[Snorky]

Winfixer is not something I've downloaded but may have come from one of the dodgy sites I was researching when I accidentally clicked on it!

Logfile of HijackThis v1.99.1
Scan saved at 09:25:08, on 02/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJTHotkey\HJTHotkey.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\Administrator\Desktop\WinFixer2005ScannerInstall.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124893691906
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I'd also appreciate knowing what resource hogs I can 'fix'.

Many thanks

 

[Ried]

Hi Snorky :grin:

I'm not seeing Winfixer, or anything else 'bad' in your log. Please do the following;

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Scan Now'
3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
4. Begin the scan by selecting My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
5. If it finds any malware, it will offer you a report. Click on see report
6. Then click Save report
7. Post the contents of the report in your next reply along with another HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

I suggest going to this site: http://www.liutilities.com/products/wintaskspro/processlibrary
You'll find information explaining what these processes are and whether or not they need to be running at start up, or continuously running in background for proper operation of Windows. :smile:

 

[Snorky]

Sorry Reid - I'm always finding things that aren't there! :grin: I'm posting below steps taken so far. Microbell suggested posting an hjt log just in case, which I did.

O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\Administrator\Desktop\WinFixer2005Scanner Install.exe"
was the entry I was querying as it wasn't in my last log and I didn't do it. Honest! Don't even know what that is. Is it supposed to be showing on my desktop or what? And anyone else who even walks within 10 feet of my PCs gets a clip round the ear (so to speak) so no-one else has put it there.

My post in General Security

Pre-SP2 install clean-up
-------------
Posted this question in the 'lodge' but it didn't like it and rejected me overnight (some problem with a data base excuse ) so thought I'd try here. I'm doing a cleanup before installing SP2 on my pcs and ran Ad-aware, Spybot, Trendmicro and Panda, Kaspersky which didn't work, and nothing was found. Tried Ewido and it found and cleaned 72 tracking cookies.

I'm just wondering now whether there's anything else to try or have I done enough cleaning.

Microbell's response

Snorky:

Can you download hijackthis (link in my signature) and post a log so I can have peek in case something was missed.

So that's the story of why I was posting. :smile:

And I was cheating really asking about the resource hogs. I'm very new to XP so not sure how to stop things running from start up without getting annoying messages about changing the start up program. Will wait for the book that Geekgirl recommended to arrive.

PS. I googled the entry and got nothing, so googled various bits and came up with 3 results for [NI.UWFX5].

 

[Ried]

:laugh: No, Snorky--totally my fault on that...was looking for the entry a different way.

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\Administrator\Desktop\WinFixer2005Scanner Install.exe"

Delete the following file:

C:\Documents and Settings\Administrator\Desktop\WinFixer2005Scanner Install.exe

Reboot back into Normal Mode.

Run that scan with Panda anyway and post it here so we can be sure you're ready for the SP2 install.

In Windows XP, every time you use msconfig and disable or enable items at Startup, you'll get that annoying box when you reboot. Just click the 'Do not show this message again' box. :smile:

 

[Snorky]

Thanks Ried - Did that and the entry is now gone although there was no folder to delete. My IE browser isn't working at the moment so unless there's a scanner using Firefox, I'll try again to run the Pandascan later or tomorrow.

Many thanks for your help.

 

[Ried]

What's wrong with I.E.? Are you getting any error messages?

Let's do this in the meantime:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

 

[Snorky]

The link goes to an old page - its been moved apparently. This seems to be the new one http://www.mwti.net/products/mwav/mwav.asp. Will report back in due course.

 

[Snorky]

The IE is a connection problem I think. My other pc IE isn't working this morning either. I'll post in relevant forum as BT say it isn't their fault this time.

Mwav results as follows.

