| Woe is Me

I've attempted to clean my system several times to no avail as that Win32 Driver will not go away!!!! :mad:

Here is my HijackLog:

Logfile of HijackThis v1.97.7
Scan saved at 8:51:44 PM, on 10/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\CTsvcCDA.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\smsc.exe
F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
f:\PROGRA~1\mcafee.com\agent\McDash.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} - F:\WINDOWS\System32\taceoaf.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - F:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PvzP.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Thanks in advance! |
| ||
| Re: Woe is Me

Hi.

First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.

Open Task Manager & end process on the following:

smsc.exe

Then go to F:\WINDOWS\System32 and delete the file manually.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: (no name) - {A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} - F:\WINDOWS\System32\taceoaf.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - F:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PvzP.dll
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe

Search for wuamgrd.exe and delete if found.

Reboot after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please. |
| ||
| Re: Woe is Me

Good morning,

I followed the instructions to a tee and here is the new logfile:

Logfile of HijackThis v1.98.2
Scan saved at 8:02:54 PM, on 10/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\CTsvcCDA.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Questions: I have and use spysweeper. It still indicates that Win32 Driver is present in my register keys. Is there a way to be totally rid of this strain? Also, will my McAfee step up to prevent these viruses from returning? Or is it time to scrap McAfee for Norton Antivirus?

Thanks again! |
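The fix-and-rescan step in this exchange can be checked mechanically. The Python below is an added example, not code from any post in this thread: it compares a rescan with the first scan and the list of entries marked for fixing. The function names are hypothetical, and the sample strings are excerpts of the log entries posted above.

```python
import re

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")  # R0, O2, O4, O16, ...
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entries(log_text):
    """Map a normalized key to the original line for each HijackThis entry."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, running-process path, or surrounding prose
        code, body = m.groups()
        guid = GUID_RE.search(body)
        # v1.97.7 and v1.98.2 label the same BHO differently, so key O2 on the
        # CLSID alone; key every other section on the case-folded entry text.
        key = (code, guid.group(0).lower() if code == "O2" and guid else body.lower())
        entries[key] = raw.strip()
    return entries

def verify_fix(before, after, flagged):
    """Check a rescan against the first scan and the entries marked for fixing."""
    b, a, f = (parse_entries(t) for t in (before, after, flagged))
    return {
        "removed": [f[k] for k in f if k in b and k not in a],
        "still_present": [f[k] for k in f if k in a],
        "unexpected_new": [a[k] for k in a if k not in b],
    }

# Excerpts of the two logs and of the fix list posted in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
"""
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"""
FLAGGED = r"""
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
"""
if __name__ == "__main__":
    for name, lines in verify_fix(BEFORE, AFTER, FLAGGED).items():
        print(name, len(lines), *lines, sep="\n  ")
```

Without the key normalization, the Acrobat BHO and the McUpdate Run entry would be reported as new, because the newer HijackThis version prints the BHO name and the drive-letter case differs between scans.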
| ||
| Re: Woe is Me Quote:
In terms of your log - it now looks clean, except perhaps for the MaxSpeed entries:

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe

At least one anti-virus company (Sophos) links it to a trojan. |
| ||
| Re: Woe is Me Well, my McAfee application is 2004, but that may not mean that it's current enough to deal with whatever trojan strain is occupying my computer. By the Win32 Driver evading detection on the McAfee system scan, SpySweeper system scan and HijackThis scan, is there any other application or software that can get rid of it? As for the MaxSpeed, I will check "fix checked" on my next HJT log. Thanks! |
| ||
| Re: Woe is Me Quote:
|
| ||
| Re: Woe is Me |
| ||
| Re: Woe is Me Good afternoon, Crunchie, I'm not sure if this should be placed with Tech Support, but it is in keeping with the aforementioned system listed in the log. I have attempted to access the internet for the purpose of utilizing the Panda scan, but each and EVERY time I try, I get the "unable to locate server" message. Supposedly my system is free of viruses, but could they have damaged my internet access prior to their removal? I feel like I'm back at square one. |
| ||
| Re: Woe is Me Quote:
If you can reach some/most sites, but cannot reach anti-virus, anti-spyware, or other such security-oriented sites:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".
- Navigate to your C:\windows\system32\drivers\etc folder and find the file named "hosts".
- Open that file in Windows Notepad. Aside from the comment lines at the beginning of the file (the lines which begin with a " # "), it should contain only the following entry:

127.0.0.1 localhost

If you find other similar-looking entries below that, delete all of them and save the file.

Important: Notepad will want to add a .txt extension to the newly-saved filename, so after saving the file and closing Notepad you will need to rename the file back to simply "hosts" (that is, remove the .txt from the end of the filename).

If the connection problem occurs with all/any sites you try to reach, let us know that. |
| ||
| Re: Woe is Me DMR, Thanks for that instruction! I was able to do everything but the very last item. My system wouldn't allow the changing of an established format (in this case notebook to service). My intention is to change it on the system here at work and return the file to my home system. In the process of opening that file, I discovered 728 alternate entries (729 - if you count a duplicate localhost entry at the very end). I won't know if the system will allow internet access until I return home this evening to give it a shot. Thanks again. |
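The hosts file check from DMR's reply, and the extra and duplicate entries reported in the last post, can be expressed as a short audit script. This Python is an added example, not part of the thread: the function names and the keyword list are assumptions, and the sample file and its hostnames are constructed placeholders.

```python
EXPECTED = ("127.0.0.1", "localhost")  # the only mapping the reply expects
# Assumption: illustrative keywords for spotting security-site hostnames.
SECURITY_HINTS = ("antivirus", "antispyware", "security")

def fields(line):
    """Strip a trailing comment and split a hosts line into address + names."""
    return line.split("#", 1)[0].split()

def audit_hosts(text):
    """Return (extra, duplicates, security_hits) as (line_no, address, name)."""
    seen, extra, duplicates = set(), [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = fields(line)
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        for name in (n.lower() for n in parts[1:]):
            pair = (parts[0], name)
            if pair in seen:
                duplicates.append((line_no, *pair))
            elif pair != EXPECTED:
                extra.append((line_no, *pair))
            seen.add(pair)
    hits = [e for e in extra if any(h in e[2] for h in SECURITY_HINTS)]
    return extra, duplicates, hits

def cleaned(text):
    """Keep comment/blank lines and one localhost entry; drop everything else."""
    out, have_localhost = [], False
    for line in text.splitlines():
        parts = fields(line)
        if not parts:
            out.append(line)
        elif tuple(parts) == EXPECTED and not have_localhost:
            out.append(line)
            have_localhost = True
    return "\n".join(out) + "\n"

SAMPLE = """\
# Constructed sample hosts file; every hostname is a placeholder
127.0.0.1       localhost
127.0.0.1       www.antivirus-vendor.example
127.0.0.1       update.antivirus-vendor.example
0.0.0.0         scan.antispyware.example
127.0.0.1       ads.tracker.example
127.0.0.1       localhost
"""
if __name__ == "__main__":
    extra, dups, hits = audit_hosts(SAMPLE)
    print(len(extra), "extra,", len(dups), "duplicate,", len(hits), "security-site")
    print(cleaned(SAMPLE), end="")
```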