Topic: Numerous Nasties (Read 3694 times)

Offline Seamoose

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Numerous Nasties
« Reply #20 on: December 15, 2005, 08:12:50 PM »
Hi - sorry life (well a party actually!) got in the way of the great Malware hunt but I'm back complete with hangover and have just done the Jotti thing...

Here is a cut n paste of the results:

File:  scmgrcpl50.cpl  
Status:  OK  
MD5  eeac213ab63aa86d0c46893199735e72  
Packers detected:  -
Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

Also at the bottom of the page, after the disclaimers, there was the following - I found it hard to tell if it refers to my computer or what:

Last file scanned at least one scanner reported something about: a8o1v.exe, detected by:

Scanner  Malware name  
AntiVir  X  
ArcaVir  Trojan.Kolweb.G  
Avast  X  
AVG Antivirus  Generic.DUM  
BitDefender  X  
ClamAV  X  
Dr.Web  Trojan.Click.767  
F-Prot Antivirus  X  
Fortinet  X  
Kaspersky Anti-Virus  Trojan.Win32.Kolweb.g  
NOD32  Win32/Kolweb.G  
Norman Virus Control  W32/Kolweb.G  
UNA  X  
VBA32  Trojan.Win32.Kolweb.g  

Thanks again!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Numerous Nasties
« Reply #21 on: December 15, 2005, 08:46:49 PM »
Can you navigate to this file
C:\WINDOWS\SYSTEM32\scmgrcpl50.cpl

Right click on it and left click properties
If there is a Version tab, open it
Do you know what it's related to?

I take it there's no more popups?
« Last Edit: December 15, 2005, 08:47:11 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Seamoose
Numerous Nasties
« Reply #22 on: December 15, 2005, 10:43:45 PM »
The file in question seems to have something to do with - in fact directly opens - a "caere scan manager", which I presume must have something to do with our scanner, which I personally have never used (my other half would have more of an idea about it) - but it seems innocuous?

So far today I have not had any pop up action. Haven't used the computer much though and it usually happens quite randomly, sometimes hours after booting up so *fingers crossed* eh?

Anything else I should do you think?

Would it be possible for you to advise me what I should regularly do - what software I should run, etc to avoid this from happening again? I am a little confused as to which programs to keep and use.

Thanks again.

Offline guestolo
Numerous Nasties
« Reply #23 on: December 15, 2005, 11:04:38 PM »
For final cleanup

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

What to keep
I would opt to keep the following
Spybot and AdAware
Check for updates every couple of weeks and run scans when there is an update
Additionally in Spybot, click on the Immunize button>>OK>>Click Immunize at the top green cross
Do this after every update

Ewido is optional, I would keep it however, in about a week it will turn into a limited version
But it's still a great scanner

Definitely hold onto AVG, keep it updated
Definitely hold onto SpywareBlaster and check for updates every couple of weeks

You can delete Aproposfix and WPFind
Additionally, hold onto hijackthis for awhile, after a couple weeks if everything is still running fine
Go into your add/remove programs and remove Hijackthis
and then delete the whole folder where hijackthis is located
C:\HJT <-this folder

Offline Seamoose
Numerous Nasties
« Reply #24 on: December 16, 2005, 12:30:52 AM »
Great

Thanks again for your help.

I haven't had any pop ups so far today so all is looking good, also I don't seem to be getting weird dodgy addresses showing up in the IE history files anymore.

I have a couple more quick questions. I am happy to get rid of NoAdware if you think it is no good - but it seems to 'catch' a lot every day - mostly 'tracking cookies'. Why is this, and is this not a threat?

Also, NoAdware still picks up something called VX2/LinkReplacer which it labels as 'severe' and about which it states 'VX2 is a variant of the netpal/transponder spyware that is responsible for browser hijacking and pop-up ads.'

Do you have any comments about this?

Thanks again, hopefully we shall be done very soon now. You deserve a medal!

Offline guestolo
Numerous Nasties
« Reply #25 on: December 17, 2005, 04:49:17 AM »
Sorry, I'm not a big believer in NoAdware, let me know where it is finding the traces
Show me a log!
Then we can go from there

Take a look at this link
Although they're not on the bogus list any more
Interesting reading about them
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Still, if you have a log to show me from them, let me see it please
« Last Edit: December 17, 2005, 04:51:30 AM by guestolo »

Offline Seamoose
Numerous Nasties
« Reply #26 on: December 17, 2005, 07:51:52 PM »
Actually after reading the comments about NoAdware at Spyware Warrior it would seem that the version I have installed (Version 2 - newer versions cost actual money to activate) WAS actually on the shonky list so I guess the results can safely be ignored and the software uninstalled. This is the log file and I must say it looks laughable as it doesn't even name the nasties it claimed to have found and killed, including the VX2/LinkReplacer which I am starting to believe was made up entirely by the NoAdware people as I can't find that exact variant of VX2 anywhere (except for a couple of dodgy looking commercial sites) on the web, i.e. lots of VX2 variants, none of which seem to be called LinkReplacer.

[TYPE:COOKIE]
[ACTION:DELETED]
[VALUE:itc]

[TYPE:COOKIE]
[ACTION:DELETED]
[VALUE:com]

[TYPE:COOKIE]
[ACTION:DELETED]
[VALUE:statcounter]

[TYPE:COOKIE]
[ACTION:DELETED]
[VALUE:server.iad.liveperson]

[TYPE:COOKIE]
[ACTION:DELETED]
[VALUE:0]

I guess if this is no problem then we are done?

I don't seem to get any pop-ups anymore YAY! So I must thank you again - you rock Guestolo!

Offline guestolo
Numerous Nasties
« Reply #27 on: December 17, 2005, 10:19:56 PM »
It appears to be finding cookies, that's about it
Nothing major, just keep SpywareBlaster updated
There was a recent update on the 13th, day after you installed it

Open SpywareBlaster>>Click on the Update button
Allow to update, once loaded click the "Enable protection on all unprotected items"

I forgot about an entry in your hijackthis log
You appear to have had a program installed
Possibly by the name of "PurgeIE"

You may have uninstalled it or it may be corrupt
If this is true

Do a "System scan only" with Hijackthis and put a check next to these entries:

O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
Go to START>>RUN>>In the open field copy and paste the below command in bold then hit OK

sc delete PurgeIEservice

Can you post one last Hijackthis log please, if it's clean I'll lock this topic and let you have a good Xmas

Offline Seamoose
Numerous Nasties
« Reply #28 on: December 17, 2005, 11:19:27 PM »
Good-o, here's the...

Logfile of HijackThis v1.99.1
Scan saved at 3:14:46 PM, on 18/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134441134249
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe


I just did a CCleaner registry issue fix and it gave me a few of these:

The COM component AVG.AvgAmInternalPluginConfigGui references an invalid CLSID. These are often left behind after uninstalling software.

or very similar. As I have only just installed AVG would these be best ignored or should I blast 'em?

Thanks again :)
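The two things guestolo picks out of logs like the one above, a service line marked "(file missing)" (the PurgeIE entry from the previous reply) and autostart entries worth a second look, can be pulled out of a HijackThis-format log mechanically. The following is an added example for this thread, not HijackThis code and not guestolo's procedure; it parses O4 Run-key lines and O23 service lines in the format HijackThis v1.99.1 prints (the sample lines are re-typed from this thread and labelled as constructed), flags orphaned services, services with no vendor string, and autostarts that name a binary without an absolute path, and reports the follow-up action for each. The fallback that treats the display name as the service name when HijackThis prints no "(ServiceName)" part is an assumption, noted in the code.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread: it is not HijackThis code and not guestolo's
procedure, just a way to pull the conditions discussed above out of a log
mechanically. It reads O4 (Run-key autostart) and O23 (service) lines in the
format HijackThis v1.99.1 prints and reports:
  * a service whose binary is gone ("(file missing)"), i.e. an orphaned
    registration that "sc delete <name>" removes after the HijackThis fix;
  * a service with no vendor string (blank or "Unknown owner"), which needs
    a manual look at the binary;
  * an autostart whose command is not an absolute path, so which binary
    really runs depends on PATH lookup.
"""
import re
from dataclasses import dataclass

# Constructed sample, re-typed in the log format shown in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+?)\s*$"
)
# O23 - Service: Display name (ServiceName) - Vendor - C:\path\binary.exe [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)
# A drive-letter path (optionally quoted) or one rooted in an environment variable.
ABS_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[^%]+%\\)')


@dataclass
class Finding:
    kind: str      # orphaned-service | no-vendor | relative-autostart
    subject: str   # service name or Run-key value name
    detail: str
    action: str    # what a defender does next


def parse_services(log):
    """Return one dict per O23 line."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        services.append({
            "display": m["display"],
            # Assumption: HijackThis prints "(ServiceName)" only when it differs
            # from the display name, so fall back to the display name.
            "name": m["short"] or m["display"],
            "owner": m["owner"].strip(),
            "path": m["path"],
            "missing": m["missing"] is not None,
        })
    return services


def parse_autostarts(log):
    """Return one dict per O4 Run-key line (Global Startup .lnk lines are skipped)."""
    return [m.groupdict() for m in map(O4_RE.match, log.splitlines()) if m]


def triage(log):
    """Apply the three checks and return the findings in log order."""
    findings = []
    for svc in parse_services(log):
        if svc["missing"]:
            findings.append(Finding(
                "orphaned-service", svc["name"],
                f"registered binary {svc['path']} no longer exists",
                f"sc delete {svc['name']}"))
        elif not svc["owner"] or svc["owner"].lower() == "unknown owner":
            findings.append(Finding(
                "no-vendor", svc["name"],
                f"no vendor string for {svc['path']}",
                "check the binary's publisher and hash before trusting it"))
    for entry in parse_autostarts(log):
        if not ABS_RE.match(entry["cmd"]):
            findings.append(Finding(
                "relative-autostart", entry["name"],
                f"{entry['hive']} Run entry runs '{entry['cmd']}' via PATH lookup",
                "locate the binary actually resolved and confirm its publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail} -> {f.action}")
```

On the sample this reports the PurgeIEservice entry as orphaned with "sc delete PurgeIEservice" as the follow-up (the same two-step fix guestolo gives: HijackThis "Fix checked" on the O23 line, then the sc command after a reboot), SLService for having no vendor string, and the nwiz autostart for being resolved through PATH. None of these is a malware verdict on its own; the point is that the log format is regular enough that the entries needing a human decision can be surfaced rather than read line by line.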

Offline guestolo
Numerous Nasties
« Reply #29 on: December 17, 2005, 11:29:55 PM »
My best bet is to ignore it, I haven't actually used CCleaner
But seeing as you just installed AVG, that entry looks legit

Your log looks good
Optionally,
You don't need this running on startup
realsched.exe
Quote: "To disable tkbell.exe in the new version (1) Start RealOne Player (2) Tools - Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK"

Additionally, with all other windows closed
run a scan only with hijackthis and fix these entries

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Reboot afterwards

I'll lock this topic if you have no other problems
Let me know please

You are on dialup aren't you, or are you on DSL?
The firewall supplied with XP without the latest service pack is not that great
If you would like a better free firewall, let me know please
« Last Edit: December 17, 2005, 11:31:50 PM by guestolo »

Offline Seamoose
Numerous Nasties
« Reply #30 on: December 18, 2005, 12:26:58 AM »
DSL I believe, broadband anyway.

Yeah if the firewall I have is no good then I would definitely like a better one, are there free options?

Cheers B)

Offline guestolo
Numerous Nasties
« Reply #31 on: December 18, 2005, 12:43:13 AM »
Yup, there's definitely free options
I use Sygate's, but unfortunately Symantec's bought it out
So it won't have any online support or updates
You can still install it I believe, I haven't uninstalled my version yet

Many other users use ZoneAlarm
Heard it may be somewhat of a resource hog however
But it's a good one

Another free version that went bye bye was Kerio's
It was very good and recommended
The great thing is that Sunbelt has come to the rescue and will be supporting it again
I'm going to add it back to the links soon
Take a look at this link
http://www.kerio.com/kpf_download.html

Or you may want to try Outpost

Here's a link to the others
http://www.thetechguide.com/forum/index.php?showtopic=15894


I'm going to leave the decision to you, all have a free version
I would opt to try Kerio Personal Firewall
I may remove Sygate's and try it myself soon
But if you do install it can you let me know what you think please
I'll leave this topic open until you post back

No matter what you decide on, once you have your Firewall installed and ready to go
Please disable the Windows XP firewall
You don't want more than one software firewall running on your computer
Just like an AV, more than one firewall can cause conflicts and decrease performance
