Tech Support banner

Status
Not open for further replies.
1 - 10 of 10 Posts

·
Registered
Joined
·
18 Posts
Discussion Starter #1
Hello,

I was online lastnite and had what I thought was browser hijack attempt. My screen froze and my firewall alerted me that there has been a trojan virus attempt , but has been cleaned. There was also a big wallpaper warning on my screen saying that my computer may have been compromised.

I ran adware Se and Mcafee Virus scanner. Some were removed. I think there is at least one left that was able to be cleaned.

I will like a help in looking at what's running on my computer so that I don't remove good stuffs.

Thanks.
 

·
Registered
Joined
·
18 Posts
Discussion Starter #3
Posting result.txt from hijackthislog

Hi,

Thanks for assisting. I am attaching the result.txt from hijackthis analyzer.
 

Attachments

·
Premium Member
Joined
·
14,311 Posts
Welcome to TSF.

Please go to the Windows Update site now and get Service Pack 4 immediately. Without it, you are wide open to reinfection.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.geekstogo.com/click counter/click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe


Uninstall ShopSafe via the Add/Remove panel if listed.

Delete this folder if found -> C:\Program Files\ShopSafe\

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoftware.com/products/activescan.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.
 

·
Registered
Joined
·
18 Posts
Result of cleanup

first of all, I am sorry it has taken me this long to post these logs. I was out on a work assignment.

I have used the suggested programs to clean things up. Shopsafe was not removed because I know what it is.

The are a lot more things in these files I don't recognize.

For some reason smitrem couldn't work. So I only used Ewido, adware SE, hijackthis and cleanup.

Thanks for your continued support and the good work you do.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:49:17 PM, on 9/27/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\uzo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:59:02 PM, 9/27/2005
+ Report-Checksum: 91841178

+ Scan result:

C:\WINDOWS\SYSTEM\mxhbewbl.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\TEMP\sa4394.TMP.exe -> TrojanDownloader.Small.uf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\QDow.dll -> TrojanDownloader.QDown.d : Cleaned with backup
C:\NULL -> TrojanDownloader.QDown.d : Cleaned with backup
C:\WINNT\sites.ini -> Spyware.PSGuard : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_28.exe -> TrojanDownloader.Mediket.au : Error during cleaning


::Report End
 

Attachments

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Hi and Welcome to TSF

Please post your logs in the thread and not as an attachment.

*Note* Copy the following file to a safe location....

C:\WINNT\Temp\RecoverFromReboot.exe

Because your going to run Cleanup later...it will delete all files in that directory so I need you to make a copy..and then after Cleanup is run..move it back to that TEMP folder.


Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\System32\msmsgs.exe


C:\WINNT\System32\msmsgs.exe <--delete that file

C:\eied_s7.cab or eied_s7_c_28.exe <--delete both if you have them

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Once back to normal windows...

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log.


Let me know how things are running.
 

·
Registered
Joined
·
18 Posts
Discussion Starter #7
These files are the result after following an earlier instruction from 9/17/05 and then instruction to post the file not as an attachment.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:49:17 PM, on 9/27/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\uzo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


End of KRC HijackThis Analyzer Log.


====================================================================

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:59:02 PM, 9/27/2005
+ Report-Checksum: 91841178

+ Scan result:

C:\WINDOWS\SYSTEM\mxhbewbl.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\TEMP\sa4394.TMP.exe -> TrojanDownloader.Small.uf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\QDow.dll -> TrojanDownloader.QDown.d : Cleaned with backup
C:\NULL -> TrojanDownloader.QDown.d : Cleaned with backup
C:\WINNT\sites.ini -> Spyware.PSGuard : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_28.exe -> TrojanDownloader.Mediket.au : Error during cleaning


::Report End


Thanks to you guys again for you continued support.
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Ummm post another hijackthis log. Make sure you delete the older log in the analyzer as your posting the same log twice. Date and Time of the last 2 logs are the same.

Even your Ewido log is old and the same one as before.
 

·
Registered
Joined
·
18 Posts
Discussion Starter #9
New result.txt and scan report from Ewido

I am attaching the New result.txt obtained using hijackthis analyzer. I am also attaching the result from Ewido.

Thanks for helping.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:22:18 PM, 10/4/2005
+ Report-Checksum: 8E8D2F30

+ Scan result:

C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\uzo\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_28.exe -> TrojanDownloader.Mediket.au : Cleaned with backup


::Report E





====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
c:\program files\mcafee.com\shared\mghtml.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:24:30 PM, on 10/4/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\mysql\bin\winmysqladmin.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
C:\Documents and Settings\uzo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
Registered
Joined
·
6,574 Posts
FYI:

If you have one of these, you will most likely have the other. Either way, here are some information on them:

BroadJump - Newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit.

Support.com - Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information.

I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that don't embed this spyware in their program. You will most likely also have BroadJump installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself.


Are you experiencing any problems now?
 
1 - 10 of 10 Posts
Status
Not open for further replies.
Top