Help - Search - Members - Calendar
Full Version: Help: Homepage Altered To "www.sysnetsecurity.com" And "system Alert" Icon Appears In Taskbar
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
Alexander
Jun 21 2006, 02:00 AM
I'm new here, lacking in technical knowledge, and it appears that my computer has just been infected. Here are the immediate changes that I've noticed:

1. In the notification area of the taskbar, a flashing, yellow warning-like icon has appeared. It displays the following message:

"System Alert: Popups
Your computer is infected with spyware managing pop-up advertisements (OHPE ver 4.12_23). Click the icon to learn more on what you can do about pop-up windows and other unwanted software."

2. If I open Internet Explorer I am taken to hxxp://w w w.sysnetsecurity.com. When this page loads, a pop-up appears stating:

"Warning!

W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer.

Type: Virus
Infection Length: 138,293 bytes
Systems Affected: WIndows 95, 98, ME, NT (All versions), 2003, WIndows XP (all service packs)
Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netware, OS/2, UNIX,
Technical Details:
1. Creates files in %Windire%\ directory. By default, this is C:\Windows.
2.Adds value to registry keys:
HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Scans the hard drive for .exe files and infects any executable files.
Searches for passwords/information, which it may send to a remote attacker.
Recomendations: Click "OK" to download officially approved securiy software. Always keep your patch levels up-to-date."

3. Somehow, my internet security settings have been altered. When I restore the level to default, it is later lowered again (to the lowest setting).


I have run Adaware SE (after having checked for and installed updates), and my logfile appears below. Any help will be greatly appreciated. Thank you!

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, June 20, 2006 7:32:37 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R112 15.06.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):4 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-20-2006 7:32:37 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 788
ThreadCreationTime : 6-17-2006 7:33:03 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 6-17-2006 7:33:04 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 880
ThreadCreationTime : 6-17-2006 7:33:06 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 924
ThreadCreationTime : 6-17-2006 7:33:06 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 936
ThreadCreationTime : 6-17-2006 7:33:06 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1120
ThreadCreationTime : 6-17-2006 7:33:07 PM
BasePriority : Normal
FileVersion : 6.14.10.4124
ProductVersion : 6.14.10.4124.04
ProductName : ATI External Event Utility for WindowsNT and
Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1136
ThreadCreationTime : 6-17-2006 7:33:07 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1224
ThreadCreationTime : 6-17-2006 7:33:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1312
ThreadCreationTime : 6-17-2006 7:33:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1356
ThreadCreationTime : 6-17-2006 7:33:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1524
ThreadCreationTime : 6-17-2006 7:33:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1720
ThreadCreationTime : 6-17-2006 7:33:09 PM
BasePriority : Normal


#:13 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1732
ThreadCreationTime : 6-17-2006 7:33:09 PM
BasePriority : Normal
FileVersion : 4.10.47.3
ProductVersion : 4.10.47.3
ProductName : Dell Wireless WLAN Card Wireless Network Controller
CompanyName : Dell Inc.
FileDescription : Dell Wireless WLAN Card Wireless Network Controller
InternalName : bcmwltry.exe
LegalCopyright : 1998-2005, Dell Inc. All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:14 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1784
ThreadCreationTime : 6-17-2006 7:33:09 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 240
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 6.14.10.4124
ProductVersion : 6.14.10.4124.04
ProductName : ATI External Event Utility for WindowsNT and
Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 396
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:17 [ehtray.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 544
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 5.1.2715.2765 (xpsp(wmbla).050928-2135)
ProductVersion : 5.1.2715.2765
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Tray Applet
InternalName : ehtray
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehtray.exe

#:18 [wltray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 556
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 4.10.47.3
ProductVersion : 4.10.47.3
ProductName : Dell Wireless WLAN Card Wireless Network Tray
Applet
CompanyName : Dell Inc.
FileDescription : Dell Wireless WLAN Card Wireless Network Tray
Applet
InternalName : wltray.exe
LegalCopyright : 1998-2005, Dell Inc. All Rights Reserved.
OriginalFilename : wltray.exe

#:19 [stsystra.exe]
FilePath : C:\WINDOWS\
ProcessID : 564
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 1.0.4823.0 nd322 cp1
ProductVersion : 1.0.4823.3 nd322 cp1
ProductName : C-Major Audio
CompanyName : SigmaTel, Inc.
FileDescription : Sigmatel Audio system tray application
InternalName : stsystray.exe
LegalCopyright : Copyright © 2004-2005, SigmaTel, Inc.
OriginalFilename : stsystray.exe

