Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pc Very Slow, Possible Virus/s


  • Please log in to reply
29 replies to this topic

#1 DeniseB

DeniseB

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 19 June 2006 - 09:44 AM

Hi guys. Right here goes ... system has been VERY slow for few weeks now, nothing in particular that I can think that I downloaded about the same time. It's gradually been getting slower and acting oddly and CPU Usage is permanently at 100%. I only have limited knowledge but can generally sort things out by searching sites like yours and following logical, step by step instructions (there's a big hint there ...)

I originally had Windows Fiewall, EZ Antivirus and Ad-Aware installed and neither of them were finding anything untoward other than the occasional tracking cookie which we despatched. When I found your site I read one of your HJT trainee's posts saying that you could run more than one AV and Spyware packages so in desperation installed AVG free version, Ewido full version, Spyware Doctor, Spybot and Zone Alarm Firewall ... better safe than sorry I thought! Today the system came to a standstill so I removed EZ and Ewido and it's still slow but workable. That's the background ... here's what I've done today:

Deleted temp, temp internet and recycle bin files
Scanned with EZ (before deleting) - all clear
Scanned with AVG - all clear
Scanned with Ad-Aware - all clear
Scanned with Spybot - all clear
Scanned with Stinger - all clear
Scanned with Spyware Doctor - identified 129 problems but I have to buy the full package to eradicate them. (I'm very suspicious of this - is the package just better of is it a con to get me to buy it?) I've attached the report for your info
Scanned with HJT - can't make head nor tail of it really but report attached

I've got XP SP-2 installed but keep seeing that this update is dodgy - is it worth keeping?

I have Windows Updates on Automatic but some don't update and I often get a message that Windows Installer is not installed properly. MS Word documents also keep telling me that they aren't registered?? What joy!

Also, can I run more than one AV and Spyware software package at the same time?

Your help would be really appreciated and may prevent either me or the PC leaving the study via the window!

Cheers.

D.






Logfile of HijackThis v1.99.1
Scan saved at 15:05:47, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dumprep.exe
C:\Documents and Settings\Administrator\Desktop\nsli 2.exe
C:\Documents and Settings\Administrator\Desktop\nsli 2.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {AE232F0D-0AD0-9A7D-F631-EDC65CA5132A} - pizda.dll (file missing)
R3 - URLSearchHook: (no name) - {B8BD8D70-BEF8-1295-27D5-BB7071F037CE} - lpt.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS0_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124982664906
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {76FACBCF-8EF8-11D4-8A2C-005004425934} (CDToolCtrl Class) - http://www.aol.co.uk/try/web_reg/aolcdt171.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37870.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...549/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{C04CCDA3-FB7D-4845-AB05-3623D2C5CB61}: NameServer = 85.255.116.86
O17 - HKLM\System\CS1\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86
O17 - HKLM\System\CS2\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Spyware Doctor Activity Report
Generated on 19/06/2006 13:02:31 Spyware Doctor Homepage PC Tools Homepage Technical Support


Scans (basic information only):

Scan Results:
scan start: 19/06/2006 13:03:41
scan stop: 19/06/2006 13:24:14
scanned items: 70745
found items: 129
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Spyware Doctor scan

