Jump to content

Recommended Posts

I am having a serious problem with my Dell D600 laptop. It appears that "winlogon.exe" is really a virus that sucks up all of my system resources until the laptop grinds to a halt. In addition, it appears that McAfee has been compromised in some way. I can't run McAfee in Safe Mode. The McAfee Email Proxy agent goes crazy and also grinds the laptop to a halt. I have run Spybot S&D, AdAware, and McAfee. All acknowledge the infection, but none can remove it.

 

Here is my log from HijackThis. Any help you can recommend is appreciated!

Shawn

=====================================================

Logfile of HijackThis v1.99.1

Scan saved at 11:55:45 AM, on 12/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\WINDOWS\System32\dllcache\aolserver.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\repair\smrs.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...182/mcfscan.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: acif3vaniqa7a - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\158658.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: SrV-AOLv3 - Unknown owner - C:\WINDOWS\System32\dllcache\aolserver.exe

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Sys_SM-Service - Unknown owner - C:\WINDOWS\repair\smrs.exe

O23 - Service: TapiSrv - Unknown owner - C:\WINDOWS\TEMP\130647.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Link to post
Share on other sites

Sorry to be the bearer of bad news :( but you have some very bad trojans here:

C:\WINDOWS\system32\ntos.exe

http://www.symantec.com/security_response/...-99&tabid=1

Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.

 

C:\WINDOWS\repair\smrs.exe

http://www.sophos.com/virusinfo/analyses/w32agobotrc.html

Turns off anti-virus applications

Allows others to access the computer

Steals information

Downloads code from the internet

Reduces system security

Records keystrokes

 

There is more that I can't identify!

 

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

 

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

 

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

 

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

 

Please let us know what you have decided to do in your next post.

 

Thanks

Link to post
Share on other sites

Aarrgh. That is unfortunate. And I thought that I was running a pretty tight ship here at my house. I would prefer to try to kill these first, as I'm behind a router and firewalled, which should minimize some of the risks. The other issue would be backing up files safely from the laptop before a re-format. I have my XP disk, but I don't relish the thought of rebuilding the laptop from scratch, finding installation keys for downloaded programs, etc.

 

Let's try to get rid of the invaders.

 

 

Sorry to be the bearer of bad news :( but you have some very bad trojans here:

C:\WINDOWS\system32\ntos.exe

http://www.symantec.com/security_response/...-99&tabid=1

Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.

 

C:\WINDOWS\repair\smrs.exe

http://www.sophos.com/virusinfo/analyses/w32agobotrc.html

Turns off anti-virus applications

Allows others to access the computer

Steals information

Downloads code from the internet

Reduces system security

Records keystrokes

 

There is more that I can't identify!

 

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

 

One or more of the identified infections is a backdoor trojan.

This allows s to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

 

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

 

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

 

Please let us know what you have decided to do in your next post.

 

Thanks

 

Link to post
Share on other sites

OK, we will proceed as you wish. I would appreciate it if you would not quote my instructions, waste of space and we can both scroll back to see what I said.

 

Start by deleted the out of date version of HJT you are running:

C:\Program Files\HijackThis\HijackThis.exe

 

Follow these directions to get the new version and properly position it.

Download Trend Micro Hijack This™

http://download.bleepingcomputer.com/hijac.../HJTInstall.exe

Doubleclick the HJTInstall.exe to start it.

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

HijackThis will open after install. Press the Scan button below.

This will start the scan and open a log.

Copy and paste the contents of the log in your next reply.

 

Keep this computer offline except when you are troubleshooting, as soon as I see a new HJT log with version 2.0.2 I will post the first instructions.

 

Thanks

Link to post
Share on other sites

Happy New Year!

