Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Won't Go Away


  • Please log in to reply
15 replies to this topic

#1 lori a

lori a

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 02 January 2006 - 03:22 AM

Boy, am I having trouble! Everytime I try to clean up the bad stuff on my computer, it reappears with a subsequent Adaware or Spybot scan. To top it off, I've been trying to reinstall my privacy service from McAfee, but it always crashes. In the meantime, my McAfee virus service keeps sending me endless popups telling me components of my active shield are missing, which I think may have to do with the malware, no? This machine is only a few months old, and I can't believe I'm having problems with it already.

Anyway, here's my HJT log from a few minutes ago. I'd appreciate any help you can give me - thanks!

Logfile of HijackThis v1.99.1
Scan saved at 12:04:30 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Lori\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/103p/html/gtdownlr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

BC AdBot (Login to Remove)

 


m

#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:24 PM

Posted 11 January 2006 - 08:51 AM

Hi lori a,

Sorry for the delay, we've really been swamped lately. If you still need help, please start out by posting a new log in this thread. Please describe what you may have done to fix the problem and what is happening with your system now (since you posted your last log).

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 11 January 2006 - 06:29 PM

Hi there,

I knew you guys were really busy and I didn't want to bug you. I figured you'd get around to me when you had time.

To be honest, my problems are exactly as they were on January 2. I've done nothing further to fix the problem, so the HJT log you see above is still the one I generate now.

Thanks for getting back to me!

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:24 PM

Posted 11 January 2006 - 11:28 PM

Well, you really should have posted a log, things change in the log without there being some change in behavior. And there is no sign of Virtumonde in your last log. Any way, let's do this:

Download and install the trial version of Ewido Security Suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch Ewido by double-clicking the desktop icon.
- You may get a message that the database could not be found. This is normal-- click the OK button.
- The program will now go to the main screen.
- On the left hand side of the main screen click update.
- Click on Start update.
- The update will start and a progress bar will show the updates being installed.
Once the updates are installed close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Reboot your computer into Safe Mode.
  • Open Ewido and click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot back into normal mode and perform an onlinescan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together a fresh HijackThis log

Not sure what's going on with McAfee, could be malware related or not. I should know more after I see the logs I'm asking you to post.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#5 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 15 January 2006 - 11:00 PM

Hi Papakid,

I've been down with the flu, but just managed to follow the steps you asked for above. The scans did find virtumonde, but it doesn't look like Ewido was able to remove it.

Edwido Report:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:02:30 PM, 1/15/2006
+ Report-Checksum: F4E3F593

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
C:\Documents and Settings\Eric\Cookies\eric@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@maxis.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@highbeam.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\8NTCJ8EF\WinFixer2005ScannerInstall[1].exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\Z994ZQD2\WinFixerScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@sento.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Lori\Cookies\lori@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll -> Spyware.MyWay : Cleaned with backup


::Report End

Panda Report:



Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Eric\Cookies\eric@ciudad.com[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Eric\Cookies\eric@go[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Eric\Cookies\eric@stats1.reliablestats[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Eric\Cookies\eric@winfixer[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Eric\Cookies\eric@yadro[1].txt
Potentially unwanted tool:Application/WinAntivirus Not disinfected C:\Documents and Settings\Eric\Local Settings\Temp\FNI.UWA5P\setup.exe
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@ath.belnk[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@belnk[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@dist.belnk[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@stats1.reliablestats[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@winfixer[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Lori\Cookies\lori@go[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Lori\Cookies\lori@stats1.reliablestats[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lori\Cookies\lori@zedo[2].txt
Hijackthis scan:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:58 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\DOCUME~1\Lori\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/103p/html/gtdownlr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Thanks for your help! You guys are saints.

Lori

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:24 PM

Posted 15 January 2006 - 11:49 PM

Sorry to hear you've been ill. Hope you're much better now! Let's see if we can get your PC all better. This may not work for you but I want to try it anyway then we'll try some other alternatives if we have to.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Please download ATF Cleaner by Atribune. Don't use it just yet.

Boot into safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Run ewido again like you did before and make a log for me to look at.