Infection Name Location Risk
Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[2].txt Low
Starware C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr0DFB\bin\dlls\jokester.dll Low
IEPlugin C:\WINDOWS\Downloaded Program Files\default.inf High
Search Toolbar C:\WINDOWS\rdt.ini Elevated
Trojan.Qhosts C:\WINDOWS\system32\DRIVERS\zpmodemnt.sys High
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E} Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\InprocServer32 Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\InprocServer32## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\InprocServer32##ThreadingModel Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\ProgID Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\ProgID## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Programmable Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Programmable## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\TypeLib Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\TypeLib## Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\VersionIndependentProgID Low
Starware HKCR\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\VersionIndependentProgID## Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF} Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}## Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\ProxyStubClsid Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\ProxyStubClsid## Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\ProxyStubClsid32 Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\ProxyStubClsid32## Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\TypeLib Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\TypeLib## Low
Starware HKCR\Interface\{0AC7B413-C45B-4654-BADE-26061575A2AF}\TypeLib##Version Low
Starware HKCR\Jokester.Prank Low
Starware HKCR\Jokester.Prank## Low
Starware HKCR\Jokester.Prank.1 Low
Starware HKCR\Jokester.Prank.1## Low
Starware HKCR\Jokester.Prank.1\CLSID Low
Starware HKCR\Jokester.Prank.1\CLSID## Low
Starware HKCR\Jokester.Prank\CLSID Low
Starware HKCR\Jokester.Prank\CLSID## Low
Starware HKCR\Jokester.Prank\CurVer Low
Starware HKCR\Jokester.Prank\CurVer## Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8} Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}## Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0 Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0## Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\0 Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\0## Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\0\win32 Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\0\win32## Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\FLAGS Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\FLAGS## Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\HELPDIR Low
Starware HKCR\TypeLib\{C94D0190-978F-46C8-B48B-339362176ED8}\1.0\HELPDIR## Low
Search Toolbar HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser##{08BEC6AA-49FC-4379-3587-4B21E286C19E} Elevated
Search Toolbar HKCU\Software\SearchToolbar Elevated
Search Toolbar HKCU\Software\SearchToolbar## Elevated
Search Toolbar HKCU\Software\SearchToolbar##Update Elevated
Search Toolbar HKCU\Software\SearchToolbar\History Elevated
Search Toolbar HKCU\Software\SearchToolbar\History## Elevated
Search Toolbar HKCU\Software\SearchToolbar\History\all Elevated
Search Toolbar HKCU\Software\SearchToolbar\History\all## Elevated
Search Toolbar HKCU\Software\SearchToolbar\History\all\History Elevated
Search Toolbar HKCU\Software\SearchToolbar\History\all\History## Elevated
Search Toolbar HKCU\Software\SearchToolbar\History\all\History##currys Elevated
Search Toolbar HKCU\Software\SearchToolbar\History\all\History##doncaster airport Elevated
Search Toolbar HKCU\Software\SearchToolbar\Popups Elevated
Search Toolbar HKCU\Software\SearchToolbar\Popups## Elevated
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E} Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\InprocServer32 Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\InprocServer32## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\InprocServer32##ThreadingModel Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\ProgID Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\ProgID## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Programmable Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\Programmable## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\TypeLib Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\TypeLib## Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\VersionIndependentProgID Low
Starware HKLM\Software\Classes\CLSID\{85A616EE-142C-4D52-9F45-C469964E109E}\VersionIndependentProgID## Low
Holystic HKLM\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/System32/preload.ocx Elevated
Holystic HKLM\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/System32/preload.ocx## Elevated
Holystic HKLM\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/System32/preload.ocx##.Owner Elevated
Holystic HKLM\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/System32/preload.ocx##{03C543A1-C090-418F-A1D0-FB96380D601D} Elevated
Holystic HKLM\software\microsoft\windows\currentversion\shareddlls##C:\WINDOWS\System32\preload.ocx Elevated
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls## High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##23plhps High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##32refaselif High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##gib_ogol High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##golmedi High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##llun High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##mgcppp High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##putesprpgd High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##repiwoh High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##tesvaf High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##xedocne High
Search Toolbar HKLM\SOFTWARE\SearchToolbar Elevated
Search Toolbar HKLM\SOFTWARE\SearchToolbar## Elevated
Search Toolbar HKLM\SOFTWARE\SearchToolbar\Toolbar Elevated
Search Toolbar HKLM\SOFTWARE\SearchToolbar\Toolbar## Elevated
Search Toolbar HKLM\SOFTWARE\SearchToolbar\Toolbar##OptdateTest Elevated
Search Toolbar HKLM\SOFTWARE\SearchToolbar\Toolbar##Version Elevated
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT## High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT##DisplayName High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT##ErrorControl High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT##ImagePath High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT##Start High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT##Type High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Enum High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Enum## High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Enum##0 High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Enum##Count High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Enum##NextInstance High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Security High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Security## High
Trojan.Qhosts HKLM\SYSTEM\CurrentControlSet\Services\ZPMODEMSYSNTDRVNT\Security##Security High
UKVideo HKU\.DEFAULT\Software\Netscape\Netscape Navigator\User Trusted External Applications##c:\program files\dialers\ukvideo2\ukvideo2.exe Medium
SexCam HKU\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers##TYPE37 Medium
SexCam HKU\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers##TYPE37 Medium


Other Sections:








Copyright © 2003 PC Tools Research Pty Ltd. All rights reserved. Legal Notice



sigs



Click to go back

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 19 June 2006 - 01:37 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed. )

At the end of the fix, you may need to restart your computer again.


Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.




Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

Edited by MFDnSC, 21 June 2006 - 08:41 AM.

"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 19 June 2006 - 02:41 PM

Hi. thanks for getting back to me so promptly ... but not good news ... this is the result of the FixWareout session. I can't understand this as I'm currently connected to the internet so don't know why it couldn't find a connection?

Thanks.

D.

This batch will remove WareOut and UnSpyPC from your system.

Use at your own risk.

Press any key to continue . . .
Downloading BFU - Brute Force Uninstaller
Written by Merijn - http://www.merijn.org/

File Downloader - Version 1.01 (build 7.4)
Downloads a file from a HTTP or a FTP server.
Copyright © 2004, Noel Danjou <webmaster@noeld.com>.

Server: castlecops.com
Port: 80
Protocol: HTTP

bfu.zip:
Download failure: A connection with the server could not be established

Archive: bfu.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in bfu.zip,
and cannot find bfu.zip.zip, period.

Attempting download from alternate URL

File Downloader - Version 1.01 (build 7.4)
Downloads a file from a HTTP or a FTP server.
Copyright © 2004, Noel Danjou <webmaster@noeld.com>.

Server: www.merijn.org
Port: 80
Protocol: HTTP

bfu.zip:
Download failure: A connection with the server could not be established

Archive: bfu.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in bfu.zip,
and cannot find bfu.zip.zip, period.
BFU.exe was not present, unpacked or in proper location

Please make sure you have a working internet connection or
download bfu.zip (Brute Force Uninstaller) manualy and extract the file BFU.exe
to the fixwareout\sub folder then restart the batch, fixit.bat.
From this address please http://www.merijn.org/files/
Press any key to continue . . .

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 19 June 2006 - 02:55 PM

DL http://www.merijn.org/files/bfu.zip


Extract bfu.exe to the C:\fixwareout folder
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 19 June 2006 - 05:20 PM

Hi. Finally managed to complete the above. Message that script was registered to run on reboot. Rebooted. Message displayed End of Programme OSA9.EXE not responding End Now, which I did. System restarted and I got a message "Windows can't find C:\Documents. Make sure you typed name correctly and then try again. To search for a file click Start button and click Search. OK" Then normal screen appeared. This didn't take longer than usual. I didn't get any further prompts and HJT didn't start. However I have run it and attached the new log for your info. Just to make sure I hadn't stuffed up the first time, I carried out this exercise a second time with exactly the same result.

Only other things to report are that Spybot advised of two changes:

Category = System Startup
Change = Value deleted
Entry = Kernel Fault Check
Old data = %sytemroot%\system32\dumprep 0-K

Category = Winlogon
Change = Value changed
Entry = System
Old data = csegh.exe

I also got a message from Spybot's Resident saying that it had denied the Winlogon change. Means nothing to me but I've included it in case it's relevant.

I've also received a message to say that Virtual Memory minimum is too low and it's increasing the size of VM Paging file. This is the second time today I've received this message.

Until I hear from you, I'll download the trial version of Spysweeper and be getting on with that.

Many thanks.

D.

Logfile of HijackThis v1.99.1
Scan saved at 22:55:10, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - URLSearchHook: (no name) - {AE232F0D-0AD0-9A7D-F631-EDC65CA5132A} - pizda.dll (file missing)
R3 - URLSearchHook: (no name) - {B8BD8D70-BEF8-1295-27D5-BB7071F037CE} - lpt.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS0_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124982664906
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {76FACBCF-8EF8-11D4-8A2C-005004425934} (CDToolCtrl Class) - http://www.aol.co.uk/try/web_reg/aolcdt171.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37870.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...549/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86
O17 - HKLM\System\CS1\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86
O17 - HKLM\System\CS2\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 19 June 2006 - 05:32 PM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {AE232F0D-0AD0-9A7D-F631-EDC65CA5132A} - pizda.dll (file missing)

R3 - URLSearchHook: (no name) - {B8BD8D70-BEF8-1295-27D5-BB7071F037CE} - lpt.dll (file missing)

O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)


O17 - HKLM\System\CCS\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86

O17 - HKLM\System\CS1\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86

O17 - HKLM\System\CS2\Services\Tcpip\..\{85358760-6FD1-4F69-BCD2-014A6AD5C443}: NameServer = 85.255.116.86


START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot


Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log


Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 20 June 2006 - 09:18 AM

Hi. Couldn't install SpySweeper yesterday and tried again with no luck. During installation get message that installation damaged - please reinstall. Thought it was due to Spybot but still got same message after uninstalling it.