Sorry, it was not clear to me how to post without quoting the previous message in its entirety.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:09:35 PM, on 1/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\WINDOWS\System32\dllcache\aolserver.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\repair\smrs.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...182/mcfscan.cab

O23 - Service: McAfee Application Installer Cleanup (0129191199210398) (0129191199210398mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\012919~1.EXE

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: acif3vaniqa7a - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\158658.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: SrV-AOLv3 - Unknown owner - C:\WINDOWS\System32\dllcache\aolserver.exe

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Sys_SM-Service - Unknown owner - C:\WINDOWS\repair\smrs.exe

O23 - Service: TapiSrv - Unknown owner - C:\WINDOWS\TEMP\130647.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

--

End of file - 9568 bytes

Link to post
Share on other sites

You are doing fine now, just click on "New Reply" then copy/paste your information, do not quote or code.

Read and follow the instructions carefully, the tools will not work unless you do.

 

Thanks to andymanchesta and anyone else who helped with the fix.

 

Download SDFix and save it to your Desktop

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode, then press Enter.

Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 

Thanks

Link to post
Share on other sites

SDFix Log and HJT Log follow. Thank you for your efforts.

 

 

SDFix: Version 1.122

 

Run by cust on Wed 01/02/2008 at 07:43 AM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

smtpdrv

 

Path:

System32\DRIVERS\smtpdrv.sys

 

smtpdrv - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\13.TMP - Deleted

C:\3.TMP - Deleted

C:\5.TMP - Deleted

C:\C.TMP - Deleted

C:\E.TMP - Deleted

C:\E8.TMP - Deleted

C:\WINDOWS\system32\7_exception.nls - Deleted

C:\WINDOWS\system32\drivers\smtpdrv.sys - Deleted

C:\WINDOWS\system32\h.exe - Deleted

C:\WINDOWS\system32\u.exe - Deleted

C:\WINDOWS\system32\drivers\smtpdrv.sys - Deleted

C:\WINDOWS\system32\drivers\ctl_w32.sys - Deleted

C:\WINDOWS\system32\ntos.exe - Deleted

C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

C:\WINDOWS\system32\wsnpoem\video.dll - Deleted

 

 

 

Folder C:\WINDOWS\system32\wsnpoem - Removed

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-02 08:12:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Jcv46]

"Type"=dword:00000001

"Tag"=dword:00000002

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Jcv46]

"Type"=dword:00000001

"Tag"=dword:00000002

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Jcv46]

"Type"=dword:00000001

"Tag"=dword:00000002

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

C:\WINDOWS\system32\drivers\symavc32.sys 178688 bytes executable

C:\WINDOWS\system32\drivers\Jcv46.sys 185344 bytes executable

 

scan completed successfully

hidden processes: 0

hidden services: 1

hidden files: 2

 

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\Common Files\\AOL\\1142221563\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1142221563\\ee\\aolsoftware.exe:*:Enabled:AOL Services"

"C:\\Program Files\\Common Files\\AOL\\1142221563\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1142221563\\ee\\aim6.exe:*:Enabled:AIM"

"C:\\Program Files\\Microsoft Office\\OFFICE11\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

"C:\\Program Files\\Kinko's\\FPFK\\FPKMain.exe"="C:\\Program Files\\Kinko's\\FPFK\\FPKMain.exe:*:Enabled:File, Print FedEx Kinko's"

"C:\\Program Files\\Kinko's\\FPFK\\Kinkos.Jupiter.GUI.Queue.exe"="C:\\Program Files\\Kinko's\\FPFK\\Kinkos.Jupiter.GUI.Queue.exe:*:Enabled:File, Print FedEx Kinko's System Tray"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"

"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"

"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

"C:\\Documents and Settings\\All Users\\Documents\\Alex's Music\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\All Users\\Documents\\Alex's Music\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Enabled:backWeb-8876480"

"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"="C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe:*:Enabled:McAfee Data Backup"

"C:\\WINDOWS\\system32\\wmedia32.exe"="C:\\WINDOWS\\system32\\wmedia32.exe:*:Enabled:ENABLE"

"C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody Media Player"

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

Remaining Files:

---------------

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

Thu 18 Oct 2007 87,552 ..SHR --- "C:\WINDOWS\repair\smrs.exe"

Mon 25 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Thu 17 May 2007 89,600 ..SHR --- "C:\WINDOWS\system32\dllcache\aolserver.exe"

Wed 7 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Fri 21 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5b662b7887793c36c7b10d29ea0e0cdc\BIT2.tmp"

Fri 21 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"

 

Finished!

