Tech Support banner

Status
Not open for further replies.
1 - 14 of 14 Posts

·
Registered
Joined
·
33 Posts
Discussion Starter · #1 ·
Here is my Hi-Jack log. I am having some issues with my internet recently. It will decide to not work for about 5 minute intervals, sometimes rebooting helps, sometimes not. Granted, I am on a wireless connection, but I never had this problem until recently. Also, I seem to be getting more pop-ups than usual, and I have my pop-up blocker installed and running. Thanks for any help

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:21:14 PM, on 9/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117943373421
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello rmerritt,

I'm not seeing anything in this log. What kind of pop-ups are you getting?

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Reboot into Safe Mode.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
-Empty Recycle Bins
-Temporary Internet Files
-Delete Cookies
-Delete Prefetch files
-[X]Scan local drives for temporary files (Please uncheck this option)
-Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

From Normal Mode:

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Registered
Joined
·
33 Posts
Discussion Starter · #3 ·
Sorry it took me so long ot get back on this, the weekend is the only time i have available.

Here's my PandaScan:

Incident Status Location

Adware:adware/neededware No disinfected Windows Registry

and here is my New HijackThis log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:04:28 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avant Browser\avant.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117943373421
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


End of KRC HijackThis Analyzer Log.
 

·
Premium Member
Joined
·
14,311 Posts
OK, keep in mind that this might not work...but I think it's worth a try. Do the following:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Click on mdnsnsp.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Bonjour

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local.,
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Bonjour\

Restart and run a new HijackThis scan. Save the log file and post it here.
 

·
Registered
Joined
·
33 Posts
Discussion Starter · #5 · (Edited)
Ok, I did all the reccommended actions, and when i restarted for the first time (in safe mode), it gave me the option as logging in as "Administrator" or as "rob", which is myself, but whenever i turn on the computer normally it does not give me this option, i'm not networked to other users and i'm the only one that uses this comp, (maybe it's the wireless network i'm hooked to?) I signed in as Admin cause i figured that would be best. But before i did anything else i made sure those options were unchecked in the view tab of the folder options, which is a good thing i did because they were still checked. There was no "Bonjour" in my add/remove program files, and I ran the hijackthis and fixed the "O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe" that came up but it did not find the other one. I also went into my program files and found and deleted the Bonjour folder. I rebooted (not in safe mode, and into my normal account) and again looked for the bonjour in add/remove and the program files directory, finding it in neither. I ran the hijackthis again and this time it turned up the "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local.,", ,which i fixed. Then ran it again and saved and analyzed the log, which is as follows.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:32:55 PM, on 10/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117943373421
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
How is the system running now? Are you still having internet issues and pop-ups?
 

·
Registered
Joined
·
33 Posts
Discussion Starter · #7 ·
I'm not having any more pop-ups but I still have my internet connection stop after a while randomly. I don't think it's cause I'm on a wireless though cause if I reset then it works fine again. Also, my AIM doesn't disconnect when it happens, just my browser won't find any pages. And I've tried other browsers too. I have noticed that when I start my laptop lately a window opens in the task bar like a program is starting and then suddenly dissappears. I don't know what this is because there is never a name on it and it's too fast for me to click on it. Seeing as how it's been a week, should I post another HiJack Log? Thanks for the help.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Yes, please post another HijackThis log as well as the following:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
 

·
Registered
Joined
·
33 Posts
Discussion Starter · #9 ·
Ok here is the startdrek log:
StartDreck (build 2.1.7 public stable) - 2005-10-10 @ 08:33:30 (GMT -06:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Rob at RMERRITT

