virus problem, any help would be appreciated

Discussion in 'Windows - Virus and spyware problems' started by cpalmer5, Nov 26, 2006.

  1. cpalmer5

    cpalmer5 Member

    Joined:
    Jul 9, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    This virus was created from an email.

    here is my hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 6:35:32 PM, on 11/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\BigFix\bigfix.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\winstall.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\msrr.exe
    C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
    C:\Program Files\Common Files\{8CC800F6-07D9-1033-1111-050919050001}\Update.exe
    C:\Documents and Settings\cujo\Desktop\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\winstall.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\cujo\Desktop\ewido\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
     
    cpalmer5, Nov 26, 2006
    #1
  2. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Hi cpalmer5,

    Please download SmitfraudFix.zip to the desktop from here

    * Extract the files to the desktop.
    * Open the newly created folder [bold]SmitfaudFix[/bold].
    * Double-click [bold]smitfraudfix.cmd[/bold].
    * [bold]Select 1[/bold] and press [bold]Enter[/bold] to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt.
    [bold]Note:[/bold] [bold]please do not run other options unless requested.[/bold]

    Post back with the contents of rapport.txt and a new HijackThis log.
     
    Niobis, Nov 27, 2006
    #2
  3. cpalmer5

    cpalmer5 Member

    Joined:
    Jul 9, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    thanks, smitfraud and hj logs below

    SmitFraudFix v2.125

    Scan done at 11:07:29.75, Tue 11/28/2006
    Run from C:\Documents and Settings\cujo\Local Settings\Temp\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cujo


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cujo\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\cujo\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    and

    Logfile of HijackThis v1.99.1
    Scan saved at 11:11:04 AM, on 11/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Mozilla Firefox\winstall.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\cujo\Desktop\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\winstall.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\cujo\Desktop\ewido\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

     
    cpalmer5, Nov 28, 2006
    #3
  4. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Go to Add/Remove Programs and uninstall:
    [bold]Need2Find[/bold] (or similar)

    Then, run a scan only with HijackThis, check these(if there):

    [bold]O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\winstall.exe
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL [/bold]

    Close all windows except HijackThis before clicking "Fix checked".
    Exit HijackThis.

    Download this 018 RegFix to your desktop.
    Extract the file to the desktop.
    Double-click on the .reg file and click Yes when prompted to merge with registry.
    After merging, you may delete the file.

    [bold]Note:[/bold] [bold]Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.[/bold]

    * Reboot your computer in Safe Mode (upon boot press [bold]F8[/bold], select "[bold]Safe Mode[/bold]" from the menu and press [bold]Enter[/bold])
    * Open the [bold]SmitfraudFix[/bold] folder.
    * Double-click [bold]smitfraudfix.cmd[/bold]
    * [bold]Select 2[/bold] and hit [bold]Enter[/bold] to delete infect files.
    * You will be prompted: Do you want to clean the registry ? answer [bold]Y (yes)[/bold] and hit Enter in order to remove the desktop background and clean registry keys associated with the infection.
    * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer [bold]Y (yes)[/bold] and hit [bold]Enter[/bold] to restore a clean file.
    * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at [bold]C:\rapport.txt[/bold].

    Exit SmitfraudFix and show hidden files and folders.
    Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders".
    Click Apply, then OK.

    Locate and delete this file:
    C:\Program Files\Mozilla Firefox\[bold]winstall.exe[/bold]

    Empty the Recycle Bin and hide hidden files again.
    Restart in normal mode.

    Go here to run [bold]Kaspersky Online Scanner[/bold].
    After downloading, click "[bold]My Computer[/bold]" to scan.
    After scanning, click "[bold]Save report as[/bold]".
    Save as a text file on the desktop.

    Please post back with the contents of rapport.txt, the Kaspersky log, and a new HijackThis log.
     
