Hi-Jack This Log. Help Required

[Puppet-Master]

This HJT Log is in connection with my thread
'Computer Randomly Restarts, BSoD!'

Logfile of HijackThis v1.99.1
Scan saved at 17:24:15, on 29/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Windows Live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Windows Live
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O15 - Trusted Zone: RuneScape - the massive online adventure game by Jagex Ltd
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1149889644406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149889632406
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F43184-3198-4CF5-83BF-FA9828596146}: NameServer = 83.146.21.6 212.158.248.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

[Deckard]

Hello Puppet-Master, thank you for your patience. I don't think this is a malware issue, but let's scan your machine to be sure. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.


Download CleanUp!
Download and install CleanUp! but do not run it yet.

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.


Download AVG Anti-Spyware
Ewido has been rebranded as AVG Anti-Spyware. Please uninstall Ewido, then download, install, and update AVG Anti-Spyware.

1. Load AVG Anti-Spyware and then click the Shield tab at the top
   • Click on the word active to change it to inactive.
2. Click the Update tab at the top:
   • Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
   • Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
3. Click the Scanner tab at the top and then the Settings sub-tab:
   • Under How to act?, click Recommended actions and select Quarantine.
   • Under Reports, select Automatically generate report after every scan
4. Close AVG Anti-Spyware. Do not run a scan with it yet.

Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.


Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
  Click OK.
• Press the CleanUp! button to start the program.

Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.


Run AVG Anti-Spyware

• Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
• AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
• Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop).
• Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded, click on NEXT.
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database: extended
  • Scan Options: Scan Archives and Scan Mail Bases
• Click OK
• Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
• Now under select a target to scan, select My Computer
• The program will start and scan your system.
• The scan will take a while so be patient and let it run all the way.
• Once the scan is complete it will display if your system has been infected.
• Click on the Save as Text button and save the file to your desktop.
• Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.


With Your Next Post...
Please paste the following with your next reply (in this order please):

1. AVG Anti-Spyware scan report,
2. Kaspersky scan report,
3. a new HiJackThis log taken after Kaspersky finishes.

[Puppet-Master]

Hello,
I have done the things that you said I should do in the previous post.
But after I ran 'AVG Anti-Malware' I quarantined 3 malicious programs.
One of them was needed to enable the Privacy Service on my McAfee '06 security center, But the malicious program that was needed to enable privacy service was part of WinAntiVirus.
I'm not sure what to do about this.
I re-installed McAfee security center '06 but it still needed the program to activate privacy service. So I took it off the Quarantine list, as it was blocking use of the internet aswell

Could you possibly help me with this before we move on to fixing the main problem? It kind of worries me knowing that my security center could be corrupt...

[Puppet-Master]

Here is the AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:01:11 01/11/2006

+ Scan result:



HKU\S-1-5-21-2539399117-3171231388-1625462144-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} -> Adware.SpyBlocs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{73910013-50A7-4717-97D6-F2504B358FDD}\RP124\A0057159.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{73910013-50A7-4717-97D6-F2504B358FDD}\RP124\A0057282.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SpOrder.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).


::Report end

[Puppet-Master]

Here is the Kaspersky scan log:

Wednesday, November 01, 2006 6:19:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/11/2006
Kaspersky Anti-Virus database records: 237208



Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 48250
Number of viruses found 3
Number of infected objects 26 / 0
Number of suspicious objects 0
Duration of the scan process 00:45:28

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\drivers\SnopFree.sys Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Emre Emir\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Emre Emir\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Temp\~DF8108.tmp Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Temp\~DF52F3.tmp Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\History\History.IE5\MSHist012006110120061102\index.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Emre Emir\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___scary movie 4 spanish [telecine] [www estrenosdivx com].avi Object is locked skipped

C:\Documents and Settings\Emre Emir\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\history.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\cert8.db Object is locked skipped

C:\Documents and Settings\Emre Emir\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\key3.db Object is locked skipped

C:\Documents and Settings\Emre Emir\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\parent.lock Object is locked skipped

