
Solved: Maybe problem not solved!!!!

Discussion in 'Windows XP' started by skipscud, Jul 23, 2006.

Thread Status:
Not open for further replies.
  1. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    As instructed, I installed 256mb more RAM. Stuttering and hanging up have not improved.
    See earlier post, for what has transpired (May 27 Can computers stutter)

    Here is HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:24:33 PM, on 7/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\apache\Apache.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee.com\VSO\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\apache\Apache.exe
    c:\apache\APACHE.EXE
    C:\WINDOWS\System32\svchost.exe
    c:\apache\APACHE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Verizon Online\bin\mpbtn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.4.3.36/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.6.1.37/aces/aces-en_US.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.6.1.29/slots/alibaba-en_US.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/backgammon/backgammon-en_US.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.7.0.40/blackjack/blackjack-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.6.5.22/cascade/cascade-en_US.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.7.0.40/videoblackjack/videoblackjack-en_US.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.4.34/canasta/canasta-en_US.cab
    O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.5.3.37/checkers2/checkers-en_US.cab
    O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.5.0.45/chess2/chess2-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.6.0.27/cribbage/cribbage-en_US.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.6.2.21/checkeredflag/checkeredflag-en_US.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.6.0.34/domino/domino-en_US.cab
    O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.5.2.26/euchre/euchre-en_US.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.6.5.22/firstclass2/firstclass2-en_US.cab
    O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.6.5.22/superbingo/superbingo-en_US.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.6.5.31/greenback/greenback-en_US.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.6.3.34/harvest/harvest-en_US.cab
    O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.6.0.34/hearts/hearts-en_US.cab
    O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/drawpoker/drawpoker-en_US.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.6.2.21/jigsaw/jigsaw-en_US.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-5.9.3.29/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.6.5.31/gin/gin-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.6.5.22/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.6.5.22/mahjong/mahjong-en_US.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.6.2.21/mlslots/mlslots-en_US.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.6.5.31/paigow/paigow-en_US.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.4.1.53/freecell/freecell-ob-assets.cab
    O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.5.4.34/penguins/penguins-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.6.2.21/waterwheel/waterwheel-en_US.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.0.32/flinger/flinger-en_US.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pinochle/pinochle-en_US.cab
    O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.5.1.24/piratesgold/piratesgold-en_US.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.6.5.22/popfu/popfu-en_US.cab
    O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.27/poppazoppa/poppazoppa-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.4.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.5.30/poppit/poppit-ob-assets.cab
    O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.6.5.31/hotstreak/hotstreak-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.6.2.35/squares/squares-en_US.cab
    O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.6.0.34/ride/ride-en_US.cab
    O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet-5.9.0.25/slots/scifi-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.6.0.34/slots/showbiz2-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.0.32/puck/puck-en_US.cab
    O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/applet-6.6.1.29/spades2/spades2-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.6.2.21/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.6.2.21/squelchies/squelchies-en_US.cab
    O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.5.1.24/stax/stax-en_US.cab
    O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.6.5.31/sweeper/sweeper-en_US.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.6.2.35/sweettooth/sweettooth-en_US.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/holdem/holdem-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.0.32/peaks/peaks-en_US.cab
    O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.5.3.44/jumbee/jumbee-en_US.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.6.5.31/turbo21/turbo21-en_US.cab
    O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.0.40/turbo22/turbo22-en_US.cab
    O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.35/videopoker2/videopoker-ob-assets.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.6.1.37/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.6.4.21/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.4.21/whackdown/whackdown-en_US.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.7.0.40/wordjong/wordjong-en_US.cab
    O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.6.1.29/worldclass/worldclass-en_US.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pogo.com/online2/pogop/diner_dash/DinerDash.1.0.0.80.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINDOWS\system32\jevtxpg.dll (file missing)
    O23 - Service: Apache - Unknown owner - c:\apache\Apache.exe" --ntservice (file missing)
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)

    So far, nothing has jumped out to anyone that might be causing the problem besides too little RAM.
    Any other suggestions? I will work with you but need my hand held as I know some things about computers but am not advanced very far, especially if I need to work regedit or something like that.
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Check and "fix" this item in the scanlog:

    O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINDOWS\system32\jevtxpg.dll (file missing)

    Is this your install >> O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)


    Does the problem occur in a "clean boot" configuration?


    Run msconfig and select the "Services" tab. Check "Hide Microsoft Services" and then disable the rest. Also uncheck "load startup group" on the general page.

    See this link for detailed information:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353

    Now restart and test the issue at hand.

    If no problems, run msconfig and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

    If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

    Get the idea? You want to isolate the problem to a specific startup if possible.

    Note: if you already have items unchecked under msconfig > startups and are in “selective” startup mode – you should note what these are before beginning. They will need to be de-selected again.
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    That particular SSODL is a Smitfraud infection so please do this.

    Please download SmitfraudFix (by S!Ri)

    Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop. This is imperative for the tool to function properly. If using a utility such as WinZip you will have to direct it there as it will not unzip to the desktop by default. The destination location should look like this (C: being your primary drive): C:\Documents and Settings\User\Desktop\SmitfraudFix

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  4. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    SmitFraudFix v2.75

    Scan done at 10:38:16.23, Mon 07/24/2006
    Run from C:\unzipped\SmitfraudFix[1]\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ld???.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

    C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Also, here is a new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:43:42 AM, on 7/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee.com\VSO\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\VSO\OasClnt.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\notepad.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.4.3.36/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.6.1.37/aces/aces-en_US.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.6.1.29/slots/alibaba-en_US.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/backgammon/backgammon-en_US.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.7.0.40/blackjack/blackjack-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.6.5.22/cascade/cascade-en_US.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.7.0.40/videoblackjack/videoblackjack-en_US.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.4.34/canasta/canasta-en_US.cab
    O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.5.3.37/checkers2/checkers-en_US.cab
    O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.5.0.45/chess2/chess2-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.6.0.27/cribbage/cribbage-en_US.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.6.2.21/checkeredflag/checkeredflag-en_US.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.6.0.34/domino/domino-en_US.cab
    O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.5.2.26/euchre/euchre-en_US.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.6.5.22/firstclass2/firstclass2-en_US.cab
    O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.6.5.22/superbingo/superbingo-en_US.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.6.5.31/greenback/greenback-en_US.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.6.3.34/harvest/harvest-en_US.cab
    O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.6.0.34/hearts/hearts-en_US.cab
    O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/drawpoker/drawpoker-en_US.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.6.2.21/jigsaw/jigsaw-en_US.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-5.9.3.29/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.6.5.31/gin/gin-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.6.5.22/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.6.5.22/mahjong/mahjong-en_US.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.6.2.21/mlslots/mlslots-en_US.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.6.5.31/paigow/paigow-en_US.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.4.1.53/freecell/freecell-ob-assets.cab
    O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.5.4.34/penguins/penguins-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.6.2.21/waterwheel/waterwheel-en_US.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.0.32/flinger/flinger-en_US.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pinochle/pinochle-en_US.cab
    O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.5.1.24/piratesgold/piratesgold-en_US.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.6.5.22/popfu/popfu-en_US.cab
    O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.27/poppazoppa/poppazoppa-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.4.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.5.30/poppit/poppit-ob-assets.cab
    O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.6.5.31/hotstreak/hotstreak-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.6.2.35/squares/squares-en_US.cab
    O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.6.0.34/ride/ride-en_US.cab
    O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet-5.9.0.25/slots/scifi-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.6.0.34/slots/showbiz2-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.0.32/puck/puck-en_US.cab
    O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/applet-6.6.1.29/spades2/spades2-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.6.2.21/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.6.2.21/squelchies/squelchies-en_US.cab
    O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.5.1.24/stax/stax-en_US.cab
    O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.6.5.31/sweeper/sweeper-en_US.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.6.2.35/sweettooth/sweettooth-en_US.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/holdem/holdem-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.0.32/peaks/peaks-en_US.cab
    O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.5.3.44/jumbee/jumbee-en_US.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.6.5.31/turbo21/turbo21-en_US.cab
    O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.0.40/turbo22/turbo22-en_US.cab
    O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.35/videopoker2/videopoker-ob-assets.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.6.1.37/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.0.40/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.4.21/whackdown/whackdown-en_US.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.7.0.40/wordjong/wordjong-en_US.cab
    O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.6.1.29/worldclass/worldclass-en_US.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pogo.com/online2/pogop/diner_dash/DinerDash.1.0.0.80.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
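The correlation the helpers above did by eye (Rollin' Rog flagging the O21 SSODL line whose DLL is missing, Cookiegal identifying that SSODL as Smitfraud, and the SmitfraudFix report listing the same CLSID under SharedTaskScheduler) as a small triage script. This is example code added for this page, not HijackThis or SmitfraudFix code; the log excerpts embedded in it are constructed from the lines quoted in the thread, and the flagging rules are heuristics that mark entries for a closer look, not signatures.

```python
"""Triage helper for the two artefacts posted in this thread: HijackThis
O21/O23 lines and the SharedTaskScheduler block of a SmitfraudFix report.
Example code written for this page, not part of HijackThis or SmitfraudFix.
The embedded log excerpts are constructed from lines quoted in the thread."""
import re

# Constructed excerpt of a HijackThis log (same line format as the posted logs).
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINDOWS\system32\jevtxpg.dll (file missing)
O23 - Service: Apache - Unknown owner - c:\apache\Apache.exe" --ntservice (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
"""

# Constructed excerpt of the "Sharedtaskscheduler" section of a SmitfraudFix report.
SMITFRAUD_SAMPLE = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# "O21 - SSODL: name - {CLSID} - path (file missing)" -> section code + body
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry value line as SmitfraudFix prints it: "name"="{CLSID}"
STS_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<clsid>\{[^}]+\})"$')


def parse_hjt(text):
    """Split HijackThis lines into code, kind (SSODL, Service, ...), detail,
    lower-cased CLSID if any, and whether HJT marked the file as missing."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        kind, _, rest = body.partition(": ")
        clsid = CLSID.search(body)
        entries.append({
            "code": m.group("code"),
            "kind": kind,
            "detail": rest,
            "clsid": clsid.group(0).lower() if clsid else None,
            "file_missing": body.rstrip().endswith("(file missing)"),
        })
    return entries


def parse_sharedtaskscheduler(text):
    """Return {clsid_lower: value_name} for values listed under the
    SharedTaskScheduler key in a SmitfraudFix report."""
    found = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line.lower().endswith(r"\sharedtaskscheduler]")
            continue
        if in_key:
            m = STS_VALUE.match(line)
            if m:
                found[m.group("clsid").lower()] = m.group("name")
    return found


def triage(hjt_text, smitfraud_text):
    """Heuristics: an O21 SSODL whose DLL is gone, an O21 CLSID that is also
    registered under SharedTaskScheduler (two load points, one component),
    and an O23 service with unknown owner and a missing binary."""
    sts = parse_sharedtaskscheduler(smitfraud_text)
    findings = []
    for e in parse_hjt(hjt_text):
        reasons = []
        if e["code"] == "O21":
            if e["file_missing"]:
                reasons.append("SSODL DLL missing on disk")
            if e["clsid"] in sts:
                reasons.append(f"CLSID also in SharedTaskScheduler as '{sts[e['clsid']]}'")
        elif e["code"] == "O23":
            if e["file_missing"] and "Unknown owner" in e["detail"]:
                reasons.append("service with unknown owner and missing binary")
        if reasons:
            name = e["detail"].split(" - ")[0]
            findings.append((e["code"], name, reasons))
    return findings


if __name__ == "__main__":
    for code, name, reasons in triage(HJT_SAMPLE, SMITFRAUD_SAMPLE):
        print(f"{code} {name}: " + "; ".join(reasons))
```

The two Apache services are flagged only as orphaned entries (missing binary, unknown owner), which matches Rollin' Rog asking whether PHPGeekUtil was the poster's own install rather than calling it malware.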
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.
     
  6. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    Followed your directions. Background disappeared.
    Here is rapport.txt log:
    SmitFraudFix v2.75

    Scan done at 11:48:13.95, Mon 07/24/2006
    Run from C:\unzipped\SmitfraudFix[1]\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware. Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  8. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    Cookiegal,
    Ewido went to report and said NO REPORT
    Here is the Panda file and HJT log:

    Incident Status Location

    Adware:adware/ncase Not disinfected c:\temp\salmau.dat
    Adware:adware/cydoor Not disinfected C:\WINDOWS\system32\cd_clint.dll
    Adware:adware/nowfind Not disinfected c:\windows\system32\cidft.dll
    Dialer:dialer.b Not disinfected c:\windows\system32\ia.dll
    Adware:adware/gator Not disinfected c:\GatorPatch.log
    Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
    Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
    Adware:adware/transponder Not disinfected c:\windows\thin-114-1-x-x.exe
    Adware:adware/downloadware Not disinfected c:\program files\MedCh
    Spyware:spyware/conducent-timesink Not disinfected c:\program files\TimeSink
    Adware:adware/sbsoft Not disinfected Windows Registry
    Adware:adware/wupd Not disinfected Windows Registry
    Adware:adware/mediatickets Not disinfected Windows Registry
    Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/ist.istbar Not disinfected Windows Registry
    Adware:adware/memorywatcher Not disinfected Windows Registry
    Adware:adware/savenow Not disinfected Windows Registry
    Dialer:dialer.gun Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][6].txt
    Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/E-eliminator Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Dialer:Dialer.OK Not disinfected C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\backups\backup-20041216-175358-754.inf
    Logfile of HijackThis v1.99.1
    Scan saved at 10:48:50 PM, on 7/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee.com\VSO\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
    O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/backgammon/backgammon-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.6.5.22/cascade/cascade-en_US.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.6.5.22/firstclass2/firstclass2-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.0.32/puck/puck-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.6.2.21/spider/spider-en_US.cab
    O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.0.40/turbo22/turbo22-en_US.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pogo.com/online2/pogop/diner_dash/DinerDash.1.0.0.80.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    I'm attaching a Fixskip.zip file to this post. Save it to your desktop but don't do anything with it yet. We will use it later in safe mode.


    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      c:\temp\salmau.dat

      C:\WINDOWS\system32\cd_clint.dll

      c:\windows\system32\cidft.dll

      c:\windows\system32\ia.dll

      c:\GatorPatch.log

      c:\windows\pcconfig.dat

      c:\windows\sepsd.bin

      c:\windows\thin-114-1-x-x.exe

      c:\program files\MedCh

      c:\program files\TimeSink


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Unzip the Fixskip.zip file that you saved to your desktop earlier and double click the Fixskip.reg file and allow it to enter into the registry.


    Boot back to Windows normally and post another HijackThis log please.
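    The sorting done by hand above, pulling the on-disk "Not disinfected" paths out of the Panda report for Killbox while leaving the "Windows Registry" and cookie entries for other handling, can be scripted so nothing is missed. The following is an added example, not code from the thread or from Panda; the report excerpt is constructed from lines posted above and the cookie filename is a placeholder.

```python
import re
from typing import List, NamedTuple

# Constructed excerpt of the ActiveScan report posted in this thread: one line
# per location type. The cookie filename is a placeholder, not the real one.
PANDA_REPORT = r"""Incident Status Location

Adware:adware/ncase Not disinfected c:\temp\salmau.dat
Adware:adware/cydoor Not disinfected C:\WINDOWS\system32\cd_clint.dll
Adware:adware/downloadware Not disinfected c:\program files\MedCh
Adware:adware/sbsoft Not disinfected Windows Registry
Dialer:dialer.gun Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\cookie-placeholder[2].txt
Dialer:Dialer.OK Not disinfected C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\backups\backup-20041216-175358-754.inf
"""

# The report is whitespace-separated, but the location itself can contain
# spaces, so anchor on the known status strings instead of splitting on blanks.
LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted)\s+"
    r"(?P<location>.+?)\s*$"
)


class Incident(NamedTuple):
    kind: str      # Adware, Spyware, Dialer, ...
    name: str      # Panda's detection name
    status: str
    location: str
    where: str     # "file", "registry" or "cookie"


def classify(location: str) -> str:
    """Decide whether a location is registry data, a tracking cookie or a file."""
    if location == "Windows Registry" or location.upper().startswith("HKEY_"):
        return "registry"
    if "\\cookies\\" in location.lower():
        return "cookie"
    return "file"


def parse_report(text: str) -> List[Incident]:
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # header line, blank line, or something unrecognised
            continue
        loc = m["location"]
        incidents.append(Incident(m["kind"], m["name"], m["status"], loc, classify(loc)))
    return incidents


def killbox_list(incidents: List[Incident]) -> List[str]:
    """On-disk items still flagged 'Not disinfected': the paths a helper would
    hand to a file-deletion tool. Registry data and cookies are left out."""
    return [i.location for i in incidents
            if i.where == "file" and i.status == "Not disinfected"]


def summary(incidents: List[Incident]) -> dict:
    counts: dict = {}
    for i in incidents:
        counts[i.where] = counts.get(i.where, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_report(PANDA_REPORT)
    print(summary(found))
    for path in killbox_list(found):
        print(path)
```

Note that the backup .inf under Documents and Settings is classified as a file, so it lands in the list even though it sits in a user profile rather than under Windows.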
     
  10. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    Cookiegal,
    The minibox for kill box did not list selections for me. Instead, it said it would delete files in C:Documents then reported files deleted. Is this okay?

    Here is HJT log from today:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:40:25 PM, on 7/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee.com\VSO\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
    O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.6.5.22/backgammon/backgammon-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.6.5.22/cascade/cascade-en_US.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.6.5.22/firstclass2/firstclass2-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.6.5.31/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.0.32/puck/puck-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.6.2.21/spider/spider-en_US.cab
    O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.0.40/turbo22/turbo22-en_US.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pogo.com/online2/pogop/diner_dash/DinerDash.1.0.0.80.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
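    One way to confirm mechanically that a fix took is to diff the previous HijackThis log against the new one, process list and findings separately, instead of reading both by eye. This is an added example, not HijackThis's or the thread's own code; the two log excerpts are constructed from lines posted in this thread.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread (before
# and after the O16 fix), trimmed to a few lines each.
HJT_BEFORE = r"""Scan saved at 10:48:50 PM, on 7/24/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
"""

HJT_AFTER = r"""Scan saved at 1:40:25 PM, on 7/25/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
"""

# The entry the helper asked to have "fix checked" (copied from the thread).
POPCAP_ENTRY = ("O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)"
                " - http://www.popcap.com/games/popcaploader_v6.cab")

# Every HijackThis finding starts with a section code (R1, O2, O16, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (running processes, findings) from a HijackThis log as two sets."""
    processes, findings = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            # Lower-case because HijackThis mixes System32/system32 and the
            # order of processes changes from scan to scan; sets ignore order.
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.add((m["section"], m["body"]))
    return processes, findings


def diff_logs(before, after):
    """What disappeared and what appeared between two scans."""
    p0, f0 = parse_hjt(before)
    p1, f1 = parse_hjt(after)
    return {
        "entries_removed": sorted(f0 - f1),
        "entries_added": sorted(f1 - f0),
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
    }


def fix_verified(after, fixed_lines):
    """True when none of the lines that were fix-checked survive in the new log."""
    _, findings = parse_hjt(after)
    wanted = {m.groups() for m in map(ENTRY_RE.match, (l.strip() for l in fixed_lines)) if m}
    return not (wanted & findings)
```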
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    I don't understand what you're saying about Killbox. We didn't delete any files in C:Documents. :confused:

    The log looks good but I need you to run another Panda scan and post the results please so I can see if the files are all gone and if the regfix worked.
     
  12. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    Here is the Scan Report you requested:


    Incident Status Location

    Adware:adware/ncase Not disinfected c:\temp\salm_gdf.dat
    Adware:adware/nowfind Not disinfected c:\windows\system32\cidpoq32.dll
    Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2218.exe
    Dialer:dialer.b Not disinfected c:\windows\tmlpcert2005
    Adware:adware/sbsoft Not disinfected Windows Registry
    Adware:adware/wupd Not disinfected Windows Registry
    Adware:adware/mediatickets Not disinfected Windows Registry
    Adware:adware/sidesearch Not disinfected Windows Registry
    Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/ist.istbar Not disinfected Windows Registry
    Adware:adware/memorywatcher Not disinfected Windows Registry
    Adware:adware/savenow Not disinfected Windows Registry
    Dialer:dialer.gun Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    Dialer:Dialer.OK Not disinfected C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\backups\backup-20041216-175358-754.inf
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Boot to safe mode and run Killbox on these files:

    c:\temp\salm_gdf.dat

    c:\windows\system32\cidpoq32.dll

    c:\windows\downloaded program files\gdnUS2218.exe

    c:\windows\tmlpcert2005

    C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\backups\backup-20041216-175358-754.inf



    How many user profiles are there on this computer?

    Do you have Administrator rights?
     
  14. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    Cookiegal,
    Only one user profile.
    I am designated as administrator.
    Two computers using a router for DSL.
    When I clicked on Killbox while in Safe Mode, I had Pocket Killbox come up. When I deleted the files you listed and went to tools, for Report, I got the following message, "Killbox will attempt to delete temp files in C:\Documents and Settings\Owner\LocalSettings\Temp."
    I clicked on okay and was returned to the main screen.
     
  15. skipscud

    skipscud Thread Starter

    Joined:
    Dec 13, 2004
    Messages:
    137
    I went to Tools then clicked on Delete temp files and got the message I noted.
     
Short URL to this thread: https://techguy.org/485718