TheTechGuide Forum
General Category => Tech Clinic => Topic started by: redcrowley on November 02, 2006, 12:38:27 PM
-
Hello,
I was using Avira free antivirus until I started detcting some unremovable viruses. At that point I switched to McAfee, which has not worked either. Now my computer is randomly shutting down if I disable the firewall, and always shuts down following an antivirus scan.
Here is my hijackthis log file:
Logfile of HijackThis v1.99.1
Scan saved at 12:24:46 PM, on 11/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\RUSS\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\YTBSDK.exe
C:\Documents and Settings\Russ\Desktop\DL Programs\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 217.129.106.168 L2testauthd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\russ\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Russ\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Neverwinter Nights Registration.lnk = C:\NeverwinterNights\NWN\ereg\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\System32\s1940.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab (http://\"http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab\")
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab (http://\"http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104460389187 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104460389187\")
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab (http://\"http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab (http://\"http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab\")
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - AppInit_DLLs: gkn974yw42jx375.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\RUSS\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
Any Suggestions?
-
Just some info I left out. One of my svchost.exe processes is sometimes affected and takes up my CPU.
A couple more new symptoms:
IE is freezing up regularly
My Mcafee Firewall, and Real Time Scan Protection are randomly disabling
-
I was using Avira free antivirus until I started detcting some unremovable viruses. At that point I switched to McAfee,
That's too bad, Avira is a good free AV, somethings however, no AV's can remove without special tools
DON'T run more than one AV's realtime protections on your computer
This will cause system instabilities
Can you do the following please
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/combofix.exe\") and save it too desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from combofix please
Also, Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
-
I cannot seem to post the logfile from combofix. Is it possible it's too large?
-
Russ - 06-11-02 22:27:43.06 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Russ\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-02 to 2006-11-02 ))))))))))))))))))))))))))))))))))
2006-11-02 13:47 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-01 16:53 117 --a------ C:\WINDOWS\system32\imii.bat
2006-10-22 21:51 84,744 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2006-10-22 21:50 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2006-10-22 21:50 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2006-10-22 21:50 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-10-22 21:50 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2006-10-22 11:36 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2006-10-22 11:35 37,832 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2006-10-22 11:35 33,928 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2006-10-22 11:35 31,752 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2006-10-22 11:35 162,504 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2006-10-22 11:34 104,536 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
-
Trying to post it piece by piece
-
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-02 13:47 -------- d-------- C:\Program Files\Internet Explorer
2006-11-01 16:54 -------- d-------- C:\Program Files\McAfee
2006-10-30 11:03 -------- d-------- C:\Program Files\Yahoo!
2006-10-30 11:03 -------- d-------- C:\Program Files\Common Files\Scanner
2006-10-26 23:58 -------- d-------- C:\Program Files\Common Files
2006-10-25 12:29 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-25 12:29 -------- d-------- C:\Program Files\Common Files\Real
2006-10-24 07:07 -------- d-------- C:\Documents and Settings\Russ\Application Data\SiteAdvisor
2006-10-23 12:36 -------- d-------- C:\Program Files\SiteAdvisor
2006-10-23 09:01 -------- d-------- C:\Program Files\GameSpy Arcade
2006-10-22 23:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-22 23:12 -------- d-------- C:\Program Files\Common Files\Motive
-
I keep getting internal server errors, and the amount of characters I am trying to put in keeps getting smaller.
-
Should I post it as an attachment?
-
Go ahead and post the combofix log as an attachment
Also, in a reply, post the uninstall list from Hijackthis
-
Her'e the combofix, I am starting hijackthis and will post that next.
-
Here's the hijackthis uninstall list:
(Main Game) Lightside - Legend Ragnarok Online
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
BioWare Premium Module: Neverwinter Nights(tm) Kingmaker
BitTorrent 3.4.2
bubbles Screen Saver
Celestia 1.3.2
Dev-C++ 5 beta 9 release (4.9.9.2)
DivX
DivX Player
EQ2MAP Updater 1.0.6
EverQuest II: Kingdom of Sky
eXtreme
Freeciv 2.0.1
GameSpy Arcade
Google Gmail Notifier
HijackThis 1.99.1
IGN Download Manager 2.1.1
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_06
KalOnlineEng
KnightOnline
Liberty BASIC v4.01
LimeWire 4.9.30
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Shockwave Player
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft MSDN Express Library 2005 Beta - English
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005 Express Edition Beta 2 (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition Beta 2
mIRC
Mozilla Firefox (1.5.0.6)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser and SDK
Nero - Burning Rom
Neverwinter Nights
Norton Spyware Scan provided by Yahoo!