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:09:16 AM, on 1/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\WINDOWS\System32\dllcache\aolserver.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\repair\smrs.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\WINDOWS\system32\cidaemon.exe

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...182/mcfscan.cab

O23 - Service: acif3vaniqa7a - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\158658.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: SrV-AOLv3 - Unknown owner - C:\WINDOWS\System32\dllcache\aolserver.exe

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Sys_SM-Service - Unknown owner - C:\WINDOWS\repair\smrs.exe

O23 - Service: TapiSrv - Unknown owner - C:\WINDOWS\TEMP\130647.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

--

End of file - 9356 bytes

Link to post
Share on other sites

Thanks for returning your information:

 

I need your to check a couple of files, your will need to enable all files and folders to do it:

How to make files and folders visible:

Click Start > Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm. Click OK.

You may reverse this for safety when we are finished.

 

Use one or more of these free online scan and post the results:

http://virusscan.jotti.org/

http://www.kaspersky.com/scanforvirus

http://www.virustotal.com/

 

These are the files to scan:

C:\WINDOWS\repair\smrs.exe

C:\WINDOWS\System32\rsvp.exe

C:\WINDOWS\System32\dllcache\aolserver.exe

 

 

1) Please download ATF Cleaner by Atribune

http://www.atribune.org/content/view/25/2/

Save it to your Desktop. We will use this later.

 

2) Disable the Service

Click Start > Run and type services.msc

Scroll down to acif3vaniqa7a and right click on it.

Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

 

RasMan and TapiSrv <<< do the same thing for those two services in red.

 

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

 

Close all programs but HJT and all browser windows, then click on "Fix Checked"

 

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

 

C:\WINDOWS\TEMP\ <<< delete the contents of that TEMP folder (not the folder)

 

C:\WINDOWS\system32\ntos.exe<<< delete that file if there

 

5) Run ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Click Select All found at the bottom of the list.

Click the Empty Selected button.

Click Exit on the Main menu to close the program.

 

Post the information from the file scan and a new HJT log.

 

Thanks

Link to post
Share on other sites

Followed your instructions. I couldn't delete some of the files in the Temp folder. It

 

said they were in use by another program. Should I go into Safe mode to try to delete them?

 

Also, in HJT, I see that one of the items that you told me to check (F2...\ntos.exe) is

 

still there in the new log file. Are we making progress, or is this just confirmation of

 

your original diagnosis and I have a C:\ re-format in my future?

 

 

Kaspersky

Scanned file: smrs.exe - Infected

 

smrs.exe - infected by Backdoor.Win32.SdBot.aad

 

Scanned file: rsvp.exe - Clean

 

 

Scanned file: aolserver.exe - Infected

 

aolserver.exe - infected by Backdoor.Win32.SdBot.aad

 

====================================================

VirusTotal

 

Scanned File - C:\WINDOWS\repair\smrs.exe

 