    Last edited: Nov 28, 2006
    Niobis, Nov 28, 2006
    #4
  5. cpalmer5

    cpalmer5 Member

    Joined:
    Jul 9, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    here are the three logs

    SmitFraudFix v2.125

    Scan done at 16:54:55.15, Tue 11/28/2006
    Run from C:\Documents and Settings\cujo\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
    Logfile of HijackThis v1.99.1
    Scan saved at 6:54:04 PM, on 11/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\cujo\Desktop\ewido\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\Program Files\BigFix\bigfix.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\mcafee.com\agent\McDash.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\cujo\Desktop\HijackThis_v1.99.1.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Glass2k] C:\Program Files\Glass2k\Glass2k.exe
    O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\cujo\Desktop\ewido\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    end


    Scan Statistics
    Total number of scanned objects 59081
    Number of viruses found 3
    Number of infected objects 6 / 0
    Number of suspicious objects 0
    Duration of the scan process 01:15:30

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cert8.db Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\history.dat Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\key3.db Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\parent.lock Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\cujo\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\cujo\Desktop\Reboot your computer in Safe Mode.doc Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Temp\~DF3B23.tmp Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Temp\~DF430F.tmp Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Temp\~DF8624.tmp Object is locked skipped
    C:\Documents and Settings\cujo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\cujo\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\cujo\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\eMachine_Specific.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security_UK.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\UK_Specific.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Urgent.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Virus.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Welcome.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\WinXP.dat Object is locked skipped
    C:\Program Files\Mozilla Firefox\mcnew.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
    C:\Program Files\MSN Messenger\msnmsgr.exe Infected: Backdoor.Win32.MSNMaker.ab skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0035457.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.apt skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0035457.exe/stream Infected: Trojan-Downloader.Win32.Zlob.apt skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0035457.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0035457.exe UPX: infected - 2 skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP224\A0043748.dll Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP224\A0043784.dll Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP226\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.
     
    cpalmer5, Nov 28, 2006
    #5
  6. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Hmm, the MSN backdoor has infected the main messenger file. I can't find much on this, being the main file, only in Spanish...
    AVGAS will remove this backdoor, I just hope it doesn't remove the entire file. After running the scan, if the backdoor is cleaned, try to use MSN Messenger. If it doesn't work, you'll need to reinstall it.


    Go here to download the trial version of [bold]AVG Anti-spyware[/bold].

    Install and open AVGAS.
    Click "[bold]Update[/bold]" then click "[bold]Start update[/bold]".
    After updating, close AVGAS.
    [bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
    Restart your computer in safe mode(press [bold]F8[/bold] upon boot, select "[bold]Safe Mode[/bold]" from menu and press [bold]Enter[/bold]).
    Open AVGAS and click "[bold]Scanner[/bold]".
    Click "[bold]Complete System Scan[/bold]".
    When it finishes scanning, set all items to "[bold]Quarantine[/bold]".
    Click "[bold]Apply All Actions[/bold]".
    Click "[bold]Save Report[/bold]" and save it to the desktop.
    Exit AVGAS.

    Locate and delete this file if AVGAS didn't quarantine it.
    C:\Program Files\Mozilla Firefox\[bold]mcnew.exe[/bold]

    Restart in normal mode.

    Turn off [bold]System Restore[/bold].
    Right click [bold]My Computer[/bold] > [bold]Properties[/bold] > [bold]System Restore tab[/bold] > check "[bold]Turn off System Restore[/bold]".
    Click [bold]Apply[/bold], then [bold]OK[/bold].
    Restart and turn System Restore back on.

    Post back with the AVGAS report.
     
    Last edited: Nov 28, 2006
    Niobis, Nov 28, 2006
    #6
  7. cpalmer5

    cpalmer5 Member

    Joined:
    Jul 9, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    thanks for the help. Here is the avg report.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:13:53 PM 11/28/2006

    + Scan result:



    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037782.dll -> Adware.404Search : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037770.dll -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037771.dll -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037772.exe -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037774.dll -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037775.dll -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037776.dll -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037777.exe -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037778.exe -> Adware.Altnet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP205\A0037780.dll -> Adware.Altnet : No action taken.
    C:\Program Files\Uninstall Need2Find Bar.dll -> Adware.IESearch : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP226\A0046230.DLL -> Adware.IESearch : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0035421.cpl -> Adware.P2PNet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0035422.exe -> Adware.P2PNet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0036373.DLL -> Adware.P2PNet : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP199\A0036375.dll -> Adware.RXToolbar : No action taken.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP226\A0046265.exe -> Backdoor.Agent.aim : No action taken.
    C:\Program Files\Mozilla Firefox\mcnew.exe -> Downloader.Agent.bca : No action taken.
    :mozilla.121:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.122:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.125:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.79:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.80:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.81:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.82:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.83:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.84:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.85:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.164:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
    :mozilla.165:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
    :mozilla.99:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Com : No action taken.
    :mozilla.281:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.282:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.283:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.284:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.107:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
    :mozilla.186:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
    :mozilla.294:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
    :mozilla.211:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
    :mozilla.212:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
    :mozilla.459:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.460:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.461:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.462:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.464:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.166:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.167:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.168:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.169:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.170:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.171:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.172:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.173:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.183:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Starware : No action taken.
    :mozilla.184:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Starware : No action taken.
    :mozilla.185:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Starware : No action taken.
    :mozilla.187:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Starware : No action taken.
    :mozilla.188:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Starware : No action taken.
    :mozilla.113:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.114:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.115:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.116:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.117:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.118:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.207:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.208:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.209:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.348:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Yadro : No action taken.
    :mozilla.277:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.278:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.89:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.90:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.93:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.97:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.98:C:\Documents and Settings\cujo\Application Data\Mozilla\Firefox\Profiles\inl33h7v.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    C:\Program Files\Mozilla Firefox\vsetup.exe -> Trojan.Small : No action taken.


