Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Alert


  • This topic is locked This topic is locked
2 replies to this topic

#1 kiwanos

kiwanos

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 30 May 2006 - 06:45 PM

I just got rid of this virus over the weekend and it is back again. I installed Mcafee virus and firewall but apparantely this is not enough can you please help me again I ran the other programs and here is my hijackthis file.
Logfile of HijackThis v1.99.1
Scan saved at 5:54:56 PM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:18 PM

Posted 31 May 2006 - 10:44 PM

Hello kiwanos,

I saw your other log with miekiemoes. She left you with a clean log. What happened? You have to be careful where you go on the internet, or no kind of protection will ever be enough.

I see you did a good thing too by upgrading to SP2. When you are clean again, I'm going to make some further suggestions for layered protection to reduce your chances of getting this again. :thumbsup:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop. Do not run it yet.

Please download, install, and update the free version of Ewido Anti-Malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you might get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful"
  • Exit Ewido. DO NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. Only run this once, or you'll lose your desktop again!

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido
Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:18 PM

Posted 24 July 2010 - 07:05 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users