Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zhelatin.bu - Adirka.exe - Nuwar.p


  • This topic is locked This topic is locked
43 replies to this topic

#1 yourmanjoe

yourmanjoe

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 03 April 2007 - 11:01 AM

Ever since I re-booted as requested by the McAfee automated update, I have issues with internet connectivity if the firewall is on, computer suddenly 'bleeps out' and re-boots (sometimes twice in a row), AND this malware >adirka.exe< keeps coming up as trying to connect to the internet.

I have done a malware scan with AVG, a registry clean with Registry Mechanic, a complete scan with McAfee and nothing seems to get better. I was advised to run Hijack and post my log file.

I had paid for tech support from McAfee for a technician to go directly into my machine. So far they have done all kinds of checks, tests, modifications and I still have the same problem. Up to this moment they had suggested that I contact my ISP. When I contacted my ISP they said McAfee should fix my problem. Gheez, this is getting so frustrating!

AVG had found zhelatin.bu and quarantined, but I think it morphed and still affecting my system. AVG also found and quarantined Nuwar.p just prior to this HijackThis log file. . . don't know how that ever came into the situation.

As far as I can tell, this is a very new variant on the Zhelatin.a (ab, au, o,t,u,v) versions of this virus and I don't think the McAfee service is even set up to find it, let alone fix it.

I have found a little info on the zhelatin.b here: http://www.viruslist.com/en/viruses/...virusid=150219

If you click on the a, au, etc. links you can see how it works, but the methods don't exactly apply to this bu version to fix it.

AVG also recently found Nuwar.p which is said it cleaned and quarantined.

My issues STILL: 1: Computer is sending mass e-mails through the back-side
2: I have to disable McAfee firewall in order for IE or Outlook to connect
3: Consistently have McAfee pop-up warning of adirka.exe connecting to internet
4: Computer may bleep out and re-boot at any given moment. Primarily if McAfee firewall is on and keep trying to block adirka.exe
I have XP Home edition, Vers 2002, Service Pack 1

McAfee Security Center v 7.2; build 7.2.147


Here is my most recent HijackThis log after "attempts to repair" by McAfee technicians.

Logfile of HijackThis v1.99.1
Scan saved at 2:19:42 PM, on 4/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\windows\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\windows\System32\mgabg.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\program files\mirra\mirra.service.exe
c:\program files\mcafee\msc\mcuimgr.exe
c:\program files\mcafee\msc\mcshell.exe
\?\C:\windows\system32\WBEM\WMIADAP.EXE
C:\windows\system32\adirka.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://store.adobe.com/WebObjects/WE...platformCode=W

IN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft

Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program

Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program

Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910}

- C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -

c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} -

C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program

Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -

C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login -

{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program

Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no

file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {53A39248-798B-4E97-9295-D327D12D7096} -

C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storere

dir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: DigiChat Applet -

http://chat.onemodelplace.com/DigiCh.../Client_IE.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -

https://components.viewpoint.com/ado...3.cab?url=http

://www.studio960pd.com/Pages/WEB%20GALLERYS/3dgallery/web/ThumbnailFrame.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/...le.com/drakken

/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating

System Class) -

http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory

Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer

Diagnostics) -

http://h50203.www5.hp.com/HPISWeb/Cu...WebManager.CAB
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician

Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX

control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcafee.com/molbin/is...93/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} -

C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe

Version Cue\service\VersionCue.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online,

Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program

Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program

Files\Common Files\Command Software\dvpapi.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. -

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program

Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MBackMonitor - McAfee - C:\Program

Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program

Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program

files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. -

C:\windows\System32\mgabg.exe
O23 - Service: MirraSync Service (Mirra.Service) - Seagate Technology -

c:\program files\mirra\mirra.service.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. -

C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. -

C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program

Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: OlCamSrv - OLYMPUS IMAGING CORP. - C:\Program Files\Common

Files\OLYMPUS\Service\OlCamSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Qdmsrveogar - PCTEL, INC. - (no file)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program

Files\SiteAdvisor\6028\SAService.exe

BC AdBot (Login to Remove)

 


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:53 AM

Posted 06 April 2007 - 05:32 PM

Hello and welcome to BC.

Yes, you have do have a nasty infection which probably arrived with an email.
  • Please download ComboFix

    Note: It is important that it is saved directly to your desktop.

    Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done you can delete this folder - QooBox.
Please post back the combofix.txt and a fresh HijackThis log, but make sure that the word wrap is turned off(un-ticked) in the Format menu of the Wordpad.

#3 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 07 April 2007 - 04:07 PM

Ran Combo fix, it re-booted computer and seemed to finish, but I never found the file "ComboFix.txt" only found "ComboFix-quarantined-files.txt"

results here:
00-10-27 17:23	  50688	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\BSZIP.DLL.vir 
07-03-23 09:28	  55296	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\wincom32.sys.vir 
07-03-26 11:16	  7342	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\dd.exe.vir 
07-03-28 17:54	  46592	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\zlbw.dll.vir 
07-03-29 15:26	  17180	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\via.exe.vir 
07-04-03 10:55	  72831	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\adirka.exe.vir 


Folder PATH listing
Volume serial number is 71FAE346 E453:D0C1
C:\QOOBOX
\---Quarantine
	+---Registry_backups
	\---WINDOWS
		\---system32
				adirka.exe.vir
				BSZIP.DLL.vir
				dd.exe.vir
				via.exe.vir
				wincom32.sys.vir
				zlbw.dll.vir


Computer still acting up and I will re-run HiJack log next

#4 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 07 April 2007 - 04:11 PM

My new HiJackThis Log File

Logfile of HijackThis v1.99.1
Scan saved at 2:07:30 PM, on 4/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\windows\System32\mgabg.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\windows\System32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\windows\system32\svchost.exe
c:\program files\mirra\mirra.service.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\windows\system32\cmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe
C:\windows\System32\spool\DRIVERS\W32X86\2\PS3iDMNL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?page...systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {53A39248-798B-4E97-9295-D327D12D7096} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: DigiChat Applet - http://chat.onemodelplace.com/DigiChat/Dig...s/Client_IE.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...bnailFrame.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...993/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\windows\System32\mgabg.exe
O23 - Service: MirraSync Service (Mirra.Service) - Seagate Technology - c:\program files\mirra\mirra.service.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: OlCamSrv - OLYMPUS IMAGING CORP. - C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Qdmsrveogar - PCTEL, INC. - (no file)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

#5 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:53 AM

Posted 07 April 2007 - 07:01 PM

Hi,

Do you know what this service is:

O23 - Service: Qdmsrveogar - PCTEL, INC. - (no file)

=======================================

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not scan with it yet.

=======================================

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

Posted Image
  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

========================================

Reboot your computer in Safe Mode using the F8 method below.
a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

=======================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to loose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one users, run Ccleaner for every user

========================================

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
=========================================

Reboot in Normal Mode.

=========================================

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report and save it to your desktop.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

==========================================

Please post back the results from AVG Anti-Spyware and Panda online scans, and a fresh HijackThis log.

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:53 AM

Posted 08 April 2007 - 01:02 PM

Also do this scan.

Please download Dr.Web CureIt to the desktop.


Disconnect this PC from the internet and close all open programs.

It's crucial that you follow this next step exactly as instructed: Do not multi-task while the scan is running...only DrWeb can be active
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.


#7 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 08 April 2007 - 10:39 PM

Here is AVG report. It was originally all garbled with underscores, but I fixed it in word.

Will do Panda next.

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------



+ Created at: 9:17:21 PM 3/27/2007



+ Scan result:







C:\Documents and Settings\Joe\Local Settings\Temp\Temporary Internet Files\Content.IE5\C5YJS96B\mm[2].js -> Adware.Chitika : Cleaned with backup (quarantined).

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6HWPER4N\via[1].exe -> Downloader.Tibs.kc : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP913\A0227152.exe -> Downloader.Tibs.kc : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP915\A0230137.exe -> Downloader.Tibs.kc : Cleaned with backup (quarantined).

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6HWPER4N\sc[1].exe -> Worm.Zhelatin.bu : Cleaned with backup (quarantined).

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UFS3UHAF\via[3].exe -> Worm.Zhelatin.bu : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP915\A0230148.exe -> Worm.Zhelatin.bu : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP917\A0233389.exe -> Worm.Zhelatin.bu : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP917\A0234404.exe -> Worm.Zhelatin.bu : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP917\A0234405.exe -> Worm.Zhelatin.bu : Cleaned with backup (quarantined).