C:\Documents and Settings\Emre Emir\Application Data\Mozilla\Firefox\Profiles\tfda54g1.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0021410.exe.bac_a01860/data.rar/dotrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.br skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0021410.exe.bac_a01860/data.rar/dotdr.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0021410.exe.bac_a01860/data.rar Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0021410.exe.bac_a01860 RarSFX: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0021410.exe.bac_a01860 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0022411.exe.bac_a01860/data.rar/dotrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.br skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0022411.exe.bac_a01860/data.rar/dotdr.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0022411.exe.bac_a01860/data.rar Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0022411.exe.bac_a01860 RarSFX: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0022411.exe.bac_a01860 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023461.exe.bac_a01860/data.rar/dotrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.br skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023461.exe.bac_a01860/data.rar/dotdr.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023461.exe.bac_a01860/data.rar Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023461.exe.bac_a01860 RarSFX: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023461.exe.bac_a01860 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023472.exe.bac_a01860/data.rar/dotrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.br skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023472.exe.bac_a01860/data.rar/dotdr.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023472.exe.bac_a01860/data.rar Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023472.exe.bac_a01860 RarSFX: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023472.exe.bac_a01860 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860/data.rar/dotrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.br skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860/data.rar/dotdr.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860/data.rar Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860 RarSFX: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023477.EXE.bac_a01860 Infected: Backdoor.Win32.Agent.abc skipped

C:\System Volume Information\_restore{73910013-50A7-4717-97D6-F2504B358FDD}\RP145\change.log Object is locked skipped

Scan process completed.

[Puppet-Master]

And here is my HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 18:26:03, on 01/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\mps\mscifapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ares\Ares.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Windows Live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Windows Live
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\EMREEM~1\LOCALS~1\Temp\2006111171355_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O15 - Trusted Zone: RuneScape - the massive online adventure game by Jagex Ltd
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1149889644406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149889632406
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F43184-3198-4CF5-83BF-FA9828596146}: NameServer = 83.146.21.6 212.158.248.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

[Deckard]

WinAntiVirus is a rogue/suspect anti-spyware product and is known to pop up ads to your Desktop. I can't find any links between it and McAfee, though. Might you have a link? My suggestion is to uninstall it using the Add/Remove programs control panel.

Nothing else turned up, so let's try another online scan.


P2P Software
I see you have P2P software (i.e. Ares) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.


Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan.

1. Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
2. Enter your e-mail address, country, and state and click Scan Now.
3. Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
4. Begin the scan by selecting My Computer. Note:
   • Please turn off the real time scanner of any existing antivirus program while performing the online scan.
   • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
   • Click on See report then click Save report.
   • It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.

Post the results from Panda along with a new HijackThis log after it finishes.

[Puppet-Master]

So about the McAfee - WinAntiVirus thing

How should I go around solving this mess?
Should I un-install McAfee, then go into safe mode and remove WinAntiVirus via AVG Anti-Spyware ?

Or should I just continue to quaratine the WinAntiVirus files

Also, in the Kaspersky scan, It mentioned Trojan.Downloaders and Virtumonde, These are some results that I take into example of this:

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860/data.rar/dotrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.br skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860/data.rar/dotdr.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped

C:\Documents and Settings\Emre Emir\.housecall\Quarantine\A0023486.exe.bac_a01860/data.rar Infected: Trojan-Downloader.Win32.Adload.ap skipped

Does this mean that Kaspersky has found Trojans and Virtumonde on my computer?

[Deckard]

I find it hard to believe it came with McAfee. Did you buy it retail?

Those items you listed are in a quarantine and are harmless. However, you don't appear to have TrendMicro installed, so you can safely delete C:\Documents and Settings\Emre Emir\.housecall\Quarantine, which will take care of them.

Do this also:

Download SmitfraudFix
Please download SmitfraudFix (by S!Ri).

1. Extract the content (a folder named SmitfraudFix) to your Desktop.
2. Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
3. Select option #1 - Search by typing 1 and pressing "Enter".
4. A text file will appear which lists infected files (if present). This file will be saved as C:\rapport.txt.

Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Run that Panda scan for me if you haven't already. Post the contents of C:\rapport.txt, the results from Panda, and a new HijackThis log after you've finished. We'll get to the bottom of WinAntiVirus and get it off your system.

[Puppet-Master]

Ok, I think WinFixer was merely trying to Hi-jack McAfee. So I quarantined all of the WinFixer files and re-installed McAfee.
But now I am experiencing a new problem, my McAfee VirusScan isnt 100% up to date and needs to be updated; but whenever I try to download updates manually, the site I am re-directed to (http://uk.mcafee.com/apps/mpsh8/en-g...stempopup=true)
the web-page is just blank white with nothing on it.
What do you think could be happening?

Also, I will post the Panda Report, the SmitFraud .txt file, and a new HJT log
in the next 3 posts.