#:20 [quickset.exe]
FilePath : C:\Program Files\Dell\QuickSet\
ProcessID : 572
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 7, 1, 8, 0
ProductVersion : 7, 1, 8, 0
ProductName : QuickSet
CompanyName : Dell Inc
FileDescription : QuickSet
InternalName : QuickSet
LegalCopyright : Copyright Dell Inc © 2005
OriginalFilename : Quickset.exe

#:21 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 580
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 8.2.4.3 29Nov05
ProductVersion : 8.2.4.3 29Nov05
ProductName : Synaptics Pointing Device Driver
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Synaptics Enhancements Application
LegalCopyright : Copyright © Synaptics, Inc. 1996-2005
OriginalFilename : SynTPEnh.exe

#:22 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 588
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal


#:23 [dvdlauncher.exe]
FilePath : C:\Program Files\CyberLink\PowerDVD\
ProcessID : 604
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 3.00.0000
ProductVersion : 3.00.0000
ProductName : Cyberlink PowerCinema 3.0
CompanyName : CyberLink Corp.
FileDescription : CyberLink PowerCinema Resident Program
InternalName : CyberLink PowerCinema Resident Program
LegalCopyright : Copyright © 2003 CyberLink Corp.
OriginalFilename : DVDLauncher.EXE

#:24 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 612
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 1.04.08a
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2004 Sonic Solutions

#:25 [issch.exe]
FilePath : C:\Program Files\Common
Files\InstallShield\UpdateService\
ProcessID : 628
ThreadCreationTime : 6-17-2006 7:33:15 PM
BasePriority : Normal
FileVersion : 4, 50, 100, 33433
ProductVersion : 4, 50
ProductName : InstallShield Update Service
CompanyName : InstallShield Software Corporation
FileDescription : InstallShield Update Service Scheduler
InternalName : Scheduler
LegalCopyright : Copyright © 1990-2004 InstallShield Software
Corporation
OriginalFilename : issch.exe

#:26 [oasclnt.exe]
FilePath : C:\Program Files\McAfee.com\VSO\
ProcessID : 660
ThreadCreationTime : 6-17-2006 7:33:16 PM
BasePriority : Normal
FileVersion : 10, 0, 0, 24
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan OAS Client
InternalName : OasClnt
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : OasClnt.exe
Comments : McAfee VirusScan OAS Client

#:27 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ProcessID : 716
ThreadCreationTime : 6-17-2006 7:33:16 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 16
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcagent.exe

#:28 [mcvsshld.exe]
FilePath : C:\Program Files\McAfee.com\VSO\
ProcessID : 808
ThreadCreationTime : 6-17-2006 7:33:16 PM
BasePriority : Normal
FileVersion : 10, 0, 0, 22
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : McVsShld
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : McVsShld.exe
Comments : McAfee VirusScan ActiveShield Resource

#:29 [mpftray.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 840
ThreadCreationTime : 6-17-2006 7:33:16 PM
BasePriority : Normal
FileVersion : 7.1.0.113
ProductVersion : 7.1.0.113
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Tray Monitor
InternalName : MpfTray
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MPFTRAY.EXE
Comments : Tray Icon for McAfee Personal Firewall

#:30 [mskagent.exe]
FilePath : C:\PROGRA~1\McAfee\SPAMKI~1\
ProcessID : 1160
ThreadCreationTime : 6-17-2006 7:33:17 PM
BasePriority : Normal
FileVersion : 7.0.2.0
ProductVersion : 7.0
ProductName : McAfee SpamKiller
CompanyName : McAfee Inc.
FileDescription : McAfee SpamKiller Agent Interface module
InternalName : MskAgent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : MskAgent.exe

#:31 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ProcessID : 1364
ThreadCreationTime : 6-17-2006 7:33:17 PM
BasePriority : Normal
FileVersion : 10, 0, 0, 20
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:32 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 1492
ThreadCreationTime : 6-17-2006 7:33:17 PM
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights
Reserved.
OriginalFilename : iTunesHelper.exe