NVDVD
NVIDIA Drivers
PokerStars
PowerZip 7.05
QuickTime
RealPlayer
Rubies of Eventide 0.95
Solar Wars v1.40
Starport GE v1.0
StarQuest Online
StarSonata (remove only)
StumbleUpon Toolbar for IE
SudoCue
Sudoku
Universal Shield
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual Basic 2005 Express Edition Beta - English
WinAce Archiver
WinAce Archiver 2.0
WindowBlinds
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
World of Warcraft
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar for Internet Explorer
-
Can you do the following for me please
Create a .bat file for me
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as Baddll.bat
Save this file on the desktop
dir C:\WINDOWS\System32\*.dll.dll > BadDLL.txt
notepad BadDLL.txt
double click on Baddll.bat>>A text file will open, copy>>paste back here the contents please
Can you also RIGHT click on Hijackthis.exe and rename it too
Scanner.exe
Run a fresh scan and save logfile and post a fresh log please
-
Results from baddll:
Volume in drive C is DRV1_VOL1
Volume Serial Number is EDB5-0800
Directory of C:\WINDOWS\System32
Hijackthis log after renaming to scanner.exe:
ogfile of HijackThis v1.99.1
Scan saved at 12:05:49 AM, on 11/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\RUSS\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\YTBSDK.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\Scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 217.129.106.168 L2testauthd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\russ\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Russ\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Neverwinter Nights Registration.lnk = C:\NeverwinterNights\NWN\ereg\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\System32\s1940.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab (http://\"http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab\")
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab (http://\"http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104460389187 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104460389187\")
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab (http://\"http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab (http://\"http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab\")
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - AppInit_DLLs: gkn974yw42jx375.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\RUSS\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
-
Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
_ _ _ _
Can you do the following
Go to START>>RUN>>type in
services.msc
Hit OK'
In the new window, on the right hand side
Look for this service name
AntiVir Update Temp
Double click on it
In the startup type dropdown menu select Disabled
Apply it>>OK then close it
Download [color=\"#FF0000\"]ATF-Cleaner[/color] (http://\"http://www.atribune.org/ccount/click.php?id=1\") by Atribune.
This program is for XP and Windows 2000 only
We'll need it later
Do a "System scan only" with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html (http://\"http://red.clientapps.yahoo.com/customize/...rch/search.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com\")
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - (no file)
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\russ\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in) -
O20 - AppInit_DLLs: gkn974yw42jx375.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
With all browser windows closed, including this one
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Post a fresh hijackthis log afterwards
Also, can you do the following
supply a Host file list from Hijackthis
Open Hijackthis>>Open Misc tools section>>Open hosts file manager
Click the "Open in Notepad" button
Copy>>Paste back it's contents too please
-
I downloaded atf-cleaner and ran hijackthis as instructed. I received an error at that point. Here it is:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: gkn974yw42jx375.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll)
Error #5 - Invalid procedure call or argument
Please email me at [email protected] ([email protected]), reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
I continued from there, but have yet to restart my computer and run atf-cleaner until I show you this error.
-
Carry on please
-
Fresh highjackthis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 12:47:41 AM, on 11/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\YTBSDK.exe
C:\HJT\Scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 217.129.106.168 L2testauthd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Russ\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Neverwinter Nights Registration.lnk = C:\NeverwinterNights\NWN\ereg\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\System32\s1940.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program (http://\"http://file:///C:\Program\") Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab (http://\"http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab\")
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab (http://\"http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104460389187 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104460389187\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab (http://\"http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab (http://\"http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab\")
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
-
hijackthis host file:
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
217.129.106.168 L2testauthd.lineage2.com
-
Sorry for the delay, it doesn't appear that AntiVir removed properly
Can you do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
If you didn't intentionally add the next entry to your hosts file
Check it too
O1 - Hosts: 217.129.106.168 L2testauthd.lineage2.com
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
DO NOT let interference from McAfee's or Microsoft Anti-spyware when fixing the above
Post a fresh hijackthis log afterwards
Also, can you do the following
Go to either of these links
http://virusscan.jotti.org/ (http://\"http://virusscan.jotti.org/\")
OR
http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")
Use the browse button and navigate to the file on your harddrive if you can find it
C:\WINDOWS\system32\imii.bat <-this file,
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Keep me informed how things are running
-
So far, the computer is running the same. Last night my scan was ended with a shutdown.
Thanks for your help.
