HJT Analyzer log, have ABI Network/Nail.exe MALWARE. any help appreciated

flyers16 · 08-09-2005, 10:34 PM

Hi,

I followed instructions in the 'Before posting HJT logfile' and am ready to go. Tried unsuccessfully by myself,

now I'm asking for help. I was close to just reformatting since I figured I was due anyway....but would rather rid myself of this nasty little trojan who keeps coming back.

Thanks in advance....

P.S. This logfile is from HJT Analyzer

Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:22:58 AM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\mcfbhdu.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\I-Mesh\iMeshBHO.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\APPS\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jrmaowoe.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\APPS\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [sfvosjj] C:\WINDOWS\system32\mcfbhdu.exe r
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/...GameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095370148234
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

MicroBell · 08-10-2005, 12:57 AM

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove iMeshBar if listed.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: System Startup Service (SvcProc)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R3 - Default URLSearchHook is missing
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\I-Mesh\iMeshBHO.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jrmaowoe.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [sfvosjj] C:\WINDOWS\system32\mcfbhdu.exe r
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
C:\I-Mesh\iMeshBHO.dll
C:\WINDOWS\system32\lanbrup.exe
C:\WINDOWS\system32\mcfbhdu.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\mcfbhdu.exe
C:\WINDOWS\dsr.dll
C:\WINDOWS\system32\jrmaowoe.dll

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

On the reboot...boot directly back to safe mode.

Run Ewido:

Click [Scanner]
Click [Complete System Scan] to begin scanning.
Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
Once finished, click the [Save report] button
Save the report to your desktop

Close Ewido

Run Cleanup again and reboot/logoff when prompted.

ONce back to normal windows....

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Select the “Autofix/Clean” option and save the activescan log. Then post that log in your next post along with the Ewido scan log and another hijackthis log.

So I need..

Ewido Log
Panda scan log
Hijackthis log

flyers16 · 08-16-2005, 02:21 AM

Many thanks for the response MB, ok, I've done as instructed and now have attached the 3 logs you asked for. Let me know how to proceed.....thanks again.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:52:05 PM, 8/15/2005
+ Report-Checksum: 9EB329DF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{43E2DBE5-8C8A-4519-9684-8CD7F39A5147} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DA3609D1-3E96-4726-A17F-30F46AE89726} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\IExplorr24.clsDW -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\IExplorr24.clsDW\Clsid -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{22EB8F60-F99B-4E29-8376-E8BC417148FD} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{338F1D89-A419-4C40-96E3-C29C978A7DF6} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B4450075-9717-43B1-BA10-4B9FD7325FD5} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CBD7E8BE-0E1E-441D-B133-E26F5636CCCF} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E41774F1-63E7-44ED-A03A-FF8422F9AFF0} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FC385F81-0109-4FA8-AAD0-53B4A9A5DD2B} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{1620D17D-F2B5-43BE-8ED4-6B22E321D2A3} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{22CBCB4C-E9DF-4D25-86BC-FFDA4DF8FC06} -> Spyware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6CB0-410C-8C3D-8FA8D2011D0A} -> Spyware.iMesh : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} -> Spyware.InetSpeak : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D568F0F-8AC9-40AB-88B7-415134C78777} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{52FE5233-367C-4EFB-BDD7-0BE4D212C107} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} -> Spyware.InetSpeak : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
[432] VM_01100000 -> Adware.BetterInternet : Error during cleaning
[708] C:\WINDOWS\system32\ywtjsrl.exe -> Trojan.Agent.cp : Cleaned with backup
C:\HJT\backups\backup-20050815-193150-913.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\fmqahelcay.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\mfrzmm.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\eorpdvwe.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\ywtjsrl.exe -> Trojan.Agent.cp : Cleaned with backup

::Report End

and here's the "Panda' scan log..........

