Trouble with Hijack this software - HELP!

edited January 2006 in Spyware & Virus Removal
Downloaded the latest version of HijackThis from the Short-Media site, but every time I try to execute the program, it quickly flashes on the screen and then goes away. I can't run it???
Having lots of PC problems (pop-ups and possibly hijacked), but I need to run HijackThis so I can get your help. Any ideas? Thanks!!

Comments

  • Crunchie, Mandurah, Western Australia. Member
    edited January 2006
    Download Itty Bitty Process Manager (IBProcMan.zip)(direct download) http://www.merijn.org/files/ibprocman.zip
    Run the process manager. Near the top right there are a couple of icons. Select the one to the left to copy to the clipboard. Paste the results back here.
  • edited January 2006
    Here you go... thanks!
    Process list saved on 11:13:34 PM, on 01/01/2006
    Platform: WinNT 5.01.2600 SP1

    [pid] [full path to filename] [file version] [company name]
    380 C:\WINDOWS\System32\smss.exe 5.1.2600.1106 Microsoft Corporation
    460 C:\WINDOWS\system32\winlogon.exe 5.1.2600.1106 Microsoft Corporation
    656 C:\WINDOWS\system32\services.exe 5.1.2600.0 Microsoft Corporation
    668 C:\WINDOWS\system32\lsass.exe 5.1.2600.1106 Microsoft Corporation
    856 C:\WINDOWS\system32\svchost.exe 5.1.2600.0 Microsoft Corporation
    900 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
    1180 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.0 Microsoft Corporation
    1936 C:\WINDOWS\Explorer.EXE 6.0.2800.1106 Microsoft Corporation
    152 C:\WINDOWS\System32\smsc.exe
    528 C:\WINDOWS\System32\msconf.exe
    540 C:\WINDOWS\System32\RUNDLL32.EXE 5.1.2600.0 Microsoft Corporation
    592 C:\WINDOWS\elitemediapop.exe 6.4.0.0 Network1
    868 C:\windows\system32\rpdsregq.exe 1.0.0.1
    980 C:\WINDOWS\System32\qwinqsap.exe 1.0.0.1
    1208 C:\Program Files\SysProtect\syp.exe 1.0.49.0 SysProtect Inc.
    1520 C:\WINDOWS\System32\euarvbk.exe 1.1.0.8
    1612 C:\Program Files\Dell Support\DSAgnt.exe 1.1.0.73 Gteko Ltd.
    1756 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cdic.exe
    1952 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2800.1106 Microsoft Corporation
    2612 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2800.1106 Microsoft Corporation
    3812 C:\temp\gail\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.
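The process list above is the kind of thing a helper triages by eye: which entries carry no version or company information, which publishers are unfamiliar, and which binaries run from places a system component never should. The following is an added example (not code from the thread or from IBProcMan) that does that first pass over the "[pid] [full path] [file version] [company name]" lines IBProcMan copies to the clipboard. The listing is the one posted above; the publisher allow-list and the flagging rules are this example's own assumptions. Note that the company string is read from the file's own version resource, which any author can set, so a hit here is a reason to look, not a verdict.

```python
"""Triage an Itty Bitty Process Manager (IBProcMan) process list.

Added example; not code from the thread or from IBProcMan. Parses the
"[pid] [full path] [file version] [company name]" lines and flags the
processes an analyst would look at first. The allow-list and the rules are
assumptions made for this example, not a verdict on any file.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the list posted in the thread (header lines kept on
# purpose: the parser has to skip them).
SAMPLE = r"""
Platform: WinNT 5.01.2600 SP1

[pid] [full path to filename] [file version] [company name]
380 C:\WINDOWS\System32\smss.exe 5.1.2600.1106 Microsoft Corporation
460 C:\WINDOWS\system32\winlogon.exe 5.1.2600.1106 Microsoft Corporation
656 C:\WINDOWS\system32\services.exe 5.1.2600.0 Microsoft Corporation
668 C:\WINDOWS\system32\lsass.exe 5.1.2600.1106 Microsoft Corporation
856 C:\WINDOWS\system32\svchost.exe 5.1.2600.0 Microsoft Corporation
900 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
1180 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.0 Microsoft Corporation
1936 C:\WINDOWS\Explorer.EXE 6.0.2800.1106 Microsoft Corporation
152 C:\WINDOWS\System32\smsc.exe
528 C:\WINDOWS\System32\msconf.exe
540 C:\WINDOWS\System32\RUNDLL32.EXE 5.1.2600.0 Microsoft Corporation
592 C:\WINDOWS\elitemediapop.exe 6.4.0.0 Network1
868 C:\windows\system32\rpdsregq.exe 1.0.0.1
980 C:\WINDOWS\System32\qwinqsap.exe 1.0.0.1
1208 C:\Program Files\SysProtect\syp.exe 1.0.49.0 SysProtect Inc.
1520 C:\WINDOWS\System32\euarvbk.exe 1.1.0.8
1612 C:\Program Files\Dell Support\DSAgnt.exe 1.1.0.73 Gteko Ltd.
1756 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cdic.exe
1952 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2800.1106 Microsoft Corporation
2612 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2800.1106 Microsoft Corporation
3812 C:\temp\gail\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.
"""

# Assumed: publisher strings the analyst accepts at face value. The string
# comes from the file's version resource, which any author can set, so this
# is a triage filter, not an authenticity check.
ALLOWED_PUBLISHERS = {"Microsoft Corporation", "Soeperman Enterprises Ltd."}
# Assumed: path fragments marking user-writable locations that a service or
# system component has no business running from.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\")

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+"
    r"(?P<path>.+?\.(?:exe|dll))"                 # path may contain spaces
    r"(?:\s+(?P<version>\d+(?:\.\d+){1,3}))?"     # optional file version
    r"(?:\s+(?P<company>\S.*?))?\s*$",            # optional company name
    re.IGNORECASE,
)

Process = Tuple[int, str, Optional[str], Optional[str]]


def parse_line(line: str) -> Optional[Process]:
    """Return (pid, path, version, company), or None for header/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["pid"]), m["path"], m["version"], m["company"]


def suspicious_reasons(path: str, company: Optional[str]) -> List[str]:
    reasons = []
    if not company:
        reasons.append("no company name in version resource")
    elif company not in ALLOWED_PUBLISHERS:
        reasons.append(f"publisher not on allow-list: {company}")
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable location")
    return reasons


def triage(listing: str) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that needs a closer look."""
    flagged: Dict[int, List[str]] = {}
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, path, _version, company = parsed
        reasons = suspicious_reasons(path, company)
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE).items()):
        print(pid, "; ".join(reasons))
```

Run as a script it prints one line per flagged pid. Expect the analyst's own tool (IBProcMan.exe, run from C:\temp) to appear under the location rule and the Dell support agent to appear under the publisher rule; both are the cost of a rule set that is deliberately simple, and the analyst strikes them off by hand rather than weakening the rules.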
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2006
    Open Task Manager by right-clicking on the bottom task bar and selecting it.

    End Process on each of the following:

    C:\WINDOWS\elitemediapop.exe
    C:\windows\system32\rpdsregq.exe
    C:\WINDOWS\System32\qwinqsap.exe
    C:\Program Files\SysProtect\syp.exe
    C:\WINDOWS\System32\euarvbk.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cdic.exe

    Go to the View tab in Task Manager, hit the Refresh button and check that none of them are running.
    Try running HijackThis again and post the log if successful.

    ==

    Please download the trial version of Ewido anti-malware here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    Once in Safe Mode, please run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan and post it here.
  • edited January 2006
    I'm having the same problem with 'task mgr'. It flashes on the screen for a split second, then goes away???? I can't get it to stay on the screen. However, I went on to download, update and run the Ewido software in Safe Mode. The saved report is listed below.

    Also note that although viruses were found and I hit the Clean button, once the PC was rebooted Ewido just "constantly" keeps bringing up the Infected Object Found screen. I keep hitting Clean, but it never goes away. OK, the report is below. Thanks for your time and assistance.

    ewido anti-malware - Scan report

    + Created on: 3:53:54 PM, 1/2/2006
    + Report-Checksum: F52A1767

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
    C:\Documents and Settings\Johnny\Cookies\johnny@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Johnny\Cookies\johnny@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Johnny\Cookies\johnny@data1.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Johnny\Cookies\johnny@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Johnny\Cookies\johnny@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
    C:\Documents and Settings\Johnny\Cookies\johnny@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temp\adwsetup_upd.exe -> Dropper.Agent.abb : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temp\ei.exe -> Downloader.Small.bgl : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temp\temp.frE96D\Programs\webhdll.dll -> Adware.WebHancer : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\2LH5DJW6\ei[1].exe -> Downloader.Small.bgl : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\SLMR4X2J\emoticonz[1].exe -> Trojan.LowZones.cf : Cleaned with backup
    C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\SLMR4X2J\newfrn[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\emoticonz.exe -> Trojan.LowZones.cf : Cleaned with backup
    C:\n.exe -> Downloader.Small.cdy : Cleaned with backup
    C:\Program Files\Common Files\ufif\ufifd\ufifc.dll -> Downloader.Small : Cleaned with backup
    C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll -> Spyware.Nomeh : Cleaned with backup
    C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe -> Spyware.Nomeh : Cleaned with backup
    C:\Program Files\Winad Client\ClientCom.dll -> Spyware.WinAD : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000010.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000014.dll -> Adware.Sud : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000017.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000022.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000026.exe -> Downloader.Adload.l : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000027.exe -> Spyware.ZenoSearch : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000028.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000038.exe -> Adware.BetterInternet : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000040.dll -> Hijacker.Small.jf : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000041.dll -> Spyware.ActivShopper : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000042.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000043.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000044.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000045.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000046.exe -> Trojan.Imiserv.c : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000047.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000048.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000049.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000050.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000051.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000052.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000053.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000054.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000055.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000056.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000057.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000058.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000059.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000060.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000061.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000062.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000063.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000064.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000065.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000066.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000067.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000068.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000069.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000070.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000071.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000072.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000073.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000074.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000075.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000076.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000077.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000078.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000079.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000080.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000081.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000082.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000083.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000084.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000085.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000086.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000087.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000088.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000089.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000090.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000091.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000092.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000093.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000094.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000095.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000096.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000097.exe -> Trojan.Poler.a : Cleaned with backup
    C:\temp\msbb.exe -> Spyware.180Solutions : Cleaned with backup
    C:\temp\msbbhook.dll -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\USYP_0001_N57M2911NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
    C:\WINDOWS\inst_FI002.exe -> Spyware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
    C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\newfrn.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\noC=.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
    C:\WINDOWS\stub_110_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
    C:\WINDOWS\svcproc.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\SYSTEM32\aupdate.exe -> Downloader.Adload.k : Cleaned with backup
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\bridge[1].cab/bridge.dll -> Logger.Briss.g : Cleaned with backup
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\bridge[1].cab/jao.dll -> Logger.Briss.g : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dsa_32.dll -> Logger.Agent.gk : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dsa_32.exe -> Logger.Agent.gk : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Spyware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\SYSTEM32\eins005.exe -> Downloader.Adload.k : Cleaned with backup
    C:\WINDOWS\SYSTEM32\eins008.exe -> Downloader.Adload.k : Cleaned with backup
    C:\WINDOWS\SYSTEM32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
    C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup


    ::Report End
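A scan report this long is easier to act on once the hits are grouped by where the object lives: registry keys and files in the Windows tree are persistence and configuration, while cookies, browser-cache copies and System Restore snapshot copies are disposable duplicates that say little about what is still running. The following is an added example (not code from the thread or from ewido) that does that grouping over ewido's "<object> -> <detection> : <action>" lines. The sample is a constructed subset of the report above; the location classes and the idea of a "family" (detection name minus its per-variant suffix) are this example's own choices.

```python
"""Summarize an ewido anti-malware scan report by object location.

Added example; not code from the thread or from ewido. Each report line is
"<object> -> <detection> : <action>", where the object is a file, a registry
key or a member inside an archive (written with "/"). The location classes
are this example's own assumptions.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed subset of the report posted in the thread.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Johnny\Cookies\johnny@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Johnny\Local Settings\Temp\ei.exe -> Downloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Johnny\Local Settings\Temporary Internet Files\Content.IE5\SLMR4X2J\emoticonz[1].exe -> Trojan.LowZones.cf : Cleaned with backup
C:\emoticonz.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\Program Files\Winad Client\ClientCom.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000017.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000022.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000026.exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\noC=.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\bridge[1].cab/bridge.dll -> Logger.Briss.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\dsa_32.dll -> Logger.Agent.gk : Cleaned with backup
"""

Entry = Tuple[str, str, str]  # (object, detection, action)


def parse_entry(line: str) -> Optional[Entry]:
    line = line.strip()
    if " -> " not in line:
        return None                      # header, blank or "::Report End"
    obj, _, rest = line.partition(" -> ")
    detection, sep, action = rest.rpartition(" : ")
    if not sep:                          # no action recorded on this line
        detection, action = rest, ""
    return obj, detection, action


def location_class(obj: str) -> str:
    """Bucket an object by what removing it actually achieves."""
    low = obj.lower()
    if low.startswith(("hklm\\", "hkcu\\")):
        return "registry"                # persistence / configuration
    if "\\system volume information\\_restore" in low:
        return "restore-point"           # System Restore snapshot copies
    if "\\cookies\\" in low:
        return "cookie"
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        return "temp/cache"              # dropped or downloaded payloads
    if low.startswith("c:\\windows\\"):
        return "windows-tree"            # live components
    if low.startswith("c:\\program files\\"):
        return "program-files"
    return "other"


def family(detection: str) -> str:
    """'Trojan.Poler.a' -> 'Trojan.Poler' (drop the per-variant suffix)."""
    return ".".join(detection.split(".")[:2])


def summarize(report: str) -> Dict[str, Counter]:
    by_location: Counter = Counter()
    by_family: Counter = Counter()
    for line in report.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        obj, detection, _action = entry
        by_location[location_class(obj)] += 1
        by_family[family(detection)] += 1
    return {"by_location": by_location, "by_family": by_family}


def persistence_entries(report: str) -> List[str]:
    """Objects whose removal matters most: registry keys and Windows-tree files."""
    out = []
    for line in report.splitlines():
        entry = parse_entry(line)
        if entry and location_class(entry[0]) in ("registry", "windows-tree"):
            out.append(entry[0])
    return out


if __name__ == "__main__":
    stats = summarize(SAMPLE_REPORT)
    for bucket, n in stats["by_location"].most_common():
        print(f"{n:3d}  {bucket}")
    print("follow up on:", *persistence_entries(SAMPLE_REPORT), sep="\n  ")
```

On the full report above, the restore-point bucket dominates, which is why cleanup guides of this era have the user purge System Restore after the machine is clean: a rollback would bring those copies back. The registry bucket is the short list worth cross-checking against the next HijackThis log, since a cleaned BHO CLSID that reappears means the dropper is still running.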
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2006
    Can you get a logfile from HijackThis in Safe Mode? If not, try this, then try running HijackThis again in normal mode:


    Download Killbox v2.0.0.175 and unzip the file to your Desktop and have it ready to use.

    -

    Save all the below files to a text document (notepad) to be used shortly.

    C:\WINDOWS\elitemediapop.exe
    C:\windows\system32\rpdsregq.exe
    C:\WINDOWS\System32\qwinqsap.exe
    C:\Program Files\SysProtect\syp.exe
    C:\WINDOWS\System32\euarvbk.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cdic.exe



    Open the text file you saved, left click and drag your cursor over the files to highlight them, and then use Control+C to copy them to the clipboard.
    Open KILLBOX and go to File... "Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then checkmark the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and try to get a log from HijackThis.
  • edited January 2006
    I am able to run HJT in safe mode, as well as other tasks. I am attaching the log I obtained during the safe mode boot. It seems when I do a regular boot, that's when all hell breaks loose. Viruses, trojans, etc. are discovered.
    Logfile of HijackThis v1.99.1
    Scan saved at 10:40:04 AM, on 1/3/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\temp\gail\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
    O4 - HKLM\..\Run: [0sis001w.dll] RUNDLL32.EXE 0sis001w.dll,b 267718
    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\qwinqsap.exe FI002
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
    O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dksdgp.exe reg_run
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
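The log above is read by section prefix: R0/R1 are IE start and search pages, O2/O3 are browser helper objects and toolbars, O4 is the Run keys, O15 is sites added to the Trusted Zone, O16 is ActiveX controls downloaded into Downloaded Program Files, and O23 is services. The following is an added example (not code from the thread or from HijackThis) that applies the checks a helper makes on those lines: a start or search page on a host other than the OEM default, a BHO or toolbar whose DLL is "(file missing)" (a registration left over from a partial clean), an autostart that names a file without a path or runs straight out of the Windows tree, any Trusted Zone addition, an ActiveX download from a host that is not a known online scanner, and a service with no file or no publisher. The sample is a subset of the log above; the expected OEM hosts (dell4me.com, dell.com), the accepted scanner hosts (trendmicro.com, pandasoftware.com) and the rules themselves are this example's own assumptions.

```python
"""Triage a HijackThis 1.99 log.

Added example; not code from the thread or from HijackThis. Reads the R0/R1,
O2, O3, O4, O15, O16 and O23 lines and returns the entries an analyst should
review first. Host lists and rules are assumptions made for this example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed subset of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
O4 - HKLM\..\Run: [0sis001w.dll] RUNDLL32.EXE 0sis001w.dll,b 267718
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\qwinqsap.exe FI002
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Assumed: OEM defaults this Dell machine shipped with; any other host in an
# R0/R1 line is treated as a hijack.
EXPECTED_IE_HOSTS = ("dell4me.com", "dell.com")
# Assumed: online scanners the user loaded on purpose (O16 ActiveX downloads).
ACCEPTED_DPF_HOSTS = ("trendmicro.com", "pandasoftware.com")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^\S+: \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _host_in(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def o4_target(command: str) -> str:
    """File an O4 command really starts: the exe, or the DLL rundll32 loads."""
    command = command.strip()
    if command.startswith('"'):
        end = command.index('"', 1)
        exe, rest = command[1:end], command[end + 1:]
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest.strip():
        return rest.strip().split(",", 1)[0].split()[0]
    return exe


def reason_for(kind: str, body: str) -> Optional[str]:
    if kind in ("R0", "R1"):
        host = _host(body.rsplit(" = ", 1)[-1])
        if host and not _host_in(host, EXPECTED_IE_HOSTS):
            return f"IE start/search page points at {host}"
    elif kind in ("O2", "O3"):
        if "(file missing)" in body or "(no file)" in body:
            return "BHO/toolbar registered for a DLL that is gone (left over from a partial clean)"
    elif kind == "O4":
        m = O4_RE.match(body)
        if m:
            target = o4_target(m["command"])
            if "\\" not in target:
                return f"autostart names {target} with no path (found by search order)"
            if target.lower().startswith("c:\\windows"):
                return f"autostart runs from the Windows tree: {target}"
    elif kind == "O15":
        return "site added to the IE Trusted Zone (weaker ActiveX/script policy)"
    elif kind == "O16":
        host = _host(body.rsplit(" - ", 1)[-1])
        if not _host_in(host, ACCEPTED_DPF_HOSTS):
            return f"ActiveX control downloaded from {host}"
    elif kind == "O23":
        if "(file missing)" in body:
            return "service points at a file that no longer exists"
        path = body.rsplit(" - ", 1)[-1].lower()
        if "Unknown owner" in body and path.startswith("c:\\windows"):
            return "service with no publisher running from the Windows tree"
    return None


def triage(log: str) -> List[Tuple[str, str, str]]:
    """(kind, reason, line) for every entry that deserves a second look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            reason = reason_for(m["kind"], m["body"])
            if reason:
                findings.append((m["kind"], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {line}")
```

The O4 rule is the one worth understanding: an entry like `[Microsoft Conference] msconf.exe` carries no directory, so Windows locates the file by its search order rather than by a fixed path, which is why the fix list later tells the user to search the disk for msconf.exe instead of deleting one known location; the rundll32 case (`RUNDLL32.EXE 0sis001w.dll,b 267718`) is the same trick with a DLL, and the host process being Microsoft's own rundll32 is no reassurance.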
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2006
    dinst
    Please print out or copy this page to Notepad . Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
    • Download DSRFIX from HERE onto your Desktop.
      • Unzip and EXTRACT the files to your Desktop.
      • The program creates and names the new folder to house the files.
      • DO NOT RUN IT YET
    • Download Cleanup from Here (Alternate site if the above is not working Go Here)
      • A window will open and choose SAVE, then DESKTOP as the destination.
      • On your Desktop, click on Cleanup40.exe icon.
      • Then, click RUN and place a checkmark beside "I Agree"
      • Then click NEXT followed by START and OK.
      • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
      • Click OK
      • DO NOT RUN IT YET
    • CLOSE INTERNET EXPLORER, if it is open
    • Open the folder dsrfix
      • Double click on the dsrfix batch file( the one with the little gear in it )
      • Once dsrfix has completed it will close on its own
    • Please restart HJT, put a checkmark next to the following items, and with all windows closed except for HJT, click “Fix Checked” and EXIT the program.

      O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

    • Run Cleanup
      • Click on the "Cleanup" button and let it run.
      • Once its done, close the program.
    • REBOOT your system.

    ==

    Once done, please do the following;

    ===============

    Go to Add/Remove programs and remove(uninstall) the following, if present:

    WebHancer

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Scan with HiJackThis, click "Scan", then check(tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com

    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)

    O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
    O4 - HKLM\..\Run: [0sis001w.dll] RUNDLL32.EXE 0sis001w.dll,b 267718
    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\qwinqsap.exe FI002
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
    O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dksdgp.exe reg_run
    O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe

    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c2.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\Program Files\webHancer

    files...

    C:\WINDOWS\z00096.exe
    C:\WINDOWS\System32\qwinqsap.exe
    C:\windows\mrjj.exe
    C:\WINDOWS\System32\dksdgp.exe
    C:\WINDOWS\svcproc.exe

    Search for...

    msconf.exe
    0sis001w.dll

    ...using "Start | Search...".

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    To help protect your system from hostile ActiveX content, or special 'downloadable' files:

    Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

    1) Check for any available updates; if present, they'll be automatically downloaded and installed.
    2) Next, "Enable all protection".
    3) Exit the program.

    -

    Note: Remember to regularly check for updates.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • edited January 2006
    HI!
    Did everything you said. The only thing is that anywhere you referenced running HJT, I had to do it in safe mode. However... after doing everything you said, I now have access to Hijack This and my task manager again (yeah!). I am attaching the latest HJT log below. Also, (1) I've seen some warnings from the AVG anti virus software and Ewido suite about the following: nail.exe, ei.exe and img_32.dll. And (2) some things that I checked and fixed in HJT appear to still be in the log. Lastly, (3) the trusted sites, could they be problems? Is there something I should do?

    You've been very helpful and I really appreciate your time and assistance. Hijack log follows.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:17:19 PM, on 01/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\Run: [wiaimg] C:\WINDOWS\System32\wiaimg.exe
    O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
    O4 - Startup: Zeno.lnk = C:\HJT\HijackThis.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited January 2006
    I noticed svcproc in your last log but was not concerned as it had (file missing) after it. If you are getting hits from nail.exe though, there is a chance it is still on your pc. Please do the following. (Ignore what you have already downloaded as this is a standard fix for the nail infection and I am too lazy to edit out the unnecessary stuff :D)

    You may want to print or save these instructions locally before starting.

    Please download, install, and update the free version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful")
    5. Exit Ewido. DO NOT scan yet.

    Download CCleaner and install, but do not run it yet.

    Please download the Nailfix utility.
    DO NOT run it yet.

    Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
    1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
    2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
    3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

    Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Next, run Ewido again.
    1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    2. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
    3. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


    Then run HijackThis, click Scan, and place a checkmark by the following item:

    F2 - REG:system.ini: UserInit=userinit.exe

    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)


    Close all open windows except for HijackThis and click Fix Checked.

    Now, run CCleaner.
    1. Uncheck "Cookies" under "Internet Explorer".
    2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
    Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

    ====

    Know what this is?

    C:\WINDOWS\SYSTEM32\dwdsregt.exe

    If not, upload it for a scan and let me know what's up.

    http://virusscan.jotti.org/
  • edited January 2006
    Hi!

    Okay, did everything. HJT log and Ewido log are below. Also, tried to upload the file for scanning that you asked me to, but the message said the file, C:\windows\system32\dwdsregt.exe has 0 bytes - it is likely a firewall or a piece of malware is prohibiting you from uploading this file.

    Summary of current state of PC: When I boot to normal mode, the software AVG is still finding several trojans/viruses. I delete them and/or clean them, but they come back upon rebooting? I no longer see reference to the nail.exe file however.

    The HJT log still looks like there's a couple of things that shouldn't be there, but then again, what do I know.

    Thanks for sticking with me. The log files are below.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:20:26 PM, on 01/04/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\System32\dhceac.exe
    C:\WINDOWS\System32\dhceac.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\Run: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\RunOnce: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


    ewido anti-malware - Scan report

    + Created on: 2:11:32 PM, 1/4/2006
    + Report-Checksum: A9D9C4AF

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000113.exe -> Downloader.Adload.k : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000114.dll -> Logger.Agent.gk : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000115.exe -> Logger.Agent.gk : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001122.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001123.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001124.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001125.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001126.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001127.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001129.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001139.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001140.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001141.exe -> Trojan.Poler.a : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0007443.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0007444.dll -> Logger.Agent.gk : Cleaned with backup


    ::Report End
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited January 2006
    Can you please do the following.

    Please find C:\windows\system32\dwdsregt.exe and right click on it. Choose Properties. Click the version tab and get the manufacturer and original filename please. Maybe that will give a clue. Any other info also.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\System32\dhceac.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Scan with HiJackThis, click "Scan", then check (tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

    O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\Run: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\RunOnce: [dhceac] C:\WINDOWS\System32\dhceac.exe

    O15 - Trusted Zone: *.elitemediagroup.net


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, then click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

    files...

    C:\WINDOWS\System32\dhceac.exe

    Search for...

    msconf.exe

    ...using "Start | Search...".

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • edited January 2006
    Did everything you asked where possible. Outcome as follows:
    1. Unable to locate the file dwdsregt.exe in system32.
    2. Tried to kill process dhceac.exe (listed twice). Appeared to be killed, but came back and every time it came back, AVG kicked off a virus warning on three files.
    3. Deleted the file 'dhceac.exe' and the process killed itself. However, the HJT log shows the file again?

    HJT log attached.
    Logfile of HijackThis v1.99.1
    Scan saved at 5:49:31 PM, on 01/04/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack This\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136405718234
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited January 2006
    vits5 wrote:
    3. Deleted the file 'dhceac.exe' and the process killed itself. However, the HJT log shows the file again?
    Probably an orphaned entry. HJT will remove it. Just be certain the file itself has gone.

    Can you please do the following.

    ===============

    Scan with HiJackThis, click "Scan", then check (tick) the following, if present:


    O4 - HKCU\..\Run: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe

    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, then click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

    files...

    C:\WINDOWS\System32\dhceac.exe
    C:\WINDOWS\SYSTEM32\dwdsregt.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
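    The triage Crunchie does by eye in this thread, written out as an added example (my code, not anything posted by the participants or shipped with HijackThis): it parses HijackThis v1.99.1 log text and reports O4 autoruns whose target is still in the "Running processes" list (dhceac.exe came back after being killed), autoruns given as a bare filename with no path (msconf.exe, hence the "Search for..." step), entries HJT marks "(file missing)" (the orphaned entries that remain after the file is gone), O15 trusted zones and O16 ActiveX download URLs. The sample log is a constructed subset of the log posted above; the report keys and function names are my own.

    ```python
    import re
    from dataclasses import dataclass

    # Constructed sample: a subset of the HijackThis v1.99.1 log posted in this thread.
    SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
    Platform: Windows XP SP1 (WinNT 5.01.2600)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\dhceac.exe
    C:\WINDOWS\System32\dhceac.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
    O4 - HKCU\..\Run: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - HKCU\..\RunOnce: [dhceac] C:\WINDOWS\System32\dhceac.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    """

    # "O4 - HKCU\..\Run: [name] command" style lines; section code first, body after " - ".
    ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
    O4_REG_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
    O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
    O16_RE = re.compile(r" - (?P<url>\S+)$")


    @dataclass
    class Entry:
        section: str  # HJT section code, e.g. "O4"
        body: str     # everything after "O4 - "


    def parse_log(text: str):
        """Split a HijackThis log into its running-process list and its Rx/Fx/Ox entries."""
        procs, entries, in_procs = [], [], False
        for raw in text.splitlines():
            line = raw.strip()
            if line == "Running processes:":
                in_procs = True
            elif not line:
                in_procs = False          # a blank line ends the process list
            elif in_procs:
                procs.append(line)
            else:
                m = ENTRY_RE.match(line)
                if m:
                    entries.append(Entry(m["section"], m["body"]))
        return procs, entries


    def command_path(cmd: str) -> str:
        """First token of a Run value: the quoted path if quoted, else up to the first space."""
        cmd = cmd.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0]


    def autorun_targets(entries):
        """Yield (name, target path) for every O4 entry, registry Run keys and Startup folder alike."""
        for e in entries:
            if e.section != "O4":
                continue
            m = O4_REG_RE.match(e.body)
            if m:
                yield m["name"], command_path(m["cmd"])
                continue
            m = O4_STARTUP_RE.match(e.body)
            if m:
                yield m["name"], m["cmd"].strip()   # HJT does not quote .lnk targets


    def triage(text: str) -> dict:
        """Group the entries a helper would look at first. Keys are my own naming."""
        procs, entries = parse_log(text)
        running = {p.lower() for p in procs}      # paths compare case-insensitively on Windows
        report = {"active_autoruns": [], "bare_autoruns": [], "orphaned": [],
                  "trusted_zones": [], "activex_downloads": []}
        for _name, path in autorun_targets(entries):
            if "\\" not in path:
                report["bare_autoruns"].append(path)          # resolved via PATH; must be searched for
            elif path.lower() in running and path not in report["active_autoruns"]:
                report["active_autoruns"].append(path)        # autorun target is a live process
        for e in entries:
            if e.body.endswith("(file missing)"):
                report["orphaned"].append(f"{e.section} - {e.body}")
            elif e.section == "O15":
                report["trusted_zones"].append(e.body.split(": ", 1)[1])
            elif e.section == "O16":
                m = O16_RE.search(e.body)
                if m:
                    report["activex_downloads"].append(m["url"])
        return report


    if __name__ == "__main__":
        for key, items in triage(SAMPLE_LOG).items():
            print(f"{key}:")
            for item in items:
                print(f"  {item}")
    ```
    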
  • edited January 2006
    HI!!
    Performed all requests. The two files you asked me to search and delete were found in a folder called /Prefetch, within /Windows. I don't want to say this too loud, but all seems well right now (hooray!).

    I do have a question for you before we part: This system still has Service Pack 1 on it. If I download the service pack 2 from Microsoft and install, is there any reason I should be afraid that something will go wrong with the install or is it a straightforward update? Also, what version of IE should I be at and is the download safe?

    Latest, and hopefully last HJT log below.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:47 PM, on 01/05/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijack This\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136405718234
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
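As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script for the log format above: it parses the `Oxx - ...` entries and flags the ones a helper would check first, namely orphaned `(file missing)` entries, O23 services with no recorded publisher, and O4 Run entries that name a bare executable with no path. The sample input is constructed from a few entries of the log above.

```python
import re

# Constructed sample in the HijackThis log format posted in this thread
# (a few entries copied from the log above, not a complete log).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)",
    r"O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                         # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")  # "HKLM\..\Run: [name] cmd"

def executable_of(command):
    """First token of a Run-key command line, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def parse_line(line):
    """Return (section, body, flags) for one HJT entry, or None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    flags = []
    if body.endswith("(file missing)"):
        flags.append("file missing: orphaned entry, harmless leftover to clean up")
    if section == "O23" and " - Unknown owner - " in body:
        flags.append("no publisher recorded: verify the service binary")
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm and "\\" not in executable_of(rm.group(3)):
            flags.append("bare filename: found by path search, verify which file actually runs")
    return section, body, flags

def triage(lines):
    """Parse a whole log and return only the entries that need a second look."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    return [e for e in entries if e[2]]

if __name__ == "__main__":
    for section, body, flags in triage(SAMPLE_LOG):
        print(section, body[:60], "->", "; ".join(flags))
```

Entries that are not flagged are not automatically clean; the script only narrows down which lines to look up first.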
  • Crunchie Mandurah. Western Australia. Member
    edited January 2006
    vits5 wrote:
    HI!!
    Performed all requests. The two files you asked me to search and delete were found in a folder called /Prefetch, within /Windows. I don't want to say this too loud, but all seems well right now (hooray!).

    I do have a question for you before we part: This system still has Service Pack 1 on it. If I download the service pack 2 from Microsoft and install, is there any reason I should be afraid that something will go wrong with the install or is it a straight forward update? Also, what version of IE should I be at and is the download safe?

    Latest, and hopefully last HJT log below.


    Once clean, I see no reason why you should not install service pack 2. You have the most up-to-date IE now :).

    ==

    Congratulations! Your log looks clean - good work!

    ===============

    Now that your PC is clean you need to follow these easy steps to keeping it this way:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera, which in my opinion is better still.

    Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

    Install and keep updated, Ad-Aware SE, and Spybot S&D.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


    Clear your Temp folders.
    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel >Internet Options.

    Under the General tab click the Delete temporary internet files,
    delete all Offline content as well. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.

    For XP users.
    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start>Run and type msconfig. Press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ===============

    If you have any more problems, post back.

    -

    Happy surfing,

    crunchie.
  • edited January 2006
    Crunchie,
    Thanks so much for all your time, patience and assistance. This PC belonged to my disabled nephew, and he'll be so happy to get it back! Thanks again!! A happy and healthy New Year to you and yours!
  • Crunchie Mandurah. Western Australia. Member
    edited January 2006
    You are welcome :). A happy New Year to you too.

    This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

    Include the link to the thread and detail why you need it reopened.

    If this is not your thread please start a New Topic.