#:33 [mscifapp.exe]
FilePath : C:\PROGRA~1\mcafee.com\mps\
ProcessID : 1508
ThreadCreationTime : 6-17-2006 7:33:17 PM
BasePriority : Normal
FileVersion : 8.1.0.136
ProductVersion : 8.1.0.136
ProductName : McAfee Privacy Service
CompanyName : McAfee, Inc.
FileDescription : McAfee Privacy Service
InternalName : mscifapp
LegalCopyright : Copyright © 2005 McAfee, Inc.
All rights reserved
OriginalFilename : mscifapp.exe

#:34 [dsagnt.exe]
FilePath : C:\Program Files\Dell Support\
ProcessID : 1568
ThreadCreationTime : 6-17-2006 7:33:17 PM
BasePriority : Below Normal
FileVersion : 1, 1, 1, 121
ProductVersion : 1, 1, 1, 121
ProductName : Dell Support
CompanyName : Gteko Ltd.
FileDescription : Dell Support
InternalName : AUAgent
LegalCopyright : Copyright © 2000 - 2005 Gteko Ltd.
OriginalFilename : AUAgent.exe

#:35 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1592
ThreadCreationTime : 6-17-2006 7:33:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:36 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ProcessID : 1676
ThreadCreationTime : 6-17-2006 7:33:18 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : BVRP Software TestLine
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
LegalCopyright : Copyright © 2003
OriginalFilename : TestLine.exe

#:37 [sqlmangr.exe]
FilePath : C:\Program Files\Microsoft SQL
Server\80\Tools\Binn\
ProcessID : 1692
ThreadCreationTime : 6-17-2006 7:33:18 PM
BasePriority : Normal
FileVersion : 2000.080.2039.00
ProductVersion : 8.00.2039
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Service Manager
InternalName : SQLMANGR
LegalCopyright : © 1988-2004 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft
Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLMANGR.exe
Comments : NT INTEL X86

#:38 [ehrecvr.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 2176
ThreadCreationTime : 6-17-2006 7:33:25 PM
BasePriority : Above Normal
FileVersion : 5.1.2715.2812 (xpsp(wmbla).051215-1116)
ProductVersion : 5.1.2715.2812
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Receiver Service
InternalName : ehRecvr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehRecvr.exe

#:39 [ehsched.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 2188
ThreadCreationTime : 6-17-2006 7:33:26 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Scheduler Service
InternalName : ehSched
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehSched.exe

#:40 [mcdetect.exe]
FilePath : c:\program files\mcafee.com\agent\
ProcessID : 2248
ThreadCreationTime : 6-17-2006 7:33:26 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 19
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee WSC Integration Service
InternalName : McDetect
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McDetect.exe
Comments : McAfee WSC Integration Service

#:41 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ProcessID : 2280
ThreadCreationTime : 6-17-2006 7:33:26 PM
BasePriority : High


#:42 [mctskshd.exe]
FilePath : c:\PROGRA~1\mcafee.com\agent\
ProcessID : 2324
ThreadCreationTime : 6-17-2006 7:33:26 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 13
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee Task Scheduler
InternalName : McTskshd
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McTskshd.exe

#:43 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft
Shared\VS7DEBUG\
ProcessID : 2376
ThreadCreationTime : 6-17-2006 7:33:29 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:44 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 2432
ThreadCreationTime : 6-17-2006 7:33:29 PM
BasePriority : Normal
FileVersion : 7.1.0.113
ProductVersion : 7.1.0.113
ProductName : McAfee Personal Firewall
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MpfService.exe
Comments : McAfee Personal Firewall Service

#:45 [msksrvr.exe]
FilePath : C:\PROGRA~1\McAfee\SPAMKI~1\
ProcessID : 2472
ThreadCreationTime : 6-17-2006 7:33:29 PM
BasePriority : Normal
FileVersion : 7.0.1.3
ProductVersion : 7.0
ProductName : McAfee SpamKiller
CompanyName : McAfee Inc.
FileDescription : McAfee SpamKiller Server
InternalName : MSKSRVR
LegalCopyright : Copyright © 2005, McAfee Inc.
OriginalFilename : MSKSRVR.EXE

#:46 [sqlservr.exe]
FilePath : C:\Program Files\Microsoft SQL
Server\MSSQL$MICROSOFTSMLBIZ\Binn\
ProcessID : 2784
ThreadCreationTime : 6-17-2006 7:33:33 PM
BasePriority : Normal
FileVersion : 2000.080.2039.00
ProductVersion : 8.00.2039
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Windows NT
InternalName : SQLSERVR
LegalCopyright : © 1988-2004 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft
Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLSERVR.EXE
Comments : NT INTEL X86