Incident Status Location

Adware:adware/aurora No disinfected C:\WINDOWS\SYSTEM32\DrPMon.dll
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Spyware:spyware/betterinet No disinfected Windows Registry
Virus:Trj/Citifraud.A Disinfected Local Folders\Deleted Items\Washington Mutual - Important Fraud Alert[~000001.txt]

and this is from HJT....not HJT Analyzer

Logfile of HijackThis v1.99.1
Scan saved at 3:56:51 AM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\APPS\Ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\APPS\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\APPS\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/...GameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095370148234
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\APPS\Ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

**POADB** · 08-16-2005, 03:30 AM

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!. .

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

KillBox v2.0.0.175 - Save to Desktop.

Nailfix - Unzip to the desktop

FindIt's.zip - Unzip to a new folder on Desktop

= = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

= = = = = = = = = = =

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\WINDOWS\Nail.exe
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\abiuninst.htm

Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

= = = = = = = = = = =

Reboot to SafeMode

Shut Windows down, and then turn off the computer.
Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
Windows Advanced Options menu appears.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = =

Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

= = = = = = = = = = == = = = = = = = = = =

Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. enable the option for `Show hidden files and folder´
3. disable the option for `Hide file extensions for known types´
4. disable the option for `Hide protected operating system files´
5. click "Yes" to confirm & then click "OK"

= = =

Locate and delete the following file, if present:

C:\Windows\Nail.exe

= = = = = = = = = = =

Run Cleanup! & configure the program as follows:

Click Options...
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup

= = = = = = = = = = =

Reboot to NormalMode.

Do an online scan at Panda

Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

Save it to your desktop.
Double-click the new icon on your desktop (tmas-web-scan.exe)
It will say "Loading TrendMicro definitions".
Once the definitions are loaded, the program will appear to close then re-open.
Click "Start Scan"
After it's done scanning, click "Scan Results"
Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

= = = = = = = = = = =

Run FindIt's.bat and wait for notepad to open a text file. Please be patient as it requires some time to finish running. Then post the results in your next reply

In your next post, please include fresh copies of:

HiJackThis log
List of files that Panda failed to disinfect
FindIt's log
AntiSpyware log

flyers16 · 08-16-2005, 01:17 PM

ok, thanks. having trouble getting 'FindIt's' .zip......seems like the site is temporarily down. I'll post back with the logs when I complete this, hoping it'll be within a few hours........

flyers16 · 08-16-2005, 06:37 PM

alrighty guys, here's the requested info. Again.....many thanks for your time & help......

Logfile of HijackThis v1.99.1
Scan saved at 8:21:28 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\APPS\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\APPS\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/...GameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095370148234
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\APPS\Ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Panda failed to fix 3 files, 2 were the nailfix I downloaded, the other was labeled 'spyware':spyware/betterinet windows registry. That's all it had on that. Below starts the 'FindIt's log.

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 08/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
»»»»» lagitamate file's can/will show in this section.

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\LORDST~1\DESKTOP\FINDIT'S\FIND-IT'S\XFIND.COM

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 64AB-9ECA

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 64AB-9ECA

Directory of C:\WINDOWS\system32

08/16/2005 07:13 PM 1,406 AddQuit.ico
08/16/2005 07:13 PM 9,470 Desktop.ico
08/16/2005 07:13 PM 1,406 Help.ico
08/16/2005 07:13 PM 5,350 IE.ico
08/16/2005 07:13 PM 1,718 Open.ico
08/16/2005 07:13 PM 1,718 Quick.ico
08/16/2005 07:13 PM 2,550 Uninstall.ico
7 File(s) 23,618 bytes
0 Dir(s) 29,718,757,376 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

This starts the antispyware log......