Antivirus Version Last Update Result

AhnLab-V3 - - -

AntiVir - - Worm/SdBot.87552.3

Authentium - - -

Avast - - -

AVG - - IRC/BackDoor.SdBot3.VFW

BitDefender - - -

CAT-QuickHeal - - Backdoor.SdBot.aad

ClamAV - - -

DrWeb - - -

eSafe - - Win32.SdBot.aad

eTrust-Vet - - -

Ewido - - -

FileAdvisor - - -

Fortinet - - -

F-Prot - - -

F-Secure - - Backdoor.Win32.SdBot.aad

Ikarus - - Backdoor.Win32.Rbot.cgu

Kaspersky - - Backdoor.Win32.SdBot.aad

McAfee - - -

Microsoft - - -

NOD32v2 - - -

Norman - - W32/Hupigon.gen76

Panda - - Suspicious file

Prevx1 - - BACKDOOR.DIMPY.WIN32VBSY.Q

Rising - - -

Sophos - - -

Sunbelt - - VIPRE.Suspicious

Symantec - - -

TheHacker - - Backdoor/SdBot.aad

VBA32 - - -

VirusBuster - - -

Webwasher-Gateway - - Worm.SdBot.87552.3

Additional information

MD5: a2f5f3b60836120c62b45decfb1ad96d

 

Scanned File - C:\WINDOWS\System32\rsvp.exe

 

Antivirus Version Last Update Result

AhnLab-V3 - - -

AntiVir - - TR/Crypt.XPACK.Gen

Authentium - - -

Avast - - Win32:Agent-PBE

AVG - - Downloader.Generic6.XBY

BitDefender - - Trojan.Downloader.Nurech.BX

CAT-QuickHeal - - -

ClamAV - - -

DrWeb - - Trojan.DownLoader.38087

eSafe - - -

eTrust-Vet - - Win32/Chepvil!generic

Ewido - - -

FileAdvisor - - -

Fortinet - - -

F-Prot - - -

F-Secure - - -

Ikarus - - Trojan-Downloader.Nurech.BX

Kaspersky - - -

McAfee - - -

Microsoft - - TrojanDownloader:Win32/Chepvil.gen!A

NOD32v2 - - Win32/TrojanDownloader.Nurech.NCE

Norman - - -

Panda - - -

Prevx1 - - Trojan.Nudos

Rising - - -

Sophos - - Mal/Generic-A

Sunbelt - - Trojan-Downloader.Nurech.Gen

Symantec - - -

TheHacker - - -

VBA32 - - -

VirusBuster - - -

Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

Additional information

MD5: 337915d40c893b64ef57fe3866dadb8f

 

 

Scanned File - C:\WINDOWS\System32\dllcache\aolserver.exe

 

