Multiple issues,Update, Web Hijack,trojans HJT analyzer

1968 Views 16 Replies 2 Participants Last post by sUBs, Sep 16, 2005

jabear

Discussion Starter · Sep 9, 2005

I have many problems. I cannot update windows either via web or downloaded sp1a. Cryptographic service error reported it is enabled in services
when online scanners are run housecall results do not show up to select action. When some websites are typed in I get % signs, popups when ewido is run and guarding I get kolweb.b and delf.cf McAfee gets a Downloader -JS. I cannot remove kazaa from add/remove
THANKS
Dan

Logfile of HijackThis v1.99.0
Scan saved at 9:00:14 PM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Web\PRINTERS\wmskey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-search.cgi?partner=wesb1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: eroptimizer.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: fferoptimizer.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\cbdodrah.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\nupa.dat (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\Web\dllms.exe
O4 - HKLM\..\Run: [*asiis] C:\WINDOWS\asiis.exe
O4 - HKLM\..\Run: [*infow] C:\WINDOWS\msagent\infow.exe
O4 - HKLM\..\Run: [*mp3win] C:\WINDOWS\Config\mp3win.exe
O4 - HKLM\..\Run: [*caburl] C:\WINDOWS\repair\caburl.exe
O4 - HKLM\..\Run: [*accfont] C:\WINDOWS\system32\Com\accfont.exe
O4 - HKLM\..\Run: [*netexp] C:\WINDOWS\repair\netexp.exe
O4 - HKLM\..\Run: [*unmfc] C:\WINDOWS\inf\unmfc.exe
O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
O4 - HKLM\..\Run: [*comole] C:\WINDOWS\AppPatch\comole.exe
O4 - HKLM\..\Run: [*dosutil] C:\WINDOWS\Web\dosutil.exe
O4 - HKLM\..\Run: [*xmlw] C:\WINDOWS\repair\xmlw.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e599f1103/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124669225998
O17 - HKLM\System\CCS\Services\Tcpip\..\{842D5252-7F0A-49A4-844D-37F66AB1E2AA}: NameServer = 192.168.1.74
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe

Analyzer
g was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 9:00:14 PM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Web\PRINTERS\wmskey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-search.cgi?partner=wesb1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: eroptimizer.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: fferoptimizer.com
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\cbdodrah.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\nupa.dat (file missing)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\Web\dllms.exe
O4 - HKLM\..\Run: [*asiis] C:\WINDOWS\asiis.exe
O4 - HKLM\..\Run: [*infow] C:\WINDOWS\msagent\infow.exe
O4 - HKLM\..\Run: [*mp3win] C:\WINDOWS\Config\mp3win.exe
O4 - HKLM\..\Run: [*caburl] C:\WINDOWS\repair\caburl.exe
O4 - HKLM\..\Run: [*accfont] C:\WINDOWS\system32\Com\accfont.exe
O4 - HKLM\..\Run: [*netexp] C:\WINDOWS\repair\netexp.exe
O4 - HKLM\..\Run: [*unmfc] C:\WINDOWS\inf\unmfc.exe
O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
O4 - HKLM\..\Run: [*comole] C:\WINDOWS\AppPatch\comole.exe
O4 - HKLM\..\Run: [*dosutil] C:\WINDOWS\Web\dosutil.exe
O4 - HKLM\..\Run: [*xmlw] C:\WINDOWS\repair\xmlw.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e599f1103/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124669225998
O17 - HKLM\System\CCS\Services\Tcpip\..\{842D5252-7F0A-49A4-844D-37F66AB1E2AA}: NameServer = 192.168.1.74
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

End of KRC HijackThis Analyzer Log.
===============================================

Top Contributors this Month