Registered
Discussion Starter #1
I have many problems. I cannot update Windows either via the web or the downloaded SP1a. A Cryptographic Service error is reported; it is enabled in Services.
When online scanners are run, HouseCall results do not show up to select an action. When some websites are typed in I get % signs and popups; when Ewido is run and guarding I get Kolweb.b and Delf.cf, and McAfee gets a Downloader-JS. I cannot remove Kazaa from Add/Remove.

THANKS
Dan

Logfile of HijackThis v1.99.0
Scan saved at 9:00:14 PM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Web\PRINTERS\wmskey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-search.cgi?partner=wesb1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: eroptimizer.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: fferoptimizer.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\cbdodrah.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\nupa.dat (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\Web\dllms.exe
O4 - HKLM\..\Run: [*asiis] C:\WINDOWS\asiis.exe
O4 - HKLM\..\Run: [*infow] C:\WINDOWS\msagent\infow.exe
O4 - HKLM\..\Run: [*mp3win] C:\WINDOWS\Config\mp3win.exe
O4 - HKLM\..\Run: [*caburl] C:\WINDOWS\repair\caburl.exe
O4 - HKLM\..\Run: [*accfont] C:\WINDOWS\system32\Com\accfont.exe
O4 - HKLM\..\Run: [*netexp] C:\WINDOWS\repair\netexp.exe
O4 - HKLM\..\Run: [*unmfc] C:\WINDOWS\inf\unmfc.exe
O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
O4 - HKLM\..\Run: [*comole] C:\WINDOWS\AppPatch\comole.exe
O4 - HKLM\..\Run: [*dosutil] C:\WINDOWS\Web\dosutil.exe
O4 - HKLM\..\Run: [*xmlw] C:\WINDOWS\repair\xmlw.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e599f1103/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124669225998
O17 - HKLM\System\CCS\Services\Tcpip\..\{842D5252-7F0A-49A4-844D-37F66AB1E2AA}: NameServer = 192.168.1.74
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 9:00:14 PM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Web\PRINTERS\wmskey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-search.cgi?partner=wesb1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: eroptimizer.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: fferoptimizer.com
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\cbdodrah.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\nupa.dat (file missing)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\Web\dllms.exe
O4 - HKLM\..\Run: [*asiis] C:\WINDOWS\asiis.exe
O4 - HKLM\..\Run: [*infow] C:\WINDOWS\msagent\infow.exe
O4 - HKLM\..\Run: [*mp3win] C:\WINDOWS\Config\mp3win.exe
O4 - HKLM\..\Run: [*caburl] C:\WINDOWS\repair\caburl.exe
O4 - HKLM\..\Run: [*accfont] C:\WINDOWS\system32\Com\accfont.exe
O4 - HKLM\..\Run: [*netexp] C:\WINDOWS\repair\netexp.exe
O4 - HKLM\..\Run: [*unmfc] C:\WINDOWS\inf\unmfc.exe
O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
O4 - HKLM\..\Run: [*comole] C:\WINDOWS\AppPatch\comole.exe
O4 - HKLM\..\Run: [*dosutil] C:\WINDOWS\Web\dosutil.exe
O4 - HKLM\..\Run: [*xmlw] C:\WINDOWS\repair\xmlw.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e599f1103/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124669225998
O17 - HKLM\System\CCS\Services\Tcpip\..\{842D5252-7F0A-49A4-844D-37F66AB1E2AA}: NameServer = 192.168.1.74
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


End of KRC HijackThis Analyzer Log.
===============================================
 

TSF Security Team, Emeritus
Hello and Welcome to TSF!

Your computer is very SICK!! It's likely that we'll need several runs to get it working again.

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

Go to Windows Update & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:
1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

I require your next HJT log to be from this newer version


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating

Process Explorer

vundo.txt - Right click the file you downloaded ..and rename it to "vundo.reg".


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Double click on vundo.reg & answer Yes when prompted to merge.

Run CWShredder & click on Fix.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-sear...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: eroptimizer.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: fferoptimizer.com
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\cbdodrah.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\nupa.dat (file missing)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\Web\dllms.exe
O4 - HKLM\..\Run: [*asiis] C:\WINDOWS\asiis.exe
O4 - HKLM\..\Run: [*infow] C:\WINDOWS\msagent\infow.exe
O4 - HKLM\..\Run: [*mp3win] C:\WINDOWS\Config\mp3win.exe
O4 - HKLM\..\Run: [*caburl] C:\WINDOWS\repair\caburl.exe
O4 - HKLM\..\Run: [*accfont] C:\WINDOWS\system32\Com\accfont.exe
O4 - HKLM\..\Run: [*netexp] C:\WINDOWS\repair\netexp.exe
O4 - HKLM\..\Run: [*unmfc] C:\WINDOWS\inf\unmfc.exe
O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
O4 - HKLM\..\Run: [*comole] C:\WINDOWS\AppPatch\comole.exe
O4 - HKLM\..\Run: [*dosutil] C:\WINDOWS\Web\dosutil.exe
O4 - HKLM\..\Run: [*xmlw] C:\WINDOWS\repair\xmlw.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e59...tzip/RdxIE2.cab



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister DLL before deleting * if it's not grayed out
Select all the filenames below & then right-click & select Copy

  • C:\WINDOWS\Web\PRINTERS\wmskey.exe
    C:\WINDOWS\SYSTEM32\fy81.dll
    C:\WINDOWS\java\CLASSES\cap.exe
    C:\WINDOWS\java\CLASSES\cap.exe
    C:\WINDOWS\Web\dllms.exe
    C:\WINDOWS\asiis.exe
    C:\WINDOWS\msagent\infow.exe
    C:\WINDOWS\Config\mp3win.exe
    C:\WINDOWS\repair\caburl.exe
    C:\WINDOWS\system32\Com\accfont.exe
    C:\WINDOWS\repair\netexp.exe
    C:\WINDOWS\inf\unmfc.exe
    C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
    C:\WINDOWS\AppPatch\comole.exe
    C:\WINDOWS\Web\dosutil.exe
    C:\WINDOWS\repair\xmlw.exe
    C:\Program Files\Common Files\updater\wupdater.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Before we can proceed any further, please visit Microsoft's Windows Update Page and install ALL Critical Updates for your system (except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system). At the minimum install at least SP1a for both XP and IE6.

Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore, if you cannot update XP to SP1, we must stop the cleansing process here.

Thank you for your cooperation.
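The "Fix checked" list in the post above was built by eye from the log. As an added example (not part of the original thread, and not code from HijackThis, TSF, or any of the tools the helper names), the following Python script encodes the same judgements as heuristics and runs them over a sample constructed from lines in the poster's first log: BHOs and autoruns living in a Temp folder, autoruns dropped into Windows subdirectories that never hold EXEs, an autorun with no path, hosts-file overrides, IE search-setting hijacks, and an ActiveX control fetched from a bare IP. The directory list, the benign search host (www.dellnet.com, the OEM default in the log) and the reason strings are assumptions for this one machine, not a general allow/deny list.

```python
"""Triage heuristics for HijackThis (HJT) 1.99-style log lines.

Added example for this thread; not code from HijackThis or TSF. The folder
and host lists below are assumptions drawn from the posted log.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Windows folders that never legitimately hold auto-started EXEs (assumption:
# the set the posted log shows random names dropped into).
ODD_AUTORUN_DIRS = (
    r"c:\windows\repair", r"c:\windows\inf", r"c:\windows\apppatch",
    r"c:\windows\config", r"c:\windows\msagent", r"c:\windows\java\classes",
    r"c:\windows\web", r"c:\windows\system32\catroot", r"c:\windows\system32\com",
)
BENIGN_SEARCH_HOSTS = {"www.dellnet.com"}  # OEM default seen in the log

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
PATH_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|dat|tmp|ocx|cab|lnk)\b")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def is_temp_path(p: str) -> bool:
    low = p.lower()
    return "\\temp\\" in low or "\\locals~1\\" in low


def in_odd_dir(p: str) -> bool:
    low = p.lower()
    return any(low.startswith(d + "\\") for d in ODD_AUTORUN_DIRS)


def url_host(text: str) -> str:
    m = URL_RE.search(text)
    return (urlsplit(m.group(0)).hostname or "") if m else ""


def reasons(sec: str, body: str) -> List[str]:
    """Heuristics for one HJT line; an empty list means nothing odd was seen."""
    out: List[str] = []
    path = first_path(body)
    if sec in ("R0", "R1"):
        host = url_host(body)
        if host and host not in BENIGN_SEARCH_HOSTS:
            out.append(f"IE start/search setting redirected to {host}")
    elif sec == "R3" and "missing" in body.lower():
        out.append("default URLSearchHook removed (search-hijacker signature)")
    elif sec == "O1":
        out.append("hosts-file override for " + body.split(":", 1)[1].strip())
    elif sec == "O2":
        if "(file missing)" in body:
            out.append("BHO CLSID registered but DLL gone (dead entry, still fix)")
        if path and is_temp_path(path):
            out.append("BHO loaded from a Temp folder")
        if path and path.lower().endswith((".dat", ".tmp")):
            out.append("BHO is a renamed DLL (.dat/.tmp extension)")
    elif sec == "O4":
        m = O4_RE.match(body)
        name, cmd = (m.group("name"), m.group("cmd")) if m else ("", body.split(" = ", 1)[-1])
        if name.startswith("*"):
            # Windows runs RunOnce values whose name begins with '*' even in
            # Safe Mode; a cluster of such random names is a dropper's set.
            out.append("value name prefixed with '*' (Safe-Mode-run convention)")
        if path is None:
            if cmd.strip() != "?":  # HJT prints '?' when it cannot resolve a .lnk
                out.append("autorun with no directory (found via PATH search)")
        else:
            if is_temp_path(path):
                out.append("autorun from a Temp folder")
            if in_odd_dir(path):
                out.append("autorun EXE in a Windows folder that never holds EXEs")
            if path.lower().endswith(".tmp"):
                out.append("autorun target is a .tmp file")
    elif sec == "O16":
        host = url_host(body)
        if IPV4_RE.match(host):
            out.append(f"ActiveX control fetched from a bare IP ({host})")
    elif sec == "O20":
        if "(file missing)" in body or (path and is_temp_path(path)):
            out.append("Winlogon Notify DLL in Temp or missing (loads into winlogon.exe)")
    return out


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every reason on every line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            for why in reasons(m.group("sec"), m.group("body")):
                findings.append((m.group("sec"), why, line))
    return findings


# Constructed sample: a subset of lines from the poster's first HJT log.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-search.cgi?partner=wesb1&look=sbar1_srchbtn",
    r"R3 - Default URLSearchHook is missing",
    r"O1 - Hosts: styfind.com",
    r"O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat",
    r"O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)",
    r"O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE",
    r"O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp",
    r"O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe",
    r"O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe",
    r"O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e599f1103/netzip/RdxIE2.cab",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124669225998",
    r"O20 - Winlogon Notify: kbsrv - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vrsbk.dat (file missing)",
]

if __name__ == "__main__":
    for sec, why, line in triage(SAMPLE_LOG):
        print(f"{sec:<4} {why}\n     {line}")
```

Running it prints one line per reason. The measure of a heuristic is what it leaves alone: the Dell keyboard autorun, the unresolved Works shortcut and the Microsoft Update control stay unflagged. It also shows the limit of this approach: fy81.dll in System32, which the helper did put on the fix list, trips none of these rules, because a random-looking name in a legitimate folder still needs a human (or a hash lookup) to judge.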
 

Registered
Discussion Starter #3
Questions before I start

I have been unsuccessful installing Windows Update either via the web or the downloaded SP1a burned to CD. It is a legit copy of XP.

Do I run any in Safe Mode? You didn't say to, but I'm double checking.

"Save other programs to the same directory as HJT": do you mean the Program Files folder or the actual HJT folder inside the Program Files folder?

For Trend Micro, do I download it first and then run it, or run it from the Run/Save dialog box?
You said double-click, so I assume save it, but I just want to be clear.
Thanks
 

Registered
Discussion Starter #5
New Hijack This problem

I can't even get past the first step. When I try to install the new hijackthis_sfx.exe file you gave me, McAfee keeps deleting it because it finds a W32/Generic.worm!p2p memory virus.

What should I do?

Also, should I turn off System Restore before I start?
Thanks
 

TSF Security Team, Emeritus
McAfee has been known to do that. For some strange reason, it seems to be the only Antivirus program that flags HijackThis as a virus.

This was taken from Merijn's site:
May 22, 2005:
McAfee is at it again, unfortunately. Yes, I am aware of the fact that McAfee detects HijackThis 1.99.1 as a generic worm. For the fourth time. Yes, I am aware of the fact that McAfee detects the StartupList standalone as an mhtml exploit webpage. This makes respectively the fifth and sixth time McAfee has mistakenly detected one of my programs as some brand of virus. And I'm getting pretty tired of this. Am I supposed to email each and every new version of a program I publish to McAfee so they can verify that UPX compression does not automatically equal a scary virus??
Turn off McAfee's realtime scanner. There's nothing to worry about.
Looking at your previous log, McAfee hasn't done that good a job for you :grin:
 

Registered
Discussion Starter #7
Killbox questions

When I get to Killbox and copy the text you stated from Notepad and attempt to paste from the clipboard, I only get three items listed in the drop-down box. Do I have to do them individually? When asked to clean after reboot I click Yes, then it asks to reboot now. If I have to do them all individually, do I reboot after all have been killed?

Thanks
 

TSF Security Team, Emeritus
HJT reads entries from the registry. It doesn't validate the presence of the physical file. If Killbox lists only 3 files, that means the rest of them do not exist anymore. Please proceed with the fix.
 

Registered
Discussion Starter #9
Some progress, pc is faster now.

I was able to run and clean some things. I may have some hardware issues.
I was unable to run the Panda scan. I'm still unable to update Windows: both the web update and the disk install keep getting an update.inf and Cryptographic Services error. ActiveX controls keep resetting, and TMAS keeps posting the Morpheus results, but I can't seem to find them and I thought I had removed them. Hi-Wire and Virtumonde were the ones I noticed the most whilst removing problems.
Logs are here:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:02:10 AM, on 9/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124669225998
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{842D5252-7F0A-49A4-844D-37F66AB1E2AA}: NameServer = 192.168.1.74
O20 - Winlogon Notify: kbsrv - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vrsbk.dat (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe


End of KRC HijackThis Analyzer Log.
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=CROWNHARTS
Time=Thu Sep 15 01:25:07 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition (Build 2600)

--------------------------------- Anti-Spyware session started ---------------------------------
Machine=CROWNHARTS
Time=Thu Sep 15 01:25:34 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Windows Shell Settings: Found 'Administrative Tools' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Files and Directories: Found '' in 'C:\Program Files\Morpheus'
Files and Directories: Found '' in 'C:\Program Files\Morpheus\My Shared Folder'
Finished Scanning
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=CROWNHARTS
Time=Thu Sep 15 01:48:56 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition (Build 2600)

Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Windows Policy Settings: Found 'AUOptions' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=CROWNHARTS
Time=Thu Sep 15 09:36:23 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
 

Registered
Discussion Starter #11
Update question w/tmas

Do I need to disable all real-time scanners while attempting the IE6 update? TMAS keeps popping up saying Windows startup changes have been made with its Venus Flytrap feature and that it has not passed Microsoft signing.

Thanks
 

Registered
Discussion Starter #12
Problems -they are back

I had been doing much of this work offline. When I plugged back in to update IE6, TMAS and Ewido found both Hi-Wire and Virtumonde again. This is so frustrating! Keep plugging away, I guess.

Unless you instruct me to do something else should I unplug and start at the beginning of the process and post new logs?


Thanks
 

TSF Security Team, Emeritus
Let's ignore Ewido & TMAS notifications for the moment. Finish the IE6 update & post a new HJT log.
 

Registered
Discussion Starter #14
Pc Add

All Done Dancing!
Hi Subs
I screwed something up good!
I tried to install IE6 ignoring the 2 security apps, and then my NIC wouldn't work. I tried to fix/reinstall, and then I couldn't log in: "my profile was corrupted".
I backed everything up. I just didn't want to have to reinstall programs and drivers.

I have to search TSF to find out how to clean install with the small FAT and NTFS system partitions. If you have a link to specifics, that would be great!

Thanks for all the help!
 

TSF Security Team, Emeritus
Installing Internet Explorer would not corrupt your user profile. I suggest that you do a system restore to repair the profile.
 

Registered
Discussion Starter #16
Wish

I wish I could. I can't even log in. I tried starting from the XP CD and it wouldn't let me repair XP, only do a "fresh" install. After the NIC and corrupt-profile problems I removed the other user, as she had very few things in her profile. That was probably my mistake!
 

TSF Security Team, Emeritus
Do you have any data you wish to save from Drive C:? You can slave it to another PC & save that data.

You can format & then clean install into Drive C: only.
 