»Registry
»Run Keys
»Current User
»Run
*TOSCDSPD=C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*AGRSMMSG=AGRSMMSG.exe
*Apoint=C:\Program Files\Apoint2K\Apoint.exe
*CeEKEY=C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
*TPNF=C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
*PadTouch=C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
*CeEPOWER=C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
*Pinger=c:\toshiba\ivp\ism\pinger.exe /run
*HP Component Manager="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
*RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
*RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
*MCAgentExe=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
*VSOCheckTask="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
*VirusScan Online=C:\Program Files\McAfee.com\VSO\mcvsshld.exe
*OASClnt=C:\Program Files\McAfee.com\VSO\oasclnt.exe
*MPFExe=C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*iTunesHelper="C:\Program Files\iTunes\iTunesHelper.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Avant Browser\avant.exe" %1
+.html
*htmlfile="C:\Program Files\Avant Browser\avant.exe" %1
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*MSEvents.MSEvents.1/{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
`InprocServer32=C:\WINDOWS\System32\ddcyy.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://www.toshiba.com/search
*Search Page=
*Start Page=http://mail.yahoo.com/
+SearchUrl
*provider=
»Default User
*Search Bar=http://www.toshiba.com/search
*Start Page=http://toshibadirect.com/
»Local Machine
*Default_Page_URL=http://toshibadirect.com/
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=
*Start Page=http://mail.yahoo.com/
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Rob\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+560=\SystemRoot\System32\smss.exe
+608=\??\C:\WINDOWS\system32\csrss.exe
+632=\??\C:\WINDOWS\system32\winlogon.exe
+676=C:\WINDOWS\system32\services.exe
+688=C:\WINDOWS\system32\lsass.exe
+844=C:\WINDOWS\System32\Ati2evxx.exe
+872=C:\WINDOWS\system32\svchost.exe
+900=C:\WINDOWS\System32\svchost.exe
+976=C:\WINDOWS\System32\ACS.exe
+1084=C:\WINDOWS\System32\svchost.exe
+1120=C:\WINDOWS\System32\svchost.exe
+1444=C:\WINDOWS\system32\spoolsv.exe
+1540=C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
+1552=C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
+1576=C:\WINDOWS\System32\DVDRAMSV.exe
+1624=c:\program files\mcafee.com\agent\mcdetect.exe
+1640=c:\PROGRA~1\mcafee.com\vso\mcshield.exe
+1660=c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
+1908=c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
+2036=C:\WINDOWS\Explorer.EXE
+180=C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
+392=C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
+404=C:\WINDOWS\System32\svchost.exe
+452=c:\progra~1\mcafee.com\vso\mcvsescn.exe
+476=c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
+492=c:\program files\mcafee.com\agent\mcagent.exe
+612=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+864=C:\WINDOWS\AGRSMMSG.exe
+928=C:\WINDOWS\System32\wdfmgr.exe
+984=C:\Program Files\Apoint2K\Apoint.exe
+1000=C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
+1012=C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
+1200=C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
+1240=C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
+1248=C:\toshiba\ivp\ism\pinger.exe
+1280=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
+1424=C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
+1876=C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
+1940=C:\Program Files\iTunes\iTunesHelper.exe
+1968=C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
+1988=C:\WINDOWS\System32\ctfmon.exe
+2120=C:\Program Files\Apoint2K\Apntex.exe
+2164=C:\WINDOWS\system32\RAMASST.exe
+2192=C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
+2612=C:\Program Files\iPod\bin\iPodService.exe
+2156=C:\Program Files\AIM\aim.exe
+2424=c:\progra~1\mcafee.com\vso\mcvsftsn.exe
+2520=C:\Program Files\Avant Browser\avant.exe
+772=C:\startdreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

and here is a new HiJackThis log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:33:58 AM, on 10/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Avant Browser\avant.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddcyy.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117943373421
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\System32\ddcyy.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to extract the files

*This will create a VundoFix folder on your desktop.
*After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
*Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
*You will first be presented with a warning and a list of forums to seek help at.
it should look like this
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

At this point press enter one time.

Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\ddcyy.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point, please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\yycdd.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open.

In HiJackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddcyy.dll
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\System32\ddcyy.dll


After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
** Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
-Empty Recycle Bins
-Delete Cookies
-Delete Prefetch files
-Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
 

·
Registered
Joined
·
33 Posts
Discussion Starter · #11 ·
ok will do, but before i start, when i reboot into safe mode do you want me to log in as admin or as myself? As i mentioned before, I'm the only user on this comp and the only time it gives me that option is when I log in in safe mode.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
If all you've used is the User account, log in with that. :smile:
 

·
Registered
Joined
·
33 Posts
Discussion Starter · #13 ·
ok, couple of notes first:
when I rebooted the second time, FROM safe mode into normal, I saw that non-descript window pop open in the task bar for a fraction of a sec again. When I was in safe mode and did the HiJackThis it did not find the O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddcyy.dll, but it did find the other one, although that one had next to it in paranthesis (file missing) but i checked it and hit fix anyway. The online Panda Scan thing wasn't working, i clicked to button several times and nothing happen (yes i turned off my popup blocker). Other than that, here's my new HiJackThis log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:23:39 PM, on 10/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Avant Browser\avant.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117943373421
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


End of KRC HijackThis Analyzer Log.
====================================================================

and here's the vundofix.txt:


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Suspending PID 184 'smss.exe'
Threads [188][192][196]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 756 'explorer.exe'
Killing PID 756 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 256 'winlogon.exe'
Killing PID 256 'winlogon.exe'
Killing PID 256 'winlogon.exe'
Killing PID 256 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


Thanks again for the help!
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Since you can't run the Panda Scan, please do the following:

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Reboot into Safe Mode.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily and post the results here along with a new HijackThis log.
 
1 - 14 of 14 Posts
Status
Not open for further replies.
Top