[Puppet-Master]

Panda Scan Report


Incident Status Location

Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Statcounter Not disinfected C:\FOUND.011\FILE0007.CHK

[Puppet-Master]

Rapport.txt from SmitFraudFix

SmitFraudFix v2.118

Scan done at 14:03:33.06, 03/11/2006
Run from C:\Documents and Settings\Emre Emir\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Emre Emir


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Emre Emir\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\EMREEM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[Puppet-Master]

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 14:08:29, on 03/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Windows Live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Windows Live
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O15 - Trusted Zone: RuneScape - the massive online adventure game by Jagex Ltd
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1149889644406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149889632406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F43184-3198-4CF5-83BF-FA9828596146}: NameServer = 83.146.21.6 212.158.248.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

[Deckard]

That blank page is supposed to redirect you to http://uk.mcafee.com/apps/mpsh8/en-g...stempopup=true

Let me know if that works for you. The page is encoded in VBScript instead of Javascript. If you're using Firefox, that's probably why it's not working.

[Puppet-Master]

Ok, Thanks for the help there :)

I managed to get the updates running automatically, and now McAfee is running fine

[Deckard]

Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address.

Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm and then click OK.

Reset System Restore

• Go to Start>Run, type SYSDM.CPL and press Enter.
• Select the System Restore tab.
• Check "Turn off System Restore on all drives" and click Apply.
• Now uncheck the same option and click OK.

Re-enable Protection
Turn back on any malware prevention tools we might have had you switch off.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Please ensure that you have already patched your system against these recent critical exploits:

• WMF exploit: KB912919
• VML exploit: KB925486

Enable Windows Auto Update:

• Go to Start>Run, type WUAUCPL.CPL and press Enter.
• Make sure "Keep my computer up to date" is checked.
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Update Java
You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

1. Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
2. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop.
7. Close any programs you may have running -- especially your web browser(s).
8. Go to Start→Control Panel double-click on Add/Remove Programs.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Remove or Change/Remove button.
11. Repeat as many times as necessary to remove each version of Java.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
14. After the reboot, go back into the Control Panel and double-click the Java icon.
15. Under Temporary Internet Files, click the Delete Files button.
16. There are three options in the window to clear the cache - Leave ALL three checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
17. Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache.
18. Click OK to leave the Java Control Panel.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.

• AOL Active Virus Shield (powered by Kaspersky Antivirus)
• BitDefender
• Avira PersonalEdition Classic
• Avast!
• AVG

Firewalls
A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

• Sygate Personal Firewall
• ZoneAlarm
• Tiny Personal Firewall
• Sunbelt Kerio Personal Firewall
• Outpost Firewall PRO

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

• Spyware Guard
• Spybot Search & Destroy
• AdAware
• WinPatrol - with tutorial

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

• SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
• IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage.
• MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
• McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.

Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

• Firefox
• Opera

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:

• Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
• Miranda-IM - another Instant Messenger client with multiple IM capabilities.
• Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.

[Puppet-Master]

Hey, Thanks for all the help
Before this thread Is closed, I have a few more questions.

I tried to download 'MVPS HOSTS' as it was reccomended in the link to 'how did I get infected in the first place' But I wasn't prompted with a 'Run' option, all I had was a CMD.Exe box that said 'Press any button to continue...'
Is there any way I could possible get MVPS Hosts, and not get a CMD Box?

Also, Do you know any good free programs to Anonymize me while I'm browsing to Hi-jackers?

[Deckard]

I'm not sure I understood either question, but I'll try to answer. If you downloaded the MVPS HOSTS archive, you should have a hosts.zip file. If you extract that to it's own directory, there should be a 'mvps.bat' file. If you double-click that, all you see is 'Press any button to continue...' ? Did you extract the entire archive? You need at least the 'mvps.bat' file and the 'HOSTS' file in the same directory as each other.

Finally, there really is no way to anonymize yourself any more than just keeping cookies from being saved on your computer. If you use Firefox, you can set it to ask you when cookies are being set and then allow or deny, which is what I do. You might be able to do the same for Internet Explorer, but I don't use it enough to know if that is the case.

[Puppet-Master]

Hey, thanks for all the help

I have one other problem now

A PUP called 'PrcViewer' was found on my McAfee scan today

Here is what was found in my McAfee scan

C:\WINDOWS\system32\Process.exe
C:\Documents and Settings\(My windows xp username)\Desktop\SmitfraudFix.zip
C:\Documents and Settings\(My windows xp username)\Desktop\SmitfraudFix\Process.exe

Could I possibly get any help on removing this program?
I read on a thread on the BleepingComputers.com forums that it was a malicious program and could be removed via Windows Registry.

[Deckard]

You can delete SmitfraudFix (all three files). It's a false positive in this case. Process.exe is one of those utilities that can be used for good or bad -- in this case it was used for good. But you don't need to keep it lying around your system anymore.