HijackThisLog - computer is slow

gbrooks · 03-04-2005, 04:06 PM

I used the HijackThis Analyzer to get this log (result.txt). A friend of mine played a bootleg cd

on my computer last weekend, and immediately, my comp had a fit and it hasn't been the same since. I hope you can help. Thank you.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 6:48:03 PM, on 3/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\MNMSRVC.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\CCFPML14.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\HP\REGISTER\REMIND32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 216.153.162.251
F1 - win.ini: run=hpfsched M:\SETUP.EXE
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD2\InCD.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE /nosplash
O4 - HKLM\..\Run: [EAPCISetup] c:\windows\SYSTEM\wizard.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\gwwyiq.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [zxnpuuijrhbd] C:\WINDOWS\SYSTEM\HBHFQC.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start
O4 - HKLM\..\RunServices: [Fpx] C:\WINDOWS\SYSTEM\mnmsrvc.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE /nosplash
O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [a9v2RWMmS] CCFPML14.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [a9v2RWMmS] CCFPML14.EXE
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Hewlett Packard Pavilion Registration.lnk = C:\HP\register\Remind32.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsof.../TLIEFlash.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c11135...p/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www22.verizon.com/ForYourBus...ad/CfxIEAx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

End of HijackThis Analyzer Log.
===========================================================================================================================

tetonbob · 03-04-2005, 04:27 PM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

tetonbob · 03-04-2005, 05:44 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. You will use this later.

Go to My Computer->View->Folder Options->View tab and make sure that 'Show all files' is checked under the 'Hidden Files' section. Also make sure there is no checkmark beside 'Hide file extensions for known file types'.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\SYSTEM\CCFPML14.EXE

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\gwwyiq.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [zxnpuuijrhbd] C:\WINDOWS\SYSTEM\HBHFQC.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKCU\..\Run: [a9v2RWMmS] CCFPML14.EXE
O4 - HKCU\..\RunServices: [a9v2RWMmS] CCFPML14.EXE
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microso...p/TLIEFlash.CAB

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\CCFPML14.EXE
C:\WINDOWS\ALCHEM.exe
C:\WINDOWS\gwwyiq.exe
C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE
C:\WINDOWS\SYSTEM\HBHFQC.EXE
C:\WINDOWS\BXXS5.DLL

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Does this IP addy 216.153.162.251 belong to your ISP, or do you know Choice One Communications Inc ?

gbrooks · 03-11-2005, 04:34 PM

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:38:31 PM, on 3/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 216.153.162.251
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c11135...p/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www22.verizon.com/ForYourBus...ad/CfxIEAx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

End of HijackThis Analyzer Log.
============================================================

tetonbob · 03-11-2005, 04:44 PM

I am reviewing your reply with the guidance of our expert Analysts. I'll return ASAP with more info.

In the meantime, we need to know:

Does this IP addy 216.153.162.251 belong to your ISP, or do you know Choice One Communications Inc ?

tetonbob · 03-11-2005, 07:34 PM

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

gbrooks · 03-12-2005, 06:19 AM

My computer is working great now. Thank you v. much for your help.

tetonbob · 03-12-2005, 06:21 AM

Glad to help!

Happy computing!

03-04-2005, 04:06 PM	#1 (permalink)
gbrooks Registered User Join Date: Jan 2005 Posts: 29 OS: Win 98SE	HijackThisLog - computer is slow I used the HijackThis Analyzer to get this log (result.txt). A friend of mine played a bootleg cd on my computer last weekend, and immediately, my comp had a fit and it hasn't been the same since. I hope you can help. Thank you. =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 1/7/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe" O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0 O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 6:48:03 PM, on 3/4/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\MNMSRVC.EXE C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE C:\WINDOWS\SYSTEM\CCFPML14.EXE C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE C:\HP\REGISTER\REMIND32.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 216.153.162.251 F1 - win.ini: run=hpfsched M:\SETUP.EXE O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD2\InCD.exe O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE /nosplash O4 - HKLM\..\Run: [EAPCISetup] c:\windows\SYSTEM\wizard.exe O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\gwwyiq.exe O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded O4 - HKLM\..\Run: [zxnpuuijrhbd] C:\WINDOWS\SYSTEM\HBHFQC.EXE O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start O4 - HKLM\..\RunServices: [Fpx] C:\WINDOWS\SYSTEM\mnmsrvc.exe O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE /nosplash O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [a9v2RWMmS] CCFPML14.EXE O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q O4 - HKCU\..\RunServices: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\RunServices: [a9v2RWMmS] CCFPML14.EXE O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE O4 - Startup: Hewlett Packard Pavilion Registration.lnk = C:\HP\register\Remind32.exe O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/...x/HMAtchmt.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsof.../TLIEFlash.CAB O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c11135...p/RdxIE601.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www22.verizon.com/ForYourBus...ad/CfxIEAx.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab End of HijackThis Analyzer Log. ===========================================================================================================================

03-04-2005, 05:44 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,551 OS: 2000 Pro; XP Pro; XP Home	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it. Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. You will use this later. Go to My Computer->View->Folder Options->View tab and make sure that 'Show all files' is checked under the 'Hidden Files' section. Also make sure there is no checkmark beside 'Hide file extensions for known file types'. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\SYSTEM\CCFPML14.EXE Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\gwwyiq.exe O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded O4 - HKLM\..\Run: [zxnpuuijrhbd] C:\WINDOWS\SYSTEM\HBHFQC.EXE O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun O4 - HKCU\..\Run: [a9v2RWMmS] CCFPML14.EXE O4 - HKCU\..\RunServices: [a9v2RWMmS] CCFPML14.EXE O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microso...p/TLIEFlash.CAB Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\SYSTEM\CCFPML14.EXE C:\WINDOWS\ALCHEM.exe C:\WINDOWS\gwwyiq.exe C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE C:\WINDOWS\SYSTEM\HBHFQC.EXE C:\WINDOWS\BXXS5.DLL Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. Does this IP addy 216.153.162.251 belong to your ISP, or do you know Choice One Communications Inc ? Last edited by tetonbob : 03-04-2005 at 05:52 PM.

03-11-2005, 04:34 PM	#4 (permalink)
gbrooks Registered User Join Date: Jan 2005 Posts: 29 OS: Win 98SE	Result Hijack This log =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 1/7/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe" O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 7:38:31 PM, on 3/11/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 216.153.162.251 O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/...x/HMAtchmt.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c11135...p/RdxIE601.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www22.verizon.com/ForYourBus...ad/CfxIEAx.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab End of HijackThis Analyzer Log. ============================================================

03-12-2005, 06:19 AM	#7 (permalink)
gbrooks Registered User Join Date: Jan 2005 Posts: 29 OS: Win 98SE	Computer slow My computer is working great now. Thank you v. much for your help.

03-04-2005, 04:27 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,551 OS: 2000 Pro; XP Pro; XP Home	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time.

03-11-2005, 04:44 PM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,551 OS: 2000 Pro; XP Pro; XP Home	I am reviewing your reply with the guidance of our expert Analysts. I'll return ASAP with more info. In the meantime, we need to know: Does this IP addy 216.153.162.251 belong to your ISP, or do you know Choice One Communications Inc ?

03-11-2005, 07:34 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,551 OS: 2000 Pro; XP Pro; XP Home	Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go.

03-12-2005, 06:21 AM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,551 OS: 2000 Pro; XP Pro; XP Home	Glad to help! Happy computing!