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\iMesh'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\ResultsFilter'
Found '' in 'Software\Kazaa\Settings'
Found '' in 'Software\Kazaa\Transfer'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}'
Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}'
Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}'
Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}'
Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\TypeLib'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Advanced'
Found '' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\LocalContent'
Found '' in 'Software\Kazaa\Skins'
Found '' in 'Software\Kazaa\UserDetails'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'Software\iMesh'
Found 'LastSearchHash' in 'Software\Kazaa'
Found 'ScanFolder' in 'Software\Kazaa\Advanced'
Found 'IgnoreAll' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\Search'
Found 'adult_filter_level' in 'Software\Kazaa\ResultsFilter'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'CacheDiscoveryTime' in 'Software\Kazaa\Transfer'
Found 'CacheHost' in 'Software\Kazaa\Transfer'
Found 'CachePort' in 'Software\Kazaa\Transfer'
Found 'CountryCode' in 'Software\Kazaa\UserDetails'
Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'DlDir0' in 'Software\Kazaa\Transfer'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'AutoConnected' in 'Software\Kazaa\UserDetails'
Found 'firewall_filter' in 'Software\Kazaa\ResultsFilter'
Found 'SkinsDir' in 'Software\Kazaa\Skins'
Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
Found 'UserName' in 'Software\Kazaa\UserDetails'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iMesh 5'
Found '' in 'SOFTWARE\iMeshBar'
Found '' in 'SOFTWARE\Classes\TypeLib\{F048AEEC-AE7B-4DEC-BC7A-F5DB4B52C048}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{F048AEEC-AE7B-4DEC-BC7A-F5DB4B52C048}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{F048AEEC-AE7B-4DEC-BC7A-F5DB4B52C048}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{F048AEEC-AE7B-4DEC-BC7A-F5DB4B52C048}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{F048AEEC-AE7B-4DEC-BC7A-F5DB4B52C048}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{F048AEEC-AE7B-4DEC-BC7A-F5DB4B52C048}'
Found '' in 'SOFTWARE\Classes\TypeLib\{C8791281-D7A4-440D-A0F8-C02E2085A21D}'
Found '' in 'SOFTWARE\Classes\TypeLib\{80F06796-5DE1-44CC-90A7-8B275950CFD7}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{80F06796-5DE1-44CC-90A7-8B275950CFD7}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{80F06796-5DE1-44CC-90A7-8B275950CFD7}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{80F06796-5DE1-44CC-90A7-8B275950CFD7}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{80F06796-5DE1-44CC-90A7-8B275950CFD7}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{80F06796-5DE1-44CC-90A7-8B275950CFD7}'
Found '' in 'SOFTWARE\Classes\Interface\{D5E7424B-5AAD-41C5-944A-077CF49F9D45}'
Found '' in 'SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}'
Found '' in 'SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}'
Found '' in 'SOFTWARE\Classes\Interface\{6D9A2918-F869-40F8-85ED-4F7F1B4BB6B7}'
Found '' in 'SOFTWARE\Classes\Interface\{00000000-A447-4EB9-A8D8-0C4B0661D988}'
Found '' in 'SOFTWARE\Classes\IMeshControl.iMeshBarButton\CurVer'
Found '' in 'SOFTWARE\Classes\IMeshControl.iMeshBarButton\CLSID'
Found '' in 'SOFTWARE\Classes\IMeshControl.iMeshBarButton.1\CLSID'
Found '' in 'SOFTWARE\Classes\IMeshControl.iMeshBarButton.1'
Found '' in 'SOFTWARE\Classes\IMeshControl.iMeshBarButton'
Found '' in 'SOFTWARE\Classes\IMeshBHO.DownloadRedirect\CurVer'
Found '' in 'SOFTWARE\Classes\IMeshBHO.DownloadRedirect\CLSID'
Found '' in 'SOFTWARE\Classes\IMeshBHO.DownloadRedirect.1\CLSID'
Found '' in 'SOFTWARE\Classes\IMeshBHO.DownloadRedirect.1'
Found '' in 'SOFTWARE\Classes\IMeshBHO.DownloadRedirect'
Found '' in 'SOFTWARE\Classes\GnucCOM.Core\CLSID'
Found '' in 'SOFTWARE\Classes\GnucCOM.Core'
Found '' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}\Programmable'
Found '' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}'
Found '' in 'Software\iMesh\iMesh5\Transfer'
Found '' in 'Software\iMesh\iMesh5\SetSplitter'
Found '' in 'Software\iMesh\iMesh5\SetListCol'
Found '' in 'Software\iMesh\iMesh5\Gnutella'
Found '' in 'Software\iMesh\iMesh5\AutoConnect'
Found '' in 'Software\iMesh\iMesh5'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{5EAA54AB-6601-40E4-A13F-01559500D2C7}\InprocServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{42AB8D08-F741-4166-8A0D-3C1A50B43F93}\InProcServer32'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Found 'np.tmp' in 'C:\Documents and Settings\Lord Stanley\Application Data\Kazaa Lite\db'
Found 'libeay32.dll' in 'C:\I-Mesh'
Found 'searchMesh.dll' in 'C:\I-Mesh'
Found 'ssleay32.dll' in 'C:\I-Mesh'
Found 'Uninstall iMeshBar.dll' in 'C:\Program Files'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Lord Stanley\Application Data\Kazaa Lite\db\np.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Lord Stanley\Application Data\Kazaa Lite\db\np.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Lord Stanley\Application Data\Kazaa Lite\db\np.tmp'
Checking for 'C:\I-Mesh\libeay32.dll' in shortcut areas.
Checking for 'C:\I-Mesh\libeay32.dll' in startup areas.
Cleaning 'C:\I-Mesh\libeay32.dll'
Checking for 'C:\I-Mesh\searchMesh.dll' in shortcut areas.
Checking for 'C:\I-Mesh\searchMesh.dll' in startup areas.
Cleaning 'C:\I-Mesh\searchMesh.dll'
Checking for 'C:\I-Mesh\ssleay32.dll' in shortcut areas.
Checking for 'C:\I-Mesh\ssleay32.dll' in startup areas.
Cleaning 'C:\I-Mesh\ssleay32.dll'
Checking for 'C:\Program Files\Uninstall iMeshBar.dll' in shortcut areas.
Checking for 'C:\Program Files\Uninstall iMeshBar.dll' in startup areas.
Cleaning 'C:\Program Files\Uninstall iMeshBar.dll'
Finished Cleaning