New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:24:29 PM, on 11/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\Scanner.exe.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\System32\s1940.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Russ\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Neverwinter Nights Registration.lnk = C:\NeverwinterNights\NWN\ereg\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program (http://\"http://file:///C:/Program\") Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\System32\s1940.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program (http://\"http://file:///C:/Program\") Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program (http://\"http://file:///C:/Program\") Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab (http://\"http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab\")
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab (http://\"http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104460389187 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104460389187\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab (http://\"http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab (http://\"http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab\")
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
-
And here are the scan results:
Service load: 0% 100% File: imii.bat Status: [color=\"#00bb00\"]OK[/color] (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 a54f42301e342c0e3f5e35bc3aaa4bed Packers detected: -Scanner results AntiVir Found nothingArcaVir Found nothingAvast Found nothingAVG Antivirus Found nothingBitDefender Found nothingClamAV Found nothingDr.Web Found nothingF-Prot Antivirus Found nothingFortinet Found nothingKaspersky Anti-Virus Found nothingNOD32 Found nothingNorman Virus Control Found nothingVirusBuster Found nothingVBA32 Found nothing
-
Sorry about the formatting there. I copied and pasted from the website.
-
Could the computer be shutting down from overheating?
It's only been shutting down since the installation of McAfee's?
You can try uninstalling all of McAfee's and see if you still have shut down issues
Make sure to reboot the computer after all removal
Reinstall the free version of Avira and run a scan
-
I'll try that after I shutdown my firewall and see if I am still shutting down randomly. At the beggining of this thread I informed you of my random shutdowns when the firewall is not on. Those were caused by a remote procedure call. Which I believe is an effect of Poebot (I may be wrong there). I'll let you know how it goes.
-
ok, almost as soon as I shut down my firewall, these messages started popping up. These usually precede the RPC shutting me down.
McAfee has automatically blocked a buffer overflow.
Details
Detection:
File: C:\WINDOWS\system32\svchost.exe
More Info
Buffer overflows occur when suspect programs or processes try to store more data in a buffer (temporary data storage area) on your computer than its limit, corrupting or overwriting valid data in adjacent buffers.
If you do not recognize this activity, McAfee recommends that you continue to block it. If you recognize this activity, trust it in the future.
-
Computer shuts down when I disable firewall
Ah yes, you did say that
Can you do the following for me please
Download Stinger from McAfee's (http://\"http://download.nai.com/products/mcafee-avert/stng260.exe\")
Save it too desktop
Double click on Stinger.exe
# If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned.
# Click the Scan Now button to begin scanning the specified drives/directories.
When the scan is done
Click the File menu and select Save report to file
Save the report to your desktop
Reboot the computer
Post back that report please
-
Running that scan now. And thanks again for your help.
As an aside, I have been reading your thread with napster, and I can't believe you kept trying to help him. The man was an utter jerk. Kudos to you.
-
Stinger is searching my C drive (the only partition/drive I have) but it will take awhile due to the fact that it's 3/4 full of data. I will be heading to work soon, so if it doesn't complkete by then, I'll post the results around 11 pm EST.
-
I have tried 2 times to complete a run of stinger. It seems to be sgutting me down the same as when a Mcafee scan runs. But I have not been at the computer for either shutdown, so I am currently running stinger while I have time to watch and see exactly what happens.
Also worth noting:
When Mcafee (or Stinger) shuts me down, it leaves the computer running, but the monitor is no longer able to get a signal. I am assuming it shuts down windows entirely, and this is why. Also, after this happens, I cannot turn off the pc from the power button. I actually have to unplug it. Just thought that tidbit may be pertinent.
I'll let you know how this stinger scan goes when it completes.
-
ok, so Stinger is not completing, and it is causing a shutdown. It hung up on a file in the Microsoft MSDN Library folder, then shut off. I was unable to get the entire filename as it was long, and the time between stinger freezing up and the comp stopping working was short. I can tell you the filename ended in letters and nubers. I believe the last 2 were AX. Tried to write it down, but could not get it.
I am not sure if the file where it stopped working is pertinent, but I figured any info would help.
-
Are you able to run Stinger in safe mode>>WITHOUT networking?
-
I ran stinger in safe mode with no networking. It still hung up on the same file, but did not shut me down. This atleast gave me plenty of time to see the file and path it hung up on. And here it is:
C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN Express Library\FL_cpref_hxs_99151_ENU___.3643236F_FC70_11D3_A536_0090278A1
Don't know if it helps at all, but that's what I have figured out.
-
UPDATE:
I have deleted Microsoft Visual Studio 8, and it's folders from my drive. I have uninstalled the MSDN library. All can be reinstalled later. I just figured it may help the scan complete. At the moment, I am running the gaobot fix tool from symantec to see if it will clear one of my detected viruses (ie gaobot and poebot) then I am going to attempt to run stinger again, unless you say otherwise.
-
I was going to suggest something along those lines
I was going to ask you to exclude that folder from a McAfee antivirus scan
But your method should work
There definitely seems to be a conflict with the beta version of Microsoft MSDN Express Library 2005 Beta
and McAfee's
See if you can run both via safe mode
-
ok, the gaobot fix tool from Symantec found no detections(not run in safe mode). Now I am running stinger(also not in safe mode). Then I will rinse and repeat in safe mode for both.
