6 skis virus
6skis
I have a constant C++ runtime library error C:/windows/explorer.exe. I also have multiple popups, even when I'm not on-line. I downloaded ad-aware yesterday, it detected 230 "problems", which were quarantined, however, for some reason the "deleting files" message was displayed for over 8 hours. I closed the program because I'm not sure if it should take hours to delete infected files. Thanks for the help....
Logfile of HijackThis v1.99.0
Scan saved at 8:51:58 AM, on 12/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\GWMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ysedo.dll/sp.html#51014
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [qncjezrnj] C:\WINDOWS\SYSTEM\uwtaop.exe
O4 - HKLM\..\Run: [ADDSS32.EXE] C:\WINDOWS\ADDSS32.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MP-- The nicest hobby on Earth ;) --e] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/259d420f56aed696ab03/...ip/RdxIE601.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
LoPhatPhuud
You have a few 'garden variety' exploits and one nasty one. For a start we will clean the easy ones, then do the difficult one next.

So first:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ysedo.dll/sp.html#51014
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll

O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [qncjezrnj] C:\WINDOWS\SYSTEM\uwtaop.exe
O4 - HKLM\..\Run: [ADDSS32.EXE] C:\WINDOWS\ADDSS32.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/259d420f56aed696ab03/...ip/RdxIE601.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\SYSTEM\abu.exe
C:\WINDOWS\SYSTEM\uwtaop.exe
C:\WINDOWS\ADDSS32.EXE


*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 1.99.0 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Then run HiJackThis again and post a new log in this thread.
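The entries checked in the post above follow a few recognisable patterns: a search URL served out of a local DLL with res://, a hosts file that points search hostnames at a non-loopback address, Run-key entries that are a bare filename or a randomly named executable sitting in the Windows directory, and an ActiveX control (O16) downloaded from a bare IP. The script below is an added example, written for this page and not code from the thread or from HijackThis; it encodes those heuristics and runs them over lines copied from the log above (plus one constructed "127.0.0.1 localhost" line so the loopback case is exercised). The allowlist of Windows 9x programs that legitimately start from the Windows directory is an assumption and would need to be extended on a real system.

```python
"""Triage a HijackThis log: flag the entry patterns a malware-forum helper looks for."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted above, plus one constructed
# loopback hosts line ('127.0.0.1 localhost') that must NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ysedo.dll/sp.html#51014
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [qncjezrnj] C:\WINDOWS\SYSTEM\uwtaop.exe
O4 - HKLM\..\Run: [ADDSS32.EXE] C:\WINDOWS\ADDSS32.EXE
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/259d420f56aed696ab03/...ip/RdxIE601.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
"""

# Assumption: a minimal allowlist of Windows 9x/ME programs that legitimately
# start from %WINDIR% or %WINDIR%\SYSTEM. Extend it for a real machine.
KNOWN_WINDIR_STARTUP = {"systray.exe", "mstask.exe", "statemgr.exe", "qttask.exe"}
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(system\\)?[^\\]+$", re.IGNORECASE)


def looks_random(name):
    """Crude gibberish test: six or more letters with very few vowels (e.g. 'qncjezrnj')."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25


def first_token(cmd):
    """Executable path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (section, reason, line) for every entry matching a hijack heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "=" in line:
            value = line.split("=", 1)[1].strip()
            if value.lower().startswith("res://"):
                findings.append((kind, "search/start page served from a local DLL resource", line))
        elif kind == "R3" and "missing" in line:
            findings.append((kind, "URLSearchHook removed (common after a search hijack)", line))
        elif kind == "O1":
            m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
            if m and not ip_address(m.group(1)).is_loopback:
                findings.append((kind, f"hosts file sends {m.group(2)} to {m.group(1)}", line))
        elif kind == "O4":
            m = re.match(r"O4 - .*?: \[(.+?)\] (.+)$", line)
            if not m:
                continue
            key, cmd = m.groups()
            exe = first_token(cmd)
            base = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe and base not in KNOWN_WINDIR_STARTUP:
                findings.append((kind, "startup entry is a bare filename resolved via PATH", line))
            elif WINDIR_RE.match(exe) and base not in KNOWN_WINDIR_STARTUP:
                findings.append((kind, "unknown executable starting from the Windows directory", line))
            elif looks_random(key):
                findings.append((kind, "gibberish Run key name", line))
        elif kind == "O16":
            host = urlsplit(line.rsplit(" - ", 1)[-1]).hostname
            try:
                ip_address(host)
            except ValueError:
                continue
            findings.append((kind, "ActiveX control downloaded from a bare IP address", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Everything the script flags on the sample is something the helper asked to fix or delete in this post or the next one; the McAfee toolbar, the STOPzilla entries, the cnn.com start page and the loopback hosts line pass through untouched.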
6skis
Here's my new thread after taking the steps you suggested. A few notes...
1. I couldn't find two files to delete: C:\windows\system\uwtaop.exe. or C:\windows\addss32.exe

2. I did see a file "Aboutblank"when I unhid the system files...should I delete that?

3. The runtime error is still constant.

Thanks for the help, I have no idea what I'm doing so I really appreciate your user friendly explanations.


Logfile of HijackThis v1.99.0
Scan saved at 6:21:59 PM, on 12/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\GWMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVTIB32.EXE
O4 - HKLM\..\Run: [MP-- The nicest hobby on Earth ;) --e] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE /RUNONCE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
LoPhatPhuud
OK, first, get rid of SpyHunter. It's a piece of junk. Before you install any spyware removal/protection program, always check this website: http://www.spywarewarrior.com/rogue_anti-spyware.htm


Also, your log shows start-up entries for McAfee, AVG, and Symantec Anti-Virus programs. Your running tasks only show McAfee, but those entries need to be removed if you are not using those programs. Only run one AV that has a real time component.


Now, to tackle the VX2 exploit, then we will finish your log after the next HJT log is posted. The VX2 fix is in two steps. First we discover, then we remove.

Step 1:
OK, I believe we have a solution.

First:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download the attached archive and unzip it to your Desktop. Open the FindIt folder and double click on Find.bat. It will run for a while. Do not get impatient, have a Coke or Pepsi and allow it to finish!

Copy the Notepad document that opens (output.txt) and paste its contents in this thread.
6skis
You're right, I'm only running mcafee right now but have run AVG and symantec in the past. I removed them previously from the add/delete function in control panel, do I need to do something more?

Below is the log you requested from Dllcompare. Thanks, this is great help!


* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\lsnkinfo.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\hstplug.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\swgr.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\witdecod.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mbc40.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sflwid.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzc30.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ccseqchk.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cxyptext.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\weascr.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\denwsock.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\medamg9x.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\fs20enu.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\leimg11n.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\chutoa.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\msg200~1.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mlls31.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dymclien.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\arrace.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\csrviddc.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\oqethk32.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cnfview.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\in3sys32.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
________________________________________________

868 items found: 868 files (23 H/S), 0 directories.
Total of file sizes: 179,795,957 bytes 171.46 M

--------------------End log---------------------
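What makes the DLLCompare listing above conclusive is not any single name but the shape of the group: 23 DLLs in C:\WINDOWS\SYSTEM, every one 217,088 bytes, every one stamped 10:16:48 on the same day, every one System+Read-only and invisible to Explorer. The code below is an added example for this page, not the DLLCompare tool's own logic or anything posted in the thread; it parses the log format shown above, groups hidden/system files by (size, timestamp, attributes) and reports any group of three or more, which is the pattern the helper's Killbox list is built from. The sample contains five lines copied from the log plus two constructed entries with different sizes and dates so that singletons are seen to drop out. It also separates out paths shown with a DOS 8.3 short name (a tilde), since those cannot be pasted into a deletion tool as written.

```python
"""Cluster a DLLCompare listing to surface the VX2 pattern: many randomly named
DLLs sharing one size and one timestamp, carrying System/Read-only attributes."""
import re
from collections import defaultdict

# Five lines copied from the DLLCompare log above, plus two constructed
# entries (different size and date) that must not end up in any cluster.
SAMPLE_DLLCOMPARE = r"""
C:\WINDOWS\SYSTEM\lsnkinfo.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\hstplug.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\swgr.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\witdecod.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\msg200~1.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\VMM32.VXD Fri Jun 08 2000 05:00:00p ..S.R 1,198,080 1.14 M
C:\WINDOWS\SYSTEM\CONTRAST.DLL Fri Jun 08 2000 05:00:00p ....R 28,416 27.75 K
"""

# <path> <Www Mmm dd yyyy hh:mm:ss[ap]> <attrs> <bytes> <human size>
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}[ap]) "
    r"(?P<attrs>[.A-Z]{5}) (?P<size>[\d,]+) "
)


def parse_dllcompare(text):
    """Turn log lines into dicts; lines that are not file entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "stamp": m["stamp"],
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
            })
    return entries


def suspicious_clusters(text, min_files=3):
    """Group hidden (H) or system (S) files by (size, timestamp, attributes).

    A dropper that writes a batch of decoy DLLs in one go leaves them with
    identical size and mtime; legitimate system files almost never line up
    that way, so groups of min_files or more are the ones to look at.
    """
    groups = defaultdict(list)
    for e in parse_dllcompare(text):
        if "S" in e["attrs"] or "H" in e["attrs"]:
            groups[(e["size"], e["stamp"], e["attrs"])].append(e["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_files}


def short_name_paths(paths):
    """Paths whose filename is a DOS 8.3 short name (contains '~').

    Those have to be located by browsing in the deletion tool, not pasted,
    which is the snag the thread hits with msg200~1.dll.
    """
    return [p for p in paths if "~" in p.rsplit("\\", 1)[-1]]


def killbox_list(text, min_files=3):
    """Flat, sorted list of cluster members, one path per line for a delete tool."""
    paths = [p for members in suspicious_clusters(text, min_files).values() for p in members]
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    for (size, stamp, attrs), members in suspicious_clusters(SAMPLE_DLLCOMPARE).items():
        print(f"{len(members)} files, {size} bytes, {stamp}, attrs {attrs}")
        for p in members:
            print("   ", p)
    print("short-name entries:", short_name_paths(killbox_list(SAMPLE_DLLCOMPARE)))
```

On the full 23-line log the same grouping yields exactly one cluster, which is the list the helper pastes into the Killbox instructions that follow.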
6skis
I can't get the file find.bat from the download, the three files downloaded are find, locate and strings, and none of them seem to want to run without generating errors.
6skis
Here's what I get when I tried to run findit, it only took a few seconds and generated errors, so I'm not sure this is what you're looking for.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------

Volume in drive C has no label
Volume Serial Number is 2A12-1307
Directory of C:\WINDOWS\SYSTEM32

30,477.22 MB free

------- Hidden Files in System32 Directory -------


Volume in drive C has no label
Volume Serial Number is 2A12-1307
Directory of C:\WINDOWS\SYSTEM32

30,477.22 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 2A12-1307
Directory of C:\WINDOWS\SYSTEM32

30,477.22 MB free

--------- Temp Files in System32 Directory --------


Volume in drive C has no label
Volume Serial Number is 2A12-1307
Directory of C:\WINDOWS\SYSTEM32

30,477.22 MB free

---------------- User Agent ------------


------------ Keys Under Notify ------------


------------ Keys Under Notify ------------


------------ Keys Under Notify ------------


------------------ Locate.com Results ------------------

------------------ Locate.com Results ------------------

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


No matches found.

------------ Strings.exe Qoologic Results ------------


No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


-------------- Strings.exe Aspack Results -------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------


----------------- HKLM Run Key ------------------


----------------- HKLM Run Key ------------------

LoPhatPhuud
My error, Find-It only runs under Win NT/XP. DllCompare supplied the info I need. Also, we will remove the Symantec and AVG registry entries when we clean the HJT log.


Print these instructions, then disconnect from the internet until you are finished.

First:
Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Run Killbox.exe and be sure that 'Delete on Reboot' is selected

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WINDOWS\SYSTEM\lsnkinfo.dll
C:\WINDOWS\SYSTEM\hstplug.dll
C:\WINDOWS\SYSTEM\swgr.dll
C:\WINDOWS\SYSTEM\witdecod.dll
C:\WINDOWS\SYSTEM\mbc40.dll
C:\WINDOWS\SYSTEM\sflwid.dll
C:\WINDOWS\SYSTEM\mzc30.dll
C:\WINDOWS\SYSTEM\ccseqchk.dll
C:\WINDOWS\SYSTEM\cxyptext.dll
C:\WINDOWS\SYSTEM\weascr.dll
C:\WINDOWS\SYSTEM\denwsock.dll
C:\WINDOWS\SYSTEM\medamg9x.dll
C:\WINDOWS\SYSTEM\fs20enu.dll
C:\WINDOWS\SYSTEM\leimg11n.dll
C:\WINDOWS\SYSTEM\chutoa.dll
C:\WINDOWS\SYSTEM\msg200~1.dll
C:\WINDOWS\SYSTEM\mlls31.dll
C:\WINDOWS\SYSTEM\dymclien.dll
C:\WINDOWS\SYSTEM\arrace.dll
C:\WINDOWS\SYSTEM\csrviddc.dll
C:\WINDOWS\SYSTEM\oqethk32.dll
C:\WINDOWS\SYSTEM\cnfview.dll
C:\WINDOWS\SYSTEM\in3sys32.dll
C:\Recycler\desktop.ini

C:\Windows\System32\guard.tmp

Note: You can also cut and paste the files listed above if the full path and file name has been specified. Most files are located in C:\Windows\ or C:\Windows\System32\

After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVTIB32.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE /RUNONCE


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\PROGRAM FILES\WINDOWS CONTROLAD\ <-- delete entire folder

Reboot in Normal Mode.

Run HiJackThis again and post a new log in this thread.


Third:

Run DllCompare again and post the log in this thread.


Last:
Download the following tool and install it in its own folder:
http://www.downloads.subratam.org/VX2Finder9x(126).exe

=== Get Name of Hidden dll ===
Run vx2finder9x(126).exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review
6skis
I ran into a couple of problems w/ killbox:

1. I couldn't find...
C:\windows\system\witdecod.dll or
C:\windows\system\msg200~1.dll (there is a msg200.cpy.dll) or C:\windows\system32\guard.tmp or
C:\recycler\desktop.ini

2. After I deleted all the above files and rebooted, they were all still listed in windows when I rechecked following the reboot. When I was in killbox, I selected 'delete on reboot' but did not get a dialog box asking to reboot after each deletion. So, after I was done selecting all the files I exited killbox and restarted the computer myself...was this wrong?
LoPhatPhuud
You used Killbox incorrectly.

Either copy and paste the file name in the address bar, or use the folder icon to find the file. Then you MUST press the delete button (red 'x') to the right of the address area. Then you will get the dialog box asking if you want to reboot.

Since you did not get the dialog, I believe I can assume you did not press the 'Delete' button.

Please redo the steps in previous post using Killbox as directed.

For the file with the '~' (tilde) in the name, you must use the Folder Icon to find the actual file. Perhaps the instructions need to clarify that. You can only use cut and paste if a full path and file name are specified. Any DOS file names (denoted by use of the tilde character), must be searched for.
6skis
I did press the delete button, but the prompt says 'file will be deleted on next reboot', so I'm not sure how to properly exit to have the files deleted on the reboot. Please advise...
6skis
The files still appear after I delete them in killbox. The bottom right hand corner of the killbox screen has a drop down menu with KERNEL32.DLL selected as the default...does that matter, should I select something other than KERNEL32.DLL?
6skis
I experimented with one file, if I use the 'standard file kill' option in killbox it successfully deletes the file...should I just use that option for all the files that need to be deleted?
LoPhatPhuud
The pull down menu on the bottom right is a list of known system files on your computer. Just leave that alone. Nothing will be deleted from that list.


Instead of using Killbox, try using HiJackThis to delete the files on reboot. Start HJT, press 'Config', then press 'Misc Tools' and select 'Delete on Reboot'. Locate the file and answer no to the dialog except for the last file.
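The back-and-forth above turns on two things the thread never spells out: what "delete on reboot" actually queues, and why a name containing a tilde has to be located rather than typed. This is an added illustration for this page; it is not Killbox's or HijackThis's code, and the thread does not say how either tool implements the feature. It assumes the documented Windows 9x/ME mechanism: a [rename] section in WININIT.INI that WININIT.EXE processes at the next boot before the desktop loads, where a line of the form NUL=<file> deletes the file, and where every path must be in DOS 8.3 short form because long-filename support is not yet available at that point. The code only builds and validates that section text; it writes nothing to disk.

```python
"""Build the WININIT.INI [rename] section Windows 9x/ME processes at boot.

Assumption (documented Win9x behaviour, not stated in the thread): a line
'NUL=<path>' under [rename] deletes <path> during startup, and each path
must be an 8.3 short name (no spaces, components <= 8 chars + 3-char ext).
"""
import re

# One DOS 8.3 path component, upper-cased: NAME or NAME.EXT, no spaces.
SHORT_COMPONENT_RE = re.compile(r"^[A-Z0-9_~!#$%&@-]{1,8}(\.[A-Z0-9_~!#$%&@-]{1,3})?$")


def is_short_path(path):
    """True if 'X:\\DIR\\FILE.EXT' consists solely of 8.3-safe components."""
    drive, _, rest = path.upper().partition("\\")
    if not re.fullmatch(r"[A-Z]:", drive) or not rest:
        return False
    return all(SHORT_COMPONENT_RE.match(part) for part in rest.split("\\"))


def long_name_paths(paths):
    """Paths that cannot go into WININIT.INI as written (long names or spaces)."""
    return [p for p in paths if not is_short_path(p)]


def wininit_rename_section(paths):
    """Return the [rename] text queuing each path for deletion at next boot.

    Raises ValueError for any path that is not already in 8.3 form, which is
    the case the thread hits: the real short name (e.g. MSG200~1.DLL) has to
    be looked up on the machine, it cannot be guessed from a long name.
    """
    bad = long_name_paths(paths)
    if bad:
        raise ValueError("not 8.3 short names, locate the real short name first: " + ", ".join(bad))
    return "[rename]\n" + "".join(f"NUL={p}\n" for p in paths)


if __name__ == "__main__":
    # Paths from the helper's Killbox list above; the Program Files one is
    # there to show the rejection path.
    wanted = [
        r"C:\WINDOWS\SYSTEM\LSNKINFO.DLL",
        r"C:\WINDOWS\SYSTEM\MSG200~1.DLL",
        r"C:\WINDOWS\ADDSS32.EXE",
    ]
    print(wininit_rename_section(wanted), end="")
    print("rejected:", long_name_paths([r"C:\Program Files\Windows ControlAd\WINCTLAD.EXE"]))
```

Two practical consequences follow from the mechanism: a tool that reports "file will be deleted on next reboot" has only queued the entry, so the reboot has to be a real restart (not a shutdown the user cancels), and a deletion queued under a long name or a guessed short name silently does nothing, which matches the symptom of the files still being present after the restart.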
6skis
I tried using HJT as you suggested, but the 'delete on reboot' option in misc tools is grayed out and not selectable.
6skis
I deleted the files using HJT standard kill, here is the thread following the deletion:

Logfile of HijackThis v1.99.0
Scan saved at 8:05:42 AM, on 12/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\GWMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MP-- The nicest hobby on Earth ;) --e] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab



Here's the DLL compare thread:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\sireamci.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\pjd.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wzsdmod.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dmgsig.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mlls31.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
________________________________________________

851 items found: 851 files (5 H/S), 0 directories.
Total of file sizes: 176,105,461 bytes 167.95 M

--------------------End log---------------------



Here's the VX2.Betterinternet thread:
Files Found---


User Agent String---
{0E1E4F62-4A38-41E5-B133-574414601AC8

The runtime error and pop-ups are still occurring. Thanks for all your help with this.
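The DLLCompare listing above is the kind of output worth screening automatically: a batch of hidden DLLs with identical size and timestamp is a different signal from a single hidden system file. The following Python script is an added example (not from this thread or from DLLCompare); it parses that log format and reports clusters of same-size, same-timestamp System+Read-only files, using the five names from the log plus one constructed benign entry for contrast. The meaning of the attribute letters is an assumption about DLLCompare's column layout.

```python
"""Flag suspicious clusters in a DLLCompare log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in DLLCompare's line format. The five 217,088-byte
# entries are copied from the log posted above; the last entry is an
# invented benign file added for contrast.
SAMPLE_LOG = r"""* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\sireamci.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\pjd.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wzsdmod.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dmgsig.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mlls31.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\example.dll Mon Jan 05 2004 09:00:00a ..S.R 65,536 64.00 K
________________________________________________

851 items found: 851 files (5 H/S), 0 directories.
Total of file sizes: 176,105,461 bytes 167.95 M

--------------------End log---------------------
"""

# One entry line: path, timestamp, attribute flags, byte size, human size.
# The path is matched lazily up to the weekday, so paths with spaces work.
_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<ts>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} \d{1,2} \d{4} "
    r"\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attr>\S+)\s+(?P<size>[\d,]+)\s+\S+\s+\S+$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    timestamp: str
    attrs: str   # DLLCompare's flag column, e.g. "..S.R"
    size: int    # bytes

    def is_system_readonly(self) -> bool:
        # Assumption: one letter per set attribute, 'S' = System,
        # 'R' = Read-only, as in the log posted above.
        return "S" in self.attrs and "R" in self.attrs


def parse_dllcompare(text: str) -> list[Entry]:
    """Return the file entries of a DLLCompare log, skipping header/footer."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries.append(Entry(
                path=m["path"],
                timestamp=m["ts"],
                attrs=m["attr"],
                size=int(m["size"].replace(",", "")),
            ))
    return entries


def find_clusters(entries: list[Entry], min_members: int = 2) -> list[list[Entry]]:
    """Group entries by (timestamp, size); keep groups with >= min_members.

    A mass drop of identically sized, identically timestamped DLLs is the
    pattern the helpers in this thread acted on. Singletons are dropped
    because many legitimate system files are also System+Read-only.
    """
    groups: dict[tuple[str, int], list[Entry]] = defaultdict(list)
    for e in entries:
        groups[(e.timestamp, e.size)].append(e)
    return [g for g in groups.values() if len(g) >= min_members]


def suspicious_paths(text: str) -> list[str]:
    """Paths worth verifying by hand: clustered AND System+Read-only."""
    out = []
    for cluster in find_clusters(parse_dllcompare(text)):
        out.extend(e.path for e in cluster if e.is_system_readonly())
    return sorted(out)


if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_LOG):
        print("verify:", p)
```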
LoPhatPhuud
Reboot in Safe Mode!

Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Run Killbox.exe and be sure that 'Replace on Reboot' is selected and check 'Use Dummy'

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WINDOWS\SYSTEM\sireamci.dll
C:\WINDOWS\SYSTEM\pjd.dll
C:\WINDOWS\SYSTEM\wzsdmod.dll
C:\WINDOWS\SYSTEM\dmgsig.dll
C:\WINDOWS\SYSTEM\mlls31.dll
C:\WINDOWS\SYSTEM\GUARD.TMP (if it exists)

Note: You can also cut and paste the files listed above if the full path and file name have been specified. Files in DOS format, denoted by use of the tilde ('~') character in the file name, *must* be searched for using the 'Folder' icon. Also, files specified by name only must be searched for.
Most files are located in C:\Windows\ or C:\Windows\System32\


After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.
6skis
Once again, the files would only delete using the 'standard kill' option in HJT. Also, the file C:\WINDOWS\SYSTEM\mlls31.dll will not delete and generates the message 'cannot delete this file' when I attempt to delete it in HJT.

The file C:\WINDOWS\SYSTEM\wzsdmod.dll, does not exist.
LoPhatPhuud
Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.htm
http://www.niksoft.at/download/startdreck.htm

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.



and...

Would you please use HiJackThis to produce a startup list and post it here:
1. From HJT main screen, click 'Config' button
2. Click 'Misc Tools' button
3. Under 'Generate StartupList Log' button, check both boxes
4. Click 'Generate StartupList Log' button
5. Click 'Yes' in the next dialog
6. Save the log and post a copy in this thread.
6skis
Here's the startdreck log:

StartDreck (build 2.1.7 public stable) - 2004-12-21 @ 19:01:19 (GMT -06:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as kamorski at COMPUTER

»Registry
»Run Keys
»Current User
»Run
*Spyware Doctor="C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
»RunOnce
»Default User
»Run
*Spyware Doctor="C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
»RunOnce
»Local Machine
»Run
*CreateCD50="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
*AdaptecDirectCD="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
*SystemTray=SysTray.Exe
*STOPzilla="C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
*MCAgentExe=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
*MP-- The nicest hobby on Earth ;) --e=C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
*MSKAGENTEXE=C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
*MSKDetectorExe=C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
*MSKServerExe=C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
*QD FastAndSafe=
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*VSOCheckTask="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
*VirusScan Online="C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
*MPFExe=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
*MSConfigReminder=C:\WINDOWS\SYSTEM\msconfig.exe /reminder
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*STOPzilla Service=C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
*McVsRte=C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF6BA3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFAD3B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE06D7=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE5903=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE58E7=C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
+FFFEB0D3=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
+FFFD29D3=C:\WINDOWS\GWMDMMSG.EXE
+FFFD738B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDBA2F=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFE0F2B=C:\WINDOWS\EXPLORER.EXE
+FFFC836B=C:\WINDOWS\RUNDLL32.EXE
+FFE3321F=C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
+FFE3B577=C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
+FFE23F57=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
+FFE2BECB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFE2D023=C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
+FFE2068F=C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
+FFE12E5F=C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
+FFE1AB73=C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
+FFE2FF3B=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
+FFE2AD37=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
+FFE15D03=C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
+FFE025F3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFE7591B=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFE7CD63=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFE4851B=C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
+FFE51C3B=C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
+FFE1B7F7=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFEB681F=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
+FFEB89DF=C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
+FFEAA953=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFE9204B=C:\WINDOWS\SYSTEM\HPZSTATX.EXE
+FFE931DB=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific


Here's the HJT thread you requested...thanks again for your help w/ this!

StartupList report, 12/21/2004, 7:15:08 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\GWMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
SystemTray = SysTray.Exe
STOPzilla = "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
MCAgentExe = C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
MCUpdateExe = C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
MP-- The nicest hobby on Earth ;) --e = C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
MSKAGENTEXE = C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
MSKDetectorExe = C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
MSKServerExe = C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
QD FastAndSafe =
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
VSOCheckTask = "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
VirusScan Online = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
MPFExe = C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
STOPzilla Service = C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
McVsRte = C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spyware Doctor = "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[PerUser_HNW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[PerUser_moviemaker] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[SamplerPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_PCHealth] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_ZoneGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_PBGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove.PerUser

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 21/12/2004, 17:38:28)

[rename]
NUL=C:\WINDOWS\SYSTEM\MJIHND.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\ATF
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

*File not found*

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - {E3215F20-3212-11D6-9F8B-00D0B743919D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
PCHealth Scheduler for Data Collection.job
McAfee.com Update Check 11212004172311.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[RunExeActiveX.UserControl1]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUNEXEACTIVEX.OCX
CODEBASE = file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...B?37966.6415625

[Sametime Meeting Toolkit ST25]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
OSD = C:\WINDOWS\Downloaded Program Files\Sametime Meeting Toolkit ST25.osd

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\SYSTEM\QDIAGH.OCX
CODEBASE = http://h30043.www3.hp.com/dj/qdiagh.cab?223

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[IMDownloader Class]
CODEBASE = http://www2.incredimail.com/contents/setup...er/imloader.cab

[{32564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8ax.cab

[Create & Print ActiveX Plug-in]
InProcServer32 = C:\WINDOWS\SYSTEM\AXCTP.DLL
CODEBASE = http://www.imgag.com/cp/install/AxCtp.cab

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Downloader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DWNLDR.DLL
CODEBASE = http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

[Uploader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBUPLOADCLIENT.DLL
CODEBASE = http://photo.walmart.com/photo/uploads/WebUploadClient.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mclsp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mclsp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mclsp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mclsp.dll
Protocol #5: C:\WINDOWS\SYSTEM\mclsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\mclsp.dll
Protocol #7: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #8: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #9: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #10: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #11: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #12: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #13: C:\WINDOWS\SYSTEM\mclsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
VPOWERD: *VPOWERD
NDIS: ndis.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *MTRR
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VNETBIOS: vnetbios.vxd
Hpziol00: *Hpziol00
VREDIR: vredir.vxd
DFS: dfs.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: *Registry key not found*
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 24,855 bytes
Report generated in 0.364 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
LoPhatPhuud
Thanks for the lists. They did not reveal anything, but did eliminate a lot.

First step is to create a Boot Diskette if you do not already have one. Boot from it and delete: C:\WINDOWS\SYSTEM\mlls31.dll

Reboot normally then:

Check the following items in HiJackThis:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch\

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

Close all open windows except HiJackThis and press 'Fix Checked'.

Run HiJackThis again and post a new log in this thread.


Finally, run DllCompare again and post the log in this thread.
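The three O1 lines above are a hosts-file hijack: well-known search names are pinned to one routable address instead of resolving normally. The check below is an added example, not part of the thread or any tool mentioned in it; it parses constructed hosts-file text (the 69.20.16.183 lines mirror the O1 entries, the 127.0.0.1 lines are made-up benign entries) and reports every name mapped away from the loopback address.

```python
import ipaddress

# Constructed hosts-file content (not taken from the poster's machine): the three
# 69.20.16.183 lines mirror the O1 entries HijackThis reported above; the two
# 127.0.0.1 lines are the kind of entries a clean hosts file legitimately holds.
SAMPLE_HOSTS = """\
# Constructed example hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net   # ad-blocking style entry, harmless
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""

# Names a browser hijacker repoints so that IE's auto-search and mistyped URLs
# land on its own server (taken from the O1 lines above).
SEARCH_REDIRECT_NAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()


def find_hosts_hijacks(text):
    """Return (ip, name, reason) for every entry that maps a name off the loopback.

    Entries pointing at 127.0.0.1 / ::1 / 0.0.0.0 are how ad-blocking hosts files
    work and are left alone; a name sent to a routable address is the HijackThis
    O1 case, and a search domain sent there is the classic auto-search hijack.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        reason = "search redirect" if name in SEARCH_REDIRECT_NAMES else "non-loopback mapping"
        findings.append((ip, name, reason))
    return findings
```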
6skis
Sorry, but what's a boot disk and how would I make one?
Redhat
QUOTE (6skis @ Dec 22 2004, 03:58 AM)
Sorry, but what's a boot disk and how would I make one?

http://www.computerhope.com/boot.htm
6skis
Created and booted from boot disk, received 'file not found' reply when trying to delete c:\windows\system\mlls31.dll. Should I still try to delete the other files in HJT?
LoPhatPhuud
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.
6skis
DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\phbdlg.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\owe2disp.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cgcd16.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mlls31.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
________________________________________________

851 items found: 851 files (4 H/S), 0 directories.
Total of file sizes: 176,105,461 bytes 167.95 M

--------------------End log---------------------
6skis
FYI...I noticed a 'new' folder on my C: drive titled "!submit" that contains many of the files you had me delete via killbox.
LoPhatPhuud
Killbox created the !submit folder. You can delete it when we are finished:

Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Boot into safe mode.

Run Killbox.exe and be sure that 'Replace on Reboot' is selected and check 'Use Dummy'

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WINDOWS\SYSTEM\phbdlg.dll
C:\WINDOWS\SYSTEM\owe2disp.dll
C:\WINDOWS\SYSTEM\cgcd16.dll
C:\WINDOWS\SYSTEM\mlls31.dll

Note: You can also cut and paste the files listed above if the full path and file name has been specified. Files in DOS format, denoted by use of the tilde ('~') character in the file name, *must* be searched for using the 'Folder' icon. Also, files specified by name only must also be searched for.
Most files are located in C:\Windows\ or C:\Windows\System32\


After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.
6skis
I tried it again, but the files are still there when I reboot. I'm getting ready to just reinstall windows and start from scratch...what do you think? Will all this junk go away if I reinstall windows?
LoPhatPhuud
They will go away only if you reformat first.

Try creating a Boot Diskette and boot from it.

You can then do a dir command to find the dll's to delete

dir C:\Windows\System\*.dll /P /A:RHS /OD

That will show in screen amounts, by date order, including system, hidden and read only files. All the ones we want will be dated December 14, 2004

Then delete them manually
del /A:RHS <file name>
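The DLLCompare log earlier in the thread and the dir /A:RHS /OD command here apply the same triage rule: system/hidden/read-only DLLs all stamped December 14, 2004, with identical sizes and second-exact timestamps. The script below is an added example, not part of the thread or of DLLCompare; it parses a constructed DLLCompare-style excerpt (four lines mirroring the posted ones plus a made-up clean file on another date) and assumes the S, H and R letters in the five-character attribute field mean system, hidden and read-only.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed DLLCompare-style log excerpt: the four lines mirror the ones posted
# above, plus a legitimate-looking file on another date that must not be flagged.
SAMPLE_LOG = """\
C:\\WINDOWS\\SYSTEM\\phbdlg.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\\WINDOWS\\SYSTEM\\owe2disp.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\\WINDOWS\\SYSTEM\\cgcd16.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\\WINDOWS\\SYSTEM\\mlls31.dll Tue Dec 14 2004 10:16:48a ..S.R 217,088 212.00 K
C:\\WINDOWS\\Downloaded Program Files\\legit.dll Mon Jun 07 2004 09:00:00a ..... 12,345 12.06 K
"""
INFECTION_DATE = date(2004, 12, 14)  # the date the helper singled out above

# Fields: path, weekday, month, day, year, 12-hour time with a/p suffix, attribute flags, bytes
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap]) (?P<attrs>\S{5}) (?P<size>[\d,]+) "
)


def parse_dllcompare(text):
    """Return one dict (path, mtime, attrs, size) per file line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator and summary lines
        stamp = f"{m['mon']} {m['day']} {m['year']} {m['time']}{'AM' if m['ampm'] == 'a' else 'PM'}"
        entries.append({"path": m["path"], "attrs": m["attrs"],  # assumed: S/H/R = system/hidden/read-only
                        "size": int(m["size"].replace(",", "")),
                        "mtime": datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p")})
    return entries


def triage(entries, infection_date):
    """Helper's rule: system/hidden/read-only DLLs modified on the infection date."""
    flagged = [e for e in entries
               if e["path"].lower().endswith(".dll")
               and e["mtime"].date() == infection_date
               and any(flag in e["attrs"] for flag in "SHR")]
    # Same size and second-exact timestamp across differently named DLLs: dropped together.
    clusters = defaultdict(list)
    for e in flagged:
        clusters[(e["size"], e["mtime"])].append(e["path"])
    return flagged, {key: paths for key, paths in clusters.items() if len(paths) > 1}
```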
6skis
Hey Man, I can't thank you enough for all your help. I learned a bunch and won't make the mistake of letting my guard down on the internet again. Seeing how I've never reformatted or reloaded windows in over 4 years, now's as good a time as any. Thanks again...Happy Holidays!
6skis
OK, I'm done reformatting and loading windows...wow, what a difference! My last question for you: now that I'm running 'clean' again, what do you recommend I download to stay that way? I've installed McAfee Security Suite and I have a subscription to Stopzilla, but I'm not sure I should download it again (I'm a bit paranoid after what I just went through). The 'how to stop hijackers and spyware' article on this page lists quite a few programs to download...is all that really necessary? Thanks again for your time.
LoPhatPhuud
Lots of things you can do and my standard message for a clean log will give you a starting point. One thing to consider is using another browser as your default. I recommend (and use) Firefox. Of course, you need to keep IE current for Windows Update usage, but other browsers do not have the exposure that IE does.


Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK. Now press "Custom Level."
In the ActiveX section:
Set the first option, 'Download signed controls', to 'Prompt'.
Set the second option, 'Download unsigned controls', to 'Disable'.
Finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
d. Bugoff: http://tools.zerosrealm.com/bugoff.zip

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

8. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://spywarewarrior.com/asw-test-guide.htm

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
Invision Power Board © 2001-2009 Invision Power Services, Inc.