I'm dying!!!! Help

30 replies to this topic

#1 Millleft

    Member

  • Members
  • 24 posts

Posted 26 January 2007 - 03:58 AM

I'm not sure if this is where to start or if this is the right forum but here goes.

I just bought a new computer on 1-17-07 to replace this one I'm using now (I format/recovered my disk and now it's working better than it has in a LONG while) and now my new one is working worse than this one ever did.

I used my MStick to transfer files from old comp to new (BAD IDEA) and used the new updated McAfee that came with my computer to scan after they were put on my desktop, but one of the reasons that I bought another comp is because of the POOR customer service I've been getting from Symantec over the years as a paying customer (they wanted $80.00 to tell me how to fix it). Anyway...

It runs SLOWWW on the internet, it won't open sites or email now.
At first it started going a little crazy when I went to sites like Kim Komando after I went to grc.com.
When grc's Shields-Up (I wanted to check my new McAfee firewall) was checking my ports it really really started going crazy and would not stop until I actually unplugged my DSL cable. It did indicate however that I had ports 1029 and 1030 "closed" not "stealth".

I'm sure it picked up something from my old computer despite my scanning attempts at each MStick "batch".

Also can my MStick (SanDisk Cruzer Mini 1-GB) itself be infected or scanned?
Should I "sign it in" to scan it or just "plug and scan"?

I know I'm asking a lot of questions but I need help and I have been putting hours and hours into this brand new computer with no luck (9 out of the 11 days of its brand new life).

I'm using the McAfee (for the first time) that came with my now 11 day old computer and I found the tool that denies access to certain "unsolicited attempt to access port #***" and I hit the "Ban this address" button (without knowing what I was doing) and things started getting worse. When I hit the "Allow this address" button, it acted as if I was hitting the "Ban" button again and said "You must remove from banned list..." etc. I found the "remove prior whatever whatever" button but my log still displays "unsolicited attempt by banned site" to the power of ten times more.

I have downloaded some of the free tools from Komando, one of the first is Ad-Aware, but the more tools I tried the worse it got. After doing some more research I discovered that those viruses sure have gotten a lot more complicated. When I ran Ad-Aware it found the Exploit virus and said it removed it but I still have some BIG problem now.

Also when I'm on the internet my LAN internet indicator comes up next to my internet indicator displaying twin indicators.

I know I downloaded HijackThis to both computers and I think I may have run them in FIX mode (again, without knowing what I was doing), after which I format/recovered my old one and it is doing MUCH better, though I still don't trust it yet (we'll do this one later).

I have used regedit to remove viruses before and used to be a pretty good DOS man but that was a long time ago; between that time and the time when I got my first computer (a 3 yr old Win ME) almost two decades had passed.

I want to make sure I understand some of the instructions. I've read a few of the posts in here and I'm not too sure of a few things so I figure I'll ask.

When you say "close windows" or "close all programs" are you talking about using Task Manager via control-alt-del to stop running processes or should I close anything on the toolbar?

Thanks for any support and I can tell that they are keeping everyone busy.

And sorry about being so long winded.

HELP!!!

#2 Millleft

    Member

  • Members
  • 24 posts

Posted 26 January 2007 - 05:35 AM

I just figured out how to transfer my HJThis log (I hope) to this. I got a couple of error boxes stating that the file may not be complete but I'm trying.

And I thought I read somewhere "Don't post HJThis log until requested" but I could not find it.




Logfile of HijackThis v1.99.1
Scan saved at 10:35:21 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6009\SAService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Stuff\SlapThisShit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O23 - Service: McAfee Application Installer Cleanup (0229081169732505) (0229081169732505mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\022908~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6009\SAService.exe

#3 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 27 January 2007 - 12:03 AM

Hi, Millleft


Download ATF (Atribune Temp File) Cleaner© by Atribune

Download and Install AVG Anti-Spyware© by Grisoft

Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update AVG Anti-Spyware to the latest definition files.
On the main screen select the icon Update then select the Update now link
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Close AVG Anti-Spyware

(Don't run just yet)


===============

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

===============

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program


Run AVG Anti-Spyware
Click on Scanner at top
Click on Settings
Once in the Settings screen click on Recommended actions and then select Quarantine
Under Reports, Select Automatically generate report after every scan
Un-Select Only if threats were found
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time
Once the scan is complete do the following :
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Now close AVG Anti-Spyware

===============

Reboot into Normal Mode and do this for me


Please download ComboFix and save it to your desktop.

Double click combofix.exe and follow the prompts.

When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Gogo ^_^
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#4 Millleft

    Member

  • Members
  • 24 posts

Posted 27 January 2007 - 04:49 AM

Thanks for the help!

Now for the bad news

I could download AVG & ATF Cleaner (I haven't run either yet) but I keep getting an "Update Aborted" on the AVG (I've tried 6 times and it has taken approx 4 hrs).

That "LAN network connection" indicator I mentioned that pops up next to the "Broadband Connection" indicator reads "Searching Network Address" when I hold my mouse pointer over it.
I think this is a symptom of my blocking those "pingers" with McAfee.

I don't trust allowing them because I can't get a "trace this address" result because it won't pull it up.

Is there anything I can change to get a safe allow to update AVG

OR install it to disk on this PC and transfer it over

OR install it onto this PC, update it and then copy the updated file and any updated component files into a disk and then delete and replace them on the infected PC which does have AVG installed?

Should I run non-updated AVG (in safe mode) along with the ATF and post those results?

Edited by Millleft, 27 January 2007 - 04:51 AM.


#5 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 27 January 2007 - 05:56 AM

Hey, Millleft

Go here and download the updates

http://www.ewido.net...wnload/updates/

Gogo ;)

#6 Millleft

    Member

  • Members
  • 24 posts

Posted 27 January 2007 - 06:30 AM

Thanks! Much Better

I downloaded it and double clicked it and it extracted and did its thing, so now should I take up from your instructions about running it in safe mode? (please say yes) or did I mess up by double clicking it???

Also I downloaded the AVG update on top, not the "full Database".

Edited by Millleft, 27 January 2007 - 06:33 AM.


#7 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 27 January 2007 - 06:51 AM

Hi, Millleft

Yes, once you have updated AVG Anti-Spyware go to Safe Mode and move on with the work.

Gogo ;)

#8 Millleft

    Member

  • Members
  • 24 posts

Posted 27 January 2007 - 03:49 PM

The AVG found no virus and had no report created.

Here's the ComboFix report.


"Owner" - 07-01-27 8:37:18 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-27 to 2007-01-27 ))))))))))))))))))))))))))))))))))


2007-01-27 08:33 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-26 21:01 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Sun
2007-01-26 18:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-26 18:07 <DIR> d-------- C:\Program Files\Grisoft
2007-01-25 22:31 <DIR> d-------- C:\Program Files\Stuff
2007-01-23 23:41 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\McAfee
2007-01-23 22:24 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-23 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-01-22 23:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-22 23:27 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Lavasoft
2007-01-21 23:14 19,328 --a------ C:\WINDOWS\system32\NotSleep.dll
2007-01-21 23:13 <DIR> d-------- C:\Program Files\NoTrax
2007-01-21 20:12 <DIR> d-------- C:\Program Files\Erace
2007-01-20 12:23 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Template
2007-01-20 11:31 114,744 --a------ C:\WINDOWS\system32\hpzlnt04.dll
2007-01-20 11:28 <DIR> d-------- C:\Program Files\hp deskjet 825c series
2007-01-20 11:28 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-01-20 10:17 1,933,312 --a------ C:\WINDOWS\system32\Tropix.scr
2007-01-19 22:53 802,816 --a------ C:\WINDOWS\feedingfrenzy.scr
2007-01-19 22:43 <DIR> d-------- C:\My Games
2007-01-19 22:36 <DIR> d-------- C:\My Download Files
2007-01-19 22:31 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-01-18 22:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-01-18 22:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-18 22:51 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\AdobeUM
2007-01-18 22:50 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Adobe
2007-01-18 22:41 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Google
2007-01-18 22:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-01-18 22:00 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-01-18 22:00 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-18 22:00 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\SiteAdvisor
2007-01-18 22:00 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\SiteAdvisor
2007-01-18 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SiteAdvisor
2007-01-18 21:59 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-01-18 21:58 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-01-18 21:58 35,048 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-01-18 21:58 34,120 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-01-18 21:58 31,944 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-01-18 21:58 168,392 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-01-18 21:58 100,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-01-18 21:55 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-01-18 21:26 <DIR> d-------- C:\Program Files\Common Files\AolCoach
2007-01-18 18:22 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\WildTangent
2007-01-18 17:16 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Help
2007-01-18 07:06 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2007-01-18 07:06 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2007-01-18 07:06 131,072 --a------ C:\WINDOWS\system32\mclsp(2)(2).dll
2007-01-18 07:06 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2007-01-18 05:52 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-18 05:52 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-18 05:51 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-18 05:50 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-18 05:49 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-18 05:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-18 05:46 <DIR> d-------- C:\89db9ade18ab4de354a1
2007-01-18 05:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-18 05:29 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-18 05:27 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-01-18 05:27 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-17 22:19 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-01-17 22:19 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-01-17 22:19 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-01-17 22:19 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-01-17 22:19 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-01-17 22:19 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-01-17 22:19 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-01-17 22:19 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-01-17 22:18 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-01-17 22:18 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-01-17 22:18 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-01-17 22:18 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-01-17 22:18 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-01-17 22:18 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-01-17 22:18 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-01-17 22:18 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-01-17 22:18 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-01-17 22:17 253,952 --------- C:\WINDOWS\SBCDSL.exe
2007-01-17 22:16 99,544 --------- C:\WINDOWS\system32\GetFlash.exe
2007-01-17 22:01 <DIR> d--hs---- C:\DOCUME~1\Owner\UserData
2007-01-17 21:22 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-01-17 21:22 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\You've Got Pictures Screensaver
2007-01-17 21:22 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\SampleView
2007-01-17 21:12 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-27 08:33 -------- d-------- C:\Program Files\mcafee
2007-01-23 23:17 -------- d-------- C:\Program Files\real
2007-01-20 22:37 126 --a------ C:\DOCUME~1\Owner\Application Data\wklnhst.dat
2007-01-20 22:37 -------- d---s---- C:\DOCUME~1\Owner\Application Data\microsoft
2007-01-18 22:09 -------- d-------- C:\Program Files\google
2007-01-18 22:03 -------- d-------- C:\Program Files\mcafee.com
2007-01-18 21:27 -------- d-------- C:\Program Files\pure networks
2007-01-18 21:26 -------- d-------- C:\Program Files\windows nt
2007-01-18 21:26 -------- d-------- C:\Program Files\Common Files\aol
2007-01-18 19:08 -------- d-------- C:\Program Files\online services
2007-01-18 06:12 -------- d-------- C:\DOCUME~1\Owner\Application Data\macromedia
2007-01-18 05:38 -------- d-------- C:\Program Files\messenger
2006-12-07 00:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
69,6e,64,5f,58,50,2e,65,78,65,00
"MskAgentexe"="C:\\Program Files\\McAfee\\MSK\\MskAgent.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6009\\SiteAdv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90b60451-656d-11db-9e07-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 07-01-27 8:39:45

#9 Millleft

    Member

  • Members
  • 24 posts

Posted 27 January 2007 - 06:33 PM

I'm not sure if this will help or if I should post it without request but I found the first Ad-Aware log that identified the virus (that I thought was Exploit but it was IEHijacker). I had deleted the quarantine archive and assumed that it automatically deleted the log (I wish I would have found this forum before I tried to fix things on my own).

I'm not sure if this helps with the problems that I'm still having but I'm almost sure these viruses came from transferring files from my old PC.

THANKS AGAIN and here it is



Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, January 22, 2007 11:28:44 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R146 22.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
IEHIjacker.SearchExe(TAC index:6):5 total references
MRU List(TAC index:0):20 total references
Tracking Cookie(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-22-2007 11:28:44 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Owner\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-2471188847-1457541131-3360027596-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 480
ThreadCreationTime : 1-22-2007 4:48:41 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 1-22-2007 4:48:42 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 1-22-2007 4:48:43 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 628
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 772
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 6.14.10.4121
ProductVersion : 6.14.10.4121
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 784
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 856
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 892
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 948
ThreadCreationTime : 1-22-2007 4:48:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1008
ThreadCreationTime : 1-22-2007 4:48:45 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1224
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 6.14.10.4121
ProductVersion : 6.14.10.4121
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1292
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1316
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [hwapi.exe]
FilePath : C:\Program Files\Common Files\McAfee\HackerWatch\
ProcessID : 1508
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 8.1.105.0
ProductVersion : 8.1.105.0
ProductName : McAfee HackerWatch Service
CompanyName : McAfee, Inc.
FileDescription : McAfee HackerWatch Service
LegalCopyright : © McAfee, Inc. All rights reserved.
OriginalFilename : HWAPI.exe

#:16 [mclogsrv.exe]
FilePath : C:\PROGRA~1\McAfee\MSC\
ProcessID : 1544
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 7,1,131,0
ProductVersion : 7,1,0,0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc.
FileDescription : MSC Log Manager
InternalName : mclogsrv
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : mclogsrv.exe

#:17 [mcupdmgr.exe]
FilePath : C:\PROGRA~1\McAfee\MSC\
ProcessID : 1588
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 7,1,137,0
ProductVersion : 7,1,0,0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc.
FileDescription : McAfee Update Manager Service
InternalName : mcupdmgr
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : mcupdmgr.exe

#:18 [mcnasvc.exe]
FilePath : c:\program files\common files\mcafee\mna\
ProcessID : 1616
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 1,1,110,0
ProductVersion : 1,1,0,0
ProductName : McAfee Integrated Security Platform
CompanyName : McAfee, Inc.
FileDescription : McAfee Network Agent
InternalName : McNASvc
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : McNASvc.exe

#:19 [mcods.exe]
FilePath : C:\PROGRA~1\McAfee\VIRUSS~1\
ProcessID : 1640
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 11,1,124,0
ProductVersion : 11,1,0,0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan - On Demand Scan
InternalName : mcods.exe
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : mcods.exe

#:20 [mcpromgr.exe]
FilePath : C:\PROGRA~1\McAfee\MSC\
ProcessID : 1656
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 7,1,131,0
ProductVersion : 7,1,0,0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc.
FileDescription : McAfee Integrated Security Platform
InternalName : McProMgr
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : McProMgr.exe

#:21 [mcproxy.exe]
FilePath : c:\PROGRA~1\COMMON~1\mcafee\mcproxy\
ProcessID : 1684
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 1,1,118,0
ProductVersion : 1,1,0,0
ProductName : McAfee Proxy
CompanyName : McAfee, Inc.
FileDescription : McAfee Proxy Service Module
InternalName : McProxy
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : McProxy.exe
Comments : McAfee Proxy Service

#:22 [redirsvc.exe]
FilePath : c:\PROGRA~1\COMMON~1\mcafee\redirsvc\
ProcessID : 1720
ThreadCreationTime : 1-22-2007 4:48:46 AM
BasePriority : Normal
FileVersion : 1,1,116,0
ProductVersion : 1,1,0,0
ProductName : McAfee Redirector
CompanyName : McAfee, Inc.
FileDescription : McAfee Redirector Service Module
InternalName : McRedirector
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : RedirSvc.exe
Comments : McAfee Redirector Service

#:23 [mcshield.exe]
FilePath : C:\PROGRA~1\McAfee\VIRUSS~1\
ProcessID : 1780
ThreadCreationTime : 1-22-2007 4:48:47 AM
BasePriority : High


#:24 [mcsysmon.exe]
FilePath : C:\PROGRA~1\McAfee\VIRUSS~1\
ProcessID : 1844
ThreadCreationTime : 1-22-2007 4:48:47 AM
BasePriority : Normal
FileVersion : 11,1,130,0
ProductVersion : 11,1,0,0
ProductName : McAfee VirusScan API
CompanyName : McAfee, Inc.
FileDescription : McAfee SystemGuards Service
InternalName : sysmon
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : sysmon.exe

#:25 [mctskshd.exe]
FilePath : C:\PROGRA~1\McAfee\MSC\
ProcessID : 1868
ThreadCreationTime : 1-22-2007 4:48:48 AM
BasePriority : Normal
FileVersion : 7,1,133,0
ProductVersion : 7,1,0,0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc.
FileDescription : McAfee Tqsk Scheduler
InternalName : McTskShd
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : mctskshd.exe

#:26 [mcusrmgr.exe]
FilePath : C:\PROGRA~1\McAfee\MSC\
ProcessID : 1996
ThreadCreationTime : 1-22-2007 4:48:48 AM
BasePriority : Normal
FileVersion : 7,1,131,0
ProductVersion : 7,1,0,0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc.
FileDescription : MISP User Manager
InternalName : McUsrMgr
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : McUsrMgr.exe

#:27 [mpfsrv.exe]
FilePath : C:\Program Files\McAfee\MPF\
ProcessID : 120
ThreadCreationTime : 1-22-2007 4:48:49 AM
BasePriority : Normal
FileVersion : 8.1.123.0
ProductVersion : 8.1.123.0
ProductName : McAfee Personal Firewall
CompanyName : McAfee, Inc.
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MpfService.exe
Comments : McAfee Personal Firewall Service

#:28 [msksrver.exe]
FilePath : C:\Program Files\McAfee\MSK\
ProcessID : 364
ThreadCreationTime : 1-22-2007 4:48:49 AM
BasePriority : Normal
FileVersion : 8.1.117.0
ProductVersion : 8.1
ProductName : McAfee SpamKiller
CompanyName : McAfee Inc.
FileDescription : McAfee SpamKiller MskServer
InternalName : MskServe
LegalCopyright : Copyright © 2006, McAfee Inc.
OriginalFilename : MskServe.exe

#:29 [saservice.exe]
FilePath : C:\Program Files\SiteAdvisor\6009\
ProcessID : 252
ThreadCreationTime : 1-22-2007 4:48:50 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SAService Application
CompanyName : McAfee, Inc.
FileDescription : SAService Application
InternalName : SAService
LegalCopyright : Copyright McAfee, Inc. 2006
OriginalFilename : SAService.exe

#:30 [pdvdserv.exe]
FilePath : C:\Program Files\CyberLink\PowerDVD\
ProcessID : 1100
ThreadCreationTime : 1-22-2007 4:48:54 AM
BasePriority : Normal
FileVersion : 6.00.1027
ProductVersion : 6.00.1027
ProductName : PowerDVD
CompanyName : Cyberlink Corp.
FileDescription : PowerDVD RC Service
InternalName : PowerDVD RC Service
LegalCopyright : Copyright © CyberLink Corp. 1997-2004
OriginalFilename : PDVDSERV.EXE

#:31 [rthdcpl.exe]
FilePath : C:\WINDOWS\
ProcessID : 1128
ThreadCreationTime : 1-22-2007 4:48:54 AM
BasePriority : Normal
FileVersion : 2.1.0.6
ProductVersion : 2.1.0.6
ProductName : Realtek HD Audio Sound Effect Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek HD Audio Control Panel
LegalCopyright : Copyright © 2004 Realtek Semiconductor Corp.
OriginalFilename : RTHDCPL.EXE

#:32 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ProcessID : 1268
ThreadCreationTime : 1-22-2007 4:48:55 AM
BasePriority : Normal
FileVersion : 6.14.10.5168
ProductVersion : 6.14.10.5168
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2005 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:33 [mskagent.exe]
FilePath : C:\Program Files\McAfee\MSK\
ProcessID : 1988
ThreadCreationTime : 1-22-2007 4:48:55 AM
BasePriority : Normal
FileVersion : 8.1.117.0
ProductVersion : 8.1
ProductName : McAfee SpamKiller
CompanyName : McAfee Inc.
FileDescription : McAfee SpamKiller MskAgent Application
InternalName : MskAgent
LegalCopyright : Copyright © 2006, McAfee Inc.
OriginalFilename : MskAgent.exe

#:34 [siteadv.exe]
FilePath : C:\Program Files\SiteAdvisor\6009\
ProcessID : 2008
ThreadCreationTime : 1-22-2007 4:48:55 AM
BasePriority : Normal
FileVersion : 2.3.0
ProductVersion : 2.3.0
ProductName : SiteAdvisor
CompanyName : McAfee, Inc.
FileDescription : SiteAdvisor
InternalName : SiteAdv
LegalCopyright : Copyright McAfee, Inc. All rights reserved.
OriginalFilename : SiteAdv

#:35 [hpztsb04.exe]
FilePath : C:\WINDOWS\system32\spool\drivers\w32x86\3\
ProcessID : 2012
ThreadCreationTime : 1-22-2007 4:48:55 AM
BasePriority : Normal
FileVersion : 2,76,0,0
ProductVersion : 2,76,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2001

#:36 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2080
ThreadCreationTime : 1-22-2007 4:48:55 AM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:37 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2164
ThreadCreationTime : 1-22-2007 4:48:58 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:38 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2184
ThreadCreationTime : 1-22-2007 4:48:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:39 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ProcessID : 2192
ThreadCreationTime : 1-22-2007 4:48:59 AM
BasePriority : Normal
FileVersion : 7,1,133,0
ProductVersion : 7,1,0,0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc.
FileDescription : McAfee Integrated Security Platform
InternalName : McAgent
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : McAgent.exe

#:40 [googletoolbarnotifier.exe]
FilePath : C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\
ProcessID : 2248
ThreadCreationTime : 1-22-2007 4:48:59 AM
BasePriority : Normal
FileVersion : 1, 2, 908, 8472
ProductVersion : 1, 2, 908, 8472
ProductName : GoogleToolbarNotifier
CompanyName : Google Inc.
FileDescription : GoogleToolbarNotifier
LegalCopyright : Copyright © 2005-2006
OriginalFilename : GoogleToolbarNotifier.exe

#:41 [bigfix.exe]
FilePath : C:\Program Files\BigFix\
ProcessID : 2572
ThreadCreationTime : 1-22-2007 4:49:05 AM
BasePriority : Normal
FileVersion : 2, 0, 2, 3
ProductVersion : 2, 0, 2, 3
ProductName : BigFix
CompanyName : BigFix Inc.
FileDescription : BigFix Client Application
InternalName : BigFix
LegalCopyright : Copyright © 2002
OriginalFilename : BigFix.exe

#:42 [mps.exe]
FilePath : C:\PROGRA~1\McAfee\MPS\
ProcessID : 2740
ThreadCreationTime : 1-22-2007 4:49:11 AM
BasePriority : Normal
FileVersion : 9.1.137.0
ProductVersion : 9.1.137.0
ProductName : McAfee Privacy Service
CompanyName : McAfee, Inc.
FileDescription : McAfee Privacy Service 9.0
InternalName : mps9
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : mps.exe

#:43 [mpsevh.exe]
FilePath : C:\Program Files\McAfee\MPS\
ProcessID : 2828
ThreadCreationTime : 1-22-2007 4:49:15 AM
BasePriority : Normal
FileVersion : 9.1.130.0
ProductVersion : 9.1.130.0
ProductName : McAfee Privacy Service
CompanyName : McAfee, Inc.
FileDescription : McAfee Privacy Service 9.0 Event Handler
InternalName : MpsEventHandler
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : mpsevh.exe

#:44 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3196
ThreadCreationTime : 1-22-2007 4:49:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:45 [emproxy.exe]
FilePath : C:\PROGRA~1\COMMON~1\McAfee\EmProxy\
ProcessID : 3416
ThreadCreationTime : 1-22-2007 4:54:32 AM
BasePriority : Normal
FileVersion : 11,2,115,0
ProductVersion : 11,2,0,0
ProductName : McAfee Email Proxy
CompanyName : McAfee, Inc.
FileDescription : McAfee Email Proxy
InternalName : EmProxy
LegalCopyright : Copyright © 2006 McAfee, Inc.
OriginalFilename : EmProxy.exe

#:46 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 3860
ThreadCreationTime : 1-23-2007 5:27:19 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IEHIjacker.SearchExe Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 21


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@zedo[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:owner@zedo.com/
Expires : 1-19-2017 11:18:32 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@revsci[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:owner@revsci.net/
Expires : 1-17-2027 11:18:06 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:owner@atdmt.com/
Expires : 1-21-2012 6:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@real[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:24
Value : Cookie:owner@real.com/
Expires : 3-23-2007 5:28:42 PM
LastSync : Hits:24
UseCount : 0
Hits : 24

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:owner@doubleclick.net/
Expires : 1-21-2010 12:42:20 AM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 26



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 26


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 26


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 26




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IEHIjacker.SearchExe Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

IEHIjacker.SearchExe Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

IEHIjacker.SearchExe Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Search Page

IEHIjacker.SearchExe Object Recognized!
Type : RegData
Data : 1
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL
Data : 1

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 30

11:37:16 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:32.187
Objects scanned:156155
Objects identified:10
Objects ignored:0
New critical objects:10
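
As an added example (not code from this thread or from Lavasoft), here is a small Python parser for the "Object Recognized!" blocks of the Ad-Aware SE log above; the field layout is assumed from the excerpt, and the sample log it runs on is constructed. It separates the unrated MRU entries from rated findings, lists the registry locations worth inspecting by hand, and cross-checks the rated count against the log's own "Objects identified" line (1 registry + 5 cookie + 4 conditional = 10 in the log above).

```python
"""Parser for the "Object Recognized!" blocks in an Ad-Aware SE log.

Added example; it is not part of this thread or of Lavasoft's tools. The
field layout is assumed from the excerpt posted above: a header line ending
in "Object Recognized!" followed by "Key : Value" lines until a blank line.
"""
import re
from collections import Counter

# Constructed sample in the shape of the log above (three representative blocks).
SAMPLE_LOG = r"""
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


IEHIjacker.SearchExe Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:owner@doubleclick.net/
Expires : 1-21-2010 12:42:20 AM
LastSync : Hits:7
UseCount : 0
Hits : 7

Summary Of This Scan
Objects identified:2
"""

HEADER_RE = re.compile(r"^(?P<name>.+?) Object Recognized!$")
# "Key : Value"; the MRU lines use the odd "Location: : value" spelling, hence ":?".
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*:?\s*(?P<value>.*)$")
IDENTIFIED_RE = re.compile(r"^Objects identified:\s*(\d+)$", re.MULTILINE)


def parse_log(text):
    """Return one dict per finding; the header name goes under 'name'."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None            # a blank line closes the block
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group("name")}
            records.append(current)
            continue
        if current is None:
            continue                  # section banners, process list, summary
        f = FIELD_RE.match(line)
        if f:
            current[f.group("key").strip()] = f.group("value").strip()
    return records


def summarise(records):
    """Split informational MRU entries (no TAC rating) from rated findings and
    list the registry locations a responder would want to inspect by hand."""
    rated = [r for r in records if "TAC Rating" in r]
    registry = []
    for r in rated:
        if r.get("Rootkey"):
            path = r["Rootkey"] + "\\" + r.get("Object", "")
            if r.get("Value"):
                path += " [" + r["Value"] + "]"
            registry.append(path)
    return {
        "objects_found": len(records),
        "rated": len(rated),
        "by_category": dict(Counter(r.get("Category", "?") for r in rated)),
        "max_tac": max((int(r["TAC Rating"]) for r in rated), default=0),
        "registry_paths": registry,
    }


def matches_summary(text, records):
    """Cross-check: the number of rated findings should equal the log's own
    'Objects identified' count (10 in the log posted above)."""
    m = IDENTIFIED_RE.search(text)
    return m is not None and int(m.group(1)) == summarise(records)["rated"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarise(recs))
    print("summary consistent:", matches_summary(SAMPLE_LOG, recs))
```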

#10 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 27 January 2007 - 10:37 PM

Hi, Millleft

First, make sure to update Ad-Aware SE.

Next, run this tool here, then run your scan with Ad-Aware and see if it shows up again.


Download & install CCleaner

Please select/download the toolbar-free CCleaner v1.36.430 - Basic or Slim (English-only) version instead of the Standard Build (which will also install Yahoo Toolbar).

Once installed, run CCleaner & select the Windows tab

Select ONLY the options illustrated below (Nothing in Applications tab should be checked):

[image: cleaner.gif]


(The illustration above is a bit outdated, but most of the options are still there. You may check Cookies, too, if you wish.)

Next: click Options > click Advanced > Uncheck "Only delete files older than 48 hrs" > click [OK]

Return to Cleaner main then click Run Cleaner (bottom right)

A pop up box will appear advising this process will permanently delete files from your system.

Click "OK" and it will scan and clean your system.

Click "exit" when done.

CCleaner should be run with the above settings in each User Profile! Don't forget to do this.


Gogo :)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#11 Millleft

Millleft

    Member

  • Members
  • 24 posts

Posted 28 January 2007 - 01:41 AM

Hey HJT

OK, I've completed those steps and AdAware only found 1 MRU file.
(Also, just in case I confused things more with my last post, that AdAware log was from Mon 1-22-07, not recent; it was the first one I ran after the file transfer from the old PC.) It hasn't found anything that negative since.

I'm wondering about when you said "each user profile": I logged off of Windows and the only profile to log back on to was Owner. It didn't show an Administrator profile... so is this what you're talking about? Do I need to do something else?

I'm not sure how much is left to do but I eagerly await your expertise!

Thanks again

#12 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 28 January 2007 - 04:25 AM

Hi, Millleft

Sorry for the hold-up, and yes, that's for all users on the PC.
So the files Ad-Aware SE had found before are now gone; is this what you are saying?

Gogo :)

#13 Millleft

Millleft

    Member

  • Members
  • 24 posts

Posted 28 January 2007 - 05:41 AM

No prob about the hold-up, we all have things to do.


Yes that is correct,

I posted the old log because I didn't realize I still had it and thought it might help with the problems I'm still having.

Sorry about the confusion!

Also do I need to "enable" administrator and re-run CCleaner?

Edited by Millleft, 28 January 2007 - 05:42 AM.


#14 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 28 January 2007 - 10:07 AM

Hey, Millleft

Yes please, and the problem you are talking about is that the PC is
still running slow for you.

If so, here is something to try for me: please, for just a min or 2,
disable McAfee and tell me if the same thing happens to you.
Again, do this only for a min or 2.

Gogo ;)

#15 Millleft

Millleft

    Member

  • Members
  • 24 posts

Posted 28 January 2007 - 04:24 PM

I disabled McAfee and it had no improvement,

As far as accounts go, when I hit Log Off and then Switch User, the only option is Owner.

When I go to Control Panel > User Accounts the only options are:

Owner
computer administrator

and

Guest
Guest account is off


I can access the Administrator account in safe mode, but then CCleaner (and other tools) are not accessible.
Help!!!

My symptoms are still slow slow slow internet and email; it takes 2 to 3 mins sometimes to open an internet page, and it still has the twin internet indicators. The fan runs a little fast even when idle and still speeds up when I go to sites like kimkomando and grc.com. Sometimes it doesn't want to disconnect from the net unless I turn off the modem, and when I connect (before going to any sites) there seems to be a lot of computer/modem activity.

It acts like something is still trying to re-direct my internet page.

When it's not connected to the modem it seems OK; it's not quite as quick as it seemed when I first got it, but it does real good on my RealArcade games and other non-internet tasks.

I just got it, and at first, before I got virused, it was WAY faster than the "old" computer (though that one is less than 1 1/2 yrs old).
I haven't had much use time since I got tagged right after transferring my pics (and Favorites; I know now that I shouldn't have done that).

should I post another hijack-this log?

Also, I started another topic with my "old" PC since I believe it is the source of my new PC's (this one) infection. I don't feel safe checking my credit card accounts or any other sensitive data.

Here is a link

http://www.lavasofts...?showtopic=6611

It started running slower after I ran AdAware so I posted it as a new topic since it is a different PC and I am still worried about it. Maybe it can help point to the problem here. I just don't know what to do.

Edited by Millleft, 29 January 2007 - 02:09 AM.


#16 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 29 January 2007 - 07:15 AM

Hi, Millleft

Not a bad idea. Now let me ask: by chance, did you happen to add
RAM to the new PC? And yes, I have done this.

And what, if anything, did you plug in to the new PC?
Talking about hardware, did you try unplugging any of them?
I will be looking for more info to see what, if anything, I can find.

Gogo :(

#17 Millleft

Millleft

    Member

  • Members
  • 24 posts

Posted 29 January 2007 - 12:56 PM

Hey man,

No, I haven't added RAM or anything else inside. The machine is an eMachines T3516 desktop; the only items plugged in are a new Envision LCD flat screen (with auto adjust), my HP printer and the Siemens SpeedStream 4100 DSL modem, which I unplug to hook it to my "better old" computer to access the net.

The secondary internet indicator seemed to start popping up after I blocked those sites w/ McAfee, but disabling it didn't help.

It just acts like some evil little creatures are living inside.

I'm almost ready to try destructive Format/Recover on this one, it seemed to help the other one.

Many Thanks!

Here's my new log:


Logfile of HijackThis v1.99.1
Scan saved at 5:47:22 AM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6009\SAService.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Stuff\SlapThisShit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{706DA73F-4A05-4869-856D-F5F097BB38BC}: NameServer = 68.94.156.1 68.94.157.1
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O23 - Service: McAfee Application Installer Cleanup (0112911170070116) (0112911170070116mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\011291~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6009\SAService.exe

Edited by Millleft, 29 January 2007 - 01:01 PM.
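Triage heuristics for the HijackThis log posted above, as an added example (not part of this thread and not a HijackThis feature): the sample entries are copied from that log, and every flag is a point to verify by hand, not a detection. In this log each hit is a known vendor entry, which is exactly why the output is a review list rather than a verdict.

```python
import re

# Entries excerpted from the HijackThis log posted above (the script itself is an
# added example). "NA" and "(file missing)" appear exactly as HijackThis writes them.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{706DA73F-4A05-4869-856D-F5F097BB38BC}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: McAfee Application Installer Cleanup (0112911170070116) (0112911170070116mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\011291~1.EXE
"""

O4_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
ABS_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|%\w+%\\)')   # C:\... or %WINDIR%\...


def triage(log_lines):
    """Return (rule, line) pairs worth a second look. Review heuristics, not verdicts."""
    findings = []
    for line in (raw.strip() for raw in log_lines):
        if not line:
            continue
        if '(file missing)' in line:
            # Registry still points at a binary that is gone: stale entry to clean up.
            findings.append(('dangling-entry', line))
        if line.startswith(('O2 ', 'O9 ')) and '(no name)' in line:
            # Browser extension registered without a display name: identify by CLSID/path.
            findings.append(('unnamed-extension', line))
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd').lstrip('"')
            if cmd != 'NA' and not ABS_PATH_RE.match(cmd):
                # Bare filename is resolved via the search path: confirm which file runs.
                findings.append(('run-key-bare-filename', line))
        if line.startswith('O23 '):
            path = line.rsplit(' - ', 1)[-1]
            if re.search(r'\\temp\\', path, re.IGNORECASE):
                # A service hosted from a temp directory needs an explanation.
                findings.append(('service-in-temp', line))
        if line.startswith('O17 ') and 'NameServer' in line:
            # DNS servers: compare against the ISP's published resolvers.
            servers = ','.join(line.split('=', 1)[1].split())
            findings.append(('dns-servers:' + servers, line))
    return findings


if __name__ == '__main__':
    for rule, entry in triage(SAMPLE_LOG.splitlines()):
        print(f'{rule:40} {entry[:70]}')
```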


#18 Millleft

Millleft

    Member

  • Members
  • 24 posts

Posted 29 January 2007 - 07:28 PM

I'm not sure if this means anything, but when I pulled up the forums and hit refresh (because it pulled up a very old page), the address in the address bar read:


http://www.lavasofts...hp?showforum=36

with the hex code in it. I never saw that before, and I kept hitting refresh on my posts and it would not show the last post I posted this morning.

I switched to my other computer and the address bar read:

http://www.lavasofts...?showtopic=6538

More hex. After that I couldn't get any more hex codes to display, but I could read my last post on the old PC.

I'm going CRAZY!!!

NEVER MIND, it won't display the hex in this post; apparently it deleted it.

But I AM going crazy!!

Edited by Millleft, 29 January 2007 - 07:31 PM.


#19 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 30 January 2007 - 01:59 AM

Hi, Millleft

Yes, I know just how you feel. Now, before you go doing that, try this for me:

Device Manager:

1. Click Start, and then click Control Panel.

2. Click Performance and Maintenance, and then click System.

3. Click the Hardware tab, and then click Device Manager.


And have a look to see if there are any symbols, like say question marks "?", and so on. Let me know.

Gogo :(
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#20 Millleft

Millleft

    Member

  • Members
  • 24 posts

Posted 30 January 2007 - 02:48 AM

No, everything looks legit.

I did notice something that I forgot about and didn't get a good answer from Symantec about (I had never seen it before), but

what is the 1394 Connection that is in my network connections? It always says connected, even when I have the modem cord unplugged.

Also, something that I just remembered after reading someone else's post a few minutes ago was that one of the things that got me (on my old PC, before I bought this one and transferred files over) was some type of false codec page that popped up, and when I tried to close it things just turned to crap.

I know, I always have a lot of questions, but I sure am thankful for your time.

One other thing I discovered is that when I right-click over the "extra" internet indicator when it pops up and then left-click on Repair, it does a few things and things almost go back to normal for almost 1 minute, and then things start dragging again.