#:47 [nicconfigsvc.exe]
FilePath : C:\Program Files\Dell\QuickSet\
ProcessID : 2836
ThreadCreationTime : 6-17-2006 7:33:36 PM
BasePriority : Normal
FileVersion : 7, 0, 7, 0
ProductVersion : 7, 0, 7, 0
ProductName : NicConfigSvc
CompanyName : Dell Inc.
FileDescription : Internal Network Card Power Management Service
InternalName : NicConfigSvc
LegalCopyright : Copyright © 2005 Dell Inc.
OriginalFilename : NicConfigSvc.exe

#:48 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2944
ThreadCreationTime : 6-17-2006 7:33:40 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:49 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3136
ThreadCreationTime : 6-17-2006 7:33:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:50 [mcrdsvc.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 3432
ThreadCreationTime : 6-17-2006 7:33:53 PM
BasePriority : Normal
FileVersion : 4.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 4.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : MCRD Device Service
InternalName : McrdSvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : McrdSvc.exe

#:51 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 3984
ThreadCreationTime : 6-17-2006 7:34:06 PM
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights
Reserved.
OriginalFilename : iPodService.exe

#:52 [wmiprvse.exe]
FilePath : C:\WINDOWS\system32\wbem\
ProcessID : 4060
ThreadCreationTime : 6-17-2006 7:34:06 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:53 [dllhost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1452
ThreadCreationTime : 6-17-2006 7:34:09 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : COM Surrogate
InternalName : dllhost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dllhost.exe

#:54 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1964
ThreadCreationTime : 6-17-2006 7:34:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:55 [mpfagent.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 3036
ThreadCreationTime : 6-17-2006 7:34:14 PM
BasePriority : Normal
FileVersion : 7.1.0.113
ProductVersion : 7.1.0.113
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MPFAGENT.EXE
Comments : McAfee Personal Firewall Security Center Module

#:56 [ehmsas.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 3896
ThreadCreationTime : 6-17-2006 7:34:17 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Media Status Aggregator Service
InternalName : eHMSAS
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehMSAS.exe

#:57 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 712
ThreadCreationTime : 6-17-2006 8:46:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:58 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 3104
ThreadCreationTime : 6-17-2006 8:46:45 PM
BasePriority : Normal


#:59 [mcupdmgr.exe]
FilePath : C:\PROGRA~1\McAfee.com\Agent\
ProcessID : 1584
ThreadCreationTime : 6-19-2006 9:32:52 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 4
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter Update Manager
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Update Manager
InternalName : mcupdmgr
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcupdmgr.exe

#:60 [dcomcfg.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1744
ThreadCreationTime : 6-20-2006 10:22:28 PM
BasePriority : Normal


#:61 [atmclk.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 5564
ThreadCreationTime : 6-20-2006 10:22:30 PM
BasePriority : Normal


#:62 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 5224
ThreadCreationTime : 6-20-2006 11:24:26 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

#:63 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1716
ThreadCreationTime : 6-20-2006 11:28:21 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:64 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 5900
ThreadCreationTime : 6-20-2006 11:31:59 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:65 [hh.exe]
FilePath : C:\WINDOWS\
ProcessID : 5872
ThreadCreationTime : 6-20-2006 11:31:59 PM
BasePriority : Normal
FileVersion : 5.2.3790.2453 (srv03_sp1_gdr.050525-1542)
ProductVersion : 5.2.3790.2453
ProductName : HTML Help
CompanyName : Microsoft Corporation
FileDescription : Microsoft® HTML Help Executable
InternalName : HH 1.41
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : HH.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Windows Object Recognized!
Type : RegData
Data : "regedit.exe" "%1"
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : regfile\shell\open\command
Value :
Data : "regedit.exe" "%1"

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : alex@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:alex@atdmt.com/
Expires : 6-18-2011 8:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : alex@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:alex@mediaplex.com/
Expires : 6-21-2009 8:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : alex@cs.sexcounter[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:alex@cs.sexcounter.com/
Expires : 5-12-2024 2:07:28 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : alex@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:9
Value : Cookie:alex@live365.com/
Expires : 6-24-2011 6:06:30 PM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 5



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 5




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

7:41:51 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:14.124
Objects scanned:140804
Objects identified:5
Objects ignored:0
New critical objects:5
LS CalamityJane
Jun 21 2006, 12:57 PM
Hi Alexander, welcome! smile.gif

You have a "Smitfraud" Hijacker that Adaware doesn't detect yet. The virus is "fake" and so is the warning you are getting. It's trying to fool you into buying a rogue anti-whatever product that is bogus.

