mywebsearch toolbar

vanagon40 Indiana Member
edited May 2004 in Spyware & Virus Removal
My daughter brought her laptop home from college and complained it was a little buggy. She had no updated virus protection, etc.

I am cleaning and noticed a mywebsearch toolbar. Daughter cannot remember whether she intentionally installed or not. She previously had problems with spyware and had Ad-Aware (not updated) already installed.

Two questions:

Is mywebsearch toolbar harmless, or should I wipe it out? Ad-Aware did not object to its presence.

Ad-Aware found malware "Win32.Sasser." Is this related to the sasser worm or is it something else?

Thanks in advance for any information.

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Mywebsearch is definitely spyware. Read about it here. It appears relatively easy to remove. As for Ad-Aware not recognizing it, make sure you're running the latest release with the latest definitions.

    Win32.Sasser sounds like the Sasser virus to me. Follow the removal instructions here.
  • vanagon40 Indiana Member
    edited May 2004
    Thanks for the quick response, Mr. Kwitko. Seems like there might be several problems. Critical updates not installed. Can't check for the sasser worm yet 'cause microsoft can't (won't) check 'till the patch is installed. Something is blocking access to the McAfee website.

    Odd that you think Ad-Aware should object to mywebsearch toolbar as I updated Ad-Aware immediately before running it.

    Going to take some time to get the microsoft updates as I'm on dial-up.

    I'm not seeking additional assistance at this time. I'll clean as best I can and then see if I need help.

    Thanks again,

    Jim
  • vanagon40 Indiana Member
    edited May 2004
    As previously stated, the laptop was full of bugs. Removed toolbar. Could not install microsoft critical updates. Access to known anti-virus websites is blocked. Finally got to trendmicro.com and ran scan. Multiple instances of Sasser.C and Agobot worms were found and deleted. Found Trojan MSCACHE.A but could not remove. Now access to trendmicro is blocked. When attempting to go to known anti-virus website, address bar shows: http:///? www.*****.com, where ***** represents address (e.g., mcafee, trendmicro, etc.). Little bugger has good survival instincts.

    Where do I go from here? Seems that MSCACHE.A might be the problem as it was only virus that trendmicro did not delete.

    There may be some delay in responding as I work days (US) and the laptop is at home.

    Last microsoft critical updates were installed mid April.

    Thanks for any suggestions.

    Jim
  • vanagon40 Indiana Member
    edited May 2004
    Would also note that I'm unable to open or install SpybotS&D. Got HiJack This, but the program shuts down after approximately 2 seconds. I'll try running HJT in the safe mode this evening.

    Any suggestions?
  • vanagon40 Indiana Member
    edited May 2004
    Definitely had sasser and agobot. Spybot found too many problems to list here.

    I've run Ad-Aware, Spybot 1.3, and CWShredder.

    Here are some of my symptoms:

    Will not allow microsoft critical updates to install (I managed to install most in safe mode)

    Will not allow McAfee to install (although I can now access the web page, when previously I could not).

    After disconnecting from internet (I'm now on dial-up), programs are requesting access to internet (e.g., Scooby_doo3.yi.org, oxygen13.ath.ex)

    Here is my HJT log run in safe mode:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:50:12 AM, on 5/20/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\virus stuff\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\virus stuff\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuikShield] qkshield.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [File System Service] wmiprvsc.exe
    O4 - HKLM\..\Run: [System Update Service] wmiprvsv.exe
    O4 - HKLM\..\Run: [System Updater Process] wmiprvsw.exe
    O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
    O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
    O4 - HKLM\..\RunServices: [System Update Service] wmiprvsv.exe
    O4 - HKLM\..\RunServices: [System Updater Process] wmiprvsw.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\America Online 7.0\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    O4 - Global Startup: Purdue University Air Link.lnk = C:\Program Files\Purdue University\Air Link\ipsecdialer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.6610532407
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • vanagon40 Indiana Member
    edited May 2004
    I know my thread title is no longer accurate.

    I am also 99.9% certain that wmiprvsv.exe is part of agobot.

    Please advise on exactly what entries to remove, and any other steps to cure this ailing laptop.
  • vanagon40 Indiana Member
    edited May 2004
    OK, I got impatient waiting for a response, so I deleted the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

    Ok, but don't use

    R3 - Default URLSearchHook is missing

    Could not see any harm in deleting

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

    Don't use. Do I need it if want to use in future?

    O4 - HKLM\..\Run: [QuikShield] qkshield.exe

    Got rid of QuikShield altogether.

    O4 - HKLM\..\Run: [File System Service] wmiprvsc.exe
    O4 - HKLM\..\Run: [System Update Service] wmiprvsv.exe
    O4 - HKLM\..\Run: [System Updater Process] wmiprvsw.exe
    O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
    O4 - HKLM\..\RunServices: [System Update Service] wmiprvsv.exe
    O4 - HKLM\..\RunServices: [System Updater Process] wmiprvsw.exe

    99.9% sure this is Agobot

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

    Smiley Central crap

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...81/mcinsctl.cab

    My failed attempt to install McAfee, I'll try again

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    Online virus scan, don't need

    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/...nfo/webscan.cab

    Another online virus scan

    O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe

    Removed program

    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,19/mcgdmgr.cab

    Another failed McAfee download

    Did I miss something?

    Did I delete too much?

    Is anyone listening? (I would appreciate a little feedback, if even to only say I'm doing good.)

    Must be doing some good, as now microsoft critical updates are being allowed to install. However, as I am on dial-up, I still have 6 hours left on the update install.

    Jim
  • vanagon40 Indiana Member
    edited May 2004
    Just trying to move up the list to get a reply.

    Jim
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Post your latest log.
  • vanagon40 Indiana Member
    edited May 2004
    I think I'm getting closer. Note the updated IE version.

    Here is the log run in normal mode

    Logfile of HijackThis v1.97.7
    Scan saved at 11:05:13 AM, on 5/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\GWHotKey.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINNT\System32\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 7.0\aim.exe
    C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Purdue University\Air Link\cvpnd.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\wuauclt.exe
    C:\virus stuff\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\virus stuff\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\America Online 7.0\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    O4 - Global Startup: Purdue University Air Link.lnk = C:\Program Files\Purdue University\Air Link\ipsecdialer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.6610532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
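    The two logs above are most useful side by side: an autostart entry that survives a cleanup pass (WinDriv32.exe here) is exactly what a helper looks for next. The following script is an added example for this thread, not HijackThis code or anything the posters ran. It parses the "Running processes" section and the lettered entries of a HijackThis log, diffs two logs, and separately lists O4 autostart entries whose command is a bare file name rather than a full path (a constructed triage heuristic, since such entries say nothing about which file actually runs). The two log excerpts are constructed from a handful of lines taken from the safe-mode and normal-mode logs posted above.

```python
"""Diff two HijackThis logs and flag bare-image O4 autostart entries.

Added example for the thread; not HijackThis code. The log excerpts are
constructed subsets of the two logs posted in the thread.
"""
import re

# Constructed excerpt of the first (safe-mode) log.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:50:12 AM, on 5/20/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [System Update Service] wmiprvsv.exe
O4 - HKLM\..\RunServices: [System Update Service] wmiprvsv.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
"""

# Constructed excerpt of the second (normal-mode) log, after the first cleanup.
LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:05:13 AM, on 5/21/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
"""

# HijackThis entries start with a letter and a number: R0, O2, O16, ...
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 lines of the form "O4 - <hive>\..\Run: [Name] <command>"
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Return (processes, entries): lower-cased process paths and the set of entry lines."""
    processes, entries = set(), set()
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs:
            processes.add(line.lower())
    return processes, entries


def diff_logs(before, after):
    """Compare two logs: what was removed, what appeared, and what persisted."""
    proc_before, ent_before = parse_hjt(before)
    proc_after, ent_after = parse_hjt(after)
    return {
        "removed_entries": sorted(ent_before - ent_after),
        "added_entries": sorted(ent_after - ent_before),
        "persisted_entries": sorted(ent_before & ent_after),
        "new_processes": sorted(proc_after - proc_before),
    }


def bare_image_entries(entries):
    """O4 entries whose command has no directory component (constructed heuristic).

    A bare name is resolved through the system search path, so the log line
    alone does not identify the file; these are worth checking by hand.
    """
    flagged = []
    for entry in entries:
        m = O4_RE.match(entry)
        if not m:
            continue
        exe = m.group("cmd").strip().strip('"').split()[0]
        if "\\" not in exe and "/" not in exe:
            flagged.append(entry)
    return sorted(flagged)


if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for key, lines in result.items():
        print(f"== {key} ==")
        for line in lines:
            print("  " + line)
    print("== bare-image O4 entries in first log ==")
    for line in bare_image_entries(parse_hjt(LOG_BEFORE)[1]):
        print("  " + line)
```

    Run on the two excerpts, the diff reports the R0 start page and both wmiprvsv.exe entries as removed, the WinDriv32 entries as persisted in both hives, and wuauclt.exe (Windows Update) as a new process, which is the picture the thread arrives at by hand.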
  • vanagon40 Indiana Member
    edited May 2004
    I've still got agobot. Either the computer associates virus information center tool is not removing it, or I am getting reinfected. It seems to be blocking access to known anti-virus web sites.
  • edited May 2004
    One thing you can try is downloading another browser like Firebird and see if you can get to the AV websites. The virii you have on that machine might not know how to deal with a standalone browser like Firebird.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Delete this:
    O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe

    Then delete the file while in safe mode.
  • vanagon40 Indiana Member
    edited May 2004
    Thank you Mr. Kwitko.

    O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
    and
    O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe

    were definitely Agobot. I think Agobot is finally gone.

    Found the solution to the blocked anti-virus sites. => http://www.experts-exchange.com/Security/Win_Security/Q_20935886.html
    Many of the viruses/worms today are attacking your "hosts" file so you can't access antivirus sites.

    With Notepad, open up the file

    c:\windows\system32\drivers\etc\hosts

    If you see lines like this:

    0.0.0.0 www.symantec.com
    0.0.0.0 www.norton.com

    or any other site mapped to 0.0.0.0, delete those lines. Also, if you see any common sites you recognize (such as Google) mapped to another number (IP address), delete those lines.

    Your browser checks this hosts file first when you type a web address into your browser. So, when it sees a site listed, it automatically uses that IP address.

    Hopefully, deleting these lines from your hosts file will allow you to update your AV. And, hopefully that updated AV will get rid of your virus problem.

    I'm downloading McAfee as I type.

    I'll post a HJT log after updating everything, but I think I may finally be clean. Only took me four days to clean up two semesters worth of bugs.

    Thanks again.

    Jim
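    The hosts-file check described in the post above can be automated: any name other than localhost mapped to a loopback or unspecified address, or a well-known domain mapped to some other address, is the pattern the poster found. The script below is an added example, not code from the thread or from any of the tools it mentions. It parses hosts-file text, reports each suspicious line with its reason, and returns a cleaned copy with only those lines dropped. The sample content and the list of "known" domains are constructed for the example, the domain list being an assumption chosen to match the vendors the poster found sinkholed.

```python
"""Audit a hosts file for entries that sinkhole or redirect security vendors.

Added example for the thread, not code from any tool it mentions. SAMPLE_HOSTS
and KNOWN_DOMAINS are constructed for the example.
"""
import ipaddress

# Constructed sample: a normal header and localhost line, a few of the
# redirects the poster reported, and one well-known site sent elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.mcafee.com
127.0.0.1 download.mcafee.com
0.0.0.0 www.symantec.com
10.1.2.3 www.google.com
"""

# Names that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Assumption: domains a user would recognise; overriding them is suspicious.
KNOWN_DOMAINS = {"google.com", "mcafee.com", "symantec.com", "trendmicro.com",
                 "kaspersky.com", "f-secure.com", "sophos.com", "microsoft.com"}


def is_sinkhole(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_known(host):
    """True if host is one of KNOWN_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def classify(ip, hosts):
    """Return a reason string if the mapping looks hostile, else None."""
    sinkhole = is_sinkhole(ip)
    for host in hosts:
        if sinkhole and host not in LOCAL_NAMES:
            return f"{host} sinkholed to {ip}"
        if not sinkhole and is_known(host):
            return f"{host} redirected to {ip}"
    return None


def audit_hosts(text):
    """Return (findings, cleaned_text).

    findings is a list of (line_no, reason, raw_line); cleaned_text keeps
    comments, blank lines and every mapping that was not flagged.
    """
    findings, kept = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop trailing comments
        reason = None
        if len(fields) >= 2:
            reason = classify(fields[0], [h.lower() for h in fields[1:]])
        if reason:
            findings.append((line_no, reason, raw))
        else:
            kept.append(raw)
    return findings, "\n".join(kept) + "\n"


if __name__ == "__main__":
    findings, cleaned = audit_hosts(SAMPLE_HOSTS)
    for line_no, reason, raw in findings:
        print(f"line {line_no}: {reason}    [{raw}]")
    print("--- cleaned hosts ---")
    print(cleaned, end="")
```

    On a Windows machine the file lives at the path given in the post; after writing the cleaned copy back, setting it read-only (`attrib +r` on that path) is what the reply below amounts to, though a process running with enough privilege can still clear that bit, so the attribute is a speed bump rather than a guarantee.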
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Make the hosts file read-only. I was going to mention looking at the hosts file, but usually HiJackThis will list strange entries. In this case it didn't.

    Attach a copy of the hosts file so we can clean out the junk.
  • vanagon40 Indiana Member
    edited May 2004
    Hosts file is now blank. Only entries in host file were redirects to my computer for anti-virus sites. I cleared all.
  • vanagon40 Indiana Member
    edited May 2004
    After four days, I think I've finally got it. Sasser and Agobot (and a host of other infections) removed.

    McAfee installed and updated.

    Scrubbed system with Spybot 1.3, Ad-Aware, and CWShredder (all updated).

    SpywareBlaster (updated) installed.

    Immunized with Spybot.

    All microsoft updates installed.

    Original Java removed and Sun Java installed.

    I can't think of anything else. Any suggestions appreciated.

    Hosts file now empty. Deleted the following entries:

    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 kaspersky-labs.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.grisoft.com


    Finally, my most recent HJT log (run in normal mode):

    Logfile of HijackThis v1.97.7
    Scan saved at 12:03:27 AM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\GWHotKey.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINNT\System32\qttask.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 7.0\aim.exe
    C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\virus stuff\hijackthis\HijackThis.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Purdue University\Air Link\cvpnd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\System32\imapi.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\VIRUSS~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\America Online 7.0\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    O4 - Global Startup: Purdue University Air Link.lnk = C:\Program Files\Purdue University\Air Link\ipsecdialer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.6610532407
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Special thanks to Mr. Kwitko for helping me get rid of Agobot.

    That's All!

    Jim a/k/a Vanagon45
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Glad your machine is clean. :)
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited May 2004
    It's been a long road, huh? ;D
  • vanagon40 Indiana Member
    edited May 2004
    It's been a long road, huh? ;D

    Yeah, in the past month I have become a reluctant debugger. Sasser at home (Windows XP), About:blank (CWS) at work (Windows 98), and Sasser and Agobot (plus too many others to list) on my daughter's laptop (Windows XP). The only easy one was Sasser at home. Learned a lot about updating Windows and IE on a timely basis, as well as some other computer functions. Had to pat myself on the back a little bit in being able to fix all three. Still spent way too much time on fixing (probably 40 hours on about:blank and 20 hours on Agobot).

    The Internet is a great source of information (as well as computer viruses).

    Thanks to everyone for the help.

    Jim
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited May 2004
    Yep, my business is computer maintenance, and in the last few months, it seems as if that's all we've been doing is "(fill in the blank) removal"