-
Make sure McAfee is up to date
It's Virus scan should be good enough to run in safe mode
But to be on the safe side, run Stinger also
-
Neither the Symantec Gaobot tool, nor Stinger located anything when run in normal or safe mode. McAfee does not run in safe mode, so I am starting a scan right now in normal mode to see if it completes. I will post any details when it finishes.
-
I ram Mcafee unimpeeded in normal mode and found nothing. Which is weird since nothing has stated it removed the original viruses. So I took down my firewall to test, and BANG, I start getting buffer overflows caused by the svchost again. I am stumped.
-
Ok, let's see what can be done about this
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Service pack 2 has been out for quite some time
It includes needed security patches
You should consider updating
NOTE: Without patching your machine, quit disabling your Firewall or your asking for trouble
Before updating
Let's try a different virus scanner
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://\"ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe\")- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
And as a double check, this scanner won't take too long
Download and save too desktop
F-Secure Blacklight(blbeta.exe) (http://\"https://europe.f-secure.com/exclude/blacklight/blbeta.exe\")
Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log
BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".
-
The full scan is running. Here are the results of the quick scan:
[font=\"Arial\"]mps.exe;c:\program files\mcafee\mps;Probably BACKDOOR.Trojan;;[/font][font=\"Arial\"]mcupdmgr.exe;c:\program files\mcafee\msc;Probably DLOADER.Trojan;;[/font]
Those are Mcafee files. False positives maybe? Or worse. I will post the full results shortly.
-
Here's the full report. I will run the other scanner tomorrow as I have workerd 60 hours in 4 days and am just too tired.
[font=\"Arial\"]mps.exe;c:\program files\mcafee\mps;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;[/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"]mcupdmgr.exe;c:\program files\mcafee\msc;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;[/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"]MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;;[/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"]mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;;[/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"][/font][font=\"Arial\"]A0074190.reg;C:\System Volume Information\_restore{D11FDFB9-38B1-415A-A262-DE76EF682745}\RP553;Trojan.StartPage.1505;Deleted.;[/font][font=\"Arial\"]A0074333.reg;C:\System Volume Information\_restore{D11FDFB9-38B1-415A-A262-DE76EF682745}\RP553;Trojan.StartPage.1505;Deleted.;[/font][font=\"Arial\"]A0075794.dll;C:\System Volume Information\_restore{D11FDFB9-38B1-415A-A262-DE76EF682745}\RP560;Adware.MegaSearch;;[/font][font=\"Arial\"][/font][font=\"Arial\"][size="2"]popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;;[/size][/font]
-
These 2 definetly look like false postives
mps.exe;c:\program files\mcafee\mps;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;[/size]mcupdmgr.exe;c:\program files\mcafee\msc;Probably DLOADER.Trojan;Incurable.Will be moved after reboot
The 2 files can be moved back to there original location
mps.exe>>Move it back to c:\program files\mcafee\mps folder
mcupdmgr.exe>>Move back to c:\program files\mcafee\msc folder
You can find the 2 files located in
C:\Documents and Settings\Russ\DoctorWeb\Quarantine <-this folder
If the blbeta.exe scan comes clean
I would suggest you consider updating to Service pack 2 for Windows
ReVisit Windows updates and get all latest HIGH PRIORITY updates
After installing SP2 and any other later high priorities, Run the Disk Defragment utility on your computer
Here's some tips for preinstalling SP2
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx (http://\"http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx\")
-
blbeta came back clean and I have swutched to SP2 as well, as downloading updates.
After that I tried shutting off my firewall to test the buffer overflows. So far, everything looks great.
-
That sounds better
If you moved the 2 quarantined files from Dr.Web to McAfee folder
You can go ahead and delete Dr.Web
Also delete STINGER and blbeta.exe
Chances are if you need any of the above tools again
They will be updated and need to be redownloaded anyways
I noticed in your uninstall list you had older versions of Sun Java installed
But you appear to have updated since then>>Good move
If the following are still in add/remove programs list
Select and remove them
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_06
If you didn't intentionally install either
Viewpoint Manager (Remove Only)
Viewpoint Media Player
PokerStars
Remove any of the above 3 too, they can be unintentionally installed from other programs
You may want to run ATF-Cleaner one more time, with the following instructions
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
I know you have/had Microsoft Antispyware installed (See note below)
But I would also add the following free scanners to your system
Optionally
Download and Install
Ad-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Close out after it is updated, as we will need it later
Open Ad-Aware SE 1.06
Click START >>> NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Download and Install Spybot 1.4 from
HERE (http://\"http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1\")
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED
RESTART the computer to finish any cleaning process
Can you come back here and post one last hijackthis log please
Hopefully, with the needed Windows updates, everything is running better
NOTE: Do you still have Microsoft AntiSpyware installed?
Or is the entry in hijackthis a leftover?