    ::Report end

     
    cpalmer5, Nov 28, 2006
    #7
  8. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    I'm sorry to inform you, but you'll need to run AVGAS again...


    Nah, I'm just kidding. :) We won't waste the time running a new scan and we'll just remove those manually. But next time you run AVGAS(if you keep it) be sure to click the Apply all actions button after scanning and setting files found to quarantine or delete.


    Turn off [bold]System Restore[/bold].
    Right click [bold]My Computer[/bold] > [bold]Properties[/bold] > [bold]System Restore tab[/bold] > check "[bold]Turn off System Restore[/bold]".
    Click [bold]Apply[/bold], then [bold]OK[/bold].

    Restart in safe mode and delete the following:
    C:\Program Files\Uninstall Need2Find Bar.dll <--file
    C:\Program Files\Mozilla Firefox\mcnew.exe <--file
    C:\Program Files\Mozilla Firefox\vsetup.exe <--file

    Empty the Recycle Bin and restart in normal mode.
    Turn System Restore back on.

    Run CCleaner to clean the cookies and it will also clean temp files. I recommend you keep this program and run it often.
    Go here and download [bold]CCleaner[/bold].
    [bold]Note[/bold]: If you do not want [bold]Yahoo! Toolbar[/bold] uncheck the option when installing.
    Open [bold]CCleaner[/bold].
    Click [bold]Options[/bold] > [bold]Advance[/bold] > uncheck "Only delete files in Windows Temp folders older than 48 hours".
    Close all windows.
    Click Cleaner > [bold]Run Cleaner[/bold].


    Edit: I typed this up before thinking about the backdoor, I apologize. AVGAS didn't pick it up so after you report back, "Done" with these instructions we'll work on that MSN backdoor. :)
     
    Last edited: Nov 28, 2006
    Niobis, Nov 28, 2006
    #8
  9. cpalmer5

    cpalmer5 Member

    Joined:
    Jul 9, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    done
     
    cpalmer5, Nov 30, 2006
    #9
  10. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Okay good. Let's scan the file before we try anything.

    Go to Jotti's malware scan.
    Copy/Paste this file into the "[bold]File to upload and scan[/bold]" area.
    [bold]C:\Program Files\MSN Messenger\msnmsgr.exe[/bold]
    Click "[bold]Submit[/bold]".
    Copy/paste the results to Notepad and save them.
    Post the results in your next reply.


    Note: if for some reason there are two files with the name msnmsgr, scan both.
     
    Niobis, Nov 30, 2006
    #10
  11. cpalmer5

    cpalmer5 Member

    Joined:
    Jul 9, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing
     
    cpalmer5, Nov 30, 2006
    #11
  12. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Heh, what happened? It's no longer appearing to be infected... :)

    I hate to do it to you, but I would like to be certain you're clean.

    Go here to run [bold]ActiveScan[/bold].
    Click "[bold]Panda ActiveScan[/bold].
    Fill in the form with your information.
    After downloading, click [bold]My Computer[/bold] to scan.
    When it finishes, click "[bold]See Report[/bold]".
    Click "[bold]Save report[/bold]" and save it to the desktop.

    Please post the ActiveScan log along with a new HijackThis log.

    Also, are you having any problems or symptoms with the computer?
     
    Last edited: Nov 30, 2006
    Niobis, Nov 30, 2006
    #12

Share This Page