TheTechGuide Forum
General Category => Tech Clinic => Topic started by: redryder on April 30, 2005, 06:49:37 PM
-
I have run SPYBOT, CWSHREDDER, and now HIJACK THIS. I get rid of most malware, but can't seem to get 100% removal.. Please help.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 4:37:46 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\mocih.exe
C:\WINNT\System32\dev32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\combo.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winnt\nvsvwc.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\sprmover.exe
C:\WINNT\System32\connmie.exe
C:\WINNT\System32\truettf.exe
C:\WINNT\System32\dxconf.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {53B6BC76-7DF8-4B44-ABCF-773DB7994ADF} - C:\WINNT\System32\msnxa.dll
O2 - BHO: Name - {5E26824E-3685-4B70-A914-7F2410B77C0B} - C:\WINNT\System32\msnxa.dll
O2 - BHO: (no name) - {D7F3D96A-26C7-4658-88C3-A72E18719246} - C:\WINNT\openwin.dll
O2 - BHO: Name - {E954B5DC-0CE3-4343-B1B6-FB1B069C5851} - C:\WINNT\System32\msnxa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [winltmpv] c:\winnt\nvsvwc.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114014142184
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B23A1B2-93B6-4D26-8A8D-5A920143ADD5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE21173B-4981-4B8C-8B5C-2CE08D1D15A5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O18 - Filter: text/plain - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\System32\mocih.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\System32\dev32.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
-
You have a couple of different infections, I need you to download a couple of tools
please
==Download and save Remv3.zip
UNZIP the contents to desktop>>A new Remv3 folder will be placed on the desktop
We'll need this later
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup: http://downloads.stevengould.org/cleanup/CleanUp40.exe
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet
==Download and save to Desktop
SpSeHjfix112.zip: http://www.derbilk.de/404.html
From that link
Unzip the contents, so you now have SpSeHjfix112.zip on your desktop
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
In safe mode
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Trace network connections
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Find and delete these files if found
Do the same for this service too
Provides three management service
Using Windows Explore, Find and delete these files if found,
C:\WINNT\System32\msnxa.dll <-file
C:\WINNT\System32\iecustom32.dll <-file
C:\WINNT\System32\mocih.exe <-file
C:\WINNT\System32\dev32.exe <-file
C:\WINNT\openwin.dll <-file
c:\winnt\nvsvwc.exe <-file
Navigate to this file and right click on it and rename it
C:\WINNT\System32\combo.exe <-this file
Rename it to combo.ex_
Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
In the new empty box type in or copy and paste the following in bold and hit OK
ACCRA
Do the same for this one
FreeBSD
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off
Do another scan with Hijackthis and put a check next to these entries:
Not all may be seen in safe mode, but take a look
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Name - {53B6BC76-7DF8-4B44-ABCF-773DB7994ADF} - C:\WINNT\System32\msnxa.dll
O2 - BHO: Name - {5E26824E-3685-4B70-A914-7F2410B77C0B} - C:\WINNT\System32\msnxa.dll
O2 - BHO: (no name) - {D7F3D96A-26C7-4658-88C3-A72E18719246} - C:\WINNT\openwin.dll
O2 - BHO: Name - {E954B5DC-0CE3-4343-B1B6-FB1B069C5851} - C:\WINNT\System32\msnxa.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [winltmpv] c:\winnt\nvsvwc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B23A1B2-93B6-4D26-8A8D-5A920143ADD5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE21173B-4981-4B8C-8B5C-2CE08D1D15A5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O18 - Filter: text/plain - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\System32\mocih.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\System32\dev32.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open the Remv3 folder you unzipped earlier and Double click on Remv3.bat
Let it finish, it will produce a log, save the log, we'll need this later
By default it is saved to C:\Log.txt
==Run SpSeHjfix112.zip.exe by clicking the Start Disinfection
It should reboot your computer
If not Reboot anyways back to Normal mode
Back in Windows>>The tool would have created a log, could you copy and paste that log to a location such as MyDocuments, just so we don't overwrite it when we run the tool again
Run
SpSeHjfix109.exe again
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page
Go to START>>RUN>>type in cmd
Hit OK
At the prompt type in
ipconfig /flushdns
Hit Enter
type
exit
Enter
Post back the logs from SpSeHjfix and a new Hijackthis log
Also post the log from Remv3.bat
C:\Log.txt
Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan: http://virusscan.jotti.org/
Use the browse button and navigate to this file on your hard disk
C:\WINNT\System32\combo.ex_<--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
NOTE:If you have trouble connecting to Internet after
This is important
With all browser windows closed
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
If you don't need to enter a DNS server address with your ISP
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
Restart your computer again
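The fix list above is built by reading the HijackThis log line by line: search settings pointing at a DLL in Temp, a rundll32 Run entry loading from Temp, a trusted-zone entry for a bare IP, O17 name servers that are not the ISP's, text/html filters, and "Unknown owner" services in System32, plus one BHO DLL (msnxa.dll) registered under several CLSIDs. This added example, not part of the thread or of HijackThis, automates that triage over a constructed excerpt of the log; the trusted DNS set and the "expected vendor" list are assumed sample values you would replace with your own.

```python
"""Triage a HijackThis v1.99 log for the hijack patterns seen in this thread."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section detail reason")

# Constructed sample value: the resolver(s) this machine should be using.
# Any O17 NameServer outside this set is treated as a hijack candidate.
TRUSTED_DNS = {"192.168.1.1"}

# Constructed excerpt of the first log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {53B6BC76-7DF8-4B44-ABCF-773DB7994ADF} - C:\WINNT\System32\msnxa.dll
O2 - BHO: Name - {5E26824E-3685-4B70-A914-7F2410B77C0B} - C:\WINNT\System32\msnxa.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B23A1B2-93B6-4D26-8A8D-5A920143ADD5}: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\System32\mocih.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""


def triage_log(text):
    """Return a list of Finding tuples for the suspicious entries in an HJT log."""
    findings = []
    bho_dlls = {}  # dll path (lower-cased) -> set of CLSIDs it is registered under
    for raw in text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            v = value.strip().lower()
            if v.startswith("res://") and "\\temp\\" in v:
                findings.append(Finding(sec, key, "IE page served from a DLL in the Temp folder"))
            elif v == "about:blank" and "search" in key.lower():
                findings.append(Finding(sec, key, "search setting blanked to about:blank"))
        elif sec == "O2":
            # Name may itself contain " - " (Spybot's path does), so anchor on the CLSID.
            bm = re.match(r"BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$", body)
            if bm:
                bho_dlls.setdefault(bm.group(2).lower(), set()).add(bm.group(1))
        elif sec == "O4":
            if re.search(r"rundll32\S*\s+\S*\\temp\\", body, re.IGNORECASE):
                findings.append(Finding(sec, body, "rundll32 loading a DLL from the Temp folder"))
        elif sec == "O15":
            if re.search(r"\d+\.\d+\.\d+\.\d+", body):
                findings.append(Finding(sec, body, "trusted-zone entry for a raw IP address"))
        elif sec == "O17":
            nm = re.search(r"NameServer = (.*)$", body)
            if nm:
                rogue = [s.strip() for s in nm.group(1).split(",") if s.strip() not in TRUSTED_DNS]
                if rogue:
                    findings.append(Finding(sec, ",".join(rogue), "DNS servers outside the expected set"))
        elif sec == "O18":
            fm = re.match(r"Filter: (text/(?:html|plain)) - \{[^}]+\} - (.*)$", body)
            if fm:
                findings.append(Finding(sec, fm.group(2), "MIME filter hooked on %s content" % fm.group(1)))
        elif sec == "O23":
            sm = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
            if sm:
                name, owner, path = sm.groups()
                # McAfee is also "Unknown owner" but runs from Program Files, so
                # the rule keys on vendor-less services living in System32.
                if owner == "Unknown owner" and "\\system32\\" in path.lower():
                    findings.append(Finding(sec, name, "service with no vendor running from System32"))
    for dll, clsids in bho_dlls.items():
        if len(clsids) > 1:
            findings.append(Finding("O2", dll, "one BHO DLL registered under %d CLSIDs" % len(clsids)))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-4s %-60.60s %s" % (f.section, f.detail, f.reason))
```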
-
First off, thanks for the quick and thorough reply.
I had a few issues with the recovery procedure..
"Trace Network Connections" was stopped, yet I could not delete ACCRA and FreeBSD - said program was in use. I checked them off in Hijackthis and deleted, then repeated the "Delete an NT Service" instructions. Seemed to work.
When I ran SpSeHjfix109 the first time, it immediately restarted my computer (as it should). After startup, I went to run SpSeHjfix109 again (as instructed) and it appeared to lock up.. My cursor would occasionally turn to an hour glass so I thought it was working.. After 5 minutes of this, I walked away and let it run.. An hour or so later it was still doing the same thing. Aborted and rebooted to find my desktop still hijacked with black screen: "WARNING..."
I decided to call it quits for the evening... I will try the whole procedure again tonight after work.... Can you think of anything I may be doing wrong?
Thanks again,
Paul
-
I decided to call it quits for the evening... I will try the whole procedure again tonight after work.... Can you think of anything I may be doing wrong?
Can you make sure you're running SpSeHjfix112
I know I said run SpSeHjfix109 again, but ensure you have version 112
Remember to be in safe mode when trying the fixes
Make sure you stop and disable the services
Trace network connections
Provides three management service
I will have to see some logs after to be more assistance
Please go back and read everything I posted, I'm quite sure you missed some important steps
You must do everything I posted, not just bits and pieces
Eg... I know you haven't downloaded Remv3.zip and unzipped it yet
So, I guess, basically, go back and do everything I asked
-
Hi Guestolo,
Thanks again for the quick reply...
Eg... I know you haven't download Remv3.zip and unzipped it yet
I actually did download and unzip the file... I don't know if I was in a view mode or what, but there was no hotlink to Remv3.zip when I originally looked (of course, it's plain as day now). I did a search and found it attached to another post of yours...
Believe me, I followed your instructions to a "T" until running into the couple of snags mentioned in my previous post.
I'll make sure I'm running SpSeHjfix112 on my next attempt...
Can't do anything till I get off from work!!!
I'll post my results tonight or early tomorrow A.M.
Thanks again for all the help..
Paul
-
Ok great, just let me see all the logs afterwards
Could you delete your copy of Remv3 and download the one I have uploaded for you
You may have an old version that may not find all bad files
-
Hello Guestolo,
I read your last post after performing the whole procedure. I'm sure the version of REMV3 is the same.. I went ahead and downloaded the one from this thread and installed it - after the fact. All the files were replaced with ones of equal size. The reason I could not download it the 1st time was because I was not in the "full version" of the forum.. I guess attachments don't show up unless you're in the "full version".
Enough on that.. This time everything went fairly smooth. A lot of the files in Hijack this were gone from yesterday's cleanup attempt. I seem to have regained control of my Internet Explorer (no pop-ups, no redirects, homepage is once again yahoo, etc). But my desktop is still hijacked.. A nasty black "Warning!! You're in danger!" message still appears. I right clicked on the desktop, went to properties and the address URL was //c:\\WINNT\\WEB\desktop.html. I proceeded to delete this file and refresh the desktop and now I have a plain white desktop (with the same URL address). I do not get the usual desktop configuration window when right clicking and going to properties (ie Wallpaper, screensaver, etc). However, I do see my original desktop picture for a short while when booting up... Don't know if this info helps out or not..
Maybe the following logs will:
_____________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 10:28:22 PM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114014142184
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
_________________________________________
C:\log.txt states:
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 9873-4FF9
Directory of C:\WINNT\system32
04/30/2005 06:14 PM 19,456 hdzjv.dll
1 File(s) 19,456 bytes
0 Dir(s) 110,273,032,192 bytes free
msi.dll
Finished
_______________________________________________________
SpSeHjfix.txt states:
(4/30/05 7:57:07 PM) SPSeHjFix started v1.1.2
(4/30/05 7:57:07 PM) OS: WinXP (5.1.2600)
(4/30/05 7:57:07 PM) Language: english
(4/30/05 7:57:07 PM) Win-Path: C:\WINNT
(4/30/05 7:57:07 PM) System-Path: C:\WINNT\System32
(4/30/05 7:57:07 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/30/05 7:57:17 PM) Disinfection started
(4/30/05 7:57:17 PM) Bad-Dll(IEP): (not found)
(4/30/05 7:57:17 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 7:57:17 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\openwin.dll
(4/30/05 7:57:17 PM) Searchassistant Uninstaller - Keys Deleted
(4/30/05 7:57:17 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:57:17 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:57:17 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(4/30/05 7:57:17 PM) Stealth-String not found
(4/30/05 7:57:17 PM) File added to delete: c:\winnt\openwin.dll
(4/30/05 7:57:17 PM) Reboot
(4/30/05 7:59:01 PM) SPSeHjFix started v1.1.2
(4/30/05 7:59:01 PM) OS: WinXP (5.1.2600)
(4/30/05 7:59:01 PM) Language: english
(4/30/05 7:59:01 PM) Win-Path: C:\WINNT
(4/30/05 7:59:01 PM) System-Path: C:\WINNT\System32
(4/30/05 7:59:01 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/30/05 7:59:43 PM) Disinfection started
(4/30/05 7:59:43 PM) Bad-Dll(IEP): (not found)
(4/30/05 7:59:43 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 7:59:43 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:59:43 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:59:43 PM) Bad IE-pages: (none)
(4/30/05 7:59:43 PM) Stealth-String not found
(4/30/05 7:59:43 PM) Not infected->END
(5/1/05 9:37:07 PM) SPSeHjFix started v1.1.2
(5/1/05 9:37:07 PM) OS: WinXP (5.1.2600)
(5/1/05 9:37:07 PM) Language: english
(5/1/05 9:37:07 PM) Win-Path: C:\WINNT
(5/1/05 9:37:07 PM) System-Path: C:\WINNT\System32
(5/1/05 9:37:07 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/1/05 9:37:08 PM) Disinfection started
(5/1/05 9:37:08 PM) Bad-Dll(IEP): (not found)
(5/1/05 9:37:08 PM) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 9:37:08 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:37:08 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:37:08 PM) Bad IE-pages: (none)
(5/1/05 9:37:08 PM) Stealth-String not found
(5/1/05 9:37:08 PM) Not infected->END
(5/1/05 9:44:24 PM) SPSeHjFix started v1.1.2
(5/1/05 9:44:24 PM) OS: WinXP (5.1.2600)
(5/1/05 9:44:24 PM) Language: english
(5/1/05 9:44:24 PM) Win-Path: C:\WINNT
(5/1/05 9:44:24 PM) System-Path: C:\WINNT\System32
(5/1/05 9:44:24 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/1/05 9:44:34 PM) Disinfection started
(5/1/05 9:44:34 PM) Bad-Dll(IEP): (not found)
(5/1/05 9:44:34 PM) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 9:44:34 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:44:34 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:44:34 PM) Bad IE-pages: (none)
(5/1/05 9:44:34 PM) Stealth-String not found
(5/1/05 9:44:34 PM) Not infected->END
________________________________________________________________
I think I'm close... Any ideas on the desktop?
Muchos Gracias,
Paul
-
Looking better, still some cleanup
I'll post some fixes tomorrow Red
I'm just on my way to bed
So it won't be till I get off work
In the meantime, can you do the following for me please
Download and UNZIP to a folder findall.zip
So you now have Get.bat and Get2.bat in the same folder
Double click on Get.bat and Get2.bat, they will both produce logs
Can you open the text files produced and post them back here
Export.txt and Export2.txt
Also, go ahead and delete this file
C:\WINNT\system32\hdzjv.dll <-file
Also, can you look for any of these files and let me know if they exist
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
And these folders
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
If you have Security IGuard
Virtual Maid
Search Maid
in your Add/Remove programs go ahead and Remove them
-
I'm trapped at work for the next 12 hours.. Will try your last set of instructions when I get home.
Thanks again,
Paul
-
I deleted C:\WINNT\system32\hdzjv.dll <-file and did not have any of the other mentioned files/folders/programs.
The export and export2 files follow:
_________________________________________
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"LoadedBefore"="1"
"ThemeActive"="1"
"LastUserLangID"="1033"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00
"ColorName"="NormalColor"
"SizeName"="NormalSize"
_____________________________________________________________
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
__________________________________________________________
Thanks,
Paul
-
Download and UNZIP to a folder
fixdesktop.zip, so you now have fixdesktop.reg unzipped to a folder
=Download the RKFiles.zip
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder
You may want to print this out or save to a Notepad file
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart into SAFE MODE
With windows set to show Hidden files and folders
First Double click on fixdesktop.reg and allow to merge to the registry
Next
Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Restart back to Normal mode
Do the following if you can
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked
Post the log produced by rkfiles.bat and a new Hijackthis log
-
Well, as far as I can tell, the computer is back to normal.. My desktop has been restored, my home page is no longer hijacked, pop-ups are gone, etc.
Thanks again for all the help. I'll post one last Hijackthis log and the results from rkfiles.bat (with any luck, it will be the last one!!!).
Logfile of HijackThis v1.99.1
Scan saved at 5:13:01 AM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114014142184
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
----------------------------------------------------------------------
C:\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\cidaconf.exe: UPX!
C:\WINNT\system32\combo.ex_.exe: UPX!
C:\WINNT\system32\downf102.exe: UPX!
C:\WINNT\system32\downf46.exe: UPX!
C:\WINNT\system32\sccfull.exe: UPX!
C:\WINNT\system32\spoolsrv32.exe: UPX!
C:\WINNT\system32\txfdb32.dll: UPX!
C:\WINNT\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\fdrest.exe: UPX!
C:\WINNT\MEMORY.DMP: UPX!
C:\WINNT\MEMORY.DMP: UPX!
C:\WINNT\MEMORY.DMP: UPX!
C:\WINNT\MEMORY.DMP: MSTVGS.ChannelLineupx!j6
C:\WINNT\msmconret.dll: UPX!
C:\WINNT\winsx.dll: UPX!
C:\WINNT\MEMORY.DMP: FSG!
C:\WINNT\mfunclo.exe: FSG!
Finished
bye
------------------------------------------------------------------------
Thanks again for all your efforts in helping me remove the malware. I'd like to make a donation for your services. The PayPal link goes to someone named Tangea. Is this the preferred account for making a donation?
Paul (redryder)
-
If you find SB Soft in your Add/Remove programs
Remove it
Print this out or save to a Notepad file
Restart into safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Find and delete these files
C:\WINNT\system32\combo.ex_.exe
C:\WINNT\system32\spoolsrv32.exe <=notice the spelling
C:\WINNT\system32\txfdb32.dll
C:\WINNT\winsx.dll
C:\WINNT\fdrest.exe
You can remove the memory.dmp files in the Winnt folder too
Now, in safe mode, right click an empty spot on your desktop
Select NEW>>Folder
Call the new folder Backup
Can you left click and DRAG these next files into that folder
Don't copy and paste them, we want them there as backups, but not left where they can do damage
C:\WINNT\system32\cidaconf.exe
C:\WINNT\system32\downf102.exe
C:\WINNT\system32\downf46.exe
C:\WINNT\system32\sccfull.exe
C:\WINNT\msmconret.dll
C:\WINNT\mfunclo.exe
Now stay in safe mode and run rkfiles.bat again
Restart back into safe mode
Post back one more hijackthis log to ensure it's clean
also the new log from rkfiles.bat
Could you next
Go to this site please
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to the files in the Backup folder on the desktop
Right click on each file individually and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results for each file
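The helper's last step is to compare a fresh HijackThis log against the earlier one and confirm the unwanted entries are gone. Below is an added example of doing that comparison in code; it is not code from the forum, the helper or HijackThis. It parses the log layout pasted in this thread (a "Running processes:" block followed by "R0/O4/O23 - ..." entries), reports which processes and entries disappeared between two scans (and anything new, which should be empty after a cleanup), and flags two patterns typical of the mid-2000s IE search-page hijackers. BEFORE_LOG and AFTER_LOG are constructed for this example; example32.exe and sample.dll are invented names, not files from the thread.

```python
r"""Diff two HijackThis v1.99 logs and flag a couple of classic hijack patterns.

Added example; not code from the forum, the helper or HijackThis. It reads
the log layout pasted in this thread: a 'Running processes:' block of paths
followed by entries such as 'O4 - HKLM\..\Run: [name] command'. BEFORE_LOG
and AFTER_LOG are constructed for this example (example32.exe and sample.dll
are invented names, not files from the thread).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Section prefix exactly as HijackThis prints it (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Two patterns typical of mid-2000s IE search/start-page hijackers.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\\locals~1\\temp\\", re.I), "loads from a user Temp folder"),
    (re.compile(r"=\s*res://", re.I), "IE page set to a resource inside a DLL"),
]

BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\example32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sample.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [example32] C:\WINNT\System32\example32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "

    def key(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt_log(text: str) -> tuple[list[str], list[HjtEntry]]:
    """Return (running processes, entries). Paths are lower-cased so the
    mixed-case spellings Windows prints compare equal."""
    processes: list[str] = []
    entries: list[HjtEntry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first entry ends the process block
            entries.append(HjtEntry(m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line.lower())
    return processes, entries


def diff_logs(before_text: str, after_text: str) -> dict[str, list[str]]:
    """What disappeared after cleanup, and what is new (should be empty)."""
    b_procs, b_entries = parse_hjt_log(before_text)
    a_procs, a_entries = parse_hjt_log(after_text)
    b_keys = {e.key() for e in b_entries}
    a_keys = {e.key() for e in a_entries}
    return {
        "removed_entries": sorted(b_keys - a_keys),
        "new_entries": sorted(a_keys - b_keys),
        "removed_processes": sorted(set(b_procs) - set(a_procs)),
        "new_processes": sorted(set(a_procs) - set(b_procs)),
    }


def flag_entries(entries: list[HjtEntry]) -> list[tuple[str, str, str]]:
    """(section, reason, body) for each entry matching a suspicious pattern."""
    flagged = []
    for e in entries:
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(e.body):
                flagged.append((e.section, reason, e.body))
                break
    return flagged


if __name__ == "__main__":
    for kind, items in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(kind, *items, sep="\n  ")
    for section, reason, body in flag_entries(parse_hjt_log(BEFORE_LOG)[1]):
        print(f"[{section}] {reason}: {body}")
```

The two heuristics are deliberately narrow: a blank "Unknown owner" or an 8.3 path is not evidence of anything on its own (the McAfee service in the logs above shows as "Unknown owner" and is legitimate), so the script only flags what it can justify and leaves the judgement on the rest to the before/after diff.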
-
hello Guestolo,
Here's the latest:
-Deleted the following files as requested:
C:\WINNT\system32\combo.ex_.exe
C:\WINNT\system32\spoolsrv32.exe <=notice the spelling
C:\WINNT\system32\txfdb32.dll
C:\WINNT\winsx.dll
C:\WINNT\fdrest.exe
-In safe mode I ran rkfiles.bat, here are the results:
C:\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
-hijackthis file also ran... results follow:
Logfile of HijackThis v1.99.1
Scan saved at 10:02:40 AM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114014142184
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
------------------------------------------------------------------------
-Results from Jotti's follow:
-----------------------------------------------------------------
cidaconf.exe
-------------------
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
---------------------------------
downf46.exe
-----------------
AntiVir Found Worm/Bagz.J
Avast Found Win32:Bagz-F-UPX
AVG Antivirus Found I-Worm/Bagz.Q
BitDefender Found Win32.Bagz.H@mm
ClamAV Found nothing
Dr.Web Found Trojan.Pigmail
F-Prot Antivirus Found nothing
Fortinet Found W32/Mochi-tr
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagz.h
mks_vir Found Worm.Bagz.H
NOD32 Found Win32/Bagz.H
Norman Virus Control Found Bagz.H
VBA32 Found Email-Worm.Win32.Bagz.h
------------------------------------
downf102.exe
---------------------
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
--------------------------------------
mfunclo.exe
---------------------------
AntiVir Found TR/Drop.Small.VN
Avast Found nothing
AVG Antivirus Found Dropper.Small.17.A
BitDefender Found BehavesLike:Trojan.StartPage (probable variant)
ClamAV Found Trojan.Clicker.Agent-33
Dr.Web Found Trojan.MulDrop.1847
F-Prot Antivirus Found nothing
Fortinet Found W32/Daodrop.B-tr
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Small.vn
mks_vir Found Win32 (probable variant)
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/Smalldrp.BZX
VBA32 Found Trojan-Dropper.Win32.Small.vn
----------------------------------------
msmconret.dll
----------------------
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found rojanDownloader.Win32.Agent.fc
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
------------------------------------
sccfull.exe
----------------------
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
-----------------------------------------------------
Looks like some of these files are infected.. I'll wait for your reply on how to deal with them....
Thanks again,
Paul (redryder)
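Reading a multi-engine scan like the one pasted above means tallying how many engines fired on each file and whether they agree on a family, since each vendor uses its own naming (Worm/Bagz.J, Win32:Bagz-F-UPX and Email-Worm.Win32.Bagz.h are the same thing). The following added example, not code from the thread or from Jotti, parses the plain-text layout the results are posted in (file name, dashed separator, one "engine Found verdict" line per engine), counts detections per file, and extracts a consensus family name by dropping platform and class tokens such as Win32, Trojan and Dropper. SAMPLE_RESULTS is trimmed from the results posted above to a few engines per file; the token list and the one-detection threshold are this example's own choices.

```python
"""Tally multi-engine results from Jotti's online scanner.

Added example; not code from the thread or from Jotti. Input is the plain-text
layout the thread's results are pasted in: a file name, a dashed separator,
then one '<engine> Found <verdict>' line per engine. SAMPLE_RESULTS is
trimmed from the results posted in the thread to a few engines per file.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_RESULTS = """\
downf46.exe
-----------------
AntiVir Found Worm/Bagz.J
Avast Found Win32:Bagz-F-UPX
ClamAV Found nothing
Dr.Web Found Trojan.Pigmail
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagz.h
Norman Virus Control Found Bagz.H
------------------------------------
mfunclo.exe
---------------------------
AntiVir Found TR/Drop.Small.VN
Avast Found nothing
AVG Antivirus Found Dropper.Small.17.A
F-Prot Antivirus Found nothing
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Small.vn
----------------------------------------
sccfull.exe
----------------------
AntiVir Found nothing
AVG Antivirus Found nothing
Kaspersky Anti-Virus Found nothing
"""

# Tokens that name a platform, a malware class or an engine's hedge rather
# than a family; this list is the example's own choice, not Jotti's.
GENERIC_TOKENS = {
    "win32", "w32", "worm", "email", "trojan", "dropper", "drop", "upx",
    "probable", "probably", "variant", "unknown", "behaveslike", "generic",
}


def parse_jotti(text: str) -> dict[str, dict[str, str | None]]:
    """Map file name -> {engine: detection name, or None for 'Found nothing'}."""
    results: dict[str, dict[str, str | None]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.lower() == "scanner results":
            continue
        if " Found " in line:
            if current is None:
                raise ValueError(f"engine line before any file name: {line!r}")
            engine, verdict = (s.strip() for s in line.split(" Found ", 1))
            results[current][engine] = None if verdict.lower() == "nothing" else verdict
        else:
            current = line
            results.setdefault(current, {})
    return results


def family_token(detection: str) -> str | None:
    """First meaningful token of a detection name, e.g. 'Email-Worm.Win32.Bagz.h' -> 'bagz'."""
    for tok in re.split(r"[^a-z0-9]+", detection.lower()):
        if len(tok) > 2 and not tok.isdigit() and tok not in GENERIC_TOKENS:
            return tok
    return None


def triage(results: dict[str, dict[str, str | None]], min_hits: int = 1) -> list[dict]:
    """Per file: engines queried, engines that fired, consensus family and a delete verdict."""
    rows = []
    for fname, engines in results.items():
        hits = [v for v in engines.values() if v]
        families = Counter(f for f in (family_token(v) for v in hits) if f)
        rows.append({
            "file": fname,
            "hits": len(hits),
            "engines": len(engines),
            "consensus": families.most_common(1)[0] if families else None,
            "delete": len(hits) >= min_hits,
        })
    return rows


if __name__ == "__main__":
    for row in triage(parse_jotti(SAMPLE_RESULTS)):
        print(f"{row['file']:<16} {row['hits']}/{row['engines']} engines "
              f"consensus={row['consensus']} delete={row['delete']}")
```

A single engine firing on an otherwise clean file (as with msmconret.dll above) is the case this kind of tally exists for: the count and the consensus name tell you whether you are looking at a heuristic one-off or a family several vendors agree on, and the threshold is where a practitioner decides how much weight a lone hit gets.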
-
Go ahead and delete these files
downf46.exe
msmconret.dll
mfunclo.exe
downf46.exe
downf102.exe
cidaconf.exe
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all
Why so far behind on Windows updates?
If your version is legit and you need a hand with how I like to update to the latest
service pack, let me know
If not, please download the latest critical updates and service packs to keep your system secure