Task Manager Disabled


  • This topic is locked
11 replies to this topic

#1 Swiss Alun

Swiss Alun


Posted 19 October 2006 - 01:40 PM

Last week I picked up a virus, although I managed to clean the two affected files the virus left a pop up message on the desktop. This was eventually cleared but now I cannot access the task manager, it seems I have been disabled by the administrator. I believe I'm still infected? Any ideas?
Thanks
Swiss Alun

See Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 21:32:00, on 13/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\AutoEJCD.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\kernels8.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ZyXEL Communications Corporation\ZyXEL G-220F Utility\ZyXEL_G-220F_GUI.exe
C:\Program Files\Cablecom Assistant\bin\mpbtn.exe
C:\PROGRA~1\CABLEC~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {391CB6A1-1EC8-26C3-796F-018E0ED280F4} - C:\WINDOWS\system32\kucsfng.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CABLEC~1\SMARTB~1\DExec.exe 180000 C:\PROGRA~1\CABLEC~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AutoEJCD_0ACE2011] C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\AutoEJCD.EXE /VID=0ACE /PID=2011
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oafkbgl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oafkbgl.dll,oznpymd
O4 - HKLM\..\Run: [269f57bd.exe] C:\WINDOWS\system32\269f57bd.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [269f57bd.exe] C:\Documents and Settings\Alun\Local Settings\Application Data\269f57bd.exe
O4 - Global Startup: cablecom assistant.lnk = C:\Program Files\Cablecom Assistant\bin\matcli.exe
O4 - Global Startup: ZyXEL G-220F Utility GUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...871/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


#2 miekiemoes

miekiemoes

  • Malware Response Team

Posted 19 October 2006 - 05:15 PM

Hello,

I still see some malware related entries in your log, so we'll have to make sure afterwards that your system is really clean.

Let's fix your Task Manager first and perform the next step:

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {391CB6A1-1EC8-26C3-796F-018E0ED280F4} - C:\WINDOWS\system32\kucsfng.dll
O4 - HKLM\..\Run: [oafkbgl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oafkbgl.dll,oznpymd
O4 - HKLM\..\Run: [269f57bd.exe] C:\WINDOWS\system32\269f57bd.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [269f57bd.exe] C:\Documents and Settings\Alun\Local Settings\Application Data\269f57bd.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the log from AVG Anti-Spyware.
You may need several replies to post the logs.

Edit: Can you tell me what the next program is?

O4 - HKLM\..\Run: [AutoEJCD_0ACE2011] C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\AutoEJCD.EXE /VID=0ACE /PID=2011

Because I see it's starting up with Windows all the time... It's something auto installing, so not sure if it needs to "autoinstall" every time after reboot..

Edited by miekiemoes, 19 October 2006 - 05:20 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Swiss Alun

Swiss Alun
  • Topic Starter


Posted 21 October 2006 - 10:54 AM

Please find the attached logs as requested. One more to follow. Thanks for your help.
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:30:44 21/10/2006

+ Scan result:



C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Ignored.
C:\Documents and Settings\Alun\Cookies\alun@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@homestore.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@meetupcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@www.etracker[1].txt -> TrackingCookie.Etracker : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@ehg-firstchoice.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@ehg-tiscover.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@ehg-zoomerang.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@oewabox[2].txt -> TrackingCookie.Oewabox : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@ads.planetactive[2].txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Alun\Cookies\alun@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Alun\Local Settings\Temp\Cookies\alun@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

#4 Swiss Alun

Swiss Alun
  • Topic Starter


Posted 21 October 2006 - 11:03 AM

Here's the second log:
Alun - 06-10-21 17:38:04.12 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Alun\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-21 to 2006-10-21 ))))))))))))))))))))))))))))))))))


2006-10-21 17:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-12 23:17 94,208 --------- C:\WINDOWS\system32\mclsp.dll
2006-10-12 23:17 90,112 --------- C:\WINDOWS\system32\mcrtl32.dll
2006-10-12 23:17 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2006-10-12 23:17 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-12 22:59 <DIR> d-------- C:\WINDOWS\McAfee.com
2006-10-12 21:56 0 --a------ C:\WINDOWS\system32\dlh9jkdq8.exe
2006-10-12 21:55 3,072 --a------ C:\WINDOWS\uninstDsk.exe
2006-10-12 21:54 93,696 --a------ C:\WINDOWS\system32\oafkbgl.dll
2006-10-12 21:54 72,704 --a------ C:\WINDOWS\system32\kucsfng.dll
2006-10-12 21:54 107,008 --a------ C:\Documents and Settings\Alun\kbiitvpi.exe
2006-10-11 21:34 65,536 -ra------ C:\WINDOWS\system32\PSCLE124.dll
2006-10-11 21:34 55,808 -ra------ C:\WINDOWS\system32\CNDCE124.dll
2006-10-11 21:34 53,248 -ra------ C:\WINDOWS\system32\CNDNDlg.exe
2006-10-11 21:34 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-10-11 21:34 128,512 -ra------ C:\WINDOWS\system32\CNDUE124.dll
2006-10-11 21:32 304,128 --a------ C:\WINDOWS\IsUninst.exe
2006-10-01 17:24 24,816 --a------ C:\WINDOWS\system32\mdimon.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-21 17:13 -------- d-------- C:\Program Files\Grisoft
2006-10-19 19:16 -------- d-------- C:\Program Files\Java
2006-10-19 19:16 -------- d-------- C:\Program Files\Google
2006-10-19 19:16 -------- d-------- C:\Documents and Settings\Alun\Application Data\Google
2006-10-14 14:06 -------- d-------- C:\Documents and Settings\Alun\Application Data\McAfee
2006-10-14 12:49 -------- d-------- C:\Program Files\Lavasoft
2006-10-14 12:49 -------- d-------- C:\Documents and Settings\Alun\Application Data\Lavasoft
2006-10-14 12:36 -------- d-------- C:\Program Files\Network Associates
2006-10-14 11:56 -------- d-------- C:\Program Files\Internet Explorer
2006-10-13 07:04 -------- d---s---- C:\Documents and Settings\Alun\Application Data\Microsoft
2006-10-12 23:27 -------- d-------- C:\Program Files\MSN
2006-10-12 23:17 -------- d-------- C:\Program Files\McAfee.com
2006-10-12 22:57 -------- d-------- C:\Documents and Settings\Alun\Application Data\McAfee.com Personal Firewall
2006-10-11 21:33 -------- d-------- C:\Program Files\Canon
2006-10-11 21:32 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 17:23 -------- d-------- C:\Program Files\Microsoft Office
2006-10-01 17:23 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-10-01 17:23 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-01 17:22 -------- d-------- C:\Program Files\Microsoft.NET
2006-10-01 17:22 -------- d-------- C:\Program Files\Common Files\System
2006-10-01 17:22 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-10-01 17:22 -------- d-------- C:\Program Files\Common Files
2006-09-27 19:44 -------- d-------- C:\Documents and Settings\Alun\Application Data\Macromedia
2006-09-16 18:10 -------- d-------- C:\Program Files\The Rosetta Stone
2006-09-16 18:08 -------- d-------- C:\Program Files\QuickTime
2006-09-16 17:34 -------- d-------- C:\Program Files\MotoGP2
2006-09-16 17:34 -------- d-------- C:\Program Files\GameSpy Arcade
2006-09-16 17:34 -------- d-------- C:\Program Files\Common Files\DirectX
2006-09-13 07:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-01 13:25 -------- d-------- C:\Program Files\Windows Media Player
2006-09-01 13:21 -------- d-------- C:\Program Files\Outlook Express
2006-09-01 10:55 -------- d-------- C:\Documents and Settings\Alun\Application Data\Motive
2006-09-01 10:54 -------- d-------- C:\Documents and Settings\Alun\Application Data\Leadertech
2006-09-01 09:21 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-01 09:21 -------- d-------- C:\Documents and Settings\Alun\Application Data\AdobeUM
2006-09-01 09:21 -------- d-------- C:\Documents and Settings\Alun\Application Data\Adobe
2006-09-01 08:28 -------- d-------- C:\Program Files\ZyXEL Communications Corporation
2006-09-01 08:27 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-01 08:27 -------- d-------- C:\Program Files\AutoInstall
2006-09-01 08:04 -------- d-------- C:\Program Files\Common Files\Motive
2006-09-01 08:04 -------- d-------- C:\Program Files\Cablecom Assistant
2006-09-01 08:03 -------- d-------- C:\Program Files\Motive
2006-08-25 17:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 04:59 -------- d-------- C:\Program Files\Sonic
2006-08-24 04:59 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-08-24 04:58 -------- d-------- C:\Program Files\Roxio
2006-08-24 04:58 -------- d-------- C:\Program Files\Common Files\TiVo Shared
2006-08-24 04:57 -------- d-------- C:\Program Files\McAfee
2006-08-24 04:55 -------- d-------- C:\Program Files\Microsoft Works
2006-08-24 04:55 -------- d-------- C:\Program Files\Adobe
2006-08-24 04:54 -------- d-------- C:\Program Files\InterActual
2006-08-24 04:54 -------- d-------- C:\Program Files\Dell
2006-08-24 04:54 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-08-24 04:54 -------- d-------- C:\Program Files\ATI Technologies
2006-08-24 04:53 -------- d-------- C:\Program Files\Intel
2006-08-24 04:51 -------- d-------- C:\Program Files\Sigmatel
2006-08-24 04:49 -------- d-------- C:\Program Files\Messenger
2006-08-24 04:48 -------- d-------- C:\Program Files\Common Files\Java
2006-08-24 04:48 -------- d-------- C:\Documents and Settings\Alun\Application Data\Sun
2006-08-21 14:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 13:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 15:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\CABLEC~1\\SMARTB~1\\DExec.exe 180000 C:\\PROGRA~1\\CABLEC~1\\SMARTB~1\\MotiveSB.exe"
"AutoEJCD_0ACE2011"="C:\\Program Files\\AutoInstall\\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\\AutoEJCD.EXE /VID=0ACE /PID=2011"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,\
00,00,02,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061021-170616-872
O4 - HKCU\..\Run: [269f57bd.exe] C:\Documents and Settings\Alun\Local Settings\Application Data\269f57bd.exe
backup-20061021-170616-235
O4 - HKLM\..\Run: [269f57bd.exe] C:\WINDOWS\system32\269f57bd.exe
backup-20061021-170616-997
O2 - BHO: (no name) - {391CB6A1-1EC8-26C3-796F-018E0ED280F4} - C:\WINDOWS\system32\kucsfng.dll
backup-20061021-170616-777
O4 - HKLM\..\Run: [oafkbgl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oafkbgl.dll,oznpymd

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DAVE-Alun).job

Completion time: 06-10-21 17:38:33.67
C:\ComboFix.txt ... 06-10-21 17:38

#5 miekiemoes

miekiemoes

  • Malware Response Team

Posted 21 October 2006 - 03:31 PM

Hello,

Delete the following files:

C:\WINDOWS\warnhp.html
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\uninstDsk.exe
C:\WINDOWS\system32\oafkbgl.dll
C:\WINDOWS\system32\kucsfng.dll
C:\Documents and Settings\Alun\kbiitvpi.exe

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")
Hit OK below > Apply in the previous window.

Then post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
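The HijackThis backups in the ComboFix output above and the file list in this reply show what the helper keyed on: random-named executables and DLLs, one of them loaded through rundll32, and a BHO with no name. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage pass over O2/O4 lines in that format, with those backed-up entries (plus two legitimate lines from the same log) as constructed sample input; the function names and the scoring heuristics are my own assumptions, not anything the tool implements.

```python
import re
# Constructed sample input: the four entries HijackThis backed up in this
# thread, plus two legitimate lines from the same log for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [269f57bd.exe] C:\Documents and Settings\Alun\Local Settings\Application Data\269f57bd.exe
O4 - HKLM\..\Run: [269f57bd.exe] C:\WINDOWS\system32\269f57bd.exe
O2 - BHO: (no name) - {391CB6A1-1EC8-26C3-796F-018E0ED280F4} - C:\WINDOWS\system32\kucsfng.dll
O4 - HKLM\..\Run: [oafkbgl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oafkbgl.dll,oznpymd
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
TARGET_RE = re.compile(r'^"?(.*?\.(?:exe|dll))', re.I)  # first exe/dll on the command line
HEX_STEM = re.compile(r"^[0-9a-f]{8,}$", re.I)         # e.g. 269f57bd
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.I)  # e.g. kucsfng, oafkbgl
PROFILE_DATA = "local settings\\application data"     # per-user writable location

def launched_file(command):
    """File an O4 command line really runs; for rundll32 that is the DLL it loads."""
    parts = re.split(r"rundll32\.exe\s+", command.strip(), maxsplit=1, flags=re.I)
    cmd = parts[1] if len(parts) == 2 else parts[0]   # drop the rundll32 host
    m = TARGET_RE.match(cmd)
    return m.group(1) if m else cmd

def name_reason(path):
    """Flag file names that look machine-generated rather than chosen by a vendor."""
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].split(".")[0]
    if HEX_STEM.match(stem):
        return "hex-like file name"
    # Heuristic only: some vendor names (McAfee's mcvsshld, say) trip this
    # too, so a human still makes the call, as the helper in this thread did.
    return "unpronounceable file name" if CONSONANT_RUN.search(stem) else None

def triage_line(line):
    """Return (target, reasons) for one O2/O4 HijackThis line, or None for other types."""
    reasons = []
    if m := O4_RE.match(line):
        _hive, _entry, command = m.groups()
        target = launched_file(command)
        if "rundll32.exe" in command.lower():
            reasons.append("rundll32 autostart")
        if PROFILE_DATA in target.lower():
            reasons.append("autostart from user profile data folder")
    elif m := O2_RE.match(line):
        name, _clsid, target = m.groups()
        if name == "(no name)":
            reasons.append("unnamed BHO")
    else:
        return None
    if reason := name_reason(target):
        reasons.append(reason)
    return target, reasons

def triage_log(text):
    """All scored lines of a log, in order; reasons == [] means nothing odd was seen."""
    return [r for r in map(triage_line, text.splitlines()) if r]
```

Running `triage_log(SAMPLE_LOG)` flags exactly the four entries the helper had removed and leaves the ehTray and Google Toolbar lines alone; the heuristics are a first filter for a human reviewer, not a verdict.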

#6 Swiss Alun (Topic Starter)

Posted 22 October 2006 - 06:33 AM

Please find the latest log file. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 13:23:05, on 22/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\AutoEJCD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\ZyXEL Communications Corporation\ZyXEL G-220F Utility\ZyXEL_G-220F_GUI.exe
C:\Program Files\Cablecom Assistant\bin\cablecom_assistant.exe
C:\Program Files\Cablecom Assistant\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\CABLEC~1\SMARTB~1\MotiveSB.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CABLEC~1\SMARTB~1\DExec.exe 180000 C:\PROGRA~1\CABLEC~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AutoEJCD_0ACE2011] C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\AutoEJCD.EXE /VID=0ACE /PID=2011
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: cablecom assistant.lnk = C:\Program Files\Cablecom Assistant\bin\matcli.exe
O4 - Global Startup: ZyXEL G-220F Utility GUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...871/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#7 miekiemoes

Posted 22 October 2006 - 11:33 AM

Looking good... only one important thing to perform:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
Let me know in your next reply how things are running now.

#8 Swiss Alun (Topic Starter)

Posted 24 October 2006 - 02:25 PM

Hello
Thanks for your help in getting me out of this situation. Everything looks good, although something seems to be working in the background; the cursor "egg timer" keeps oscillating. Perhaps I'm becoming a little paranoid?
Once again thanks for your patience and help, hopefully no more problems.
Cheers
Swiss Alun

#9 miekiemoes

Posted 24 October 2006 - 02:40 PM

Hi,

About the cursor, this could be caused by a legit program running in the background as well.
By the way, I asked you a question previously about this entry:

O4 - HKLM\..\Run: [AutoEJCD_0ACE2011] C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2011\AutoEJCD.EXE /VID=0ACE /PID=2011

Do you know what this program is? Because it is running in the background as well. And do you know for what it is needed? Because that could be the reason why your hour glass is "running" every time.

As a final check, I want you to run the following as well.

Download and save Blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found (if any), so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.

#10 Swiss Alun (Topic Starter)

Posted 27 October 2006 - 01:43 PM

Hello miekiemoes,

I'm not sure what that entry is; any way I can find out?

I have attached the log as requested,

10/27/06 20:22:18 [Info]: BlackLight Engine 1.0.47 initialized
10/27/06 20:22:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/27/06 20:22:18 [Note]: 7019 4
10/27/06 20:22:18 [Note]: 7005 0
10/27/06 20:22:24 [Note]: 7006 0
10/27/06 20:22:24 [Note]: 7011 3496
10/27/06 20:22:25 [Note]: 7026 0
10/27/06 20:22:25 [Note]: 7026 0
10/27/06 20:22:31 [Note]: FSRAW library version 1.7.1020
10/27/06 20:29:21 [Note]: 7007 0


Again thanks for your patience,
Swiss Alun

#11 miekiemoes

Posted 27 October 2006 - 02:10 PM

Hi,

I guess it's something related to this:
http://zd1211.ath.cx/ and it looks OK.

So if you don't really recognise it as useful to start up with Windows and run all the time, just disable it at startup. To do this, go to Start > Run and type: msconfig and hit Enter.
Then select the tab: Startup and uncheck the AutoEJCD.EXE entry in it.

Then reboot your computer.
After reboot, you'll get a message that something has been modified in your system configuration. Just check the box: "Do not display this message again" there.

Your Blacklight log looks ok.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
How to use SpywareBlaster

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :thumbsup:

#12 miekiemoes

Posted 30 October 2006 - 11:57 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.