Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
03-19-2005, 10:39 AM   #1   nettle (Registered User; Join Date: Mar 2005; Posts: 10; OS: XP)

Prevented from running - Anti spyware, security webpages/downloads, regedit etc!

Writing this from a laptop due to the problems below with the home PC.

When my daughter was on MSN, found that she was apparently sending viruses to her contacts. Shut down MSN, but immediately after this, unable to run anti-virus software or SpywareBlaster (Ad-aware SE would run but hasn't fixed the main problems), unable to connect to security websites - programs just flash open and then close.

Unable to see the System Restore options tab, and being prevented from changing the settings when running gpedit.msc.

Unable to run Regedit - flashes open then closes. Have tried all these in Safe Mode, but still the same. Even the command prompt window disappears.

Various .exe's come back into the Startup list, even after being disabled and trying to start in Safe Mode. Two of them are: svhost, farmmext, but also lots of others that are not listed on Startup file lists (e.g. csnss, awdzm, Rcj6krn).

Please can someone help. I'm not a PC expert by any means, just been searching around on the net on my work PC to see what might work, but with no success.

Thanks.
03-19-2005, 12:26 PM   #2   POADB (Moderator, Microsoft Support; Join Date: Jul 2004; Location: United Kingdom; Posts: 6,482; OS: XP SP2)

Hi nettle and welcome to TSF.

We will need an HJT log from the infected computer. The programs we advise you to run are also to be downloaded and run on the infected computer.

Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis, since the entries may be harmless.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.
03-19-2005, 02:13 PM   #3   nettle (Registered User; OS: XP)

Thanks for your quick response, but I'm afraid this one's not going to be that easy.

I am rebooting in "safe mode with networking" (XP Pro). When I try the two links you suggested, IE is just immediately closed by this thing. I have tried to download Spybot - it downloaded OK but then I went to the folder to unzip and the window was closed down before I could get to it. The same thing happens when running Microsoft's AntiSpyware, which I have loaded, and also SpywareBlaster - I can see that Microsoft AntiSpyware has found some things when it flashes open but it doesn't stay open for more than a split second. Ad-aware SE does update and run OK but doesn't seem to get rid of this!

Also, as I said previously, the option to check "see hidden files" has disappeared. I read on another thread somewhere that this could be fixed by running regedit and resetting, but the bug won't let regedit run. And also the menu for System Restore has disappeared - when I run gpedit.msc to try to reset this the bug won't let me change those settings.

This thing seems to have a lot of things covered to keep itself hidden. Any other suggestions?

Thanks.
03-19-2005, 08:43 PM   #4   MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter; Join Date: Sep 2004; Location: Carmichaels, PA-USA; Posts: 6,963; OS: Windows 7)

nettle:

I want to try something. Make a folder on C:\ called hostme.

Navigate to c:\windows\system32\drivers\etc\

Copy your hosts file to the hostme folder.

Once you have that backup hosts file in that folder, delete the one in c:\windows\system32\drivers\etc\

Reboot.

Now see if you can get to the links POADB posted. I want to see if this MSN virus is using just the hosts file, or the registry also. Let me know the outcome.
03-20-2005, 01:30 AM   #5   nettle (Registered User; OS: XP)

Followed your instructions but same problem as before for both links - IE closes down before getting anywhere. Repeated the exercise of moving and deleting hosts and rebooting but without running IE, and the hosts file has been recreated in the usual place upon reboot. What next?

thanks
03-20-2005, 03:09 PM   #6   greyknight17 (Analyst, Security Team; Join Date: Jul 2004; Location: New York; Posts: 14,331; OS: Windows 98 & Windows XP Home/Pro)

Is it possible for you to get the downloads from another computer and copy them here? If so, do it now.

If that computer can burn CDs also, I want you to get the following program:

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

If that computer can't burn CDs, then just get the other programs and put them on a floppy (they will fit).

Give us the log when you are ready. Hopefully whatever is preventing these programs from running won't do the same with HijackThis.

If it does, try this:

Open up HijackThis but don't run it yet. Hit ctrl+alt+del and then go to the Processes tab. Now look for explorer.exe and click on it. Then click on End Process. Now run the HijackThis scan. Save the log. Hit ctrl+alt+del and go to File->New Task and type in explorer and hit OK. Post that log here.

Come to think of it, if the above works that way, you can probably run Ad-aware and Microsoft AntiSpyware that way also. Just open them first, but don't run them yet. Then end explorer.exe and run those programs.
03-21-2005, 01:30 AM   #7   nettle (Registered User; OS: XP)

Thanks for your reply - unfortunately I just missed it last night with the time difference. Just heading off to work so will download some stuff there onto disk and try your suggestions this PM (GMT).

By the way, I can't run Task Manager from Ctrl-Alt-Del at present. It just flashes open then closes like the other things. Since the problem began, the only thing that runs of a security nature is Ad-aware SE. Tried to update my anti-virus from disk but it wouldn't let me uninstall the old one first.

Anyway, I'll get back to you later. Thanks.
03-21-2005, 02:40 AM   #8   POADB (Moderator, Microsoft Support; OS: XP SP2)

The infection you have is a real nasty one. I've had it before. Unfortunately, I couldn't get rid of it and only made my problems worse. In the end I was forced to format, as the computer refused to boot.

From what I can remember, everything security related is prevented: websites and programs. I believe your hosts file gets hijacked, but since you can't run IE, you can't test this.

It's important we get a virus scan done ASAP, and I don't believe the TDS-3 trojan finder will be affected by this virus.

G'luck.
03-21-2005, 03:13 PM   #9   nettle (Registered User; OS: XP)

Am now trying the things suggested and will post what I get, all in Safe Mode. Firstly, have installed TDS, updated the database before running and then attempted to scan. An option popped up while/when about to scan and without thinking I said yes - the scan seemed to start but then the program shut. Now it won't run - the program closes while doing the initial memory scan.

Microsoft AntiSpyware is running in the background and asking if I wish to allow the TDS shell extension in c:\windows\system32\tds3shl.dll - should I allow or block?
03-21-2005, 04:59 PM   #10   nettle (Registered User; OS: XP)

No further luck with TDS3, but finally here are my HijackThis results:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 23:19:22, on 21/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\mcsv.com
C:\a disk\h\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 www.grisoft.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 symantec.com
O1 - Hosts: 212.58.240.33 sophos.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 grisoft.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKLM\..\Run: [4LKS8AD2A8SRDC] C:\WINDOWS\System32\Rcj6KrN.exe
O4 - HKLM\..\Run: [xa] C:\documents and settings\denise nettleton\local settings\temp\xa.exe
O4 - HKLM\..\Run: [WZERGhd] C:\documents and settings\denise nettleton\local settings\temp\WZERGhd.exe
O4 - HKLM\..\Run: [uldEto] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\uldEto.exe
O4 - HKLM\..\Run: [pmzrlhwwxliai] C:\WINDOWS\System32\oiidofkx.exe
O4 - HKLM\..\Run: [nCN] C:\documents and settings\denise nettleton\local settings\temp\nCN.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [jrsTL] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\jrsTL.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [8n4v] C:\documents and settings\denise nettleton\local settings\temp\8n4v.exe
O4 - HKLM\..\Run: [6H] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\6H.exe
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {C9147000-17E4-41E8-9089-A2A67DBCA22D} (IEUpdateOSR2 Control with Key) - https://client.virgin.net/assets/update.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


End of KRC HijackThis Analyzer Log.
=================


Nice long list of hosts redirections and lots of other suspicious stuff. Hope to hear from you soon with further instructions.

Thanks a lot.
03-21-2005, 09:32 PM   #11   CTSNKY (Knower of all that is MS; Join Date: Aug 2004; Posts: 10,755; OS: (multiple machines) 95, 98, 2K & XP Home & Pro)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

You have the Peper infection. Download PeperUninstall. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix and save it to your Desktop. Run it and click Find and Fix (reboot if prompted).

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\mcsv.com

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 www.grisoft.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 symantec.com
O1 - Hosts: 212.58.240.33 sophos.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 grisoft.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKLM\..\Run: [4LKS8AD2A8SRDC] C:\WINDOWS\System32\Rcj6KrN.exe
O4 - HKLM\..\Run: [xa] C:\documents and settings\denise nettleton\local settings\temp\xa.exe
O4 - HKLM\..\Run: [WZERGhd] C:\documents and settings\denise nettleton\local settings\temp\WZERGhd.exe
O4 - HKLM\..\Run: [uldEto] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\uldEto.exe
O4 - HKLM\..\Run: [pmzrlhwwxliai] C:\WINDOWS\System32\oiidofkx.exe
O4 - HKLM\..\Run: [nCN] C:\documents and settings\denise nettleton\local settings\temp\nCN.exe
O4 - HKLM\..\Run: [jrsTL] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\jrsTL.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [8n4v] C:\documents and settings\denise nettleton\local settings\temp\8n4v.exe
O4 - HKLM\..\Run: [6H] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\6H.exe
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them), if they exist:

C:\WINDOWS\farmmext.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\csnss.exe
C:\WINDOWS\system32\mcsv.com
C:\WINDOWS\System32\oiidofkx.exe
C:\WINDOWS\System32\Rcj6KrN.exe

Run CleanUp! again.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
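The entries CTSNKY lists for fixing above are the same four patterns that MicroBell's hosts-file test (#4) and nettle's log (#10) turned up: anti-virus vendor hostnames all pinned to one non-loopback address in the hosts file (the O1 lines), autostarts whose names are one letter away from svchost.exe and csrss.exe or that live in a user's temp folder (O4), a second program chained onto UserInit so it starts before the shell (F2), and BHO entries whose DLL is gone (O2). The script below is an added example, not part of the original posts and not HijackThis or the KRC Analyzer, that triages such a log automatically. The sample log is constructed from a subset of the posted lines; the list of imitated system binaries and the temp-folder rule are assumptions.

```python
"""Triage a HijackThis (HJT) log for the hijack patterns seen in this thread.

Added example: not part of the original posts, HijackThis or the KRC Analyzer.
SAMPLE_LOG is constructed from a subset of the lines nettle posted.
"""
import ipaddress
import re
from collections import defaultdict

# System binaries whose names malware imitates (assumed list, not from the page).
SYSTEM_BINARIES = ["svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"]

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\msntb.dll
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKLM\..\Run: [xa] C:\documents and settings\denise nettleton\local settings\temp\xa.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\msnappau.exe"
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s+(.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")


def edit_distance(a, b):
    """Levenshtein distance: one typo away from a system binary is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(value):
    """Reduce an O4 command line to its executable path (drop quotes and args)."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value


def lookalike(basename):
    """Return the system binary this name imitates, or None if it is not close."""
    for legit in SYSTEM_BINARIES:
        if basename != legit and edit_distance(basename, legit) == 1:
            return legit
    return None


def triage(log_text):
    """Return the entries a responder would fix, grouped by hijack type."""
    hosts = defaultdict(list)   # non-loopback IP -> hostnames redirected to it
    run_entries = []            # (hive, name, path, reason) for suspicious O4s
    userinit_extra = []         # programs chained after userinit.exe (F2)
    missing_bho = []            # CLSIDs of BHOs whose DLL is gone (O2)
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                if not ipaddress.ip_address(ip).is_loopback:
                    hosts[ip].append(host)
            except ValueError:      # a target that is not even an IP is suspect too
                hosts[ip].append(host)
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, value = m.groups()
            path = image_path(value)
            base = path.rsplit("\\", 1)[-1].lower()
            mimic = lookalike(base)
            if "\\temp\\" in path.lower():
                run_entries.append((hive, name, path, "runs from a temp folder"))
            elif mimic:
                run_entries.append((hive, name, path, "name mimics " + mimic))
            continue
        m = F2_RE.match(line)
        if m:
            for item in m.group(1).split(","):
                item = item.strip()
                if item and item.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                    userinit_extra.append(item)
            continue
        m = O2_RE.match(line)
        if m and m.group(2).endswith(("(file missing)", "(no file)")):
            missing_bho.append(m.group(1))
    return {"hosts_redirects": dict(hosts), "suspicious_run": run_entries,
            "userinit_extra": userinit_extra, "missing_bho": missing_bho}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full posted log, the hosts bucket collapses the 42 O1 lines into a single address with a list of vendor names, which is the quickest way to see that every update and download host was redirected rather than blocked at random. The lookalike test is deliberately strict (exactly one edit away and not identical) so that a genuine C:\WINDOWS\system32\svchost.exe is never flagged; an entry like msnappau.exe, which is neither a lookalike nor in a temp folder, passes, matching CTSNKY's decision to leave it alone.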
03-22-2005, 12:23 AM   #12   nettle (Registered User; OS: XP)

Need further advice as some instructions not possible

Thanks for your response. Hope I can now get further BUT, as I said previously, the option to check "see hidden files" has disappeared. I read on another thread somewhere that this could be fixed by running regedit and resetting, but the bug won't let me run regedit. And also the menu for System Restore has disappeared - when I run gpedit.msc to try to reset it back onto the menu the bug won't let me change those settings.

I was wondering whether I could work something from the Safe Mode DOS prompt but the DOS window shuts down too.

SO, what should I do next and in what order? I still have HijackThis open from the run before - should I do something with that first?

thanks.
03-22-2005, 06:14 AM   #13   nettle (Registered User; OS: XP)

TDS logs

After running the fixes in HJT I was then able to run TDS. Logs below.

***Still wondering what to do about the lack of System Restore options! Can you please advise? Thanks.***

11:29:59 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
11:29:59 [Init] Started 22-03-05 11:29:59 GMT Standard Time (UTC: 0), Internet Time @520.82
11:29:59 [Init] Loading TDS-3 Systems ...
11:29:59 [Init] Token successfully adjusted.
11:29:59 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
11:30:00 [Init] • Plugins : OK. Loaded 13
11:30:00 [Init] • Exec Protection : Not Installed
11:30:00 [Init] WARNING: Your Radius.TD3 database needs to be updated!
11:30:00 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
11:30:00 [Init] Licensed users can use the Update facility from the TDS menu
11:30:00 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
11:30:07 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
11:30:07 [Init] • Systems Initialised [50030 references - 25116 primaries/12719 traces/12195 variants/other]
11:30:08 [Init] Radius Systems loaded. <Databases updated 21-03-2005>
11:30:08 [Init] TDS-3 Ready. <Administrator@192.168.0.3, 127.0.0.1 - United Kingdom>
11:30:08 [Tip Of The Day] Can't remember the port that a particular service uses? Or perhaps you can't remember the service that a particular port uses? Try the Port Reference and Reverse Port Reference utilities - available in the Utilities menu!
11:30:08 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
11:30:08 [TDS] Good morning Administrator.
11:30:13 [Mutex Memory Scan] Started...
11:30:14 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:30:14 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
11:31:37 [CRC32] Started - verifying 29 files ...
11:31:49 [CRC32] Test finished.
11:32:39 [Memory Scan] Memory scan started, please wait a moment ...
11:32:42 [Memory Scan] Memory scan complete.
11:32:42 [Mutex Memory Scan] Started...
11:32:43 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:32:43 [Trace Scan] Started...
11:32:49 [Trace Scan] Finished.
11:32:49 [ServiceScan] Scanning for services and drivers ...
11:32:52 [ServiceScan] Scanned 305 services and drivers.
11:32:52 [File Scan] Scanning in A:\ ...
11:32:53 [File Scan] Scanned 0 files: 12 alarms in 1.09375 seconds (Avg 1. files/sec)
11:32:53 [File Scan] Scanning in C:\ ...
12:10:18 [File Scan] Scanned 102901 files: 34 alarms in 2245.297 seconds (Avg 46.83 files/sec)
12:10:18 [File Scan] Scanning in D:\ ...
12:30:16 [File Scan] Scanned 101807 files: 34 alarms in 1197.359 seconds (Avg 86.03 files/sec)
12:30:16 [File Scan] Scanning in E:\ ...
12:30:16 [File Scan] Scanned 0 files: 34 alarms in 0 seconds (Avg -1.#IND files/sec)
12:30:16 [File Scan] Scanning in F:\ ...
12:30:16 [File Scan] Scanned 0 files: 34 alarms in 0.03125 seconds (Avg 1. files/sec)
12:30:16 [Scan] Finished.

Alarms pasted below:

Scan Control Dumped @ 12:42:45 22-03-05
File Trace: Default trojan filename: Worm.Serflog
File: C:\Death of crazy frog!.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\Hot babe!.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\Really Cute.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\My piccy.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\Bungee-****.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\I_love_you.123greetings.com.com

File Trace: Default trojan filename: Worm.Serflog
File: C:\Paris Hilton Sex Tape.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\Shoot Bill Gates!.exe

File Trace: Default trojan filename: Worm.Serflog
File: C:\Best_Friend.scr

File Trace: Default trojan filename: Worm.Serflog
File: C:\lol Busted Are Gay!.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\Saddam Song!.pif

File Trace: Default trojan filename: Worm.Serflog
File: C:\Me at the Beach!.pif

Positive identification: Trojan.Win32.StartPage.y
File: c:\bootconf.exe

Suspicious Filename: Dual extensions
File: c:\i_love_you.123greetings.com.com

Positive identification (embedded in file): TrojanDownloader.Win32.VB.em
File: c:\windows\system32\cxe0n.exe

Positive identification: TrojanDownloader.Win32.VB.em
File: c:\windows\system32\cxe0n.exe

Positive identification (embedded in file): TrojanDownloader.Win32.VB.em
File: c:\windows\system32\awdzm.exe

Positive identification: TrojanDownloader.Win32.VB.em
File: c:\windows\system32\awdzm.exe

Positive identification (embedded in file): TrojanDownloader.Win32.VB.em
File: c:\windows\system32\rcj6krn.exe

Positive identification: TrojanDownloader.Win32.VB.em
File: c:\windows\system32\rcj6krn.exe

Positive identification: TrojanDownloader.Win32.VB.em
File: c:\windows\system32\lnaqxu3.exe

Positive identification (embedded in file): RAT.RADS.e
File: c:\windows\system32\mlwwa.exe

Positive identification: RAT.RADS.f
File: c:\windows\system32\mlwwa.exe

Positive identification: TrojanDownloader.Win32.VB.em
File: c:\windows\system32\hno2rdu5.exe

Positive identification: TrojanDownloader.Win32.VB.em
File: c:\windows\system32\lgw0.exe

Positive identification: TrojanDownloader.Win32.Small.fo
File: c:\recycled\1.exe

Positive identification: Riskware.ProcessRestart
File: c:\program files\kodak\kodak software updater\7288971\6.3.2.62-7288971l\program\restart.exe

Positive identification (DLL): Adware.DlMax.a (dll)
File: c:\program files\microsoft antispyware\quarantine\1c643f32-960c-4689-9627-bfe0cc\b4ba54cd-5f36-4ca0-a4d2-880999

Positive identification (DLL): Adware.Midable.b (dll)
File: c:\found.048\file0001.chk

Positive identification: TrojanDropper.Win32.VB.cd
File: c:\documents and settings\all users\application data\ieservice\v28.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\hayley.denise-xixop29g\my documents\chem 11...........doc

Suspicious Filename: Dual extensions
File: c:\documents and settings\hayley.denise-xixop29g\my documents\chem 12..........doc

Positive identification (DLL): Adware.Midable.b (dll)
File: c:\found.044\file0003.chk

Positive identification (DLL): Adware.Midable.b (dll)
File: c:\found.045\file0000.chk

----------------------------------------------

thanks. nettle.
nettle is offline  
03-22-2005, 12:34 PM   #14
Registered User
 
Join Date: Mar 2005
Posts: 10
OS: XP


OK! After many hours of chipping away at this, I think I'm just about there!

I'm finally submitting this from the previously infected PC. Please could you check the following HJT results file to confirm all clear?

*** "System restore off" is currently enabled awaiting your word.***

Many thanks for all your suggestions.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 19:18:05, on 22/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\a disk\h\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {C9147000-17E4-41E8-9089-A2A67DBCA22D} (IEUpdateOSR2 Control with Key) - https://client.virgin.net/assets/update.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


End of KRC HijackThis Analyzer Log.
====================================================================
nettle is offline  
03-23-2005, 12:10 AM   #15
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Your current log is clean. Did you delete those files TDS-3 found? If not, do so, and run the Hoster file again to restore your hosts file just to make sure.

Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
MicroBell is offline  
03-23-2005, 01:00 AM   #16
Registered User
 
Join Date: Mar 2005
Posts: 10
OS: XP


Yes, I went ahead and deleted all the TDS-alarmed files and then ran system hoster.

Thanks again for your help. Have now brought my anti-virus up to date and will read through the other recommendations. Thanks.
nettle is offline  
Copyright 2001 - 2009, Tech Support Forum