**POADB** · 08-17-2005, 03:26 AM

Findit.bat failed to run correctly. I'm confident your system is now clean, and should be behaving normally again - but I'd like you to try and run FindIt again, please.

flyers16 · 08-17-2005, 02:36 PM

again, I'm grateful for all the help & time you guys put in, many thanks.

ok, d-loaded another copy of FindIt's.zip (for piece of mind) and ran it again, from several different locations (root of C:, HJT directory, desktop, etc.) but still get the same results, strange.....not sure what else to try.

Glad you feel I should be good to go, I'll go ahead and use my PC normally now and we'll see what happens.

Should I keep all of the programs I downloaded & installed ? I'm running McAfee security center, should I remove EWIDO ?

thanks.....

MicroBell · 08-18-2005, 01:27 AM

Before clearing you...please post another Ewido log and Panda scan log.

flyers16 · 08-19-2005, 04:44 PM

ok no prob, here ya go.......thanks

Incident Status Location

Spyware:spyware/betterinet No disinfected Windows Registry
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\Lord Stanley\Desktop\NailFix\Process.exe
Security Risk:Application/ProcessorNo disinfected C:\HJT\Nailfix.zip[Process.exe]
Adware:Adware/Beginto No disinfected C:\I-Mesh\D-Loads\Compressed wizetrade.zip[Self Extracting.exe]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:37:27 PM, 8/19/2005
+ Report-Checksum: 92CA5DA3

+ Scan result:

C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@buycom.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wfkokmajwfp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wfkyclczsfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wfmiolcpelp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjkoapd5oap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjkyagcpwcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjkyqpczcgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjny-1jc5kh.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjnygpc5gdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjnyoldpscp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjnyshczaap.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup

::Report End

**POADB** · 08-20-2005, 01:19 AM

That's fine. Perhaps run CleanUp again to delete Cookies and clear temp directories etc...