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6HWPER4N\via[5].exe -> Worm.Zhelatin.bv : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP918\A0235466.exe -> Worm.Zhelatin.bv : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP918\A0235467.exe -> Worm.Zhelatin.bv : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP918\A0239441.exe -> Worm.Zhelatin.bv : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP918\A0239442.exe -> Worm.Zhelatin.bv : Cleaned with backup (quarantined).

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8Z8HAJE1\via[2].exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MPG5GTOT\via[3].exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP918\A0240442.exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP919\A0240466.exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP919\A0240469.exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP924\A0242561.exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP924\A0242562.exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).

C:\System Volume Information\restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP924\A0247607.exe -> Worm.Zhelatin.bw : Cleaned with backup (quarantined).





::Report end

#8 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 08 April 2007 - 11:40 PM

re: Panda.

I was running the Panda and it found/fixed 2 viruses and 4 hacker tools

A pop-up came from Panda for a "buy now" special. When I closed the pop-up the scan aborted and I have re-started, but I am afraid the files cleaned log will not show what had previously been lost. The Panda is running again right now and I'll let you know.

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:53 AM

Posted 09 April 2007 - 09:39 AM

Please run DrWeb too and post both logs. Thanks. :thumbsup:

#10 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 09 April 2007 - 09:59 AM

Panda Log >>>


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\TSF\nircmd.cfexe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe\My Documents\smitRem.exe[smitRem/Process.exe]
Virus:Trj/Alanchum.UF Disinfected C:\QooBox\Quarantine\WINDOWS\system32\dd.exe.vir
Virus:Trj/Alanchum.UA Disinfected C:\WINDOWS\LastGood\System32\sc.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\aydhomxr.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\bqmhfums.exe
Virus:Trj/Gagar.DM Disinfected C:\WINDOWS\system32\btvtvlnr.exe
Virus:Trj/Downloader.NKO Disinfected C:\WINDOWS\system32\ivbxpwuq.exe
Virus:Trj/Gagar.DB Disinfected C:\WINDOWS\system32\mwugadwp.exe
Virus:Trj/Alanchum.UF Disinfected C:\WINDOWS\system32\sc.exe.tmp

#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:53 AM

Posted 09 April 2007 - 02:04 PM

Hi,


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Joe\Desktop\SmitfraudFix.zip
    C:\Documents and Settings\Joe\Desktop\smitRem.exe
    C:\Documents and Settings\Joe\My Documents\smitRem.exe
    C:\WINDOWS\system32\aydhomxr.exe
    C:\WINDOWS\system32\bqmhfums.exe
    C:\WINDOWS\system32\btvtvlnr.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


=============

Please post back the OTMoveIt log, the Dr.Web report DrWeb.csv that I asked for earlier and a fresh HijackThis log.

#12 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 09 April 2007 - 06:30 PM

HiJackThis after Dr. Webb and re-boot (Note: My McAfee Privacy Service doesn't work now, but I can deal with that later), will move on to your next instructions now



Logfile of HijackThis v1.99.1
Scan saved at 4:11:41 PM, on 4/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\windows\System32\mgabg.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
c:\program files\mirra\mirra.service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?page...systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {53A39248-798B-4E97-9295-D327D12D7096} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: DigiChat Applet - http://chat.onemodelplace.com/DigiChat/Dig...s/Client_IE.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...bnailFrame.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...993/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\windows\System32\mgabg.exe
O23 - Service: MirraSync Service (Mirra.Service) - Seagate Technology - c:\program files\mirra\mirra.service.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: OlCamSrv - OLYMPUS IMAGING CORP. - C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Qdmsrveogar - PCTEL, INC. - (no file)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

#13 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 09 April 2007 - 06:34 PM

Move-it Results

C:\Documents and Settings\Joe\Desktop\SmitfraudFix.zip moved successfully.
C:\Documents and Settings\Joe\Desktop\smitRem.exe moved successfully.
C:\Documents and Settings\Joe\My Documents\smitRem.exe moved successfully.
File/Folder C:\WINDOWS\system32\aydhomxr.exe not found.
File/Folder C:\WINDOWS\system32\bqmhfums.exe not found.
File/Folder C:\WINDOWS\system32\btvtvlnr.exe not found.