Reboot back into normal mode, scan again with HijackThis and post that log also.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#7 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 17 January 2006 - 04:03 AM

Hi Papakid,

Boy, things just don't get any better :thumbsup:

Internet access is getting more difficult. After my initial launch using IE (which brings me to a cached google page) it takes me literally 10 minutes to get started (I know, I've timed it). To make it even more annoying, every 30 seconds exactly I get the same weird McAfee Virus Scan error message that reads "Some components of ActiveShield are either missing or might not have been installed properly" In order for me to get to this website, I have to click through that message literally 20 times. But enough of that...

I followed your instructions - here are the scans you asked for:

Vundofix notepad:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was

The second filepath entered was

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------


Fixing Registry
--------------------------------------------------------------------------------------


Hijackthis scan after vundofix and ATF cleaner:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:53 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Lori\LOCALS~1\Temp\Temporary Directory 4 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/103p/html/gtdownlr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Ewido scan after supposedly deleting bad stuff (which it can't):

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:23:23 AM, 1/17/2006
+ Report-Checksum: FEFB4ABD

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning


::Report End

Hijackthis after Ewido:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:33 AM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Lori\LOCALS~1\Temp\Temporary Directory 5 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/103p/html/gtdownlr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

I'm going to turn off this bleeping computer now and look forward to hearing from you on my working computer at my office.

Thanks again for your time!

Lori

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:24 PM

Posted 17 January 2006 - 09:42 AM

OK, well, you've run an old version of VundoFix that you must have had before.

VundoFix V2.15 by Atri

The tool is now up to version V4.0 so I need you to delete your old copy and download the latest version. You may want to download it from your office machine and take to the infected one via CD or USB stick. Then run the above instructions again. If you use a CD, be sure to transfer the file to your desktop.

No need to post two HijackThis logs, just the one after all steps have been performed is fine.

You also need to unzip HijackThis so that your backups are secured. Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut so it's more easily accessable, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

You may need to reinstall McAfee or uninstall it temorarily and try something else. Could you tell me the exact name and versions of your McAfee products?

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#9 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 21 January 2006 - 11:24 PM

Hi Papakid,

Sorry for the delay!

Here goes nothing:

Vundofix Notepad (actually, when I ran Vundofix, it said it didn't find anything)

VundoFix V4.0

Listing files found while scanning....


C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.tmp
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\ssqpo.dll
Attempting to delete C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.tmp
C:\WINDOWS\system32\opqss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\opqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Performing Repairs to the registry.
Done!
VundoFix V4.0

Listing files found while scanning....


VundoFix V4.0

Listing files found while scanning....


VundoFix V4.0

Listing files found while scanning....

Ewido scan after supposedly deleting bad stuff (which it can't):


--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:10:35 PM, 1/21/2006
+ Report-Checksum: 6CB90522

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
C:\Documents and Settings\Eric\Cookies\eric@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Eric\Cookies\eric@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup


::Report End

Hijackthis after Ewido scan

Logfile of HijackThis v1.99.1
Scan saved at 8:13:05 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/103p/html/gtdownlr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lori\Desktop\Virus Tools\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

I'll post again in a minute with my McAfee information.

Thanks Papakid!

Lori

#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:24 PM

Posted 22 January 2006 - 09:59 PM

OK, Lori, you've got some indications of Vundo but it is hard to tell if they are leftovers or not. Are you still getting popups?

Don't worry that Ewido and other tools don't clear everything, we run them not only for cleaning but for the information in the logs--to verify what has been cleaned and to see what else needs to be dealt with. In ewido's log you have some registry entries that aren't getting cleaned that don't usually show up in logs anyway. There are some other unusual things about your logs, part of it due to you attempting to clean up this on your own, I think. I can undersand that but it often masks the problem and solution so any more details you can give me about what you had done previous to posting your logs is always helpful

You should also follow the steps I give you exactly and in order. It looks like you have run VundoFix four times. Is that correct and can you confirm? I see by one log that you have at least three user accounts. Did you perhaps run it logged in to each account?

Let's try this:

Please download NTrights.zip.

Save it to your desktop, unzip and in the NTrights folder double-click the Debug.bat file to run it and follow any prompts it asks.

Reboot then run Debug.bat again. There will be a log telling you whether or not it was successful. Please post that here. This may also help with the McAfee problem and if McAfee protests about running Debug.bat allow it.

Then run VundoFix again according to the previous instructions. You may want to download a fresh copy again. Vundo is a tough infection and Atribune, the author of the tool, is constantly updating and improving it--so there may be an improved version by the time I write this.