Antivirus Version Last Update Result

AhnLab-V3 2008.1.3.10 2008.01.02 -

AntiVir 7.6.0.46 2008.01.02 HEUR/Crypted

Authentium 4.93.8 2008.01.02 -

Avast 4.7.1098.0 2008.01.02 -

AVG 7.5.0.516 2008.01.02 -

BitDefender 7.2 2008.01.03 -

CAT-QuickHeal 9.00 2008.01.02 (Suspicious) - DNAScan

ClamAV 0.91.2 2008.01.02 -

DrWeb 4.44.0.09170 2008.01.02 -

eSafe 7.0.15.0 2008.01.02 Suspicious File

eTrust-Vet 31.3.5426 2008.01.03 -

Ewido 4.0 2008.01.02 -

FileAdvisor 1 2008.01.03 -

Fortinet 3.14.0.0 2008.01.02 -

F-Prot 4.4.2.54 2008.01.02 -

F-Secure 6.70.13030.0 2008.01.02 Backdoor.Win32.SdBot.aad

Ikarus T3.1.1.15 2008.01.02 Backdoor.Win32.Rbot.cgu

Kaspersky 7.0.0.125 2008.01.02 Backdoor.Win32.SdBot.aad

McAfee 5198 2008.01.03 -

Microsoft 1.3109 2008.01.02 -

NOD32v2 2761 2008.01.02 -

Norman 5.80.02 2008.01.02 W32/Hupigon.gen76

Panda 9.0.0.4 2008.01.02 Suspicious file

Prevx1 V2 2008.01.03 Heuristic: Suspicious File With Code Injection Technology

Rising 20.25.22.00 2008.01.02 -

Sophos 4.24.0 2008.01.03 Mal/Behav-164

Sunbelt 2.2.907.0 2008.01.03 VIPRE.Suspicious

Symantec 10 2008.01.02 -

TheHacker 6.2.9.176 2008.01.01 -

VBA32 3.12.2.5 2008.01.02 -

VirusBuster 4.3.26:9 2008.01.02 -

Webwasher-Gateway 6.0.1 2008.01.02 Heuristic.Crypted

Additional information

File size: 89600 bytes

MD5: b80ab8c689c37a4038057c965e0e2d86

SHA1: f70da9e8f6db922bdafb3f15202043bd89645c47

PEiD: -

packers: PELock

Prevx info:

 

http://info.prevx.com/aboutprogramtext.asp...10599009F0510D9

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed

 

suspicious through heuristics.

 

==========================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:47:50 PM, on 1/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\WINDOWS\System32\dllcache\aolserver.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\repair\smrs.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

 

http://www.comcast.net/toolbar2.0/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

 

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

 

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

 

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

 

http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

 

http://www.comcast.net/toolbar2.0/search/

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

 

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -

 

C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

 

C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

 

Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

 

c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} -

 

C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -

 

C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

 

Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

 

C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} -

 

C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

 

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

 

C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

 

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

 

Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

 

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

 

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

 

C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)

 

- http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -

 

http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation

 

Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

 

http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -

 

http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

 

http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) -

 

http://a.download.toontown.com/sv1.0.24.10/ttinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

 

http://download.mcafee.com/molbin/iss-loc/...182/mcfscan.cab

O23 - Service: McAfee Application Installer Cleanup (0238201199314080)

 

(0238201199314080mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023820~1.EXE (file

 

missing)

O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\254656.exe (file missing)

O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file

 

missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner -

 

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner -

 

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. -

 

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common

 

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\WINDOWS\TEMP\239564.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common

 

Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. -

 

C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -

 

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. -

 

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. -

 

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

 

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. -

 

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -

 

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program

 

Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner -

 

C:\WINDOWS\System32\msdtc.exe

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner -

 

C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: SrV-AOLv3 - Unknown owner - C:\WINDOWS\System32\dllcache\aolserver.exe

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner -

 

C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Sys_SM-Service - Unknown owner - C:\WINDOWS\repair\smrs.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner -

 

C:\WINDOWS\System32\wltrysvc.exe

 

--

End of file - 9446 bytes

Link to post
Share on other sites

Please turn off "Word Wrap" in Notepad and leave it off until we finish when you post HJT logs.

Notepad > Format > Word Wrap unchecked.

 

Post a new HJT log.

 

Thanks

Link to post
Share on other sites

Word Wrap is off now:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:11:04 AM, on 1/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\WINDOWS\System32\dllcache\aolserver.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\repair\smrs.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

c:\PROGRA~1\mcafee\msc\mcupdui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...182/mcfscan.cab

O23 - Service: McAfee Application Installer Cleanup (0238201199314080) (0238201199314080mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023820~1.EXE (file missing)

O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\254656.exe (file missing)

O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\WINDOWS\TEMP\239564.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: SrV-AOLv3 - Unknown owner - C:\WINDOWS\System32\dllcache\aolserver.exe

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Sys_SM-Service - Unknown owner - C:\WINDOWS\repair\smrs.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

--

End of file - 9634 bytes

Link to post
Share on other sites

Please read and follow the directions carefully.

 

1) Make sure files and folders are visible.

 

2) Disable the Service

Click Start > Run and type services.msc

Scroll down to aawservice and right click on it.

Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

 

Do the same with these two:

SrV-AOLv3

Sys_SM-Service

 

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

 

(make sure you are checking each of these items)

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\254656.exe (file missing)

O23 - Service: SrV-AOLv3 - Unknown owner - C:\WINDOWS\System32\dllcache\aolserver.exe

O23 - Service: Sys_SM-Service - Unknown owner - C:\WINDOWS\repair\smrs.exe

 

Close all programs but HJT and all browser windows, then click on "Fix Checked"

 

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

 

C:\WINDOWS\system32\ntos.exe <<< be sure this file is gone, make me aware of that fact!