Deleted required files from HJT. All files were deleted from Temp folder other than:

closedbgout
enableirsocketitil
IEC5.temp
MSO2AF
MSO308
MSO3D9
MSO34B

These were all Read only files and when asked, wasn't sure whether to delete so left them, just in case.

V4.0 of Ewido installed but no Additional Options were displayed so couldn't uncheck them. Scan was Clear - report attached.

New HJT report attached also

As the system was so slow I've uninstalled Spybot and Spyware Doctor for now.

System still very slow and acting oddly, e.g., everytime I reboot MS Security Centre reports that my ZoneAlarm firewall and MS firewall have been deactivated but the ZA firewall appears to be OK. My Network Connections page shows Tiscali broadband disconnected even when I'm on IE! Programmes keep crashing and CPU still running at 100%. Printer wouldn't work earlier, presumably due to lack of memory? Worked after deleting Spyware Doctor and Spybot. Hope this helps.

Logfile of HijackThis v1.99.1
Scan saved at 14:46:33, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS0_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124982664906
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {76FACBCF-8EF8-11D4-8A2C-005004425934} (CDToolCtrl Class) - http://www.aol.co.uk/try/web_reg/aolcdt171.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37870.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...549/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:37:29 20/06/2006

+ Scan result:



Nothing found.



::Report end

Really appreciate your help. Thanks.

D.

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 20 June 2006 - 09:52 AM

Hope you have MS Firewall disabled - uninstall Ewido

You have both McAfee and AVG running - only one active AV per system!


How much memory on this system


Log is clean
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 20 June 2006 - 11:57 AM

Hi

Windows Firewall disabled, ZA running OK (although it keeps crashing). Gone through the ZA tutorial and everything's OK.

McAfee installed years ago and have tried to uninstall but keep getting message "Windows Installer could not be accessed. This can occur if you are running Windows in Safe Mode or if it's not installed correctly." I'd like to keep AVG - I've checked McAfee website and they don't do free downloads so would like to get rid of that one if possible. Any ideas?

1.80GHz HD and 256 RAM.

Thanks.

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 20 June 2006 - 12:20 PM

http://www.mcafeehelp.com/selectSupportTyp...lution=1024x768
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 20 June 2006 - 12:40 PM

Is the Virtual Memory paging file size relevant? That's 384 MB.

Sorting the above out now.

Thanks.

#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 20 June 2006 - 12:47 PM

No and that is a decent size
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#13 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 20 June 2006 - 02:55 PM

Hi.

The link you sent for VSCleanup Tool cleaned some of the McAfee programme but from the HJT log it appears I still have some left. Windows Installer won't uninstall it from Control Panel Add/Remove folder.

I've been through all of my system and done some housekeeping but, although it's not as bad some of the time, it still hangs and CPU usage is still 100%. Any further ideas? I'll Defrag while I wait for your reply ...

Thanks.

#14 DeniseB

DeniseB
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:52 AM

Posted 20 June 2006 - 02:56 PM

Sorry forgot to attach the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 20:47:25, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS0_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124982664906
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {76FACBCF-8EF8-11D4-8A2C-005004425934} (CDToolCtrl Class) - http://www.aol.co.uk/try/web_reg/aolcdt171.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37870.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...549/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C04CCDA3-FB7D-4845-AB05-3623D2C5CB61}: NameServer = 85.255.116.86 85.255.112.157
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#15 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 20 June 2006 - 03:08 PM

Looks like wareout is back – run that fix again

You may want to print this or save it to notepad as we will go to safe mode.

Let’s see if we can get McAfee – Not confident!

Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE

O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU

O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...549/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C04CCDA3-FB7D-4845-AB05-3623D2C5CB61}: NameServer = 85.255.116.86 85.255.112.157

O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)

O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
=====================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

McAfee Privacy Service

Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Repeat for:
McAfee.com McShield
McAfee SecurityCenter Update Manager
McAfee.com VirusScan Online Realtime Engine
McAfee Personal Firewall Service
===========================
DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\McAfee
C:\Program Files\McAfee.com

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users