File C:\Documents and Settings\Administrator\Desktop\New Folder\Nics\Academy\my logs\Old logs\log 6.txt infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
Object "RedV Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\2Wire_Wireless_WINDOWS" refers to invalid object "C:\Program Files\2Wire 802.11g Wireless\2Wire_Wireless_WINDOWS". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MediaRack.exe" refers to invalid object "C:\Program Files\C-Media 3D Audio\MediaRack.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\thiefg.exe" refers to invalid object "C:\ThiefG\thiefg.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".$$$". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".001". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".avg". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".FH10". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".iso". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lbl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".part". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".RST". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sav". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".torrent". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E08ED408-E365-4273-AA07-257CD6CD70F8}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{26443ba0-b735-11d0-8384-0040c7216358}" refers to invalid object "C:\Program Files\WinPortrait\wpcpl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98DDB7CA-0D08-43B1-A459-3453FA53BBF2}" refers to invalid object "C:\Program Files\Adobe\Photoshop 5.0 LE\photosle.exe /StiDevice:%1 /StiEvent:%2". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A302BA68-A1B0-11D7-A362-000476CE4CF1}" refers to invalid object "C:\PROGRA~1\YAMAHA\SGPTOO~1\MAGICS~1\MAGICS~1\MAGICS~1.EXE". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2E00600-E49D-11cf-94CF-00A02400D8F5}" refers to invalid object "C:\Program Files\Adobe\Photoshop 5.0 LE\photosle.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FC0429E3-4291-49BD-B8BE-2E6DAA06FCF3}" refers to invalid object "C:\Program Files\Adobe\Photoshop 5.0 LE\photosle.exe /StiDevice:%1 /StiEvent:%2". Action Taken: No Action Taken.
Entry "HKCR\.acf" refers to invalid object "Photoshop.CustomFilterKernel". Action Taken: No Action Taken.
Entry "HKCR\.asp" refers to invalid object "Photoshop.SepTablesFile". Action Taken: No Action Taken.
Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\V1J8R0a03012 tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\V1J8R0b03012 tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\New Folder\Nics\Academy\my logs\Old logs\log 6.txt infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\V1J8R0a03012 tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
File C:\Documents and Settings\Administrator\Local Settings\Temp\V1J8R0b03012 tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\New Folder\UBCD4WinV25.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\New Folder\UBCD4WinV25.zip tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
File C:\System Volume Information\_restore{57F84213-D72E-4419-AA4F-3FACA9A0ACF8}\RP206\A0066159.exe tagged as not-a-virusownloader.Win32.Agent.c. No Action Taken.

Apologies for the extra work with the invalid objects.

Many thanks

 

[Ried]

Hi Snorky,

To clean out those orphaned registry entries showing in Mwav, please download Ccleaner www.ccleaner.com Do not run it yet.

Upload this file C:\Documents and Settings\Administrator\Desktop\New Folder\Nics\Academy\my logs\Old logs\log 6.txt to http://virusscan.jotti.org/ and submit it. Wait for the analysis and post it here

Reboot into Safe Mode.

Click on the 'Issues' tab to clean registry. Be sure that box is checked to 'prompt to backup registry' in the Options>Advanced section.

Click 'Analyze', then 'Fix Issues'

 

[Snorky]

Hi Reid

Not sure what bit you wanted so posting both bits.

File: log_6.txt
Status: INFECTED/MALWARE
MD5 7e039e98e855bd85a96ee3cfee702a73
Packers detected: -

Scanner Results

AntiVir Found HTML/Exploit.Mhtml
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Exploit.HTML.Mht (probable variant)
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Statistics

Last file scanned at least one scanner reported something about: nada.exe, detected by:

Scanner Malware name

AntiVir BDS/Small.EL
ArcaVir Trojan.Small.El
Avast X
AVG Antivirus BackDoor.Generic.KNF
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet W32/Small.EO-net
Kaspersky Anti-Virus Backdoor.Win32.Small.el
NOD32 X
Norman Virus Control X
UNA X
VBA32 Backdoor.Win32.Small.el


I appreciate your time on this and hope above is readable.

 

[POADB]

Snorky - you should come acustomed to such procedures, as your training nears the end - you shall be expected to make such judgements on your own. Take for example, log6.txt which we asked you to upload to jotti:

The only virus scanners to flag it was Antivir & Kaspersky, which was bundled with mwav.exe in the first scan:

AntiVir Found HTML/Exploit.Mhtml
Kaspersky Anti-Virus Found Exploit.HTML.Mht (probable variant).

Since this was the only results, and since we know log6.txt of the practice range has no potential threat - we can rule this out as a false positive.

What is HTML/Exploit.Mhtml I here you ask -

This file has been detected because it contains an instruction which attempts to download and install a malicious program on your computer by using a security breach in Internet Explorer.

Kasperksy has likely recognised some of the 016's within in the log... so I assume.

Please download CleanUp! (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

 

[Snorky]

Thank you for your help Ried and POADB.

 

[POADB]

Can I see a new HJT log now please, and perhaps a scan from Panda? Also - how is your system behaving now?