 

C:\WINDOWS\System32\dllcache\aolserver.exe <<< delete that file

 

C:\WINDOWS\repair\smrs.exe <<< delete that file

 

C:\WINDOWS\TEMP\ <<< delete the contents of that TEMP folder

 

5) Run ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Click Select All found at the bottom of the list.

Click the Empty Selected button.

Click Exit on the Main menu to close the program.

 

Restart the computer and post a new HJT log. Tell me how the computer runs now.

 

Thanks

Link to post
Share on other sites

I followed your instructions, with notes below

1) all files and folders visible

2) Stopped aawservice

Couldn't stop SrV-AOLv3 or sys_sm-service in services.msc. I did it in Task Manager, then came back to services and disabled

 

3)checked the first item on your list, but none of the other three were listed

 

4) c:\windows\system32\ntos.exe was NOT present

I deleted the other files, EXCEPT there were 8 files in the TMP folder that wouldn't delete. They have names like "mcafee_aegawgawjjegpiaweg"

 

5) Ran ATF cleaner

 

Upon restart, McAfee announced that I was not protected because VirusScan was not running. I attempted to start VirusScan using the "Fix" button in McAfee Security Center, but got a message that Virus Scan could not be started due to an error. At the same time, something called McAfee Email Proxy announced that it could not send some messages. Every time I clicked "ok", it popped back up again, until I got a notice that it had crashed due to an unknown error.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:22:52 PM, on 1/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...182/mcfscan.cab

O23 - Service: McAfee Application Installer Cleanup (0060531199358811) (0060531199358811mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006053~1.EXE (file missing)

O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\182933.exe (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\WINDOWS\TEMP\239564.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

--

End of file - 9049 bytes

Link to post
Share on other sites

Thanks for returning your information and the feedback. You will need to take up McAfee issues with McAfee. They will probably have you uninstall and reinstall.

 

I am wondering why this item is still in the HJT log:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

You said:

4) c:\windows\system32\ntos.exe was NOT present

Here in the SDFix log it is indicated as being deleted:

C:\WINDOWS\system32\ntos.exe - Deleted

 

Use Search companion, Start > Search > All Files and Folders and do a seatch for that file:

ntos.exe <<< let's make sure it is not anywhere on the computer. Allow time for search to complete, there are a lot of files to search.

Make sure all files and folders are enabled:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Besides the McAfee issues, any other malware problems?

http://service.mcafee.com/

 

Thanks

Link to post
Share on other sites

Search found 4 files with "ntos.exe" in the file name. One was "ntos.exe" in the Spybot Search and Destroy recovery folder. One was "ntos.exe" in the SDFix\backups\catchme.zip folder. The other was "ntos.exe.1" in the same SDFix folder, and the last was in Windows\Prefetch called "ntos.exe-1A029211.pf" Are the executables in Spybot and SDFix folders quarantined? I went ahead and deleted them. I will contact McAfee about the issues with it. I'm concerned that I can't turn on VirusScan, but would the deleted malware have corrupted McAfee and need to be uninstalled and reinstalled anyway?

 

Everything seems okay so far. I'll keep an eye out. I sincerely appreciate your help in trying to do these fixes.