I do have a free tool that can remove this for you.

First I need for you to upload a couple of files for me please to submit for detection.

Go here to upload the files as attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from Alexander at LS ),
fill in a short message & then press the browse button and then navigate to & select these files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press Post to upload the files

Files to upload:

C:\WINDOWS\system32\dcomcfg.exe

C:\WINDOWS\system32\atmclk.exe

(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to be a member to upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them

I will be able to collect the files from there after you upload them and will reply next back here with the steps for removal.
Alexander
Jun 21 2006, 11:43 PM
OK, I've uploaded the requested files to the site you named. Thanks.
LS CalamityJane
Jun 22 2006, 12:01 AM
Thanks, Alexander. I got them and will get them submitted for detection.

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


2. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Fresh HijackThis log
Alexander
Jun 22 2006, 01:25 AM
Thanks, again. Here are the logs you requested:

HighjackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:26 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAgentEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Rapport:

SmitFraudFix v2.63

Scan done at 19:53:57.76, Wed 06/21/2006
Run from C:\Documents and Settings\Alex\Desktop
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
LS CalamityJane
Jun 22 2006, 02:43 AM
That got the lion's share of it. There is more to do but honestly I'm just wrung out for today having been online since 4:30 am this morning and it's now 9:30 p.m. Gotta take a break and I'll take a fresh look at this in the morning, ok?
Alexander
Jun 22 2006, 04:43 AM
It's no problem--get some rest.
LS CalamityJane
Jun 22 2006, 02:41 PM
McAfee is your antivirus program.
After I submitted your files last night and McAfee has added detection for this trojan and sent this extra.dat file for you to use to scan your PC with McAfee and the new definition added. (I will attach that in a zip file here)

Download the file (extra.zip) attached to the post in the following link:
http://www.lavasoftsupport.com/index.php?showtopic=1288
and you will need to unzip/decompress/extract the file within (extra.dat) to the proper folder where your McAfee .dat files are kept. (be sure that you extract the contents of this file first and save to the proper folder) Instructions:

EXTRA.DAT
This should be used with any of the McAfee AV Scanners.
The file should be copied into the directory where the other DAT files reside.

Using the find/search utility on your computer search for the following file:
SCAN.DAT

Then copy the Extra.dat we have sent you to the same folder where one of the above is located.
Once you have copied the file, reboot the system for the driver to be loaded

After rebooting do a full system scan with McAfee and let it fix or delete any infected files found.
..........................
How is your computer acting now?
Alexander
Jun 23 2006, 04:54 AM
My computer appears to be acting fine. After following your instructions, McAfee identified two files associated with Smitfraud. Additionally, another was detected, whose location is: c:\windows\system32\process.exe.
LS CalamityJane
Jun 23 2006, 07:10 PM
QUOTE(Alexander @ Jun 22 2006, 11:54 PM) *
My computer appears to be acting fine. After following your instructions, McAfee identified two files associated with Smitfraud. Additionally, another was detected, whose location is: c:\windows\system32\process.exe.


Process.exe isn't harmful. It's a tool within SmitfraudFix. If you go back and read my instructions for downloading Smitfraud fix it says:

QUOTE
Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Some final cleanup and prevention recomendations follow.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files.
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help smile.gif.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
Alexander
Jun 24 2006, 12:13 AM
I'm sorry to keep bothering you with all of this... I got as far as attempting to delete all the temporary files, however, three files could not be deleted due to being currently in use. I don't recognize the files and I couldn't figure out what/who was using them.

The files are:

c:\windows\temp\perflib_perfdata_bb0
c:\documents and settings\alex\local settings\temp\perflib_perfdata_238
c:\documents and settings\alex\local settings\temp\perflib_perfdata_fd0

I don't know if any of that means anything to you, or if it's necessarily cause for concern. Regardless, I'll hold off on proceeding through the rest of your instructions until I've heard back from you.

Thanks again for all your trouble.
LS CalamityJane
Jun 24 2006, 01:49 PM
That's ok Alexander. Those are prefetch files which are harmless, it is ok just leave them alone.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.