1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Another smitfraud.c trojan and fallout...

Discussion in 'Malware and Virus Removal Archive' started by Idrillium, 2005/06/27.

Thread Status:
Not open for further replies.
  1. 2005/06/27
    Idrillium

    Idrillium Inactive Thread Starter

    Joined:
    2005/06/26
    Messages:
    2
    Likes Received:
    0
    This is my first serious look on this computer that was bought used couple years ago. It has Windows XP with SP2.

    My son managed to snag this smitfraud thing whilst surfing the web :rolleyes: , and it seems tough to get rid of. Between my McAfee 2005 anti-virus program, Spybot S&D (updated 6/21), and AdAware (updated 6/21), they found alot! McAfee had found a trojan.biz file and I deleted it. I also deleted Fastclick and IBIS Huntbar with Spybot, and IBIS Huntbar with AdAware.

    Still things aren't right. When closing the McAfee program I get a red x application error that says:
    mghtml.exe - Application Error
    The instruction at "0x00be8a32" referenced memory at "0x00c01e94 ". The memory could not be read. Click OK to terminate program

    Also, closing Wordperfect comes up with:
    PerfectFont:wpwin10.exe - Application Error
    The instruction at "0x00f08a32" referenced memory at "0x00f21e94. The memory could not be "read "

    The first of these 'memory' application errors was when Yahoo Messenger was closed, but I removed that application figuring I could reload it when all is well.

    So, I started over and I proceeded to do:

    1. A McAfee scan and it came up with nothing.

    2. An online scan with Spyware Doctor from PCTools.com. It came up with:
    5 entries of 'Instant Access HKLM\software\microsoft\codestoredatabase\distribution units\string of numbers' followed by nothing, \contains, \contains\files, \InstalledVersion

    1 entry of Instant Access c\windows\tmlpcert2005

    1 entry of Instant Access c\windows\downloaded program files\nethv32.inf

    5 entries of stoolbar HKLM\Software\BTIEIN

    1 entry of transponder.ceres c\windows\INF\ceres.inf

    4 entries of Huntbar HKLM\Software\BTIEIN

    1 entry of nCase

    4 entries of WildTangent - 1 c\windows\system32\wtcpl.cpl & 3 in C\Program Files\JavaSoft\1.3.1._04

    I could get more detailed on what that listed, and is it worth paying the $40 for that program to 'remove' them?

    Anyway. moving on.... I did a:

    3. Complete scan (again) with Spybot S&D and Ad-aware SE Personal. They both came up with IBIS Huntbar and couldn't remove it. (Further investigation found a 'search toolbar' folder in Program Files that has a 'temp' folder in it that doesn't allow itself to be opened or deleted. Sane thing with the IBIS reg key.)

    4. Downloaded and scanned with HijackThis.
    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:36:16 PM, on 6/26/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\AntiSpyWare\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iezpc.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZ-PC Internet 509-674-9700
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe "
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iezpc.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mid-tn.com/utilities/tdserver.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE8F9F83-FABC-4CB8-BFB8-675BE79463EF}: NameServer = 216.126.136.250 216.126.128.40
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
    O20 - AppInit_DLLs: byniha.dll
    O23 - Service: Bynih Service (BynihSrv) - Unknown owner - C:\WINDOWS\system32\bynih.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


    Any ideas on what I should do here?
     
    Idrillium,
    #1
  2. 2005/07/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Idrillium :)

    Sorry for the delay.

    Download smitRem.zip and save the file to your desktop.
    Right click on the file and extract it to it's own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    Check for updates to Ad-aware.
    Don't run it yet!

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    Open Ad-aware and run in full scan mode. Remove all it finds.


    Now open Ewido Security Suite
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save Report
    • Save the report to your desktop
    Close Ewido

    Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
    Save the scan log and post it along with a new HijackThis Log and the Ewido Log.
    Let us know if any problems persist.
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2005/07/05
    Idrillium

    Idrillium Inactive Thread Starter

    Joined:
    2005/06/26
    Messages:
    2
    Likes Received:
    0
    Thanks!

    Thanks for getting back to me, and no problem on the delay as I had no chance to get back to this issue until today.

    Here are the results of the logs:

    Active scan:
    Incident Status Location

    Adware:Adware/WinTools No disinfected Windows Registry
    Adware:Adware/MyWebSearch No disinfected C:\Program Files\Search Toolbar
    Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\ceres.inf
    Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Sam's School\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\marketing48[1].htm
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\ceres.inf

    --------------------------------------------------------

    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 4:26:36 PM, 7/4/2005
    + Report-Checksum: 9ECB31AE

    + Scan result:

    HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{469C7080-8EC8-43A6-AD97-45848113743C} -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\Sam's School\Cookies\sam's school@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@valueclick.ne[1].txt -> Spyware.Cookie.Ne : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@weborama[2].txt -> Spyware.Cookie.Weborama : Cleaned with backup
    C:\Documents and Settings\Shadow Keeper\Cookies\shadow keeper@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Program Files\Hewlett-Packard\Memories Disc\hpodlog.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP661\A0046762.dll -> Spyware.Wheaterbug : Cleaned with backup

    --------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 10:50:02 PM, on 7/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\AntiSpyWare\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iezpc.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZ-PC Internet 509-674-9700
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe "
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iezpc.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mid-tn.com/utilities/tdserver.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE8F9F83-FABC-4CB8-BFB8-675BE79463EF}: NameServer = 216.126.136.250 216.126.128.40
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    ------------------------------------------------


    I no longer have the errors when closing the McAfee or WordPerfect but there is still a problem with the Search Toolbar. ewido was unable to clean it, just as AdAware & Spybot S&D can't clear it:

    HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning


    Any ideas on this issue?
     
    Idrillium,
    #3
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...