Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
2b1, Newbie. Joined: 04 Apr 2005. Last Visit: 26 Dec 2005. Posts: 9
Posted: Mon Apr 04, 2005 12:21 pm. Post subject: slimshield menace
Hi, I got SlimShield on my computer. I included the HijackThis logfile. Can somebody please help me?
Logfile of HijackThis v1.99.1
Scan saved at 22:17:31, on 4/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\Vte.exe
C:\WINDOWS\system32\open32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.skynet.be/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.belgacom.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.skynet.be/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Belgacom Skynet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Noa] C:\WINDOWS\System32\Vte.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Vta] C:\WINDOWS\System32\Gsl.exe
O4 - HKLM\..\Run: [Nvd] C:\WINDOWS\System32\Vaq.exe
O4 - HKLM\..\Run: [Qga] C:\WINDOWS\Urn.exe
O4 - HKLM\..\Run: [Ija] C:\WINDOWS\System32\Rrh.exe
O4 - HKLM\..\Run: [Ibq] C:\WINDOWS\App.exe
O4 - HKLM\..\Run: [Mam] C:\WINDOWS\Rrv.exe
O4 - HKLM\..\Run: [Abi] C:\WINDOWS\Occ.exe
O4 - HKLM\..\Run: [Veu] C:\WINDOWS\Jnv.exe
O4 - HKLM\..\Run: [Thd] C:\WINDOWS\System32\Msp.exe
O4 - HKLM\..\Run: [Lks] C:\WINDOWS\System32\Lpt.exe
O4 - HKLM\..\Run: [Qum] C:\WINDOWS\Qja.exe
O4 - HKLM\..\Run: [Sst] C:\WINDOWS\System32\Rbp.exe
O4 - HKLM\..\Run: [Qmv] C:\WINDOWS\Nvl.exe
O4 - HKLM\..\Run: [Plk] C:\WINDOWS\Eua.exe
O4 - HKLM\..\Run: [Ptg] C:\WINDOWS\Hof.exe
O4 - HKLM\..\Run: [Sru] C:\WINDOWS\Keg.exe
O4 - HKLM\..\Run: [Bvm] C:\WINDOWS\System32\Ftk.exe
O4 - HKLM\..\Run: [Pnk] C:\WINDOWS\System32\Ekv.exe
O4 - HKLM\..\Run: [Bdj] C:\WINDOWS\System32\Gem.exe
O4 - HKLM\..\Run: [Cqf] C:\WINDOWS\Vqm.exe
O4 - HKLM\..\Run: [Jnj] C:\WINDOWS\System32\Akt.exe
O4 - HKLM\..\Run: [Kbh] C:\WINDOWS\Hov.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\Ekl.exe
O4 - HKLM\..\Run: [Oef] C:\WINDOWS\Qvv.exe
O4 - HKLM\..\Run: [Cat] C:\WINDOWS\Dta.exe
O4 - HKLM\..\Run: [Lvb] C:\WINDOWS\Bci.exe
O4 - HKLM\..\Run: [Nme] C:\WINDOWS\Ats.exe
O4 - HKLM\..\Run: [Iko] C:\WINDOWS\Rnk.exe
O4 - HKLM\..\Run: [Udo] C:\WINDOWS\Ept.exe
O4 - HKLM\..\Run: [Foq] C:\WINDOWS\Fkj.exe
O4 - HKLM\..\Run: [Rec] C:\WINDOWS\Pnu.exe
O4 - HKLM\..\Run: [Cqk] C:\WINDOWS\Bjl.exe
O4 - HKLM\..\Run: [Qeb] C:\WINDOWS\System32\Lpv.exe
O4 - HKLM\..\Run: [Qea] C:\WINDOWS\Ugk.exe
O4 - HKLM\..\Run: [Ejh] C:\WINDOWS\Roc.exe
O4 - HKLM\..\Run: [Loa] C:\WINDOWS\System32\Vga.exe
O4 - HKLM\..\Run: [Olm] C:\WINDOWS\System32\Ash.exe
O4 - HKLM\..\Run: [Bsr] C:\WINDOWS\Vhe.exe
O4 - HKLM\..\Run: [Hnj] C:\WINDOWS\Nvg.exe
O4 - HKLM\..\Run: [Mfo] C:\WINDOWS\System32\Con.exe
O4 - HKLM\..\Run: [Oqt] C:\WINDOWS\Ede.exe
O4 - HKLM\..\Run: [Ftm] C:\WINDOWS\System32\Jhb.exe
O4 - HKLM\..\Run: [Kub] C:\WINDOWS\Pqg.exe
O4 - HKLM\..\Run: [Kqd] C:\WINDOWS\System32\Opf.exe
O4 - HKLM\..\Run: [Aef] C:\WINDOWS\System32\Ndd.exe
O4 - HKLM\..\Run: [Mnm] C:\WINDOWS\System32\Nut.exe
O4 - HKLM\..\Run: [Ucp] C:\WINDOWS\System32\Pcq.exe
O4 - HKLM\..\Run: [Eta] C:\WINDOWS\Pcm.exe
O4 - HKLM\..\Run: [Acj] C:\WINDOWS\Mjs.exe
O4 - HKLM\..\Run: [Jib] C:\WINDOWS\System32\Lsm.exe
O4 - HKLM\..\Run: [Peq] C:\WINDOWS\System32\Oll.exe
O4 - HKLM\..\Run: [Ujv] C:\WINDOWS\System32\Bjh.exe
O4 - HKLM\..\Run: [Ggo] C:\WINDOWS\Abg.exe
O4 - HKLM\..\Run: [Ovl] C:\WINDOWS\Tct.exe
O4 - HKLM\..\Run: [Skk] C:\WINDOWS\System32\Edd.exe
O4 - HKLM\..\Run: [Ilg] C:\WINDOWS\System32\Mfn.exe
O4 - HKLM\..\Run: [Uru] C:\WINDOWS\System32\Tci.exe
O4 - HKLM\..\Run: [Foj] C:\WINDOWS\Pro.exe
O4 - HKLM\..\Run: [Dat] C:\WINDOWS\Eph.exe
O4 - HKLM\..\Run: [Ubb] C:\WINDOWS\System32\Hdv.exe
O4 - HKLM\..\Run: [Uhb] C:\WINDOWS\Lqq.exe
O4 - HKLM\..\Run: [Iph] C:\WINDOWS\System32\Cue.exe
O4 - HKLM\..\Run: [Jco] C:\WINDOWS\Dfi.exe
O4 - HKLM\..\Run: [Nlc] C:\WINDOWS\Dmc.exe
O4 - HKLM\..\Run: [Hpe] C:\WINDOWS\System32\Mrh.exe
O4 - HKLM\..\Run: [Hvp] C:\WINDOWS\System32\Eio.exe
O4 - HKLM\..\Run: [Ota] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cqn] C:\WINDOWS\Acr.exe
O4 - HKLM\..\Run: [Okv] C:\WINDOWS\Qcr.exe
O4 - HKLM\..\Run: [Hmu] C:\WINDOWS\System32\Lcm.exe
O4 - HKLM\..\Run: [Ink] C:\WINDOWS\System32\Iqn.exe
O4 - HKLM\..\Run: [Cff] C:\WINDOWS\System32\Mua.exe
O4 - HKLM\..\Run: [Lsn] C:\WINDOWS\Oeg.exe
O4 - HKLM\..\Run: [Shf] C:\WINDOWS\Bhn.exe
O4 - HKLM\..\Run: [Vqm] C:\WINDOWS\Tmp.exe
O4 - HKLM\..\Run: [Akb] C:\WINDOWS\Hdf.exe
O4 - HKLM\..\Run: [Tdg] C:\WINDOWS\System32\Foe.exe
O4 - HKLM\..\Run: [Phr] C:\WINDOWS\Til.exe
O4 - HKLM\..\Run: [Ete] C:\WINDOWS\Scl.exe
O4 - HKLM\..\Run: [Ban] C:\WINDOWS\Tnr.exe
O4 - HKLM\..\Run: [Hud] C:\WINDOWS\System32\Vla.exe
O4 - HKLM\..\Run: [Iji] C:\WINDOWS\Ffk.exe
O4 - HKLM\..\Run: [Udm] C:\WINDOWS\System32\Ijf.exe
O4 - HKLM\..\Run: [Pii] C:\WINDOWS\System32\Nel.exe
O4 - HKLM\..\Run: [Rer] C:\WINDOWS\Rhf.exe
O4 - HKLM\..\Run: [Slm] C:\WINDOWS\Vcq.exe
O4 - HKLM\..\Run: [Dqh] C:\WINDOWS\Ast.exe
O4 - HKLM\..\Run: [Evk] C:\WINDOWS\Ort.exe
O4 - HKLM\..\Run: [Tqe] C:\WINDOWS\Oip.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Hfe] C:\WINDOWS\Tgu.exe
O4 - HKLM\..\Run: [Gmj] C:\WINDOWS\Msf.exe
O4 - HKLM\..\Run: [Svn] C:\WINDOWS\system32\Dtl.exe
O4 - HKLM\..\Run: [Hom] C:\WINDOWS\Qse.exe
O4 - HKLM\..\Run: [Ubq] C:\WINDOWS\system32\Pjq.exe
O4 - HKLM\..\Run: [Uhm] C:\WINDOWS\Sai.exe
O4 - HKLM\..\Run: [Cbt] C:\WINDOWS\system32\Vce.exe
O4 - HKLM\..\Run: [Ukv] C:\WINDOWS\system32\Jkk.exe
O4 - HKLM\..\Run: [Bgi] C:\WINDOWS\Bhq.exe
O4 - HKLM\..\Run: [Ara] C:\WINDOWS\Ikp.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\Qfp.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\system32\Rsj.exe
O4 - HKLM\..\Run: [Vcs] C:\WINDOWS\system32\Nib.exe
O4 - HKLM\..\Run: [Ulh] C:\WINDOWS\Eas.exe
O4 - HKLM\..\Run: [Hbf] C:\WINDOWS\system32\Nbb.exe
O4 - HKLM\..\Run: [Eet] C:\WINDOWS\Usj.exe
O4 - HKLM\..\Run: [Jck] C:\WINDOWS\system32\Dso.exe
O4 - HKLM\..\Run: [Noe] C:\WINDOWS\Qrk.exe
O4 - HKLM\..\Run: [Vuo] C:\WINDOWS\system32\Lui.exe
O4 - HKLM\..\Run: [Ebj] C:\WINDOWS\Qth.exe
O4 - HKLM\..\Run: [Dve] C:\WINDOWS\Efe.exe
O4 - HKLM\..\Run: [Lqh] C:\WINDOWS\Akr.exe
O4 - HKLM\..\Run: [Tcl] C:\WINDOWS\system32\Rko.exe
O4 - HKLM\..\Run: [Mhk] C:\WINDOWS\Odb.exe
O4 - HKLM\..\Run: [Ars] C:\WINDOWS\Gtq.exe
O4 - HKLM\..\Run: [Krd] C:\WINDOWS\Qcv.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\system32\Lsk.exe
O4 - HKLM\..\Run: [Tum] C:\WINDOWS\system32\Sig.exe
O4 - HKLM\..\Run: [Une] C:\WINDOWS\system32\Aua.exe
O4 - HKLM\..\Run: [Pbn] C:\WINDOWS\system32\Gjh.exe
O4 - HKLM\..\Run: [Ecl] C:\WINDOWS\Vkr.exe
O4 - HKLM\..\Run: [Fts] C:\WINDOWS\system32\Epf.exe
O4 - HKLM\..\Run: [Scb] C:\WINDOWS\system32\Oou.exe
O4 - HKLM\..\Run: [Icm] C:\WINDOWS\system32\Umb.exe
O4 - HKLM\..\Run: [Ivn] C:\WINDOWS\system32\Uub.exe
O4 - HKLM\..\Run: [Uae] C:\WINDOWS\Mot.exe
O4 - HKLM\..\Run: [Ofo] C:\WINDOWS\system32\Qar.exe
O4 - HKLM\..\Run: [Lqt] C:\WINDOWS\Jln.exe
O4 - HKLM\..\Run: [Pbj] C:\WINDOWS\Uvs.exe
O4 - HKLM\..\Run: [Kde] C:\WINDOWS\Bcm.exe
O4 - HKLM\..\Run: [Iso] C:\WINDOWS\Umr.exe
O4 - HKLM\..\Run: [Vks] C:\WINDOWS\system32\Mgt.exe
O4 - HKLM\..\Run: [Beu] C:\WINDOWS\system32\Ric.exe
O4 - HKLM\..\Run: [Nef] C:\WINDOWS\Jfo.exe
O4 - HKLM\..\Run: [Ddl] C:\WINDOWS\system32\Hpv.exe
O4 - HKLM\..\Run: [Frr] C:\WINDOWS\system32\Tnu.exe
O4 - HKLM\..\Run: [Teh] C:\WINDOWS\Lus.exe
O4 - HKLM\..\Run: [Tfo] C:\WINDOWS\Rjh.exe
O4 - HKLM\..\Run: [Jml] C:\WINDOWS\Idr.exe
O4 - HKLM\..\Run: [Oar] C:\WINDOWS\Qkr.exe
O4 - HKLM\..\Run: [Dnk] C:\WINDOWS\system32\Dur.exe
O4 - HKLM\..\Run: [Gnv] C:\WINDOWS\system32\Dar.exe
O4 - HKLM\..\Run: [Flj] C:\WINDOWS\Cvn.exe
O4 - HKLM\..\Run: [Jgf] C:\WINDOWS\Ohk.exe
O4 - HKLM\..\Run: [Osg] C:\WINDOWS\system32\Dkt.exe
O4 - HKLM\..\Run: [Avu] C:\WINDOWS\system32\Hbn.exe
O4 - HKLM\..\Run: [Qug] C:\WINDOWS\system32\Tjf.exe
O4 - HKLM\..\Run: [Bkv] C:\WINDOWS\system32\Mua.exe
O4 - HKLM\..\Run: [Cvh] C:\WINDOWS\system32\Crj.exe
O4 - HKLM\..\Run: [Dbr] C:\WINDOWS\system32\Vvo.exe
O4 - HKLM\..\Run: [Lme] C:\WINDOWS\system32\Uak.exe
O4 - HKLM\..\Run: [Tqd] C:\WINDOWS\system32\Avc.exe
O4 - HKLM\..\Run: [Laq] C:\WINDOWS\Mqk.exe
O4 - HKLM\..\Run: [Sfs] C:\WINDOWS\Tif.exe
O4 - HKLM\..\Run: [Jut] C:\WINDOWS\Aug.exe
O4 - HKLM\..\Run: [Dor] C:\WINDOWS\system32\Bvd.exe
O4 - HKLM\..\Run: [Dnd] C:\WINDOWS\Dis.exe
O4 - HKLM\..\Run: [Rbo] C:\WINDOWS\system32\Kdl.exe
O4 - HKLM\..\Run: [Rjt] C:\WINDOWS\system32\Rqt.exe
O4 - HKLM\..\Run: [Lnm] C:\WINDOWS\Mkt.exe
O4 - HKLM\..\Run: [Dbh] C:\WINDOWS\Bvl.exe
O4 - HKLM\..\Run: [Vpk] C:\WINDOWS\system32\Jiu.exe
O4 - HKLM\..\Run: [Rfp] C:\WINDOWS\Nhp.exe
O4 - HKLM\..\Run: [Sds] C:\WINDOWS\Dhh.exe
O4 - HKLM\..\Run: [Bdu] C:\WINDOWS\Kcf.exe
O4 - HKLM\..\Run: [Dni] C:\WINDOWS\system32\Bjc.exe
O4 - HKCU\..\Run: [Noa] C:\WINDOWS\System32\Vte.exe
O4 - HKCU\..\Run: [Vta] C:\WINDOWS\System32\Gsl.exe
O4 - HKCU\..\Run: [Nvd] C:\WINDOWS\System32\Vaq.exe
O4 - HKCU\..\Run: [Qga] C:\WINDOWS\Urn.exe
O4 - HKCU\..\Run: [Ija] C:\WINDOWS\System32\Rrh.exe
O4 - HKCU\..\Run: [Ibq] C:\WINDOWS\App.exe
O4 - HKCU\..\Run: [Mam] C:\WINDOWS\Rrv.exe
O4 - HKCU\..\Run: [Abi] C:\WINDOWS\Occ.exe
O4 - HKCU\..\Run: [Veu] C:\WINDOWS\Jnv.exe
O4 - HKCU\..\Run: [Thd] C:\WINDOWS\System32\Msp.exe
O4 - HKCU\..\Run: [Lks] C:\WINDOWS\System32\Lpt.exe
O4 - HKCU\..\Run: [Qum] C:\WINDOWS\Qja.exe
O4 - HKCU\..\Run: [Sst] C:\WINDOWS\System32\Rbp.exe
O4 - HKCU\..\Run: [Qmv] C:\WINDOWS\Nvl.exe
O4 - HKCU\..\Run: [Plk] C:\WINDOWS\Eua.exe
O4 - HKCU\..\Run: [Ptg] C:\WINDOWS\Hof.exe
O4 - HKCU\..\Run: [Sru] C:\WINDOWS\Keg.exe
O4 - HKCU\..\Run: [Bvm] C:\WINDOWS\System32\Ftk.exe
O4 - HKCU\..\Run: [Pnk] C:\WINDOWS\System32\Ekv.exe
O4 - HKCU\..\Run: [Bdj] C:\WINDOWS\System32\Gem.exe
O4 - HKCU\..\Run: [Cqf] C:\WINDOWS\Vqm.exe
O4 - HKCU\..\Run: [Jnj] C:\WINDOWS\System32\Akt.exe
O4 - HKCU\..\Run: [Kbh] C:\WINDOWS\Hov.exe
O4 - HKCU\..\Run: [Ois] C:\WINDOWS\Ekl.exe
O4 - HKCU\..\Run: [Oef] C:\WINDOWS\Qvv.exe
O4 - HKCU\..\Run: [Cat] C:\WINDOWS\Dta.exe
O4 - HKCU\..\Run: [Lvb] C:\WINDOWS\Bci.exe
O4 - HKCU\..\Run: [Nme] C:\WINDOWS\Ats.exe
O4 - HKCU\..\Run: [Iko] C:\WINDOWS\Rnk.exe
O4 - HKCU\..\Run: [Udo] C:\WINDOWS\Ept.exe
O4 - HKCU\..\Run: [Foq] C:\WINDOWS\Fkj.exe
O4 - HKCU\..\Run: [Rec] C:\WINDOWS\Pnu.exe
O4 - HKCU\..\Run: [Cqk] C:\WINDOWS\Bjl.exe
O4 - HKCU\..\Run: [Qeb] C:\WINDOWS\System32\Lpv.exe
O4 - HKCU\..\Run: [Qea] C:\WINDOWS\Ugk.exe
O4 - HKCU\..\Run: [Ejh] C:\WINDOWS\Roc.exe
O4 - HKCU\..\Run: [Loa] C:\WINDOWS\System32\Vga.exe
O4 - HKCU\..\Run: [Olm] C:\WINDOWS\System32\Ash.exe
O4 - HKCU\..\Run: [Bsr] C:\WINDOWS\Vhe.exe
O4 - HKCU\..\Run: [Hnj] C:\WINDOWS\Nvg.exe
O4 - HKCU\..\Run: [Mfo] C:\WINDOWS\System32\Con.exe
O4 - HKCU\..\Run: [Oqt] C:\WINDOWS\Ede.exe
O4 - HKCU\..\Run: [Ftm] C:\WINDOWS\System32\Jhb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Kub] C:\WINDOWS\Pqg.exe
O4 - HKCU\..\Run: [Kqd] C:\WINDOWS\System32\Opf.exe
O4 - HKCU\..\Run: [Aef] C:\WINDOWS\System32\Ndd.exe
O4 - HKCU\..\Run: [Mnm] C:\WINDOWS\System32\Nut.exe
O4 - HKCU\..\Run: [Ucp] C:\WINDOWS\System32\Pcq.exe
O4 - HKCU\..\Run: [Eta] C:\WINDOWS\Pcm.exe
O4 - HKCU\..\Run: [Acj] C:\WINDOWS\Mjs.exe
O4 - HKCU\..\Run: [Jib] C:\WINDOWS\System32\Lsm.exe
O4 - HKCU\..\Run: [Peq] C:\WINDOWS\System32\Oll.exe
O4 - HKCU\..\Run: [Ujv] C:\WINDOWS\System32\Bjh.exe
O4 - HKCU\..\Run: [Ggo] C:\WINDOWS\Abg.exe
O4 - HKCU\..\Run: [Ovl] C:\WINDOWS\Tct.exe
O4 - HKCU\..\Run: [Skk] C:\WINDOWS\System32\Edd.exe
O4 - HKCU\..\Run: [Ilg] C:\WINDOWS\System32\Mfn.exe
O4 - HKCU\..\Run: [Uru] C:\WINDOWS\System32\Tci.exe
O4 - HKCU\..\Run: [Foj] C:\WINDOWS\Pro.exe
O4 - HKCU\..\Run: [Dat] C:\WINDOWS\Eph.exe
O4 - HKCU\..\Run: [Ubb] C:\WINDOWS\System32\Hdv.exe
O4 - HKCU\..\Run: [Uhb] C:\WINDOWS\Lqq.exe
O4 - HKCU\..\Run: [Iph] C:\WINDOWS\System32\Cue.exe
O4 - HKCU\..\Run: [Jco] C:\WINDOWS\Dfi.exe
O4 - HKCU\..\Run: [Nlc] C:\WINDOWS\Dmc.exe
O4 - HKCU\..\Run: [Hpe] C:\WINDOWS\System32\Mrh.exe
O4 - HKCU\..\Run: [Hvp] C:\WINDOWS\System32\Eio.exe
O4 - HKCU\..\Run: [Ota] C:\WINDOWS\System32\Jus.exe
O4 - HKCU\..\Run: [Cqn] C:\WINDOWS\Acr.exe
O4 - HKCU\..\Run: [Okv] C:\WINDOWS\Qcr.exe
O4 - HKCU\..\Run: [Hmu] C:\WINDOWS\System32\Lcm.exe
O4 - HKCU\..\Run: [Ink] C:\WINDOWS\System32\Iqn.exe
O4 - HKCU\..\Run: [Cff] C:\WINDOWS\System32\Mua.exe
O4 - HKCU\..\Run: [Lsn] C:\WINDOWS\Oeg.exe
O4 - HKCU\..\Run: [Shf] C:\WINDOWS\Bhn.exe
O4 - HKCU\..\Run: [Vqm] C:\WINDOWS\Tmp.exe
O4 - HKCU\..\Run: [Akb] C:\WINDOWS\Hdf.exe
O4 - HKCU\..\Run: [Tdg] C:\WINDOWS\System32\Foe.exe
O4 - HKCU\..\Run: [Phr] C:\WINDOWS\Til.exe
O4 - HKCU\..\Run: [Ete] C:\WINDOWS\Scl.exe
O4 - HKCU\..\Run: [Ban] C:\WINDOWS\Tnr.exe
O4 - HKCU\..\Run: [Hud] C:\WINDOWS\System32\Vla.exe
O4 - HKCU\..\Run: [Iji] C:\WINDOWS\Ffk.exe
O4 - HKCU\..\Run: [Udm] C:\WINDOWS\System32\Ijf.exe
O4 - HKCU\..\Run: [Pii] C:\WINDOWS\System32\Nel.exe
O4 - HKCU\..\Run: [Rer] C:\WINDOWS\Rhf.exe
O4 - HKCU\..\Run: [Slm] C:\WINDOWS\Vcq.exe
O4 - HKCU\..\Run: [Dqh] C:\WINDOWS\Ast.exe
O4 - HKCU\..\Run: [Evk] C:\WINDOWS\Ort.exe
O4 - HKCU\..\Run: [Tqe] C:\WINDOWS\Oip.exe
O4 - HKCU\..\Run: [Cln] C:\WINDOWS\Rlj.exe
O4 - HKCU\..\Run: [Jhg] C:\WINDOWS\system32\Fef.exe
O4 - HKCU\..\Run: [Uar] C:\WINDOWS\Mnv.exe
O4 - HKCU\..\Run: [Ctu] C:\WINDOWS\Mfo.exe
O4 - HKCU\..\Run: [Hfe] C:\WINDOWS\Tgu.exe
O4 - HKCU\..\Run: [Gmj] C:\WINDOWS\Msf.exe
O4 - HKCU\..\Run: [Svn] C:\WINDOWS\system32\Dtl.exe
O4 - HKCU\..\Run: [Hom] C:\WINDOWS\Qse.exe
O4 - HKCU\..\Run: [Ubq] C:\WINDOWS\system32\Pjq.exe
O4 - HKCU\..\Run: [Uhm] C:\WINDOWS\Sai.exe
O4 - HKCU\..\Run: [Cbt] C:\WINDOWS\system32\Vce.exe
O4 - HKCU\..\Run: [Ukv] C:\WINDOWS\system32\Jkk.exe
O4 - HKCU\..\Run: [Bgi] C:\WINDOWS\Bhq.exe
O4 - HKCU\..\Run: [Ara] C:\WINDOWS\Ikp.exe
O4 - HKCU\..\Run: [Nfo] C:\WINDOWS\system32\Qfp.exe
O4 - HKCU\..\Run: [Sbt] C:\WINDOWS\Nvt.exe
O4 - HKCU\..\Run: [Eve] C:\WINDOWS\system32\Rsj.exe
O4 - HKCU\..\Run: [Vcs] C:\WINDOWS\system32\Nib.exe
O4 - HKCU\..\Run: [Ulh] C:\WINDOWS\Eas.exe
O4 - HKCU\..\Run: [Hbf] C:\WINDOWS\system32\Nbb.exe
O4 - HKCU\..\Run: [Eet] C:\WINDOWS\Usj.exe
O4 - HKCU\..\Run: [Jck] C:\WINDOWS\system32\Dso.exe
O4 - HKCU\..\Run: [Noe] C:\WINDOWS\Qrk.exe
O4 - HKCU\..\Run: [Vuo] C:\WINDOWS\system32\Lui.exe
O4 - HKCU\..\Run: [Ebj] C:\WINDOWS\Qth.exe
O4 - HKCU\..\Run: [Jge] C:\WINDOWS\system32\Que.exe
O4 - HKCU\..\Run: [Efn] C:\WINDOWS\Nmg.exe
O4 - HKCU\..\Run: [Nnc] C:\WINDOWS\system32\Ggv.exe
O4 - HKCU\..\Run: [Qbm] C:\WINDOWS\system32\Egn.exe
O4 - HKCU\..\Run: [Dve] C:\WINDOWS\Efe.exe
O4 - HKCU\..\Run: [Lqh] C:\WINDOWS\Akr.exe
O4 - HKCU\..\Run: [Lsr] C:\WINDOWS\Mkl.exe
O4 - HKCU\..\Run: [Egl] C:\WINDOWS\system32\Uak.exe
O4 - HKCU\..\Run: [Vls] C:\WINDOWS\Cke.exe
O4 - HKCU\..\Run: [Hab] C:\WINDOWS\Pkq.exe
O4 - HKCU\..\Run: [Tcl] C:\WINDOWS\system32\Rko.exe
O4 - HKCU\..\Run: [Tqd] C:\WINDOWS\system32\Avc.exe
O4 - HKCU\..\Run: [Mhk] C:\WINDOWS\Odb.exe
O4 - HKCU\..\Run: [Ars] C:\WINDOWS\Gtq.exe
O4 - HKCU\..\Run: [Krd] C:\WINDOWS\Qcv.exe
O4 - HKCU\..\Run: [Bra] C:\WINDOWS\system32\Lsk.exe
O4 - HKCU\..\Run: [Tum] C:\WINDOWS\system32\Sig.exe
O4 - HKCU\..\Run: [Une] C:\WINDOWS\system32\Aua.exe
O4 - HKCU\..\Run: [Pbn] C:\WINDOWS\system32\Gjh.exe
O4 - HKCU\..\Run: [Ecl] C:\WINDOWS\Vkr.exe
O4 - HKCU\..\Run: [Fts] C:\WINDOWS\system32\Epf.exe
O4 - HKCU\..\Run: [Scb] C:\WINDOWS\system32\Oou.exe
O4 - HKCU\..\Run: [Icm] C:\WINDOWS\system32\Umb.exe
O4 - HKCU\..\Run: [Ivn] C:\WINDOWS\system32\Uub.exe
O4 - HKCU\..\Run: [Uae] C:\WINDOWS\Mot.exe
O4 - HKCU\..\Run: [Ofo] C:\WINDOWS\system32\Qar.exe
O4 - HKCU\..\Run: [Rip] C:\WINDOWS\system32\Bgn.exe
O4 - HKCU\..\Run: [Qlc] C:\WINDOWS\Sdt.exe
O4 - HKCU\..\Run: [Tmv] C:\WINDOWS\system32\Ffo.exe
O4 - HKCU\..\Run: [Uou] C:\WINDOWS\system32\Idb.exe
O4 - HKCU\..\Run: [Dcn] C:\WINDOWS\system32\Lqr.exe
O4 - HKCU\..\Run: [Afg] C:\WINDOWS\Vln.exe
O4 - HKCU\..\Run: [Lqt] C:\WINDOWS\Jln.exe
O4 - HKCU\..\Run: [Fhh] C:\WINDOWS\Ast.exe
O4 - HKCU\..\Run: [Pbj] C:\WINDOWS\Uvs.exe
O4 - HKCU\..\Run: [Kde] C:\WINDOWS\Bcm.exe
O4 - HKCU\..\Run: [Iso] C:\WINDOWS\Umr.exe
O4 - HKCU\..\Run: [Vks] C:\WINDOWS\system32\Mgt.exe
O4 - HKCU\..\Run: [Beu] C:\WINDOWS\system32\Ric.exe
O4 - HKCU\..\Run: [Nef] C:\WINDOWS\Jfo.exe
O4 - HKCU\..\Run: [Ddl] C:\WINDOWS\system32\Hpv.exe
O4 - HKCU\..\Run: [Frr] C:\WINDOWS\system32\Tnu.exe
O4 - HKCU\..\Run: [Teh] C:\WINDOWS\Lus.exe
O4 - HKCU\..\Run: [Tfo] C:\WINDOWS\Rjh.exe
O4 - HKCU\..\Run: [Jml] C:\WINDOWS\Idr.exe
O4 - HKCU\..\Run: [Oar] C:\WINDOWS\Qkr.exe
O4 - HKCU\..\Run: [Dnk] C:\WINDOWS\system32\Dur.exe
O4 - HKCU\..\Run: [Gnv] C:\WINDOWS\system32\Dar.exe
O4 - HKCU\..\Run: [Flj] C:\WINDOWS\Cvn.exe
O4 - HKCU\..\Run: [Jgf] C:\WINDOWS\Ohk.exe
O4 - HKCU\..\Run: [Osg] C:\WINDOWS\system32\Dkt.exe
O4 - HKCU\..\Run: [Avu] C:\WINDOWS\system32\Hbn.exe
O4 - HKCU\..\Run: [Qug] C:\WINDOWS\system32\Tjf.exe
O4 - HKCU\..\Run: [Bkv] C:\WINDOWS\system32\Mua.exe
O4 - HKCU\..\Run: [Cvh] C:\WINDOWS\system32\Crj.exe
O4 - HKCU\..\Run: [Tts] C:\WINDOWS\Jgb.exe
O4 - HKCU\..\Run: [Dbr] C:\WINDOWS\system32\Vvo.exe
O4 - HKCU\..\Run: [Lme] C:\WINDOWS\system32\Uak.exe
O4 - HKCU\..\Run: [Laq] C:\WINDOWS\Mqk.exe
O4 - HKCU\..\Run: [Sfs] C:\WINDOWS\Tif.exe
O4 - HKCU\..\Run: [Jut] C:\WINDOWS\Aug.exe
O4 - HKCU\..\Run: [Dor] C:\WINDOWS\system32\Bvd.exe
O4 - HKCU\..\Run: [Dnd] C:\WINDOWS\Dis.exe
O4 - HKCU\..\Run: [Rbo] C:\WINDOWS\system32\Kdl.exe
O4 - HKCU\..\Run: [Rjt] C:\WINDOWS\system32\Rqt.exe
O4 - HKCU\..\Run: [Lnm] C:\WINDOWS\Mkt.exe
O4 - HKCU\..\Run: [Dbh] C:\WINDOWS\Bvl.exe
O4 - HKCU\..\Run: [Vpk] C:\WINDOWS\system32\Jiu.exe
O4 - HKCU\..\Run: [Rfp] C:\WINDOWS\Nhp.exe
O4 - HKCU\..\Run: [Sds] C:\WINDOWS\Dhh.exe
O4 - HKCU\..\Run: [Bdu] C:\WINDOWS\Kcf.exe
O4 - HKCU\..\Run: [Dni] C:\WINDOWS\system32\Bjc.exe
O4 - HKCU\..\Run: [Uqd] C:\WINDOWS\Qeo.exe
O4 - HKCU\..\Run: [Ibp] C:\WINDOWS\Isj.exe
O4 - HKCU\..\Run: [Ctb] C:\WINDOWS\Gpu.exe
O4 - HKCU\..\Run: [Dlr] C:\WINDOWS\system32\Old.exe
O4 - HKCU\..\Run: [Irj] C:\WINDOWS\Ksv.exe
O4 - HKCU\..\Run: [Uhl] C:\WINDOWS\system32\Tcg.exe
O4 - HKCU\..\Run: [Abb] C:\WINDOWS\Bbj.exe
O4 - HKCU\..\Run: [Tln] C:\WINDOWS\Oot.exe
O4 - HKCU\..\Run: [Skb] C:\WINDOWS\system32\Sgm.exe
O4 - Startup: winupdate96967638[1].exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Privacy-balk - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.belgacom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4432/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55C50A5D-0728-4F34-B5BD-5ADDD0E8D904}: NameServer = 195.238.2.21 195.238.2.22
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O21 - SSODL: MSMserv - {992A174C-D203-4989-A2C4-41AD7223A1A7} - C:\WINDOWS\System32\usrmn(2).dll (file missing)
O21 - SSODL: NTWSMON - {A60BF862-B133-43C9-9F67-5F5BC6381472} - C:\WINDOWS\System32\dpnmetid.dll
O21 - SSODL: NTDBGTOOL - {1DE41448-4F67-4E06-8263-36579A4C0C2D} - C:\WINDOWS\System32\c_93nify.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\system32\winsvc.exe
thanks...
TeMerc, Warrior Obsessed. Joined: 12 Feb 2004. Last Visit: 23 Dec 2009. Posts: 4953. Location: Phx. AZ.
Posted: Mon Apr 04, 2005 12:51 pm. Post subject:
OK, with this infection there is only one way to get rid of the files in a manner that prevents re-infection, as it will keep regenerating every time you reboot.
You need to do a search for files by date created; they should all be at the bottom of the list. All files will have 3-letter names, always with a capital first letter. The exe files are 7.5 KB in size.
Look in the system32 and windows folders.
Be sure to check the properties of each file, as there are many legit MS files.
There will also be some html files located in the windows folder as well; they can also be deleted.
Their size will be 2-3 KB.
DESKTOP HIJACK
Go to Control Panel > Display. Click on the "Desktop" tab, then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK, then Apply and OK. That should get rid of it.
Once you have searched for all the files and think they have been deleted, post a new HJT log and we will see what's left over, if anything. _________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
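An added triage helper (not code from this thread, from HijackThis or from its author) that scans a log in the format posted above for the pattern TeMerc describes: three-letter value names and three-letter capitalised exe names sitting directly in the Windows or System32 folder under both the HKLM and HKCU Run keys. It also reports whether a flagged file appears in the "Running processes:" section, since a running file cannot be deleted until its process is ended. The sample log is constructed from a handful of lines in the same format; the file-size and date-created checks from the reply still need to be done on the machine itself.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Flags O4 autorun entries whose value name and executable name are both three
letters (capital first letter, lowercase rest) and whose executable sits
directly in the Windows or System32 folder, then notes whether each flagged
file is also present in the running-process list.
"""
import re
from collections import defaultdict

# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\System32\\Vte.exe
C:\\WINDOWS\\system32\\open32.exe
C:\\hijackthis\\HijackThis.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.be/
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [Noa] C:\\WINDOWS\\System32\\Vte.exe
O4 - HKLM\\..\\Run: [Shell] open32.exe
O4 - HKLM\\..\\Run: [Qga] C:\\WINDOWS\\Urn.exe
O4 - HKLM\\..\\Run: [gcasServ] "C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O4 - HKCU\\..\\Run: [Noa] C:\\WINDOWS\\System32\\Vte.exe
O4 - HKCU\\..\\Run: [Qga] C:\\WINDOWS\\Urn.exe
O4 - HKCU\\..\\Run: [MsnMsgr] "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe" /background
O4 - HKCU\\..\\Run: [Cln] C:\\WINDOWS\\Rlj.exe
O4 - Startup: winupdate96967638[1].exe
"""

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
THREE_LETTER = re.compile(r"[A-Z][a-z]{2}")
THREE_LETTER_EXE = re.compile(r"[A-Z][a-z]{2}\.exe")
SUSPECT_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def image_path(cmd: str) -> str:
    """Return the executable path from an autorun command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def fits_pattern(name: str, path: str) -> bool:
    """True when both the value name and the exe fit the 3-letter pattern in a suspect folder."""
    directory, _, base = path.rpartition("\\")
    return (THREE_LETTER.fullmatch(name) is not None
            and THREE_LETTER_EXE.fullmatch(base) is not None
            and directory.lower() in SUSPECT_DIRS)


def running_processes(log_text: str) -> set:
    """Collect lower-cased paths listed under 'Running processes:' (section ends at the first R/O line)."""
    procs, in_section = set(), False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section:
            if re.match(r"^[A-Za-z]:\\", line):
                procs.add(line.strip().lower())
            else:
                in_section = False
    return procs


def triage(log_text: str) -> dict:
    """Map each flagged exe path to the hives and value names that start it and whether it is running."""
    running = running_processes(log_text)
    hits = defaultdict(lambda: {"hives": set(), "names": set()})
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("cmd"))
        if fits_pattern(m.group("name"), path):
            hits[path]["hives"].add(m.group("hive"))
            hits[path]["names"].add(m.group("name"))
    return {
        path: {"hives": sorted(h["hives"]), "names": sorted(h["names"]),
               "running": path.lower() in running}
        for path, h in hits.items()
    }


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: kv[0].lower()):
        state = "RUNNING, end the process before deleting" if info["running"] else "not running"
        print(f"{path}  hives={'+'.join(info['hives'])}  names={','.join(info['names'])}  {state}")
```

A match is only a triage signal; the reply's advice to check each file's properties and creation date still applies before anything is deleted.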
2b1, Newbie. Joined: 04 Apr 2005. Last Visit: 26 Dec 2005. Posts: 9
Posted: Mon Apr 04, 2005 1:20 pm. Post subject: slimshield menace
I already got rid of those files, but there seems to be one (which I think was the original) which I can't get rid of... every time I get a message that the program is being used or that there is insufficient disk space to remove this file!
Please send further advice on how to remove this file from my Windows folder...
greetz 2b1
TeMerc, Warrior Obsessed. Joined: 12 Feb 2004. Last Visit: 23 Dec 2009. Posts: 4953. Location: Phx. AZ.
2b1, Newbie. Joined: 04 Apr 2005. Last Visit: 26 Dec 2005. Posts: 9
Posted: Fri Apr 08, 2005 11:25 am. Post subject: slimshield menace
I'm sure it's one of the infected files... (it was first created on the day the problem occurred and it has no Microsoft signature). I tried to remove its security features through DOS with attrib, but no use. I just don't have the skill to remove this file...
Please advise.
greetz 2b1
TeMerc, Warrior Obsessed. Joined: 12 Feb 2004. Last Visit: 23 Dec 2009. Posts: 4953. Location: Phx. AZ.
2b1, Newbie. Joined: 04 Apr 2005. Last Visit: 26 Dec 2005. Posts: 9
Posted: Sun Apr 10, 2005 1:12 pm. Post subject: slimshield menace
This could be a problem, because I can't start the computer in safe mode. When I press F8 during start-up it only gives me the choice of which drive to boot from... not the modes to start Windows in.
greetz 2b1
Mosaic1, SWW Distinguished Expert. Joined: 29 Jun 2004. Last Visit: 11 Aug 2011. Posts: 2174
Posted: Sun Apr 10, 2005 6:06 pm. Post subject:
If it's this file:
C:\WINDOWS\System32\Vte.exe
It is in your running processes. It cannot be deleted until you kill it.
Use Task Manager > Processes tab.
Find the entry for the name of the running file and highlight it. Press the End Process button.
Now see if you can delete it.
2b1, Newbie. Joined: 04 Apr 2005. Last Visit: 26 Dec 2005. Posts: 9
Posted: Tue Apr 12, 2005 2:16 am. Post subject:
Hello TeMerc,
I managed to remove all those files, but I still can't change my background and I still have the double icons... There is also a nasty pop-up appearing which leads to horse-search.net. What to do? Also, here is my new HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 12:00:51, on 12/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\GSICON.EXE
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\open32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\François Ceulemans\Menu Start\Programma's\Opstarten\winupdate96967638[1].exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.skynet.be/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.belgacom.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.skynet.be/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Belgacom Skynet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: winupdate96967638[1].exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Privacy-balk - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.belgacom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4432/mcfscan.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O21 - SSODL: MSMserv - {992A174C-D203-4989-A2C4-41AD7223A1A7} - C:\WINDOWS\System32\usrmn(2).dll (file missing)
O21 - SSODL: NTWSMON - {A60BF862-B133-43C9-9F67-5F5BC6381472} - C:\WINDOWS\System32\dpnmetid.dll
O21 - SSODL: NTDBGTOOL - {1DE41448-4F67-4E06-8263-36579A4C0C2D} - C:\WINDOWS\System32\c_93nify.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\system32\winsvc.exe
lots of thanks in advance
greetz 2b1
TeMerc Warrior Obsessed
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Tue Apr 12, 2005 7:26 am Post subject:
- First, download HSFix from here
- After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
- Next, download CleanUp! Install it, but do not run it yet.
- Reboot into 'Safe Mode'.
- Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
- A log will be produced which you can close out of.
- Run HJT and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.skynet.be/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.belgacom.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.skynet.be/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Shell] open32.exe
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O21 - SSODL: MSMserv - {992A174C-D203-4989-A2C4-41AD7223A1A7} - C:\WINDOWS\System32\usrmn(2).dll (file missing)
O21 - SSODL: NTWSMON - {A60BF862-B133-43C9-9F67-5F5BC6381472} - C:\WINDOWS\System32\dpnmetid.dll
O21 - SSODL: NTDBGTOOL - {1DE41448-4F67-4E06-8263-36579A4C0C2D} - C:\WINDOWS\System32\c_93nify.dll
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\system32\winsvc.exe
- Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
- Restart your computer into normal mode and run at least one of the following free, online virus scans:
Trend Micro
Panda ActiveScan
- Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
2b1 Newbie
Joined: 04 Apr 2005 Last Visit: 26 Dec 2005 Posts: 9
Posted: Wed Apr 13, 2005 1:54 pm Post subject:
hi,
I did what you told me and found the following...
Housecall found about 340 files infected with the following trojans:
1. SPYWAD.B
2. SMALL.ACG
3. SMALL.AAW
4. MURLO.C
5. VIDLO.J
I managed to remove these.
It also found HTML_COOLWEB.A in the file c:\Documents and Settings\FrançoisCeulemans\ApplicationData\Sun\Java\cache\Javapi\v1.0\file\counter.class-65b432d-340c7a79.class
I repaired this file through McAfee, although it didn't find a virus there.
After this I still placed it in quarantine... When I finished doing this the Slimshield red screen reappeared, but the MS AntiSpyware beta 1 detects and blocks it now... although I'm not sure the CoolWeb and Slimshield are gone.
Following is my latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 23:53:35, on 13/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Belgacom Skynet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Privacy-balk - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.belgacom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4432/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55C50A5D-0728-4F34-B5BD-5ADDD0E8D904}: NameServer = 195.238.2.21 195.238.2.22
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\system32\winsvc.exe
thanks 2b1
TeMerc Warrior Obsessed
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Wed Apr 13, 2005 3:33 pm Post subject:
OK, at this point, do you have any troubles with Slimshield or Horseserver? If not, then the MS\AS did its job and removed the infection.
Also, can you show me the log produced by the HSFix tool please.
We have 2 more items remaining.
We need to stop the Windows update service: <<- Not legit
Go to: Start > Run > type " services.msc ", then click OK
Scroll down to the Windows update Service
Click it to highlight it, then <right-click> and select: Properties
Select and set "Service Status" option to "Stop"
Select: "Startup type" and set it to "Disabled", click Apply, then OK.
Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':
O17 - HKLM\System\CCS\Services\Tcpip\..\{55C50A5D-0728-4F34-B5BD-5ADDD0E8D904}: NameServer = 195.238.2.21 195.238.2.22
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\system32\winsvc.exe
Reboot into 'Safe mode', and search for, then delete if found, the following files/folders:
C:\WINDOWS\system32\winsvc.exe <<<--file
Reboot into Normal mode and post a new HJT log please.
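As an added example (not a tool from this forum, from TeMerc or from HijackThis), here is a small Python triage script that parses the HijackThis log format posted in this thread and flags the same kinds of entries the two replies above ask to fix: Run/Startup items with lookalike names, O20/O21 autostarts whose DLL is missing, a registry-set O17 NameServer, and an O23 service with no vendor name running from System32. The heuristics and the sample lines are constructed from this thread and are assumptions, not a vendor whitelist.

```python
"""HijackThis 1.99 log triage (added example; not the forum's or HijackThis's code).

Heuristics are the author's assumptions drawn from this thread: they flag
entries for a human to review, they do not prove anything is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Constructed: names that imitate Windows Update or the Winlogon "Shell" value.
LOOKALIKE = re.compile(r"(w(in)?update|updater|^shell$)", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
RUN_RE = re.compile(r"HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)")
SVC_RE = re.compile(
    r"Service: (?P<display>.*?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)"
)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\system32\wisvccz.exe
O4 - Startup: winupdate96967638[1].exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{55C50A5D-0728-4F34-B5BD-5ADDD0E8D904}: NameServer = 195.238.2.21 195.238.2.22
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O21 - SSODL: MSMserv - {992A174C-D203-4989-A2C4-41AD7223A1A7} - C:\WINDOWS\System32\usrmn(2).dll (file missing)
O21 - SSODL: NTWSMON - {A60BF862-B133-43C9-9F67-5F5BC6381472} - C:\WINDOWS\System32\dpnmetid.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\system32\winsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None for other text."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_entry(section: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one parsed entry, or None if nothing stands out."""
    if section == "O4":
        m = RUN_RE.match(body)
        if m and (LOOKALIKE.search(m.group("name"))
                  or (LOOKALIKE.search(m.group("cmd")) and SYSTEM32.search(m.group("cmd")))):
            return "high", "Run entry imitates a Windows update or shell component"
        if body.startswith("Startup:") and re.search(r"\[\d+\]\.exe$", body, re.IGNORECASE):
            return "high", "Startup item carries the [n] suffix IE's cache adds to downloads"
    elif section == "O17" and "NameServer" in body:
        ips = " ".join(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body))
        return "review", f"DNS servers set in the registry ({ips}); confirm they are your ISP's"
    elif section in ("O20", "O21"):
        if "(file missing)" in body:
            return "medium", "autostart points at a DLL that no longer exists"
        if section == "O21":
            return "review", "ShellServiceObjectDelayLoad entry not whitelisted by HijackThis"
    elif section == "O23":
        m = SVC_RE.match(body)
        if m and m.group("owner") == "Unknown owner" and SYSTEM32.search(m.group("path")):
            names = m.group("display") + " " + (m.group("short") or "")
            sev = "high" if LOOKALIKE.search(names) else "review"
            return sev, "service with no vendor name running from System32"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_entry over every R/O line and collect the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            verdict = check_entry(*parsed)
            if verdict:
                findings.append(Finding(parsed[0], verdict[0], verdict[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; a "review" finding such as the ATI service or the ISP name servers is a prompt to verify, not a verdict.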
2b1 Newbie
Joined: 04 Apr 2005 Last Visit: 26 Dec 2005 Posts: 9
Posted: Sun Apr 17, 2005 11:59 am Post subject:
hi,
I tried to locate the Windows update service under Services but didn't find it; neither did I find the file in my system32 folder.
I found and deleted that O17 in my HJT scan.
But I found something else which resembles the Windows update service: it's a file in my windows\system32\wisvccz.exe which was created yesterday...
Following are my HSFix log and new HJT log:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
tmp*.tmp
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
Logfile of HijackThis v1.99.1
Scan saved at 21:44:58, on 17/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wisvccz.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Belgacom Skynet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skynet.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\system32\wisvccz.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Privacy-balk - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.belgacom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4432/mcfscan.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
thanks again
2b1