Then update and run Ewido in safe mode again. If you see these entries in the log follow the next step:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning


Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

MSEvents
ssqpo.dll


- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply along with the debug, VundoFix and Ewido log.

Also Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Then navigate to the following file and tell me if it is there or not--don't do anything to it, I just want to know if it's present:

C:\WINDOWS\system32\ssqpo.dll

And what happened to the McAfee info? :thumbsup:

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#11 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 29 January 2006 - 02:45 AM

Hi Papakid,

I've been so busy at work that I haven't been able to deal with this machine much this week. Thanks for being patient with me.

I think the reason why you saw four VundoFix scans was because I kept pressing the button, thinking that there was a mistake that it hadn't found anything (it's just a coincidence that I have four users on this machine). I have been following your instructions in exactly and in order, except for that vundofix thing.

I've been trying to download NTrights.zip, but my machine thinks the zip file is "invalid or corrupted". I even looked for another place on bleeping computer to try the download and I get the same error message. I haven't had trouble downloading any of the other tools you've given me. Is there a trick to opening this folder? Is there another place I can get the zip file to try? Is it the fact that I'm on XP?

I'm not getting popups anymore, but McAfee is completely disabled now. When this whole thing started, I emailed them first and they told me to unistall all four of my applications (VirusScan, Personal Firewall Plus, Privacy Service, and Spamkiller) and reinstall but when I try to, the process errors out toward the end with the simple instruction to reboot and try again. I've rebooted and tried again at least 20 times and the same thing happens.

The one thing I have managed to do is change my default browser from IE to Firefox. I'm using Firefox right now as I write this. IE scares me!


Lori

Edited by lori a, 29 January 2006 - 02:48 AM.


#12 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:24 PM

Posted 29 January 2006 - 01:43 PM

OK, let's just try doing this part for now.
---------------------------
Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

MSEvents
ssqpo.dll


- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply..

Also Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Then navigate to the following file and tell me if it is there or not--don't do anything to it, I just want to know if it's present:

C:\WINDOWS\system32\ssqpo.dll
------------------------------
Be sure to unzip regsearch. If you need some help with how to extract files you can refer to this tutorial:
http://www.bleepingcomputer.com/tutorials/extract-zip-files-in-windows-me-xp-2003/

I'll try to answer some of your questions and concerns a little later. :thumbsup: I have some PC troubles of my own at the moment. :flowers:

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#13 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 29 January 2006 - 08:28 PM

Hi Papakid,

Boy are you quick! I only posted late last night.

Well, here goes nothing:

Regsearch log:

REGEDIT4

; Registry Search by Bobbi Flekman 2005
; Version: 1.0.2.4

; Results at 1/29/2006 5:12:16 PM for strings:
; 'msevents'
; 'ssqpo.dll '
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}]
@="ItemsEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A785BC31-475F-11d2-9E08-0008C7A08EBA}]
@="IFilteredTxnLineItemsEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
@="MSEvents Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer]
@="MSEvents.MSEvents.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]
@="MSEvents Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID]

; End Of The Log...


After I ran Regsearch, I did find C:\WINDOWS\system32\ssqpo.dll, labeled as an application extension last modified 9/16/05. The date of my initial infection perhaps?

Sorry to hear you've got PC problems now, too. Get back to me when it's convenient - I'm not in a big hurry.

Thanks for all your help,
Lori

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:24 AM

Posted 05 February 2006 - 08:59 PM

Hi. I am going to help finish your cleaning your log because papakid has some computer problems.

If you reboot into safe mode can you delete C:\WINDOWS\system32\ssqpo.dll?

ALso fix these entries with HijackThis:

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

Last but not least, download the attached reg file and save it your desktop. Double-click the fix.reg file and allow it to merge the data.

Then do an ewido scan and tell me if your still getting the errors associated with this:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents

Attached Files

  • Attached File  fix.reg   56bytes   4 downloads


#15 lori a

lori a
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 06 February 2006 - 01:28 AM

Hi Grinler,

Thanks for stepping in. Sorry to hear that Papakid's problems persist :thumbsup:

I followed your instructions and here's the results from my ewido scan:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:19:31 PM, 2/5/2006
+ Report-Checksum: AB60D9BF

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
:mozilla.8:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5y4cuk2x.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\y9yqp6cu.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End

Looks like those MSevents errors are still there. I'm not getting popups anymore, so maybe they don't matter?

thanks for your time!

Lori




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users