Topic: My PC is sick and I only installed win XP yesterday!

forrealneil
« on: February 17, 2006, 05:05:21 AM »
Hello,

I would greatly appreciate it if someone could help me fix my problem.
I installed what I thought to be a reliable OS yesterday and things were fine all day.  I made sure I had McAfee antispyware and firewall on before I connected to the net and visited no "questionable" sites apart from a dodgy tech site before I stumbled across this one (where I think I picked up spyware).  I think the problem started when I left my PC on yesterday evening.  I have now used SpywareBlaster to protect against ActiveX scripts, probably too late.  I have a program called MSNChecker on my PC that I got my firewall to block.

When I checked my C drive just now there were 8 strange exe files, which I deleted.
McAfee has found no viruses but I doubt that.


Logfile of HijackThis v1.99.1
Scan saved at 09:45:28, on 17/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\System32\msupdate33e.exe
C:\WINDOWS\System32\updatem.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfConsole.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msnchecker.exe
C:\Apps\hijackthis.exe
C:\WINDOWS\System32\msnchecker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Intec Services Drivers] msupdate33e.exe
O4 - HKLM\..\Run: [windows update microsoft] updatem.exe
O4 - HKLM\..\Run: [MSN Checker] msnchecker.exe
O4 - HKLM\..\RunServices: [Intec Services Drivers] msupdate33e.exe
O4 - HKLM\..\RunServices: [windows update microsoft] updatem.exe
O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [MSN Checker] msnchecker.exe
O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

forrealneil
« Reply #1 on: February 17, 2006, 06:33:22 AM »
STOP!!! Don't read through that whole log yet!!

I am sorry if I'm too late.  I have since realised that my virus definitions were not up to date, only my spyware ones.  McAfee found some trojans that I was able to delete in safe mode.  The PC now seems to be behaving (at normal speed).  I will delete the odd programs from my trashcan (which McAfee didn't mention, but I am sure it would be a fatal mistake to run one of them).

My only remaining question is:

Would it be a good idea to reinstall Windows as I have only just done so and it would be relatively painless to do so, or can I assume that no damage has been done by the trojans now they are deleted?

I'm not normally one of those people who reinstall Windows all the time.  Last time was 2002 and I'm sure it needed doing.

guestolo (Administrator)
« Reply #2 on: February 18, 2006, 12:22:33 AM »
Woah, hold on, you and I are in a tough spot
You're willing to reformat again, you just did yesterday
But can we make sure your computer is clean

Sure, I can do that
I tried installing Windows 2000 on a computer,
accessed the Internet with no updates and got infected in 2 minutes <<--EDIT, this was just a test, not recommended

If you decide to reinstall
NO. 1 TURN ON THE FIREWALL
NO. 2 GO GET ALL the latest High priority updates and SPs
NO. 3 A better firewall than the one Windows supplies is almost required
NO. 4 An enabled Anti-Virus software is a must, if you don't have your own, I can supply you with links to free ones that can help to keep you protected
NO. 5 Download and install SpywareBlaster and keep it updated
>>>There's more, but if you decide to venture in this please post back
If not please protect yourself
« Last Edit: February 25, 2006, 11:30:33 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


forrealneil
« Reply #3 on: February 22, 2006, 05:19:11 PM »
Sorry about the delay.
Thanks for your help.  People like you are what keeps the internet great.

I now have up to date McAfee and I'll be sure to get the latest XP updates (I have 1 XP hotfix in my add/remove progs already and at 3AM I'll be prompted for more).

I am already a registered McAfee user.  I just messed up and didn't realise the virus scanner was not updated with the rest of the security package. Now my PC is clean.

My main question is, is it likely that my PC has now been seriously damaged and will not be as reliable in the future?  I assume that it is hard to say, but an expert's advice would be appreciated.

Now a week later (and back at work after time off) I am less inclined to re-format, but I would do it if I thought it would guarantee a more stable system in future.

What are your thoughts - would you reformat in this situation?

PS - I'll click your link about stopping malware as I'm infuriated by the whole malware thing right now.

PS.  I donated a bit to your good cause
Seller Reputation: (8) Verified Buyers seems a bit weird.
Is everyone really that tight that only 8 others have donated via paypal?

guestolo (Administrator)
« Reply #4 on: February 22, 2006, 11:33:35 PM »
Don't worry about donations, that is voluntary
Quote
What are your thoughts - would you reformat in this situation?
Would you do the below first, it won't take that long
I'm not big on asking someone to reformat a system unless absolutely needed
With that said, it is still up to the owner of the system to make that final decision, if he/she feels so inclined
Sometimes when a computer has a rootkit infection, the computer may be vulnerable, but also most times
just removing the bad files and reg. entries is good enough once exposed
At this time, there is no evidence this has rootkit like potential

Can you do the following please, let's see if we can get you clean and keep your system uncompromised

Download and Install Spybot 1.4 from
HERE
 or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, the boxes and then download all updates
After update is complete
Close Spybot for now as we will need it later

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido Anti-malware 3.5

Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please  save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all may be found, but tick what you see from below

O4 - HKLM\..\Run: [Intec Services Drivers] msupdate33e.exe
O4 - HKLM\..\Run: [windows update microsoft] updatem.exe
O4 - HKLM\..\Run: [MSN Checker] msnchecker.exe
O4 - HKLM\..\RunServices: [Intec Services Drivers] msupdate33e.exe
O4 - HKLM\..\RunServices: [windows update microsoft] updatem.exe
O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe

O4 - HKCU\..\Run: [MSN Checker] msnchecker.exe
O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX ALL selected problems in RED
RESTART your computer  back to Normal mode

Post back a fresh hijackthis log and the whole report you saved earlier from Ewido's

Additionally, can you open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save this list to desktop and then copy and paste back here the whole contents

Also, From can you download Find.zip
UNZIP the contents to your desktop so you now have Find.bat extracted
Double click on Find.bat
A text file will open, copy and paste the whole contents back here please
« Last Edit: February 23, 2006, 11:08:55 AM by guestolo »


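The helper's list of O4 entries to fix above picks out the three executables by eye. The following is an added example, not HijackThis or the helper's own tooling, that applies the same signals to the O4 lines of the first HijackThis log in this thread: a bare filename with no path, an autostart name that mimics a Windows component, and one image registered under several Run/RunServices keys. The impersonation word list and the two-signal threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Copied from the thread's first HijackThis log, trimmed to representative lines.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Intec Services Drivers] msupdate33e.exe
O4 - HKLM\..\Run: [windows update microsoft] updatem.exe
O4 - HKLM\..\Run: [MSN Checker] msnchecker.exe
O4 - HKLM\..\RunServices: [Intec Services Drivers] msupdate33e.exe
O4 - HKLM\..\RunServices: [windows update microsoft] updatem.exe
O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSN Checker] msnchecker.exe
O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
""".strip().splitlines()

# Registry-based O4 lines: "O4 - HIVE\..\SubKey: [display name] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>Run(?:Once|Services|ServicesOnce)?): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.+)$"
)

# Words an autostart name uses to pass as a Windows component (assumption of this example).
IMPERSONATION_TERMS = ("windows update", "microsoft", "services drivers")


def parse_o4(lines):
    """Return one dict (hive, subkey, name, command) per registry-based O4 line."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:  # Startup-folder O4 lines do not match and are skipped
            entries.append(m.groupdict())
    return entries


def executable_of(command):
    """The image HijackThis shows: first token of the command, unquoted, lower-cased."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split()[0].lower()


def triage(entries):
    """Map each executable with at least two independent signals to its reasons."""
    locations = defaultdict(set)
    for e in entries:
        locations[executable_of(e["command"])].add(f'{e["hive"]}\\{e["subkey"]}')
    findings = {}
    for e in entries:
        exe = executable_of(e["command"])
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename: resolved by path search, the log gives no location")
        if any(t in e["name"].lower() for t in IMPERSONATION_TERMS):
            reasons.append(f'name "{e["name"]}" mimics a Windows component')
        if len(locations[exe]) > 1:
            reasons.append("registered in " + ", ".join(sorted(locations[exe])))
        if len(reasons) >= 2:
            findings[exe] = reasons
    return findings


def run_sample():
    """Triage the embedded log lines; returns {executable: [reasons]}."""
    return triage(parse_o4(SAMPLE_O4_LINES))


if __name__ == "__main__":
    for exe, reasons in run_sample().items():
        print(exe)
        for reason in reasons:
            print("  -", reason)
```

Legitimate bare-filename entries such as CTHELPER.EXE or nwiz.exe carry only one signal and are not reported; the three executables the helper listed carry two or three.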

forrealneil
« Reply #5 on: February 24, 2006, 06:39:19 AM »
Mmm, I've heard of rootkit problems.  I hope you don't see anything that suggests such a problem exists.  I can see a ref to msnchecker on that find.bat report, which I suppose is bad.  See here:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:00000308
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"MSN Checker"="msnchecker.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:bf,21,ad,8b,c8,e7,17,96,09,45,e4,3e,6f,4f,25,ba,66,33,37,37,65,\
  35,32,39,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,57,84,a0,f1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:cd,f9,a2,b5,3e,2d,c2,b2,85

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:03,92,db,1a,5e,ce

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:55,99,53,5a,3f,64,04,36,18,36,7e,bf,4a,43,04,bb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:0c,c5,18,f9,e5,32,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,a5,61,7c,05,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,35,4c,fe,89,56,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,0d,eb,85,05,4f,c2,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"MSN Checker"="msnchecker.exe"




The Hijack this one is here:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:11, on 24/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Apps\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Intec Services Drivers] msupdate33e.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140644876062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140644856312
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by15fd.bay15.Email Removed.msn.com/activex/HMAtchmt.ocx
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




The Ewido one is here (I like this one)

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         10:51:53, 24/02/2006
 + Report-Checksum:      9B26FC0D

 + Scan result:

   No infected objects found.


::Report End



So it looks like McAfee didn't remove every last trace of the msnchecker and updatem.



I await your reply with bated breath!

Thanks mate.

guestolo (Administrator)
« Reply #6 on: February 25, 2006, 11:24:48 AM »
Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from Windows Registry Editor Version 5.00 and down in the code box

 
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"MSN Checker"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"MSN Checker"=-


Double click on fix.reg and allow to add/merge to the registry

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\RunServices: [Intec Services Drivers] msupdate33e.exe


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer

Back in Windows
Can you do me a favor please

Download:  Registry Search Tool from this link, it's a very small download
http://billsway.com/vbspage/
You will have to scroll down to see it

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

msnchecker.exe

Wait for the results and post them back here
Do the same for these ones
MSN Checker
msupdate33e.exe


If there are no results, just let me know please
P.S. Rootkits are hidden, the entries in find.bat weren't
We would need to use a different tool to see if you have hidden entries
« Last Edit: February 25, 2006, 11:31:57 AM by guestolo »



forrealneil
« Reply #7 on: February 25, 2006, 02:00:29 PM »
OK - not too good.

The reg search tool found the following result.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "msupdate33e.exe" 25/02/2006 18:51:09

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1343024091-1547161642-839522115-1003\Software\Microsoft\OLE]
"Intec Services Drivers"="msupdate33e.exe"


The 2 MSN checker files were not found.  I wouldn't mind knowing what the registry editing that we did was, just out of interest.

Is this file going to cause a problem do you think?

I would also like to know how this file is re-entering itself onto the registry.  Presumably there is another nasty file 'hidden' somewhere else (rootkit?).  I'm starting to get a bit disappointed!

guestolo (Administrator)
« Reply #8 on: February 25, 2006, 09:25:59 PM »
Quote
The 2 MSN checker files were not found. I wouldn't mind knowing what the registry editing that we did was, just out of interest.
We removed some registry entries and altered a couple back to Windows defaults
They were probably changed by the bad guy

Quote
I would also like to know how this file is re-entering itself onto the registry.
I don't think it's reentering, we just have to remove a leftover

Can you do the following please, delete fix.reg on your desktop

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[HKEY_USERS\S-1-5-21-1343024091-1547161642-839522115-1003\Software\Microsoft\OLE]
"Intec Services Drivers"=-


Double click on fix.reg and allow to add/merge to the registry

Reboot the computer
We can check for rootkits if you would like
Please download Rootkit Revealer (link is at the very bottom of the page)

    * Unzip it to your desktop.
    * Double-click rootkitrevealer.exe
    * Click the Scan button (bottom right)
    * It may take a while to scan (don't do anything while it's running)
    * When it's done, go up to File > Save. Choose to save it to your desktop.
    * Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here


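The two fix.reg files in this thread delete the planted "MSN Checker" values and put restrictanonymous and EnableDCOM back to their defaults. As an added example, not the thread's find.bat or fix.reg, the script below parses a .reg export of the Lsa and Ole keys (a trimmed, constructed cut of the dump posted above), flags string values that name an .exe in keys that are not autostart locations, compares the two settings against the defaults the helper restored (assumed here to be the XP defaults), and emits the same kind of fix.reg.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Defaults to compare against: the values the thread's fix.reg restored (assumed XP defaults).
DEFAULTS = {
    LSA_KEY: {"restrictanonymous": "dword:00000000"},
    OLE_KEY: {"EnableDCOM": '"Y"'},
}

# Constructed sample: a trimmed cut of the find.bat output posted in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"MSN Checker"="msnchecker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"MSN Checker"="msnchecker.exe"
"""

# "name"=data or @=data (the default value); data is kept raw, e.g. dword:..., "str", hex(7):...
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: raw_data}}, joining hex continuation lines."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # a hex value continued from the previous line
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name], pending = data, None
            continue
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsable line: {raw!r}")
        name = "@" if m.group("default") else m.group("name")
        data = m.group("data")
        if data.endswith("\\"):
            pending = (name, data.rstrip("\\"))
        else:
            keys[current][name] = data
    return keys


def audit(keys):
    """Return (key, name, action, note) for planted executables and non-default settings."""
    findings = []
    for key, defaults in DEFAULTS.items():
        values = keys.get(key, {})
        for name, data in values.items():
            # Neither Lsa nor Ole is an autostart location, so a string naming an .exe
            # there is a marker or leftover from the infection, not configuration.
            if data.startswith('"') and data.strip('"').lower().endswith(".exe"):
                findings.append((key, name, "delete", f"executable {data} in a configuration key"))
        for name, default in defaults.items():
            if name in values and values[name] != default:
                findings.append((key, name, default, f"non-default {values[name]}, expected {default}"))
    return findings


def build_fix(findings):
    """Emit a .reg that deletes planted values ("name"=-) and restores the defaults."""
    by_key = {}
    for key, name, action, _ in findings:
        by_key.setdefault(key, []).append((name, action))
    lines = [HEADERS[0], ""]
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        for name, action in items:
            lines.append(f'"{name}"=-' if action == "delete" else f'"{name}"={action}')
        lines.append("")
    return "\n".join(lines)


def run_sample():
    """Audit the constructed export; returns (findings, fix.reg text)."""
    findings = audit(parse_reg(SAMPLE_EXPORT))
    return findings, build_fix(findings)


if __name__ == "__main__":
    found, fix = run_sample()
    for key, name, _, note in found:
        print(f"{key}\\{name}: {note}")
    print(fix)
```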

forrealneil
« Reply #9 on: February 26, 2006, 03:16:50 PM »
Reg search didn't find it this time.  I think you've done it.

I will check for rootkits in a bit.

I'll keep you posted.

forrealneil
« Reply #10 on: February 28, 2006, 06:33:35 PM »
I did a search using Rootkit Revealer and it didn't find anything.  I assume that I didn't need to run it in safe mode.

Well, my man, I think you've saved the day.  Please let me know if I'm getting prematurely excited.

Thanks very much

Neil.

guestolo (Administrator)
« Reply #11 on: March 02, 2006, 11:21:49 PM »
Sorry for the delay

*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle
    Go to START>>RUN>>In the open field
    Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of "Turn off system restore"
This will re-enable the System Restore feature and create a new restore point

Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
                   
*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Make sure your Firewall is enabled and running

*Check for updates with your anti-spyware programs and run a scan on a regular basis
In addition, Open Spybot 1.4
Click on Immunize>>OK>>Immunize at the top green cross
Please immunize after every update

*Keep up to date on Windows updates
This is one of the most important steps in keeping your system secure
Service pack 2 for Windows has been out for some time
I know you recently reinstalled your OS, but make sure to update
NOTE: Now that we have your computer clean of malware, I would take this opportunity to update and keep updated
In some cases, virtual drive software such as VirtualCloneDrive (CloneCD)
Especially older versions will interfere with the install, I suggest that you uninstall it beforehand
After you have SP2 installed you can reinstall with the latest version
Take a look at this link please
http://www.microsoft.com/windowsxp/sp2/default.mspx
Take note of the link on that page >>>    What to know before you download and install

Stay safe :D
« Last Edit: March 03, 2006, 09:27:09 AM by guestolo »
