sickofit 0 Light Poster

Gerbil,

Thanks so much for your help, you guys are fantastic.

I have uninstalled Combofix.

I think that we are good to go.

I've had some of these types of issues before, but this one was pretty irritating. Looks like I am not the only one out there dealing with this nasty.

Thanks again,

Sickofit

sickofit 0 Light Poster

Alright, here is the "updated" full scan. There were 10 files, all TDSS. I looked for these and never found them, but apparently they were there.

Is there a next step?

Full Scan post update:

Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 3

12/2/2008 8:49:23 PM
mbam-log-2008-12-02 (20-49-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130290
Time elapsed: 43 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSkfkl.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoaha.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoxum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurxb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSrvdc.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

sickofit 0 Light Poster

In the prior-to-update full scan there were items that I removed, and I am not sure that is reflected here, but here is the full scan prior to update:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/2/2008 7:14:08 PM
mbam-log-2008-12-02 (19-14-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126109
Time elapsed: 45 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

sickofit 0 Light Poster

Quick Scan post update:

Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 3

12/2/2008 7:51:33 PM
mbam-log-2008-12-02 (19-51-33).txt

Scan type: Quick Scan
Objects scanned: 69654
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Daddy\nah_sgjj.exe (Trojan.Agent) -> Quarantined and deleted successfully.

sickofit 0 Light Poster

Quick Scan prior to update:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/2/2008 6:27:29 PM
mbam-log-2008-12-02 (18-27-29).txt

Scan type: Quick Scan
Objects scanned: 65590
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareBot (Rogue.MalwareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareBot (Rogue.MalwareBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Daddy\Application Data\MalwareBot (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Log (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Settings (Rogue.MalwareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Daddy\Application Data\MalwareBot\rs.dat (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Log\2008 Dec 01 - 02_25_58 PM_406.log (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Settings\ScanResults.pie (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSS5e4d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSS5f76.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSS6c86.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSSb071.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
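
The Malwarebytes logs in this thread all follow one layout: a header with the database version and scan type, a block of per-category counts, and then each category listed again with one hit per line in the form "path (Family) -> action". The parser below is an added example written for this page; it is not Malwarebytes code and was not posted in the thread. It reads that layout, cross-checks the summary counts against the itemised entries, and separates hits on live paths from hits under C:\Qoobox\Quarantine, which is where ComboFix stores the files it removed (renamed with a .vir suffix), so a later scanner hit there is on an inert copy rather than on a running component. The log embedded in it is constructed from entries seen above and cut down to three categories.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Malwarebytes 1.30 logs posted in this
# thread, cut down to three categories: two ComboFix quarantine copies, two live hits.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1450

Scan type: Full Scan (C:\|)
Objects scanned: 130290

Memory Processes Infected: 0
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\nah_sgjj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # summary block
CATEGORY_RE = re.compile(r"^([A-Za-z ]+ Infected):$")           # itemised block header
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# ComboFix keeps the originals it removed under this directory, renamed with a .vir suffix.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Hit:
    category: str
    path: str
    family: str
    action: str

    @property
    def quarantined_copy(self) -> bool:
        # A scanner hit under Qoobox is on an inert .vir copy, not a running component.
        return self.path.lower().startswith(QUARANTINE_PREFIX)


@dataclass
class ScanReport:
    database_version: int = 0
    scan_type: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)   # category -> count from the summary block
    hits: list = field(default_factory=list)

    def families(self):
        return sorted({h.family for h in self.hits})


def parse_mbam_log(text: str) -> ScanReport:
    report, category = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            key, value = m.groups()
            if key == "Database version":
                report.database_version = int(value)
            elif key == "Scan type":
                report.scan_type = value
            else:
                report.objects_scanned = int(value)
        elif m := COUNT_RE.match(line):
            report.counts[m.group(1)] = int(m.group(2))
        elif m := CATEGORY_RE.match(line):
            category = m.group(1)          # item lines that follow belong to this category
        elif (m := ITEM_RE.match(line)) and category:
            report.hits.append(Hit(category, **m.groupdict()))
    return report


def count_mismatches(report: ScanReport) -> dict:
    """Categories whose summary count disagrees with the number of lines listed under it."""
    listed = {}
    for h in report.hits:
        listed[h.category] = listed.get(h.category, 0) + 1
    return {c: (n, listed.get(c, 0)) for c, n in report.counts.items() if n != listed.get(c, 0)}


def triage(report: ScanReport):
    """Split hits into (live-path hits, ComboFix quarantine copies)."""
    copies = [h for h in report.hits if h.quarantined_copy]
    live = [h for h in report.hits if not h.quarantined_copy]
    return live, copies


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    live, copies = triage(report)
    print(f"db {report.database_version}, {report.scan_type}, {report.objects_scanned} objects")
    print(f"{len(live)} live hit(s), {len(copies)} quarantine-copy hit(s); families: {report.families()}")
    for h in live:
        print(f"  LIVE  {h.category}: {h.path} [{h.family}]")
    for cat, (claimed, listed) in count_mismatches(report).items():
        print(f"  count mismatch in {cat}: summary says {claimed}, {listed} listed")
```

Run against the full-scan log above, every one of the ten Trojan.TDSS hits lands in the quarantine-copy bucket; the two Trojan.Agent hits from the post-update quick scan are the live ones.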

sickofit 0 Light Poster

Well, I managed to forget to update first, so I will post two quick scans: the first one prior to update, the second post-update.

I have performed one full scan prior to update, which I will post last. I have to run another full scan post-update; when it is done I will post it.

sickofit 0 Light Poster

OK gentlemen, finally a bit of success. ComboFix has been run and the log follows. Waiting on a reply before trying Malwarebytes.

Log:

ComboFix 08-12-01.03 - Administrator 2008-12-02 17:22:50.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.816 [GMT -6:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\Drivers\TDSSrvdc.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoaha.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSoxum.dll
c:\windows\system32\TDSSqrde.log
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TDSSurxb.dll
c:\windows\system32\TDSSweat.dat
c:\windows\system32\TDSSxehr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 17:17 . 2008-12-02 17:17 <DIR> d-------- C:\CMBFIX
2008-12-02 16:48 . 2008-12-02 17:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 16:48 . 2008-12-02 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 16:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 16:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 23:22 . 2008-12-01 23:22 <DIR> d-------- c:\windows\LastGood.Tmp
2008-12-01 23:22 . 2008-12-01 23:22 <DIR> d-------- c:\program files\Panda Security
2008-12-01 23:22 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-01 23:21 . 2008-12-02 17:04 <DIR> d-------- c:\documents and settings\Administrator.HAL\Application Data\AVG7
2008-12-01 23:18 . 2006-06-19 17:04 <DIR> d-------- c:\documents and settings\Administrator.HAL\Application Data\Gtek
2008-12-01 23:18 . 2008-12-01 23:18 <DIR> d-------- c:\documents and settings\Administrator.HAL
2008-11-30 20:25 . 2008-11-30 20:25 <DIR> d-------- c:\documents and settings\Administrator
2008-11-30 16:48 . 2008-11-30 16:48 …
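
The ComboFix log above has three machine-readable parts: the "Other Deletions" list of paths it removed, the "Drivers/Services" list where each removed service appears as a Service_NAME line and a Legacy_NAME line, and the "Files Created" window where each line is creation time, a dot, modification time, size or <DIR>, an attribute string and the path. The script below is an added example for this page, not ComboFix's own code and not from the thread. It parses a constructed, shortened excerpt in that layout, buckets the deleted files by the naming pattern every TDSS file in the log shares (TDSS followed by four letters and one of the extensions seen; a heuristic for this sample, not a general signature), and lists the kernel drivers (.sys files under a drivers directory) created inside the reported window with their modification times, so they can be matched against the programs installed that day (the log shows the Malwarebytes and Panda Security directories being created in the same minutes as mbamswissarmy.sys and pavboot.sys).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, shortened excerpt in the layout of the ComboFix log posted above.
SAMPLE_LOG = r"""ComboFix 08-12-01.03 - Administrator 2008-12-02 17:22:50.1 - NTFSx86 NETWORK
.

(((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSnmxh.log

.
(((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

(((((((((((((( Files Created from 2008-11-02 to 2008-12-02 ))))))))))))))))
.

2008-12-02 17:17 . 2008-12-02 17:17 <DIR> d-------- C:\CMBFIX
2008-12-02 16:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 23:22 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-01 23:18 . 2006-06-19 17:04 <DIR> d-------- c:\documents and settings\Administrator.HAL\Application Data\Gtek
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # the "((( Title )))" banners
SERVICE_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
# Naming pattern shared by every TDSS file in this log: "TDSS" + four letters + an
# extension seen there.  A heuristic for this sample, not a general signature.
TDSS_NAME_RE = re.compile(r"^tdss[a-z]{4}\.(dll|sys|log|dat)$", re.IGNORECASE)


@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]      # None for <DIR> lines
    attrs: str
    path: str

    @property
    def is_driver(self) -> bool:
        p = self.path.lower()
        return p.endswith(".sys") and "\\drivers\\" in p


def parse_combofix_log(text):
    """Return {'deletions': [path], 'services': [(kind, name)], 'created': [CreatedEntry]}."""
    out, section = {"deletions": [], "services": [], "created": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            title = m.group(1)
            section = "created" if title.startswith("Files Created") else title
        elif section == "Other Deletions" and PATH_RE.match(line):
            out["deletions"].append(line)
        elif section == "Drivers/Services" and (m := SERVICE_RE.match(line)):
            out["services"].append((m.group(1), m.group(2)))
        elif section == "created" and (m := CREATED_RE.match(line)):
            created, modified, size, attrs, path = m.groups()
            out["created"].append(CreatedEntry(
                created, modified, None if size == "<DIR>" else int(size.replace(",", "")),
                attrs, path))
    return out


def group_deletions(paths):
    """Bucket deleted paths by basename: the TDSS naming family versus everything else."""
    groups = {"TDSS": [], "other": []}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        groups["TDSS" if TDSS_NAME_RE.match(name) else "other"].append(p)
    return groups


def new_drivers(entries):
    """Kernel drivers (.sys under a drivers directory) created inside the reported window."""
    return [e for e in entries if e.is_driver]


if __name__ == "__main__":
    log = parse_combofix_log(SAMPLE_LOG)
    groups = group_deletions(log["deletions"])
    print(f"deleted: {len(groups['TDSS'])} TDSS-pattern files, {len(groups['other'])} other")
    for kind, name in log["services"]:
        print(f"service removed: {kind} {name}")
    for e in new_drivers(log["created"]):
        print(f"driver created {e.created}: {e.path} ({e.size} bytes, modified {e.modified})")
```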

sickofit 0 Light Poster

OK, can't get to either of the F-Secure sites. Searched for the TDSSserv files, came up with 2 and deleted them. MBAM still won't run. I am going to download some of these to disc from another computer and rename them. Hopefully "something" will work from there.

sickofit 0 Light Poster

OK, I can get to Panda in safe mode. No luck on Kaspersky or on ComboFix. Same problem.

I registered with Panda, downloaded 2.0 and enabled the ActiveX control; however, when it goes to update ActiveScan 2.0 I get an error and can't get any further.

sickofit

sickofit 0 Light Poster

Crunchie,

I've tried to rename it, with no luck. Seems to me that when I transferred the file from CD to the computer the virus locked it up. It will not let me run it and it will not let me remove it.

I've tried renaming it on the CD and moving it over again, but that is not working either.

sickofit 0 Light Poster

Gerbil,

When I try to click on the link, my Internet Explorer will not let me get to it. It says the page is unavailable. This is the problem I was telling you about: apparently whatever this virus is, it has the ability to see if I am trying to access a page that has any type of spyware removal tools on it, and it gives me the unavailable page.

sickofit 0 Light Poster

gerbil,

Yes, I found 3 files that you had mentioned:
runhh6110411.exe
learn32.dll (x2)
Ina

I deleted these as you requested but I am having trouble finding anything else in D & S.

I am locked out of one of my DOCUMENT folders; IE redirects any searches for spyware, e.g. malwarebytes.org. I am getting fake Micro update notices that direct me to www.defender-review, although I have not seen that one in a while. It will not allow AVG Free to update (no connection available). AVG does not find anything on scan.

I will have to download another copy of Malwarebytes to disc and rename it on the download. I copied the existing copy to the computer and now I cannot open it, nor can I remove it: access denied.

I will try to download a new copy as soon as I can. In the meantime if there is anything else I can do, please let me know.

Thanks for your help,

sickofit

sickofit 0 Light Poster

OK, it will not let me run MBAM, but I am able to get a HijackThis log. Here it is. Hopefully I can get started with this and maybe we can do something to get MBAM to work.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:18 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Daddy\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program …

sickofit 0 Light Poster

Gerbil,

Thanks for the response. I was able to access a friend's computer this morning and have downloaded Malwarebytes and HijackThis. I am assuming that this will make this process easier to deal with. I am just hopeful that the virus will allow me to install them on my computer. Let me know exactly what I need to do with these programs and I will post whatever is needed from there.

Again, thanks for your help,

sickofit

sickofit 0 Light Poster

It appears that I have been infected with this bug. I have reviewed the already existing thread that is related to ISPYNOW; however, whenever I try to access a link that has anything to do with malware or spyware, I get redirected or my browser will not allow the website with the links to come up. If I had another computer I would access the links from there, download the programs to disk and load them, but unfortunately I do not have access to another computer.

Is there any way someone could email me the programs necessary to fix these problems?

Thank you,

Sickofit

sickofit 0 Light Poster

I also tried the manual removal directions listed on the same page as the smitrem link.

Most of the problems seem to be gone but I am still getting the popup on the task bar.
I do not know if I am missing a reg key to delete or if it is something that I can delete from sys processes.

Any more suggestions?

Thanks

sickofit 0 Light Poster

Laser,

Sorry about the misunderstanding. I went back to the page and it looks like you are talking about the smitrem.exe program, where when opened you run the RunThis.bat file. Unfortunately, I have run this already, along with about 5 others. I am still having problems and cannot seem to get this fixed.

Thanks

sickofit 0 Light Poster

Thanks for the link but I refuse to purchase their product. I would buy a new computer before I would give in to them.

sickofit 0 Light Poster

I need help, please.

I have run into the SpyAxe adware program and it is currently giving me the "system intrusion detected" pop-up on my task bar. It has not taken over my homepage as of yet, but I expect it to sometime.

I have run Ad-Aware and it did find one virus, which it cleaned.

I have run the smitrem program and it found nothing.

I have AVG on the machine and it finds but 1 virus. (deleted)

I am posting an HJT log, a CWShredder log and an Ewido log. Please assist in any way possible,

HJT


Logfile of HijackThis v1.99.1
Scan saved at 11:36:10 AM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Damon Foster\Desktop\HJT\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpEC44.tmp (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=091705 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} …

sickofit 0 Light Poster

Well, not so many pop-ups, but McAfee is still finding files that I am unable to quarantine or fix; I have to delete them, only for them to show up the next day.

I am going to run SpySubtract again and see if it cleans any of those that may be left.

When I run CWShredder by itself, it finds nothing.

I appreciate your help. I will post one more log after an additional run of SpySubtract and CWShredder. If all looks good at that point, then I guess you have fixed my problems.

Thanks a million

sickofit

sickofit 0 Light Poster

dlh,

OK, it was a little bit confusing on the download, whether to do CWShredder or the combined SpySubtract with CWShredder; I opted for the latter. Ran the update, downloaded and fixed, but I think the fix was in SpySubtract.

Then I scanned with HJT and fixed the specified files, then searched for systb.dll, deleted it and removed it from the Recycle Bin.

Here is the updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:06:28 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Damon Foster\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] …

sickofit 0 Light Poster

dlh,

OK, thanks for the response.

1. Ran HJT in Safe Mode and fixed the requested files
2. Could not find C:\WINDOWS\dlmax.dll
3. Could not find C:\WINDOWS\farmmext.exe
4. Ran a search for efbiwte.exe and came up with 2 instances, which I deleted and then removed from the Recycle Bin
5. Rebooted in Normal mode and ran HJT again. Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 7:57:40 PM, on 3/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Damon Foster\Desktop\HJT\HijackThis.exe

Thank you

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat …

sickofit 0 Light Poster

dlh,

Thanks for the reply; here goes.

1. Could not find Ebates_MoeMoneyMaker or similar in Add/Remove Programs
2. Ran the fix on all you said in HJT; all worked
3. Could not delete C:\WINDOWS\dlmax.dll or C:\WINDOWS\system32\efbiwte.exe. Error says cannot delete: Access is denied
4. Deleted the contents of the folders you listed
5. Deleted .tmp files and emptied the Recycle Bin

New HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:09:47 AM, on 3/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\Documents and Settings\Damon Foster\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\

sickofit 0 Light Poster

I went to msconfig, checked all and ran HJT again; here is the updated log. FYI, I am running XP Pro. I need help!!!!! Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 11:11:10 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\windows\system32\efbiwte.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\system32\packager.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Damon Foster\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: …

sickofit 0 Light Poster

I have tried to remove these with various spyware products with no luck; I am inundated with pop-ups, redirects, and homepage switches. Here is the HijackThis log. What to do now? Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 10:20:29 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\winlogon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\windows\system32\efbiwte.exe
c:\windows\system32\packager.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\spider.exe
C:\DOCUME~1\DAMONF~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - …
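
The HijackThis logs posted in this thread turn on a few line types: R0/R1 lines for Internet Explorer start and search settings (here pointing at websearch.drsnsrch.com), O2 and O3 lines for browser helper objects and toolbars (dlmax.dll and systb.dll loaded straight from C:\WINDOWS, one of them marked "(file missing)"), O4 autostart entries, and the running-process list, in which winlogon.exe appears more than once. The script below is an added example for this page; it is not HijackThis code and was not posted by anyone in the thread. It parses a constructed excerpt in the v1.99.1 layout (assembled from the kinds of entries seen above, plus one O4 line built from the nah_Shell Run value and nah_sgjj.exe path that Malwarebytes reported later in the thread) and flags: IE settings whose host is not on an allow-list, O2/O3 entries whose file is missing or sits in the Windows root rather than system32 or Program Files, autostarts that run from a user profile or Temp directory, and single-instance system processes listed more than once. The allow-list and the single-instance set are assumptions made for the example and would be adjusted per machine.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 layout, assembled from the kinds of entries
# posted in this thread; the nah_Shell O4 line is built from the Malwarebytes hit above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\efbiwte.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Daddy\nah_sgjj.exe
"""

R_RE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<url>.*)$")
O23_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")       # a file directly in C:\WINDOWS
USER_PROFILE = re.compile(r"^[a-z]:\\documents and settings\\|\\temp\\")

# Assumptions for this example, to be adjusted per machine: hosts IE may legitimately
# point at, and XP system processes that exist exactly once per interactive session.
ALLOWED_HOSTS = {"www.dellnet.com", "go.microsoft.com"}
SINGLE_INSTANCE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def host_of(url):
    """Hostname of an R-line value; HijackThis omits the scheme on some keys (SearchURL)."""
    if not url:
        return None
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower() or None


def parse_hjt_log(text):
    """Split a log into the running-process list and its R, O2/O3 and O4 entries."""
    entries = {"processes": [], "R": [], "O2O3": [], "O4": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                entries["processes"].append(line)
            else:
                in_procs = False               # a blank line ends the process list
        else:
            for kind, rx in (("R", R_RE), ("O2O3", O23_RE), ("O4", O4_RE)):
                if m := rx.match(line):
                    entries[kind].append({**m.groupdict(), "line": line})
                    break
    return entries


def triage(entries):
    """Return (subject, [reasons]) pairs for entries worth a second look."""
    findings = []
    names = Counter(p.rsplit("\\", 1)[-1].lower() for p in entries["processes"])
    for name, n in sorted(names.items()):
        if name in SINGLE_INSTANCE and n > 1:
            findings.append((name, [f"{n} instances of a single-instance system process"]))
    for r in entries["R"]:
        host = host_of(r["url"])
        if host and host not in ALLOWED_HOSTS:
            findings.append((r["line"], [f"IE setting points at unexpected host {host}"]))
    for o in entries["O2O3"]:
        reasons, path = [], o["path"]
        if path.endswith("(file missing)") or path == "(no file)":
            reasons.append("registered COM object whose file is gone (orphaned registration)")
            path = path.replace("(file missing)", "").strip()
        if WINDOWS_ROOT_FILE.match(path.lower()):
            reasons.append("DLL loaded straight from the Windows root, not system32 or Program Files")
        if reasons:
            findings.append((o["line"], reasons))
    for o in entries["O4"]:
        if USER_PROFILE.search(o["cmd"].lower()):
            findings.append((o["line"], ["autostart runs from a user profile or Temp directory"]))
    return findings


if __name__ == "__main__":
    for subject, reasons in triage(parse_hjt_log(SAMPLE_LOG)):
        print(subject)
        for why in reasons:
            print("    ->", why)
```

The process-list check is deliberately narrow: a name such as efbiwte.exe in system32 looks like any other process on its own, and it was the cross-reference against autostart entries and the file searches done in this thread, not the path, that identified it.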