Link to post
Share on other sites

Thanks for the feedback, I"ll try to answer these questions:

Search found 4 files with "ntos.exe" in the file name

These items would have been shown in a scan near the end to check for hidden stuff. Recover and Quarantine can not harm you but "Prefetch" could and we have cleaned that "Prefetch" folder twice with ATF-Cleaner? Open ATF-Cleaner and look at the seventh item down. Go ahead and click "Select All" and "Empty Selected" again. Keep in mind Prefetch does not need cleaned all of the time and it will slow your compouter until Windows repopulates it with stuff it needs to fetch quickly for you.

http://www.windowsnetworking.com/articles_...refetch-XP.html

 

Delete the contents of the Spybot S&D Recovery folder

http://ict.cas.psu.edu/training/howto/util...ovespybot.htm#1

 

SDFix\backups\catchme.zip folder <<< delete SDFix completely from your computer. It does not update and needs to be downloaded new anytime it is needed.

and the last was in Windows\Prefetch called "ntos.exe-1A029211.pf"

and we just covered that above, but now that Prefetch should be empty or close to it, navigate to that folder:

C:\Windows\Prefetch\ and make sure that item in red is not there.

but would the deleted malware have corrupted McAfee and need to be uninstalled and reinstalled anyway?

I posted this information for you at the start:

C:\WINDOWS\repair\smrs.exe

http://www.sophos.com/virusinfo/analyses/w32agobotrc.html

Turns off anti-virus applications

Allows others to access the computer

Steals information

Downloads code from the internet

Reduces system security

Records keystrokes

I personally dropped McAfee after using it for years because this new program is so hugh and slows the computer. There is little doubt the program has been compromised, but I would strongly suggest you seek the help of tech support just in case you have issues. Once you have McAfee up and running, check back with me (I will leave your topic open) so we can do a final online scan and take a final look at a HJT log.

 

Thanks...Phil

Link to post
Share on other sites

Good morning, Phil. I don't know what I did, but now my poor laptop won't stay on the internet, turns off Windows Firewall, and is behaving badly in general. And "ntos.exe" is back in the the windows\system32 folder. It was not present when I followed your last batch of instructions.

 

On reboot, I got a message that my virtual memory is too small, that "cmd.exe" won't load, and that Windows Firewall is turned off. When I attempt to turn on the firewall, I get a message that a required service "SharedAccess" is not running, do I want to start it? I click "yes" and it comes back with an error message that it can't start the service.

 

The laptop connects to the internet through my router, but after a few minutes, it goes into an eternal "Acquiring Network Address" loop.

 

I'm beginning to think I should have just sucked it up and done the reformat. Your thoughts?

Link to post
Share on other sites

I'll look at another HJT log if you wish, but once this junk gets on your computer you can never be sure that you got it all. Here are the reformat instructions if you wish to give it some thought:

 

http://spyware-free.us/tutorials/reformat/

http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

http://helpdesk.its.uiowa.edu/windows/inst...ns/reformat.htm

 

Let me know what you wish to do.

 

Thanks...Phil

Link to post
Share on other sites

I'm going to reformat. My wife is tired of me moping around about my laptop. The only challenges I saw in reading the tutorials that you provided was getting all of the drivers and downloading XP SP2 when I can't stay on the Internet with the infected laptop. I get kicked off my router after a few minutes. I guess I could order the SP2 CD from Microsoft, but that will take a while.

Link to post
Share on other sites

I have successfully reformatted my hard drive and re-installed Windows XP on my infected laptop. It wasn't too painful, and now that I have done it, it won't be so intimidating if I have to do it in the future. Hopefully I can keep my system locked down so I am never infected again. Thank you for all your help.

 

Shawn

Link to post
Share on other sites

Hi Shawn, thanks for the feedback in the private message. Here is some information that may be handy:

http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx

 

Some good information for you:

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

 

Here is some great information from experts in this field that will help you stay clean and safe online.

http://users.telenet.be/bluepatchy/miekiem...prevention.html

http://forums.spybot.info/showthread.php?t=279

http://russelltexas.com/malware/allclear.htm

http://forum.malwareremoval.com/viewtopic.php?t=14

http://www.bleepingcomputer.com/forums/topict2520.html

http://cybercoyote.org/security/not-admin.shtml

 

Thanks...pskelley

http://pcpitstop.com/about/supportus.asp

If you are reading this information...thank a teacher,

If you are reading it in English...thank a soldier.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
×
×
  • Create New...