Your log is clean. Well done

Do you have any more problems with your computer? If not, you should be set to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Clear Java Cache

Click Start >Settings>Control Panel
Click the Java Plugin Icon
Click the Cache tab
Click the Clear button and click OK to confirm

Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

flyers16 · 08-21-2005, 06:55 PM

got, thanks for all the help !!! All seems to be running fine now, I took care of the 'House Cleaning' issues as well.

Thanks again.........

08-09-2005, 10:34 PM	#1 (permalink)
flyers16 Registered User Join Date: Jun 2003 Posts: 11 OS: XP Home	HJT Analyzer log, have ABI Network/Nail.exe MALWARE. any help appreciated Hi, I followed instructions in the 'Before posting HJT logfile' and am ready to go. Tried unsuccessfully by myself, now I'm asking for help. I was close to just reformatting since I figured I was due anyway....but would rather rid myself of this nasty little trojan who keeps coming back. Thanks in advance.... P.S. This logfile is from HJT Analyzer Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 12:22:58 AM, on 8/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\system32\mcfbhdu.exe C:\PROGRA~1\Logitech\Video\FxSvr2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R3 - Default URLSearchHook is missing O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\I-Mesh\iMeshBHO.dll O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\APPS\SpyBot\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jrmaowoe.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\APPS\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe O4 - HKLM\..\Run: [sfvosjj] C:\WINDOWS\system32\mcfbhdu.exe r O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/...GameLoader.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095370148234 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe End of KRC HijackThis Analyzer Log. ====================================================================

08-10-2005, 12:57 AM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Hi and Welcome to TSF Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running. Ad-Aware® SE Personal Edition Spybot Search & Destroy CWShredder Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT) Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point. Download and install CleanUp! but do not run it yet. NOTE Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. Download, install, and update Ewido Security Suite Install ewido security suite Launch ewido, there should be a big E icon on your desktop, double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove iMeshBar if listed. Go to Start->Run and type Services.msc then hit Ok Scroll down and find the service called: System Startup Service (SvcProc) When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry) R3 - Default URLSearchHook is missing O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\I-Mesh\iMeshBHO.dll O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing) O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jrmaowoe.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe O4 - HKLM\..\Run: [sfvosjj] C:\WINDOWS\system32\mcfbhdu.exe r O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS) C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL C:\I-Mesh\iMeshBHO.dll C:\WINDOWS\system32\lanbrup.exe C:\WINDOWS\system32\mcfbhdu.exe C:\WINDOWS\svcproc.exe C:\WINDOWS\system32\mcfbhdu.exe C:\WINDOWS\dsr.dll C:\WINDOWS\system32\jrmaowoe.dll Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click OK Press the CleanUp!* button to start the program. Reboot/logoff when prompted. On the reboot...boot directly back to safe mode. Run Ewido: Click [Scanner] Click [Complete System Scan] to begin scanning. Click [OK] when prompted to clean files With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK]. Once finished, click the [Save report] button Save the report to your desktop Close Ewido Run Cleanup again and reboot/logoff when prompted. ONce back to normal windows.... Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm Select the “Autofix/Clean” option and save the activescan log. Then post that log in your next post along with the Ewido scan log and another hijackthis log. So I need.. Ewido Log Panda scan log Hijackthis log __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