Created on 04/09/2007 16:30:29

#14 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 09 April 2007 - 06:52 PM

Actually, my McAfee is really acting up at this point, the auto "Fix" won't complete due to "error"

However, the Firewall must be working as I could not get Internet unless "disable Firewall" (as original problem) only thing I don't know is if my McAfee is not reporting background sent e-mails (haven't seen a McAfee warning, but now unsure of what is or isn't working with McAfee)

Not goinf to re-install McAfee until you tell me.

Here is the newest log after the "Move-it" and re-boot

Logfile of HijackThis v1.99.1
Scan saved at 4:45:03 PM, on 4/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\windows\System32\mgabg.exe
C:\windows\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
c:\program files\mirra\mirra.service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?page...systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {53A39248-798B-4E97-9295-D327D12D7096} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: DigiChat Applet - http://chat.onemodelplace.com/DigiChat/Dig...s/Client_IE.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...bnailFrame.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...993/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\windows\System32\mgabg.exe
O23 - Service: MirraSync Service (Mirra.Service) - Seagate Technology - c:\program files\mirra\mirra.service.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: OlCamSrv - OLYMPUS IMAGING CORP. - C:\Program Files\Common Files\OLYMPUS\Service\OlCamSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Qdmsrveogar - PCTEL, INC. - (no file)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

#15 yourmanjoe

yourmanjoe
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 09 April 2007 - 06:56 PM

sorry for missing this one, here is the Dr Web.CSV


mps.exe;c:\program files\mcafee\mps;Probably BACKDOOR.Trojan;Will be moved after reboot.;
smt[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\874BW9SZ;Trojan.Packed.74;Deleted.;
duo[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M7Y30NOX;Trojan.Packed.74;Deleted.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Moved.;
mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Moved.;
mps.exe;C:\Program Files\McAfee\MPS;Probably BACKDOOR.Trojan;Will be moved after reboot.;
zlbw.dll.vir;C:\QooBox\Quarantine\WINDOWS\system32;Trojan.Proxy.1715;Deleted.;
A0001006.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP2;Trojan.Packed.68;Deleted.;
A0001007.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP2;Trojan.Packed.68;Deleted.;
A0001019.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP2;Probably BACKDOOR.Trojan;Moved.;
A0004015.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP2;Probably BACKDOOR.Trojan;Moved.;
A0006027.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP3;Probably BACKDOOR.Trojan;Moved.;
A0006028.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP3;Tool.Prockill;Moved.;
A0006029.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP3;Tool.Prockill;Moved.;
A0009030.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP4;Probably BACKDOOR.Trojan;Moved.;
A0009035.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP4;Trojan.Packed.66;Deleted.;
A0010013.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP4;Trojan.Packed.74;Deleted.;
A0011010.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP4;Trojan.Packed.74;Deleted.;
A0011011.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP4;Trojan.Packed.74;Deleted.;
A0012018.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP5;Probably BACKDOOR.Trojan;Moved.;
A0018020.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Probably BACKDOOR.Trojan;Moved.;
A0018027.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Packed.66;Deleted.;
A0018029.dll;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Proxy.1715;Deleted.;
A0020733.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Packed.75;Deleted.;
A0020748.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Probably BACKDOOR.Trojan;Moved.;
A0020751.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Tool.ShutDown.11;Moved.;
A0020752.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Packed.61;Deleted.;
A0020753.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Packed.61;Deleted.;
A0020754.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Packed.53;Deleted.;
A0020755.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP8;Trojan.Packed.38;Deleted.;
A0020759.exe;C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP9;Probably DLOADER.Trojan;Moved.;
aydhomxr.exe;C:\WINDOWS\system32;Trojan.DownLoader.14309;Deleted.;
bqmhfums.exe;C:\WINDOWS\system32;Trojan.DownLoader.14309;Deleted.;
eraxcofz.exe;C:\WINDOWS\system32;Trojan.DownLoader.15764;Deleted.;
fqszsycj.exe;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
lytjqsnr.exe;C:\WINDOWS\system32;Win32.Dref;Deleted.;
orzncgnt.exe;C:\WINDOWS\system32;Trojan.DownLoader.15764;Deleted.;
pfhrgczo.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
rmujtrrl.exe;C:\WINDOWS\system32;Win32.Dref;Deleted.;
smt.exe;C:\WINDOWS\system32;Trojan.Packed.74;Deleted.;
tqjnmolb.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
xevqpxaq.exe;C:\WINDOWS\system32;Trojan.Packed.46;Deleted.;
xqvzckir.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
ystxonrw.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users