Data\desktop.ini
10/08/2004 21:31:40 0 C:\Documents and Settings\Suzie\Application Data\dm.ini
13/08/2004 10:36:22 39520 C:\Documents and Settings\Suzie\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 =
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gsntygxf
{3401a625-ad07-4f47-abdc-b5df0996aafe} = C:\WINDOWS\System32\drnoa.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{FED7043D-346A-414D-ACD7-550D052499A7}
= C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
McBrwHelper Class = c:\program files\mcafee.com\mps\mcbrhlpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EC8255F-E043-4cae-8B3B-B191550C2A22}
McAfee Privacy Service Popup Blocker = c:\program files\mcafee.com\mps\popupkiller.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MSKAgentExe C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 25/08/2005 18:15:39

#9 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 25 August 2005 - 12:53 PM

Nothing strange seems to have reappeared and no strange new entries in the registry, I have checked both those log files and nothing seems to amiss except:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gsntygxf
{3401a625-ad07-4f47-abdc-b5df0996aafe} = C:\WINDOWS\System32\drnoa.dll

The file was deleted sometime in the past, I think on the first panda scan. I take it I need to remove the entry from the registry?

Again, thanks for the help so far.

- Paul

#10 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:56 PM

Posted 25 August 2005 - 05:37 PM

Good on you, you know what the problem is :thumbsup:

We will remove it, but use this regfile please.

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsntygxf]

[-HKEY_CLASSES_ROOT\CLSID\{3401a625-ad07-4f47-abdc-b5df0996aafe}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

***
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\vcxrvqoda.exe
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for this file:
    • C:\WINDOWS\arohn.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\drnoa.dll
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
How are things now?


Posted Image
Life is what happens while you're making other plans

#11 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 01 September 2005 - 03:19 AM

Sorry for the delay in getting back to you, but I've been ill with a bad head cold (wonder if I can get a copy of McAfee that works on humans?). All done and it is all cleaned and working as normal.

Thanks a lot for your help, the file vcxrvqode.exe contained was Adware.Betterinternet.A5 according to Jotti's scan site.

I have made a small donation to you for your help.

Again thanks.

- Paul

#12 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:56 PM

Posted 01 September 2005 - 06:22 AM

I hope your feeling beter now, nothing worse than a headcold.

Thank you very much for your donation. I will put it to good use! :thumbsup:

--------

One more thing to do to cleanup:

Run killbox, go to file menu and delete all dummy files.


Can you post me a fresh HijackThis log to check, just to be sure?


Posted Image
Life is what happens while you're making other plans

#13 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 02 September 2005 - 02:51 AM

Latest hijack this log:

ogfile of HijackThis v1.99.1
Scan saved at 08:47:55, on 02/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Suzie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suziekaboom.demon.co.uk/
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAgentExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124614395484
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B078F7-8617-4BAC-8A4E-6ABD909A1D25}: NameServer = 192.168.2.1
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe


Looks clear, again thanks for the help

- Paul

#14 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:56 PM

Posted 02 September 2005 - 02:55 PM

Weldone Paul, the log looks clean to me too :thumbsup:

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?


Posted Image
Life is what happens while you're making other plans

#15 PJolliffe

PJolliffe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 03 September 2005 - 04:23 AM

Yep, the machine is running fine now, no strange popups or weird activity going on. Thanks again for your help.

- Paul




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users