08-16-2005, 03:30 AM	#4 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	Hi and Welcome to TSF! Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. It is also important you don't miss a step and perform everything in the right order!!. . = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Please download these additional files/programs. Do not run them unless instructed to do so. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. KillBox v2.0.0.175 - Save to Desktop. Nailfix - Unzip to the desktop FindIt's.zip - Unzip to a new folder on Desktop = = = = = = = = = = = Run a scan with HiJackThis & select(tick) the following & click [Fix checked] : F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe = = = = = = = = = = = Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\Nail.exe C:\WINDOWS\SYSTEM32\DrPMon.dll C:\WINDOWS\abiuninst.htm Start KillBox. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox Click the dropdown-arrow next to the "Full Path of File to Delete" field. Verify that the filenames you pasted are found in there. Select/tick the following: * Replace on Reboot * Use Dummy * End Explorer Shell While Killing File * "Unregister.dll Before Deleting" * if it's not grayed out Click the RED X button. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the 'Pending Operations' prompt. * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. = = = = = = = = = = = Reboot to SafeMode Shut Windows down, and then turn off the computer. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter. = = = = = = = = = = = Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal. = = = = = = = = = = == = = = = = = = = = = Enable the viewing of Hidden files 1. From Windows Explorer, go to Tools>Folder Options>View tab. 2. enable the option for `Show hidden files and folder´ 3. disable the option for `Hide file extensions for known types´ 4. disable the option for `Hide protected operating system files´ 5. click "Yes" to confirm & then click "OK" = = = Locate and delete the following file, if present: C:\Windows\Nail.exe = = = = = = = = = = = Run Cleanup! & configure the program as follows: Click Options... Move the arrow down to Custom CleanUp! Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders without making a backup = = = = = = = = = = = Reboot to NormalMode. Do an online scan at Panda Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button). Save it to your desktop. Double-click the new icon on your desktop (tmas-web-scan.exe) It will say "Loading TrendMicro definitions". Once the definitions are loaded, the program will appear to close then re-open. Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here. = = = = = = = = = = = Run FindIt's.bat and wait for notepad to open a text file. Please be patient as it requires some time to finish running. Then post the results in your next reply In your next post, please include fresh copies of: HiJackThis log List of files that Panda failed to disinfect FindIt's log AntiSpyware log __________________

08-17-2005, 03:26 AM	#7 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	Findit.bat failed to run correctly. I'm confident your system is now clean, and should be behaving normally again - but I'd like you to try and run FindIt again, please. __________________

08-18-2005, 01:27 AM	#9 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Before clearing you...please post another Ewido log and Panda scan log. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

08-16-2005, 02:21 AM	#3 (permalink)
flyers16 Registered User Join Date: Jun 2003 Posts: 11 OS: XP Home	Many thanks for the response MB, ok, I've done as instructed and now have attached the 3 logs you asked for. Let me know how to proceed.....thanks again. --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 9:52:05 PM, 8/15/2005 + Report-Checksum: 9EB329DF + Scan result: HKLM\SOFTWARE\Classes\CLSID\{43E2DBE5-8C8A-4519-9684-8CD7F39A5147} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{DA3609D1-3E96-4726-A17F-30F46AE89726} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\IExplorr24.clsDW -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\IExplorr24.clsDW\Clsid -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{22EB8F60-F99B-4E29-8376-E8BC417148FD} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{338F1D89-A419-4C40-96E3-C29C978A7DF6} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{B4450075-9717-43B1-BA10-4B9FD7325FD5} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{CBD7E8BE-0E1E-441D-B133-E26F5636CCCF} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{E41774F1-63E7-44ED-A03A-FF8422F9AFF0} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{FC385F81-0109-4FA8-AAD0-53B4A9A5DD2B} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\TypeLib\{1620D17D-F2B5-43BE-8ED4-6B22E321D2A3} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Classes\TypeLib\{22CBCB4C-E9DF-4D25-86BC-FFDA4DF8FC06} -> Spyware.InetSpeak : Cleaned with backup HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6CB0-410C-8C3D-8FA8D2011D0A} -> Spyware.iMesh : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} -> Spyware.InetSpeak : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D568F0F-8AC9-40AB-88B7-415134C78777} -> Spyware.Begin2Search : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{52FE5233-367C-4EFB-BDD7-0BE4D212C107} -> Spyware.Begin2Search : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} -> Spyware.InetSpeak : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup HKU\S-1-5-21-789336058-261478967-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup [432] VM_01100000 -> Adware.BetterInternet : Error during cleaning [708] C:\WINDOWS\system32\ywtjsrl.exe -> Trojan.Agent.cp : Cleaned with backup C:\HJT\backups\backup-20050815-193150-913.dll -> Spyware.SafeSurfing : Cleaned with backup C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Cleaned with backup C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup C:\WINDOWS\fmqahelcay.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\mfrzmm.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\system32\eorpdvwe.dll -> Spyware.SafeSurfing : Cleaned with backup C:\WINDOWS\system32\ywtjsrl.exe -> Trojan.Agent.cp : Cleaned with backup ::Report End and here's the "Panda' scan log.......... Incident Status Location Adware:adware/aurora No disinfected C:\WINDOWS\SYSTEM32\DrPMon.dll Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm Spyware:spyware/betterinet No disinfected Windows Registry Virus:Trj/Citifraud.A Disinfected Local Folders\Deleted Items\Washington Mutual - Important Fraud Alert[~000001.txt] and this is from HJT....not HJT Analyzer Logfile of HijackThis v1.99.1 Scan saved at 3:56:51 AM, on 8/16/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\APPS\Ewido\security suite\ewidoctrl.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Logitech\Video\AlbumDB2.exe C:\PROGRA~1\Logitech\Video\FxSvr2.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\APPS\SpyBot\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\APPS\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\APPS\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/...GameLoader.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095370148234 O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O23 - Service: ewido security suite control - ewido networks - C:\APPS\Ewido\security suite\ewidoctrl.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

