Help - Trojan Driving Me Crazy


This topic is locked
15 replies to this topic

#1 astra

astra

  • Members
  • 8 posts

Posted 03 November 2005 - 09:35 PM

Guys, I need help. I've been trying to straighten this thing out for days, and I'm about to give up and restore the system! Had several trojans/viruses. Nothing caught them at first, but McAfee started seeing them & taking care of some of them. Think I had one that invited friends. Anyway - used McAfee, Trend Micro, TrojanHunter, etc. to get most of them. Then used Spybot & Ad-Aware to clean up more. At least I can now get on the internet (qhosts?). However, Internet Explorer is still giving me a fit. Start it up & it looks OK at first. Go somewhere that has more complex processing (like eBay, or when I need to use it to connect to work) and it stops everything (not just IE) for a few minutes and finally responds. Click again and everything stops again (can't switch to another application or get the Task Manager up until it clears). Don't know if I still have a trojan, or if some of the registry is messed up from the ones I had. I really need this to work. I have to use this for work sometimes and my company REQUIRES Internet Explorer, and their site is one that freezes up.

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:50 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee.com\Agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: mdfpro - C:\WINDOWS\SYSTEM32\mdfpro.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 03 November 2005 - 11:04 PM

Welcome to BC forum.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Scan with Hijack This and put a checkmark next to the following entries:
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)

If you did not set these O6 entries, you should also put a checkmark next to them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -

Close all windows and browsers and click "fix checked"

Next, download CleanUp 4.0. Install and run it. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.
Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

When Spy Sweeper has updated, reboot to safe mode.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Open Spy Sweeper and click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove to remove any items found. Save the log.

Exit Spy Sweeper.

Reboot to normal mode and post the results from Spy Sweeper along with a new Hijack This log.

#3 astra

astra
  • Topic Starter

  • Members
  • 8 posts

Posted 04 November 2005 - 08:04 PM

Thanks for your help.

Everything seemed to go well and spy sweeper found a ton of things. After the reboot, I tried IE and it is working great now. Maybe we are close to cleaning this up.

Here is the spy sweeper log:

********
7:18 PM: | Start of Session, Friday, November 04, 2005 |
7:18 PM: Spy Sweeper started
7:18 PM: Sweep initiated using definitions version 567
7:18 PM: Starting Memory Sweep
7:19 PM: Memory Sweep Complete, Elapsed Time: 00:00:50
7:19 PM: Starting Registry Sweep
7:19 PM: Found Adware: altnet
7:19 PM: HKCR\appid\adm.exe\ (1 subtraces) (ID = 103448)
7:19 PM: HKCR\appid\altnet signing module.exe\ (1 subtraces) (ID = 103449)
7:19 PM: HKLM\software\classes\appid\adm.exe\ (1 subtraces) (ID = 103488)
7:19 PM: HKLM\software\classes\appid\altnet signing module.exe\ (1 subtraces) (ID = 103489)
7:19 PM: Found Adware: keenvalue/perfectnav
7:19 PM: HKLM\software\perfectnav\ (1 subtraces) (ID = 129516)
7:19 PM: Found Adware: tibs dialer
7:19 PM: HKCR\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143694)
7:19 PM: HKLM\software\classes\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143720)
7:19 PM: Found Adware: mshp.dll hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search page (ID = 117488)
7:19 PM: Found Adware: cws_ns3 hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search page (ID = 123391)
7:19 PM: Found Adware: prosearching hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search bar (ID = 134069)
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\search\ || searchassistant (ID = 134070)
7:19 PM: Found Adware: virtumonde
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\sysupd\ (6 subtraces) (ID = 145667)
7:19 PM: Found Adware: winactive
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\winactive\ (4 subtraces) (ID = 147148)
7:19 PM: Found Adware: netword agent
7:19 PM: HKU\S-1-5-21-3784785351-3988601449-27694197-1007\software\netword\netword agent\ (7 subtraces) (ID = 135989)
7:19 PM: HKU\S-1-5-21-3784785351-3988601449-27694197-1007\software\netword\ (8 subtraces) (ID = 890019)
7:19 PM: Registry Sweep Complete, Elapsed Time:00:00:21
7:19 PM: Starting Cookie Sweep
7:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:19 PM: Starting File Sweep
7:20 PM: c:\program files\netword (ID = -2147480536)
7:20 PM: Found Adware: clipgenie
7:20 PM: c:\program files\clipgenie (238 subtraces) (ID = -2147481243)
7:20 PM: Found Adware: gain-supported software
7:20 PM: c:\program files\dashbar (2 subtraces) (ID = -2147480944)
7:26 PM: Found Trojan Horse: trojan-phisher-egold
7:26 PM: mdfpro.dll (ID = 94)
7:26 PM: Found Trojan Horse: trojan-downloader-pr-corp
7:26 PM: birdihuy32.dll (ID = 182012)
7:27 PM: Found Adware: cydoor peer-to-peer dependency
7:27 PM: cd_clint.dll (ID = 57300)
7:31 PM: bikpreview.wmv (ID = 53028)
7:31 PM: pv_bikini.html (ID = 53084)
7:31 PM: casinopreview.wmv (ID = 53029)
7:31 PM: celebpreview.wmv (ID = 53030)
7:31 PM: pv_celebs.html (ID = 53086)
7:31 PM: extpreview.wmv (ID = 53042)
7:32 PM: pv_extreme.html (ID = 53087)
7:32 PM: files.html (ID = 53055)
7:32 PM: grvpreview.wmv (ID = 53061)
7:32 PM: pv_groovy.html (ID = 53088)
7:32 PM: pv_weird.html (ID = 53089)
7:32 PM: wrdpreview.wmv (ID = 53093)
7:32 PM: main.html (ID = 53069)
7:32 PM: main_bottom.html (ID = 53070)
7:32 PM: main_mid.html (ID = 53071)
7:32 PM: main_top.html (ID = 53072)
7:32 PM: aboutheader.html (ID = 53027)
7:32 PM: header.html (ID = 53083)
7:32 PM: helpbody.html (ID = 53065)
7:32 PM: helpheader.html (ID = 53066)
7:32 PM: previewheader.htm (ID = 53083)
7:32 PM: supportbody.html (ID = 53091)
7:32 PM: f1_2b_categories.html (ID = 53045)
7:32 PM: fpo_player_body.html (ID = 53058)
7:32 PM: fpo_player_nav.html (ID = 53059)
7:32 PM: fpo_player_top.html (ID = 53057)
7:32 PM: no_files.html (ID = 53076)
7:32 PM: player.html (ID = 53078)
7:32 PM: playerslices.htm (ID = 53080)
7:32 PM: player_top.html (ID = 53079)
7:32 PM: scroller.swf (ID = 53090)
7:34 PM: mainpage_lownav_newbase.html (ID = 53074)
7:34 PM: mainpage_nav_newbase.html (ID = 53075)
7:35 PM: pv_casino.html (ID = 53085)
7:35 PM: content.js (ID = 53041)
7:35 PM: preview.html (ID = 53082)
7:35 PM: channelstyles.css (ID = 53037)
7:35 PM: about.html (ID = 53026)
7:35 PM: channels.js (ID = 53036)
7:35 PM: guistyles.css (ID = 53037)
7:35 PM: help.html (ID = 53064)
7:35 PM: launch.html (ID = 53068)
7:35 PM: f1_1.html (ID = 53043)
7:35 PM: f1_2a.html (ID = 53044)
7:35 PM: f1_3.html (ID = 53046)
7:35 PM: f2.html (ID = 53047)
7:35 PM: f3_1.html (ID = 53048)
7:35 PM: f3_2a_player.html (ID = 53085)
7:35 PM: f3_2b.html (ID = 53050)
7:35 PM: f3_3.html (ID = 53051)
7:35 PM: f3_4a_files.html (ID = 53052)
7:35 PM: f3_4b.html (ID = 53053)
7:35 PM: f3_5.html (ID = 53054)
7:35 PM: filestyles.css (ID = 53056)
7:35 PM: playerstyles.css (ID = 53037)
7:37 PM: File Sweep Complete, Elapsed Time: 00:17:33
7:37 PM: Full Sweep has completed. Elapsed time 00:18:54
7:37 PM: Traces Found: 362
7:49 PM: Removal process initiated
7:49 PM: Quarantining All Traces: trojan-downloader-pr-corp
7:49 PM: Quarantining All Traces: virtumonde
7:49 PM: Quarantining All Traces: gain-supported software
7:49 PM: Quarantining All Traces: tibs dialer
7:49 PM: Quarantining All Traces: trojan-phisher-egold
7:49 PM: trojan-phisher-egold is in use. It will be removed on reboot.
7:49 PM: mdfpro.dll is in use. It will be removed on reboot.
7:49 PM: Quarantining All Traces: altnet
7:49 PM: Quarantining All Traces: clipgenie
7:49 PM: Quarantining All Traces: cws_ns3 hijacker
7:50 PM: Quarantining All Traces: cydoor peer-to-peer dependency
7:50 PM: Quarantining All Traces: keenvalue/perfectnav
7:50 PM: Quarantining All Traces: mshp.dll hijacker
7:50 PM: Quarantining All Traces: netword agent
7:50 PM: Quarantining All Traces: prosearching hijacker
7:50 PM: Quarantining All Traces: winactive
7:51 PM: Removal process completed. Elapsed time 00:01:42
********
7:12 PM: | Start of Session, Friday, November 04, 2005 |
7:12 PM: Spy Sweeper started
7:12 PM: Your spyware definitions have been updated.


Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:55:04 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: mdfpro - mdfpro.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - f:\Program Files\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 04 November 2005 - 10:49 PM

That certainly looks better. There is still one item that needs to go.

Scan with Hijack This and put a checkmark next to the following entry:
O20 - Winlogon Notify: mdfpro - mdfpro.dll (file missing)

Close all windows and browsers and click "fix checked"

Run Spy Sweeper one more time, restart your computer, and post the report from Spy Sweeper and another Hijack This log.
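The triage viccy applies across the two replies above (an O2 BHO marked "(no file)", O6 IE policy restrictions, an O16 DPF entry with no download URL, and the O20 Winlogon Notify DLL) can be written down as a small log checker. This is an added Python example, not part of the thread or of HijackThis itself; the sample lines are constructed from the log format quoted above, and the rule set and wording of the reasons are my own.

```python
"""Triage HijackThis v1.99 log lines for the entry patterns flagged in this thread.

Rules (mine, modelled on the helper's advice, not HijackThis's own logic):
  O2  ending in "(no file)"       -> BHO registered but its DLL is gone (orphan)
  O6  present                     -> IE policy restrictions; remove unless set deliberately
  O16 with no URL after " -"      -> Downloaded Program File with unknown source
  O20 "(file missing)"            -> orphaned Winlogon Notify entry
  O20 otherwise                   -> Winlogon Notify DLL runs inside winlogon.exe; verify it
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the HijackThis logs posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O20 - Winlogon Notify: mdfpro - C:\WINDOWS\SYSTEM32\mdfpro.dll
O20 - Winlogon Notify: mdfpro - mdfpro.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Every HJT entry starts with a section code (R0, F2, O2, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches one of the rules above, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None  # header lines, process list, blank lines
    sec, body = m.group("sec"), m.group("body")

    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "BHO registered but its DLL is missing on disk (orphaned entry)", line)

    if sec == "O6":
        return Finding(sec, "IE policy restrictions present; remove unless an admin set them deliberately", line)

    if sec == "O16":
        # Body looks like "DPF: {CLSID} (Name) - URL"; split off whatever follows the last " -".
        parts = body.rsplit(" -", 1)
        url = parts[1].strip() if len(parts) == 2 else ""
        if not url:
            return Finding(sec, "Downloaded Program File (ActiveX) with no download URL", line)
        return None

    if sec == "O20":
        if "(file missing)" in body:
            return Finding(sec, "Winlogon Notify entry points at a DLL that no longer exists (orphaned)", line)
        return Finding(sec, "Winlogon Notify DLL loads inside winlogon.exe; verify the file is known and signed", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample reports six entries: the orphaned BHO, the O6 restriction, the URL-less O16, and all three O20 lines (two for review, one orphaned), while the Acrobat BHO, the HouseCall control and the O4/R0 lines pass.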

#5 astra

astra
  • Topic Starter

  • Members
  • 8 posts

Posted 05 November 2005 - 01:26 AM

Much better.

Spy Sweeper log:

********
12:36 AM: | Start of Session, Saturday, November 05, 2005 |
12:36 AM: Spy Sweeper started
12:36 AM: Sweep initiated using definitions version 567
12:36 AM: Starting Memory Sweep
12:38 AM: Memory Sweep Complete, Elapsed Time: 00:02:08
12:38 AM: Starting Registry Sweep
12:38 AM: Registry Sweep Complete, Elapsed Time:00:00:18
12:38 AM: Starting Cookie Sweep
12:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:38 AM: Starting File Sweep
1:17 AM: File Sweep Complete, Elapsed Time: 00:38:23
1:17 AM: Full Sweep has completed. Elapsed time 00:40:53
1:17 AM: Traces Found: 0
********
7:18 PM: | Start of Session, Friday, November 04, 2005 |
7:18 PM: Spy Sweeper started
7:18 PM: Sweep initiated using definitions version 567
7:18 PM: Starting Memory Sweep
7:19 PM: Memory Sweep Complete, Elapsed Time: 00:00:50
7:19 PM: Starting Registry Sweep
7:19 PM: Found Adware: altnet
7:19 PM: HKCR\appid\adm.exe\ (1 subtraces) (ID = 103448)
7:19 PM: HKCR\appid\altnet signing module.exe\ (1 subtraces) (ID = 103449)
7:19 PM: HKLM\software\classes\appid\adm.exe\ (1 subtraces) (ID = 103488)
7:19 PM: HKLM\software\classes\appid\altnet signing module.exe\ (1 subtraces) (ID = 103489)
7:19 PM: Found Adware: keenvalue/perfectnav
7:19 PM: HKLM\software\perfectnav\ (1 subtraces) (ID = 129516)
7:19 PM: Found Adware: tibs dialer
7:19 PM: HKCR\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143694)
7:19 PM: HKLM\software\classes\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143720)
7:19 PM: Found Adware: mshp.dll hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search page (ID = 117488)
7:19 PM: Found Adware: cws_ns3 hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search page (ID = 123391)
7:19 PM: Found Adware: prosearching hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search bar (ID = 134069)
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\search\ || searchassistant (ID = 134070)
7:19 PM: Found Adware: virtumonde
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\sysupd\ (6 subtraces) (ID = 145667)
7:19 PM: Found Adware: winactive
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\winactive\ (4 subtraces) (ID = 147148)
7:19 PM: Found Adware: netword agent
7:19 PM: HKU\S-1-5-21-3784785351-3988601449-27694197-1007\software\netword\netword agent\ (7 subtraces) (ID = 135989)
7:19 PM: HKU\S-1-5-21-3784785351-3988601449-27694197-1007\software\netword\ (8 subtraces) (ID = 890019)
7:19 PM: Registry Sweep Complete, Elapsed Time:00:00:21
7:19 PM: Starting Cookie Sweep
7:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:19 PM: Starting File Sweep
7:20 PM: c:\program files\netword (ID = -2147480536)
7:20 PM: Found Adware: clipgenie
7:20 PM: c:\program files\clipgenie (238 subtraces) (ID = -2147481243)
7:20 PM: Found Adware: gain-supported software
7:20 PM: c:\program files\dashbar (2 subtraces) (ID = -2147480944)
7:26 PM: Found Trojan Horse: trojan-phisher-egold
7:26 PM: mdfpro.dll (ID = 94)
7:26 PM: Found Trojan Horse: trojan-downloader-pr-corp
7:26 PM: birdihuy32.dll (ID = 182012)
7:27 PM: Found Adware: cydoor peer-to-peer dependency
7:27 PM: cd_clint.dll (ID = 57300)
7:31 PM: bikpreview.wmv (ID = 53028)
7:31 PM: pv_bikini.html (ID = 53084)
7:31 PM: casinopreview.wmv (ID = 53029)
7:31 PM: celebpreview.wmv (ID = 53030)
7:31 PM: pv_celebs.html (ID = 53086)
7:31 PM: extpreview.wmv (ID = 53042)
7:32 PM: pv_extreme.html (ID = 53087)
7:32 PM: files.html (ID = 53055)
7:32 PM: grvpreview.wmv (ID = 53061)
7:32 PM: pv_groovy.html (ID = 53088)
7:32 PM: pv_weird.html (ID = 53089)
7:32 PM: wrdpreview.wmv (ID = 53093)
7:32 PM: main.html (ID = 53069)
7:32 PM: main_bottom.html (ID = 53070)
7:32 PM: main_mid.html (ID = 53071)
7:32 PM: main_top.html (ID = 53072)
7:32 PM: aboutheader.html (ID = 53027)
7:32 PM: header.html (ID = 53083)
7:32 PM: helpbody.html (ID = 53065)
7:32 PM: helpheader.html (ID = 53066)
7:32 PM: previewheader.htm (ID = 53083)
7:32 PM: supportbody.html (ID = 53091)
7:32 PM: f1_2b_categories.html (ID = 53045)
7:32 PM: fpo_player_body.html (ID = 53058)
7:32 PM: fpo_player_nav.html (ID = 53059)
7:32 PM: fpo_player_top.html (ID = 53057)
7:32 PM: no_files.html (ID = 53076)
7:32 PM: player.html (ID = 53078)
7:32 PM: playerslices.htm (ID = 53080)
7:32 PM: player_top.html (ID = 53079)
7:32 PM: scroller.swf (ID = 53090)
7:34 PM: mainpage_lownav_newbase.html (ID = 53074)
7:34 PM: mainpage_nav_newbase.html (ID = 53075)
7:35 PM: pv_casino.html (ID = 53085)
7:35 PM: content.js (ID = 53041)
7:35 PM: preview.html (ID = 53082)
7:35 PM: channelstyles.css (ID = 53037)
7:35 PM: about.html (ID = 53026)
7:35 PM: channels.js (ID = 53036)
7:35 PM: guistyles.css (ID = 53037)
7:35 PM: help.html (ID = 53064)
7:35 PM: launch.html (ID = 53068)
7:35 PM: f1_1.html (ID = 53043)
7:35 PM: f1_2a.html (ID = 53044)
7:35 PM: f1_3.html (ID = 53046)
7:35 PM: f2.html (ID = 53047)
7:35 PM: f3_1.html (ID = 53048)
7:35 PM: f3_2a_player.html (ID = 53085)
7:35 PM: f3_2b.html (ID = 53050)
7:35 PM: f3_3.html (ID = 53051)
7:35 PM: f3_4a_files.html (ID = 53052)
7:35 PM: f3_4b.html (ID = 53053)
7:35 PM: f3_5.html (ID = 53054)
7:35 PM: filestyles.css (ID = 53056)
7:35 PM: playerstyles.css (ID = 53037)
7:37 PM: File Sweep Complete, Elapsed Time: 00:17:33
7:37 PM: Full Sweep has completed. Elapsed time 00:18:54
7:37 PM: Traces Found: 362
7:49 PM: Removal process initiated
7:49 PM: Quarantining All Traces: trojan-downloader-pr-corp
7:49 PM: Quarantining All Traces: virtumonde
7:49 PM: Quarantining All Traces: gain-supported software
7:49 PM: Quarantining All Traces: tibs dialer
7:49 PM: Quarantining All Traces: trojan-phisher-egold
7:49 PM: trojan-phisher-egold is in use. It will be removed on reboot.
7:49 PM: mdfpro.dll is in use. It will be removed on reboot.
7:49 PM: Quarantining All Traces: altnet
7:49 PM: Quarantining All Traces: clipgenie
7:49 PM: Quarantining All Traces: cws_ns3 hijacker
7:50 PM: Quarantining All Traces: cydoor peer-to-peer dependency
7:50 PM: Quarantining All Traces: keenvalue/perfectnav
7:50 PM: Quarantining All Traces: mshp.dll hijacker
7:50 PM: Quarantining All Traces: netword agent
7:50 PM: Quarantining All Traces: prosearching hijacker
7:50 PM: Quarantining All Traces: winactive
7:51 PM: Removal process completed. Elapsed time 00:01:42
12:36 AM: Processing Startup Alerts
12:36 AM: Allowed Startup entry: SpybotSD TeaTimer
12:36 AM: | End of Session, Saturday, November 05, 2005 |
********
7:12 PM: | Start of Session, Friday, November 04, 2005 |
7:12 PM: Spy Sweeper started
7:12 PM: Your spyware definitions have been updated.


Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:52 AM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
F:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - f:\Program Files\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 viccy (Malware Exterminator, Security Colleague, 433 posts, Kansas)

Posted 05 November 2005 - 10:19 AM

Please run the Housecall online virus scan located at:
http://housecall.trendmicro.com/housecall/start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Then please run the Panda scan here:
Active Scan: choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.
Have it delete anything it finds and post the scan report along with a new Hijack This log.

Finally, please run the WindowSecurity trojan scan here:
http://www.windowsecurity.com/trojanscan/
Remove any trojans found, and restart your computer.

Then, post another Hijack This log and let me know if you have difficulty with any of the scans.

#7 astra (Topic Starter, Members, 8 posts)

Posted 05 November 2005 - 06:14 PM

No problems running everything (some just took forever). Here are the logs and thanks for your help.

Danny

First the panda active scan log:


Incident Status Location

Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Virus:Bck/Haxdoor.EQ Disinfected C:\WINDOWS\SYSTEM32\25102005.exe
Virus:Trj/Downloader.FWN Disinfected C:\WINDOWS\SYSTEM32\black.exe
Dialer:Dialer.DMZ No disinfected C:\WINDOWS\SYSTEM32\dial23.exe
Virus:Trj/Goldun.CI Disinfected C:\WINDOWS\SYSTEM32\divx5.dll
Virus:Rootkit/Nodvir Disinfected C:\WINDOWS\SYSTEM32\nodantivir.sys
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\z12.exe



Now the new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:10:25 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - f:\Program Files\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 viccy (Malware Exterminator, Security Colleague, 433 posts, Kansas)

Posted 06 November 2005 - 02:30 PM

You need to navigate to the following folders and delete the files I show in bold.
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\dial23.exe
C:\WINDOWS\SYSTEM32\z12.exe

Scan with Hijack This and put a checkmark in the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)

Close all windows and browsers and click "fix checked".

Then run CleanUp and then reboot to Safe Mode and run Spy Sweeper again. Reboot to normal mode again. Post another Hijack This and the report from Spy Sweeper.

#9 astra (Topic Starter, Members, 8 posts)

Posted 07 November 2005 - 01:39 AM

No problems. I'll be short - it is late.

Spy Sweeper log:

********
11:19 PM: | Start of Session, Sunday, November 06, 2005 |
11:19 PM: Spy Sweeper started
11:19 PM: Sweep initiated using definitions version 567
11:19 PM: Starting Memory Sweep
11:20 PM: Memory Sweep Complete, Elapsed Time: 00:00:52
11:20 PM: Starting Registry Sweep
11:20 PM: Registry Sweep Complete, Elapsed Time:00:00:20
11:20 PM: Starting Cookie Sweep
11:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:20 PM: Starting File Sweep
11:38 PM: File Sweep Complete, Elapsed Time: 00:17:38
11:38 PM: Full Sweep has completed. Elapsed time 00:19:01
11:38 PM: Traces Found: 0
********
12:36 AM: | Start of Session, Saturday, November 05, 2005 |
12:36 AM: Spy Sweeper started
12:36 AM: Sweep initiated using definitions version 567
12:36 AM: Starting Memory Sweep
12:38 AM: Memory Sweep Complete, Elapsed Time: 00:02:08
12:38 AM: Starting Registry Sweep
12:38 AM: Registry Sweep Complete, Elapsed Time:00:00:18
12:38 AM: Starting Cookie Sweep
12:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:38 AM: Starting File Sweep
1:17 AM: File Sweep Complete, Elapsed Time: 00:38:23
1:17 AM: Full Sweep has completed. Elapsed time 00:40:53
1:17 AM: Traces Found: 0
********
7:18 PM: | Start of Session, Friday, November 04, 2005 |
7:18 PM: Spy Sweeper started
7:18 PM: Sweep initiated using definitions version 567
7:18 PM: Starting Memory Sweep
7:19 PM: Memory Sweep Complete, Elapsed Time: 00:00:50
7:19 PM: Starting Registry Sweep
7:19 PM: Found Adware: altnet
7:19 PM: HKCR\appid\adm.exe\ (1 subtraces) (ID = 103448)
7:19 PM: HKCR\appid\altnet signing module.exe\ (1 subtraces) (ID = 103449)
7:19 PM: HKLM\software\classes\appid\adm.exe\ (1 subtraces) (ID = 103488)
7:19 PM: HKLM\software\classes\appid\altnet signing module.exe\ (1 subtraces) (ID = 103489)
7:19 PM: Found Adware: keenvalue/perfectnav
7:19 PM: HKLM\software\perfectnav\ (1 subtraces) (ID = 129516)
7:19 PM: Found Adware: tibs dialer
7:19 PM: HKCR\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143694)
7:19 PM: HKLM\software\classes\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143720)
7:19 PM: Found Adware: mshp.dll hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search page (ID = 117488)
7:19 PM: Found Adware: cws_ns3 hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search page (ID = 123391)
7:19 PM: Found Adware: prosearching hijacker
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\main\ || search bar (ID = 134069)
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\internet explorer\search\ || searchassistant (ID = 134070)
7:19 PM: Found Adware: virtumonde
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\microsoft\sysupd\ (6 subtraces) (ID = 145667)
7:19 PM: Found Adware: winactive
7:19 PM: HKU\WRSS_Profile_S-1-5-21-3784785351-3988601449-27694197-1008\software\winactive\ (4 subtraces) (ID = 147148)
7:19 PM: Found Adware: netword agent
7:19 PM: HKU\S-1-5-21-3784785351-3988601449-27694197-1007\software\netword\netword agent\ (7 subtraces) (ID = 135989)
7:19 PM: HKU\S-1-5-21-3784785351-3988601449-27694197-1007\software\netword\ (8 subtraces) (ID = 890019)
7:19 PM: Registry Sweep Complete, Elapsed Time:00:00:21
7:19 PM: Starting Cookie Sweep
7:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:19 PM: Starting File Sweep
7:20 PM: c:\program files\netword (ID = -2147480536)
7:20 PM: Found Adware: clipgenie
7:20 PM: c:\program files\clipgenie (238 subtraces) (ID = -2147481243)
7:20 PM: Found Adware: gain-supported software
7:20 PM: c:\program files\dashbar (2 subtraces) (ID = -2147480944)
7:26 PM: Found Trojan Horse: trojan-phisher-egold
7:26 PM: mdfpro.dll (ID = 94)
7:26 PM: Found Trojan Horse: trojan-downloader-pr-corp
7:26 PM: birdihuy32.dll (ID = 182012)
7:27 PM: Found Adware: cydoor peer-to-peer dependency
7:27 PM: cd_clint.dll (ID = 57300)
7:31 PM: bikpreview.wmv (ID = 53028)
7:31 PM: pv_bikini.html (ID = 53084)
7:31 PM: casinopreview.wmv (ID = 53029)
7:31 PM: celebpreview.wmv (ID = 53030)
7:31 PM: pv_celebs.html (ID = 53086)
7:31 PM: extpreview.wmv (ID = 53042)
7:32 PM: pv_extreme.html (ID = 53087)
7:32 PM: files.html (ID = 53055)
7:32 PM: grvpreview.wmv (ID = 53061)
7:32 PM: pv_groovy.html (ID = 53088)
7:32 PM: pv_weird.html (ID = 53089)
7:32 PM: wrdpreview.wmv (ID = 53093)
7:32 PM: main.html (ID = 53069)
7:32 PM: main_bottom.html (ID = 53070)
7:32 PM: main_mid.html (ID = 53071)
7:32 PM: main_top.html (ID = 53072)
7:32 PM: aboutheader.html (ID = 53027)
7:32 PM: header.html (ID = 53083)
7:32 PM: helpbody.html (ID = 53065)
7:32 PM: helpheader.html (ID = 53066)
7:32 PM: previewheader.htm (ID = 53083)
7:32 PM: supportbody.html (ID = 53091)
7:32 PM: f1_2b_categories.html (ID = 53045)
7:32 PM: fpo_player_body.html (ID = 53058)
7:32 PM: fpo_player_nav.html (ID = 53059)
7:32 PM: fpo_player_top.html (ID = 53057)
7:32 PM: no_files.html (ID = 53076)
7:32 PM: player.html (ID = 53078)
7:32 PM: playerslices.htm (ID = 53080)
7:32 PM: player_top.html (ID = 53079)
7:32 PM: scroller.swf (ID = 53090)
7:34 PM: mainpage_lownav_newbase.html (ID = 53074)
7:34 PM: mainpage_nav_newbase.html (ID = 53075)
7:35 PM: pv_casino.html (ID = 53085)
7:35 PM: content.js (ID = 53041)
7:35 PM: preview.html (ID = 53082)
7:35 PM: channelstyles.css (ID = 53037)
7:35 PM: about.html (ID = 53026)
7:35 PM: channels.js (ID = 53036)
7:35 PM: guistyles.css (ID = 53037)
7:35 PM: help.html (ID = 53064)
7:35 PM: launch.html (ID = 53068)
7:35 PM: f1_1.html (ID = 53043)
7:35 PM: f1_2a.html (ID = 53044)
7:35 PM: f1_3.html (ID = 53046)
7:35 PM: f2.html (ID = 53047)
7:35 PM: f3_1.html (ID = 53048)
7:35 PM: f3_2a_player.html (ID = 53085)
7:35 PM: f3_2b.html (ID = 53050)
7:35 PM: f3_3.html (ID = 53051)
7:35 PM: f3_4a_files.html (ID = 53052)
7:35 PM: f3_4b.html (ID = 53053)
7:35 PM: f3_5.html (ID = 53054)
7:35 PM: filestyles.css (ID = 53056)
7:35 PM: playerstyles.css (ID = 53037)
7:37 PM: File Sweep Complete, Elapsed Time: 00:17:33
7:37 PM: Full Sweep has completed. Elapsed time 00:18:54
7:37 PM: Traces Found: 362
7:49 PM: Removal process initiated
7:49 PM: Quarantining All Traces: trojan-downloader-pr-corp
7:49 PM: Quarantining All Traces: virtumonde
7:49 PM: Quarantining All Traces: gain-supported software
7:49 PM: Quarantining All Traces: tibs dialer
7:49 PM: Quarantining All Traces: trojan-phisher-egold
7:49 PM: trojan-phisher-egold is in use. It will be removed on reboot.
7:49 PM: mdfpro.dll is in use. It will be removed on reboot.
7:49 PM: Quarantining All Traces: altnet
7:49 PM: Quarantining All Traces: clipgenie
7:49 PM: Quarantining All Traces: cws_ns3 hijacker
7:50 PM: Quarantining All Traces: cydoor peer-to-peer dependency
7:50 PM: Quarantining All Traces: keenvalue/perfectnav
7:50 PM: Quarantining All Traces: mshp.dll hijacker
7:50 PM: Quarantining All Traces: netword agent
7:50 PM: Quarantining All Traces: prosearching hijacker
7:50 PM: Quarantining All Traces: winactive
7:51 PM: Removal process completed. Elapsed time 00:01:42
12:36 AM: Processing Startup Alerts
12:36 AM: Allowed Startup entry: SpybotSD TeaTimer
12:36 AM: | End of Session, Saturday, November 05, 2005 |
********
7:12 PM: | Start of Session, Friday, November 04, 2005 |
7:12 PM: Spy Sweeper started
7:12 PM: Your spyware definitions have been updated.


Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 1:36:06 AM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://www.nwm02.duke-energy.com/iNotes6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - f:\Program Files\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 viccy (Malware Exterminator, Security Colleague, 433 posts, Kansas)

Posted 07 November 2005 - 11:35 AM

Scan with Hijack This and put a checkmark next to the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://www.nwm02.duke-energy.com/iNotes6.cab

Close all windows and browsers and click "Fix checked".

Then please run the Panda scan here:
Active Scan: choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.
Have it delete anything it finds and post the scan report along with a new Hijack This log.
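
The helper's instructions across this thread follow a pattern: an O2 BHO whose DLL is "(no file)", an O16 DPF control with no codebase URL, an IE start page pointing at a local file, and successive HijackThis logs compared against each other, while the Panda report surfaced copies of lsass.exe and ctfmon.exe living outside System32. The script below is an added example, not part of the thread and not a HijackThis feature: it parses a HijackThis v1.99-style log, applies those checks, and diffs two logs so the entries that changed between scans stand out. The SYSTEM32_ONLY list, the heuristics, and the two sample logs (abridged from the shape of the logs above, with the two misplaced process paths taken from the Panda report rather than from the posted process lists) are assumptions made for illustration; flagged lines are review prompts, not verdicts.

```python
"""HijackThis log triage. Added example; not from the thread or from HijackThis."""
import ntpath
import re
from collections import defaultdict

# Assumption: binaries that on a stock XP install live only under
# %SystemRoot%\system32. A copy elsewhere (e.g. Common Files\System,
# C:\WINDOWS\SYSTEM) is what the Panda report in this thread turned up.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "userinit.exe",
}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")   # "O16 - DPF: ..."


def parse_hjt(text):
    """Split a log into (running process paths, {section: [entry bodies]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process block
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("sec")].append(m.group("body"))
    return processes, dict(entries)


def flag_processes(processes):
    """Well-known system binary names running from anywhere but system32."""
    findings = []
    for path in processes:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
            findings.append(("PROC", "system binary name outside system32", path))
    return findings


def flag_entries(entries):
    """Heuristics matching the entry types the helper in the thread picked out."""
    findings = []
    for body in entries.get("O2", []):
        if body.endswith("(no file)"):           # BHO CLSID whose DLL is gone
            findings.append(("O2", "orphaned BHO registration", body))
    for body in entries.get("O4", []):
        m = re.search(r'\]\s*"?([^\s"]+)', body)  # first token after [name]
        if m and "\\" not in m.group(1):          # bare name: resolved via search path
            findings.append(("O4", "unqualified Run command", body))
    for body in entries.get("O16", []):
        if body.rstrip().endswith("-"):           # DPF with no codebase URL
            findings.append(("O16", "DPF control without codebase URL", body))
    return findings


def diff_logs(old_text, new_text):
    """Entries that appeared or disappeared between two scans, per section."""
    _, old = parse_hjt(old_text)
    _, new = parse_hjt(new_text)
    added, removed = [], []
    for sec in sorted(set(old) | set(new)):
        before, after = set(old.get(sec, [])), set(new.get(sec, []))
        added += [(sec, e) for e in sorted(after - before)]
        removed += [(sec, e) for e in sorted(before - after)]
    return added, removed


# Constructed sample logs (abridged; the misplaced lsass.exe/ctfmon.exe paths
# come from the thread's Panda report, not from its posted process lists).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\System\lsass.exe
C:\WINDOWS\SYSTEM\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Netscape/Communicator/Home.htm
O2 - BHO: (no name) - {8211F5C1-2A12-E33C-8934-0DE177F4710B} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://www.nwm02.duke-energy.com/iNotes6.cab
"""

if __name__ == "__main__":
    procs, ents = parse_hjt(LOG_BEFORE)
    for sec, why, raw in flag_processes(procs) + flag_entries(ents):
        print(f"[{sec}] {why}: {raw}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added:", added)
    print("removed:", removed)
```

Run it on two saved logs and the diff alone tells you whether a "fix checked" actually took, which is exactly what re-posting a fresh log is meant to show. The unqualified-command check is deliberately noisy (an entry such as [BCMSMMSG] BCMSMMSG.exe is flagged only because it is resolved through the search path, not because the log says anything bad about it), so treat it as a prompt to confirm which file actually runs.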

#11 astra (Topic Starter, Members, 8 posts)

Posted 07 November 2005 - 07:53 PM

Hi,

I'm about to do as instructed, but wanted to let you know that for now I'm not fixing this entry:

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://www.nwm02.duke-energy.com/iNotes6.cab

I need this entry for work (we use a web interface to lotus notes) and unless you are pretty sure it has been corrupted, I'd like to leave it in place. Let me know.

I'll do the rest and post the results.

Thanks,
Danny

#12 astra (Topic Starter, Members, 8 posts)

Posted 07 November 2005 - 09:47 PM

Here we go. Panda scan first:


Incident Status Location

Virus:Trj/WinName.C Disinfected C:\Program Files\Common Files\System\lsass.exe
Dialer:Dialer.DMZ No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000060.exe
Virus:Trj/Downloader.FYE Disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000061.exe
Virus:Trj/WinName.C Disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000151.exe
Virus:Trj/WinName.C Disinfected C:\WINDOWS\SYSTEM\ctfmon.exe



Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:42 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://www.nwm02.duke-energy.com/iNotes6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - f:\Program Files\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
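A small parser for the HijackThis log format shown above, added here as an example and not part of this thread or of HijackThis itself: it splits each line into its section code and body and attaches triage hints (an orphaned O2 BHO with "(no file)", an O4 Run entry with no path, O16 ActiveX downloads, O20 Winlogon Notify DLLs) and lists the hosts the O16 controls were fetched from, so they can be checked against known vendors. The sample lines are copied from the log in this thread.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample input: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")  # "O4 - <body>"

@dataclass
class Entry:
    section: str                      # HijackThis section code, e.g. "O4"
    body: str                         # everything after "O4 - "
    flags: list = field(default_factory=list)

def review_flags(section, body):
    """Cheap triage hints; a flag means 'look closer', not 'malicious'."""
    flags = []
    if section == "O2" and body.endswith("(no file)"):
        flags.append("orphan-bho")        # CLSID registered but DLL missing
    if section == "O4" and "[" in body:
        target = body.split("] ", 1)[-1]  # command after the [name] tag
        if "\\" not in target:
            flags.append("bare-exe")      # no path: resolved through %PATH%
    if section == "O16":
        flags.append("activex-download")  # DPF = ActiveX fetched from a URL
    if section == "O20":
        flags.append("winlogon-notify")   # DLL loaded by winlogon at logon
    return flags

def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, body = m.groups()
            entries.append(Entry(section, body, review_flags(section, body)))
    return entries

def dpf_hosts(entries):
    # Hosts that O16 ActiveX controls came from, to compare against known vendors.
    hosts = {urlparse(e.body.rsplit(" - ", 1)[-1]).hostname
             for e in entries if e.section == "O16"}
    return sorted(h for h in hosts if h)
```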

#13 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 07 November 2005 - 11:19 PM

No problem with the O16 entry you kept. How are things running now? Your log is clean, but I want to be sure you don't have anything hidden running. Any symptoms of problems?

#14 astra

astra
  • Topic Starter

  • Members
  • 8 posts

Posted 08 November 2005 - 07:27 PM

Everything is running great now. No problems in IE or Mozilla. The whole system runs well.

You have no idea how much I appreciate this. I have decided to make a donation to the site.

I'll be referring folks to your site in the future.

Thanks again,
Danny

#15 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 08 November 2005 - 09:22 PM

Terrific. Glad we could help, and we will certainly appreciate the donation.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at SWI are to help you, for your sake we would rather not have repeat customers. :thumbsup:

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or Sygate.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: So how did I get infected in the first place?


Hopefully this should take care of your problems! Good luck. :D
