|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
1200+ fellow developers rate and compare features of the top IDEs, like Visual Studio, Eclipse, RAD, Delphi and others, across 13 categories. Enjoy this FREE Download of the IDE User Satisfaction Study by Evans Data Corporation. Download Now!
|
|
#1
October 13th, 2004, 04:35 PM
|
|||
|
|||
|
Popups and Possible Virus- HJT Log
I accidentally agreed to download a program from a popup on a website and now I have been getting popup ads although I have a Google Popup Blocker. I've run ad-aware and spy bot but I am not sure what to get rid of.
Also my virus scan says that I have a backdoor virus but I am unable to delete or quarantine. Please help. Thanks. Logfile of HijackThis v1.97.7 Scan saved at 5:31:05 PM, on 10/13/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Windows SyncroAd\SyncroAd.exe C:\Program Files\Kazaa Lite K++\KazaaLite.kpp c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\System32\ibxztmim.exe C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Windows SyncroAd\WinSync.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Web_Rebates\WebRebates1.exe C:\Program Files\Web_Rebates\WebRebates0.exe c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\MSN Messenger\msnmsgr.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\Documents and Settings\MATT\Desktop\Unused\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/ O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe" O4 - HKLM\..\Run: [vanqxa] C:\WINDOWS\System32\ibxztmim.exe O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\MATT\LOCALS~1\Temp\djtopr1150.exe" O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Research (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=48c347740e8f5c90be38175e52b8a764f9088180cf867b07efef0da67587cbcfe07d5eda93b070b3e1f5f4b23f7ec81a88 639e10093bff8917f19d0c3b2daa1576:9088c9d39de8432b43b6edf749c9050f O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.91.143.201/activex/AxisCamControl.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
|
|
#2
October 14th, 2004, 06:41 PM
|
|||
|
|||
|
Hi matty2004,
Let's do an onlne virus scan from at least two of these sites: Trend Micro Housecall http://housecall.trendmicro.com/ Panda Active Scan www.pandasoftware.com/activescan/activescan Bitdefender http://www.bitdefender.com/scan/licence.php Please copy and paste the report logs into your next post. Then.... Please update HijackThis, you are using an outdated version: Open HijackThis, click Config > Misc Tools > Check for Update online Or download a copy of version 1.98.2 at: http://www.majorgeeks.com/download3155.html Post a fresh log with this new version. Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#3
October 15th, 2004, 05:30 PM
|
|||
|
|||
|
1/2 of it
Bitdefender Report:
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>CmnIds.vbs: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/arrow_right.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/btn_signup_52x20.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/more_info.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_bottom.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_bottom_red.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_top.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_top_red.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/transpix.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/watermark_mys_150x130.gif: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>oemcfg.vbs: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>OEMIds.vbs: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>valert.htm: password protected C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>valert_old.htm: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip=>matt@atdmt[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip=>matt@atdmt[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc2.zip=>matt@atdmt[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc2.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc3.zip=>matt@atdmt[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc3.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip=>matt@bfast[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip=>matt@bfast[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip=>matt@qksrv[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip=>matt@qksrv[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip=>matt@qksrv[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip=>matt@doubleclick[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip=>matt@doubleclick[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick2.zip=>matt@doubleclick[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick2.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick3.zip=>matt@doubleclick[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick3.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.reg: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.reg: password protected
|
|
#4
October 15th, 2004, 05:31 PM
|
|||
|
|||
|
the other 1/2
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.reg: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.reg: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GAINGator.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GAINGator1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GAINGator2.zip=>About GAIN.lnk: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GAINGator2.zip=>GAIN Website.URL: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GAINGator2.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy.zip=>matt@linksynergy[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy1.zip=>matt@linksynergy[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy1.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy2.zip=>matt@linksynergy[1].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy2.zip=>sbRecovery.ini: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy3.zip=>matt@linksynergy[2].txt: password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy3.zip=>sbRecovery.ini: password protected C:\Documents and Settings\MATT\Local Settings\Temp\conscorr.exe: infected with Trojan.Downloader.Stubby.C C:\Documents and Settings\MATT\Local Settings\Temp\jkill.exe: infected with Application.ProcKill.Jk C:\Documents and Settings\MATT\Local Settings\Temp\ln_reco.exe=>(ASPack 2.12): infected with Trojan.Downloader.Agent.AF C:\Documents and Settings\MATT\Local Settings\Temp\THI1634.tmp\polall1l.exe=>(Upx): infected with Trojan.Downloader.Agent.AE C:\Documents and Settings\MATT\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe: infected with Application.Adware.PowerReg.3.0 C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>agntcons.vbs: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>agntlang.vbs: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>comctl.lpk: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>config.ini: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>pbar.vbs: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>UnInsStr.vbs: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>uninst.vbs: password protected C:\Program Files\McAfee.com\Agent\Uninst\screm.ui=>uninstall.htm: password protected C:\Program Files\Windows SyncroAd\CComm.dll: infected with Adware.SyncroAD C:\Program Files\Windows SyncroAd\SyncroAd.exe=>(Upx): infected with Adware.SyncroAD C:\Program Files\Windows SyncroAd\WinSync.exe: infected with Adware.SyncroAD C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0006629.exe=>(Petite 2.2): infected with Trojan.Downloader.Dyfuca.CR C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0006631.exe: infected with Trojan.Downloader.Stubby.C C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0006632.exe: infected with Adware.180Solutions.5.11 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0006633.exe=>(Petite 2.2): infected with Trojan.Downloader.Dyfuca.DA C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0006634.exe=>(Petite 2.2): infected with Trojan.Downloader.Dyfuca.CR C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP115\A0006697.exe: infected with Adware.Rebates C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP115\A0006698.exe: infected with Adware.Rebates C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP115\A0006699.exe: infected with Adware.Rebates C:\temp\lc.exe=>(ASPack 2.12): infected with Trojan.Downloader.Agent.AF C:\temp\msbbhook.dll: infected with Adware.1088 C:\temp\optimize.exe=>(Petite 2.2): infected with Trojan.Downloader.Dyfuca.DA C:\temp\WebRebates_CDT_InstallSilent.exe: infected with Adware.Rebates C:\WINDOWS\2_0_1browserhelper2.dll: infected with Trojan.Clicker.Delf.R C:\WINDOWS\Downloaded Program Files\SyncroAdX.dll: infected with Adware.Wupd C:\WINDOWS\SYSTEM32\ibxztmim.exe=>(Upx): infected with Trojan.Downloader.Agent.AE Activescan Report: Incident Status Location Virus:Trj/Downloader.GK No disinfected C:\Documents and Settings\MATT\Local Settings\Temp\THI1634.tmp\localNrd.cab[polall1l.exe] Virus:Trj/Downloader.GK No disinfected C:\Documents and Settings\MATT\Local Settings\Temp\THI1634.tmp\polall1l.exe Virus:Trj/Downloader.GK No disinfected C:\WINDOWS\SYSTEM32\ibxztmim.exe
|
|
#5
October 15th, 2004, 05:35 PM
|
|||
|
|||
|
New HJT Log
Thanks Tom. I updated HJT and here is my new log:
Logfile of HijackThis v1.98.2 Scan saved at 6:34:05 PM, on 10/15/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Kazaa Lite K++\KazaaLite.kpp C:\Program Files\Windows SyncroAd\SyncroAd.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\Program Files\Windows SyncroAd\WinSync.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Program Files\Web_Rebates\WebRebates1.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Web_Rebates\WebRebates0.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\Documents and Settings\MATT\Desktop\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R3 - Default URLSearchHook is missing O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe" O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\MATT\LOCALS~1\Temp\cetec.reg O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=48c347740e8f5c90be38175e52b8a764f9088180cf867b07efef0da67587cbcfe07d5eda93b070b3e1f5f4b23f7ec81a88 639e10093bff8917f19d0c3b2daa1576:9088c9d39de8432b43b6edf749c9050f O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.91.143.201/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
|
|
#6
October 15th, 2004, 06:44 PM
|
|||
|
|||
|
Download Ad-Aware SE Personal Edition from:
http://www.lavasoft.de/support/download/ Run Adaware, click the "Check for Updates now" link. Install the latest reference file Do not scan just yet.... Next.... Let's start with booting into Safe Mode (reboot, tap F8 when first booting, select Safe Mode). Go to Start > Control Panel > Add/Remove programs and remove: Windows SyncroAd WebRebates Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck the Hide Protected Operating System Files (recommended) option. Click Yes to confirm. Click OK. Delete the following files: C:\WINDOWS\SYSTEM32\ibxztmim.exe C:\WINDOWS\Downloaded Program Files\SyncroAdX.dll C:\WINDOWS\2_0_1browserhelper2.dll Delete the following folders: C:\Program Files\Windows SyncroAd\ Next.... Open My Computer, browse to C:\documents and settings\User Name(repeat for all users)\local settings\temp folder and delete all files and folders in it. Open My Computer, browse to C:\Windows\Temp folder and delete all files and folders in it. Open Internet Explorer click Tools > Internet Options > General. Check "delete all offline content", click "Delete Files" then Click OK. Empty your Recycle Bin. Next.... Perform a "Full system scan" with Adaware. Remove all checked items. Reboot normally and post a fresh HijackThis log. Tom
|
|
#7
October 15th, 2004, 08:25 PM
|
|||
|
|||
|
Thanks Tom.
Logfile of HijackThis v1.98.2 Scan saved at 9:24:00 PM, on 10/15/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\Program Files\Kazaa Lite K++\KazaaLite.kpp C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\MATT\Desktop\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.91.143.201/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
|
|
#8
October 16th, 2004, 04:58 PM
|
|||
|
|||
|
You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.
Logoff your internet connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com R3 - Default URLSearchHook is missing O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm These are resource hogs that can be safely deleted: O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it... O4 - Startup: PowerReg Scheduler V3.exe Next.... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode. Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck the Hide Protected Operating System Files (recommended) option. Click Yes to confirm. Click OK. Delete the following file: PowerReg Scheduler V3.exe Delete the following folder: C:\Program Files\Web_Rebates\ Reboot normally. Next.... In light of the recent infections, let's purge system restore. Disable System Restore XP: 1 Right-click My Computer, and then click Properties. 2 Click the System Restore tab. 3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box. 4 Click Apply 5 this will delete all existing restore points. Click Yes to do this. 6 Click OK. Reboot 1 Right-click My Computer, and then click Properties. 2 Click the System Restore tab. 3 Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box. 4 Click Apply 5 Click OK. 6 Create a new Restore Point: Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close. The date and time will automatically be added. Post a final log for review. Tom
|
|
#9
October 17th, 2004, 12:28 PM
|
|||
|
|||
|
Thanks for the help. New log: Logfile of HijackThis v1.98.2 Scan saved at 1:26:40 PM, on 10/17/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Kazaa Lite K++\KazaaLite.kpp c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\MATT\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess |
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