08-16-2005, 01:17 PM	#5 (permalink)
flyers16 Registered User Join Date: Jun 2003 Posts: 11 OS: XP Home	ok, thanks. having trouble getting 'FindIt's' .zip......seems like the site is temporarily down. I'll post back with the logs when I complete this, hoping it'll be within a few hours........

08-17-2005, 02:36 PM	#8 (permalink)
flyers16 Registered User Join Date: Jun 2003 Posts: 11 OS: XP Home	again, I'm grateful for all the help & time you guys put in, many thanks. ok, d-loaded another copy of FindIt's.zip (for piece of mind) and ran it again, from several different locations (root of C:, HJT directory, desktop, etc.) but still get the same results, strange.....not sure what else to try. Glad you feel I should be good to go, I'll go ahead and use my PC normally now and we'll see what happens. Should I keep all of the programs I downloaded & installed ? I'm running McAfee security center, should I remove EWIDO ? thanks.....

08-19-2005, 04:44 PM	#10 (permalink)
flyers16 Registered User Join Date: Jun 2003 Posts: 11 OS: XP Home	ok no prob, here ya go.......thanks Incident Status Location Spyware:spyware/betterinet No disinfected Windows Registry Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\Lord Stanley\Desktop\NailFix\Process.exe Security Risk:Application/ProcessorNo disinfected C:\HJT\Nailfix.zip[Process.exe] Adware:Adware/Beginto No disinfected C:\I-Mesh\D-Loads\Compressed wizetrade.zip[Self Extracting.exe] --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 6:37:27 PM, 8/19/2005 + Report-Checksum: 92CA5DA3 + Scan result: C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@buycom.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wfkokmajwfp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wfkyclczsfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wfmiolcpelp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjkoapd5oap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjkyagcpwcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjkyqpczcgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjny-1jc5kh.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjnygpc5gdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjnyoldpscp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@e-2dj6wjnyshczaap.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup C:\Documents and Settings\Lord Stanley\Cookies\lord stanley@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup ::Report End

08-20-2005, 01:19 AM	#11 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	That's fine. Perhaps run CleanUp again to delete Cookies and clear temp directories etc... Your log is clean. Well done Do you have any more problems with your computer? If not, you should be set to go. However, there still remains a few bits of housekeeping ... Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Clear Java Cache Click Start >Settings>Control Panel Click the Java Plugin Icon Click the Cache tab Click the Clear button and click OK to confirm Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel Follow the instructions outlined here to clear Sun Java's cache. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall Kerio Personal Firewall ZoneAlarm In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________

08-21-2005, 06:55 PM	#12 (permalink)
flyers16 Registered User Join Date: Jun 2003 Posts: 11 OS: XP Home	got, thanks for all the help !!! All seems to be running fine now, I took care of the 'House Cleaning' issues as well. Thanks again.........