Trojans I can't seem to remove

[jendump]

Hello,

I have managed to get my computer infected again. I've run adware, antispyware beta, spybot, and active scan. There are a few files I can't find or remove. Have also ran cccleaner. Can you please help me.

Here is my hijack scan
Logfile of HijackThis v1.99.1
Scan saved at 6:05:27 PM, on 7/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://content.embella.com/plugins/aw70webplayers/full/activex_cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117031398201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6624C50-5906-43B0-AA8C-4A549303ABD5}: NameServer = 68.94.156.1 151.164.30.104
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe


and active scan:
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SNMH6JE5\auto_update[1]
Thank you very much.

Jennifer

 

[Cheeseball81]

Click here to download the trial version of Ewido Security Suite:
http://www.ewido.net/en/download/

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update click the OK button and it will go to the main screen.
· On the left side of the main screen click update.
· Click on Start and let it update.
· DO NOT run a scan yet.

Restart your computer into Safe Mode now.
(Start tapping the F8 key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

Post a new Hijack This log and the results of the Ewido scan.

 

[jendump]

Here are the scan results:

HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup

C:\Documents and Settings\Jenn\Cookies\jenn@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup

C:\Documents and Settings\Jenn\Cookies\jenn@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup

C:\Documents and Settings\Jenn\Cookies\jenn@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


and the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 7:33:53 PM, on 7/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://content.embella.com/plugins/aw70webplayers/full/activex_cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117031398201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6624C50-5906-43B0-AA8C-4A549303ABD5}: NameServer = 68.94.156.1 151.164.30.104
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe


Please let me know the next step. Thanks

Jenn

 

[Cheeseball81]

With IE closed, run Hijack This again.
Put a checkmark on this entry and hit "fix checked":

O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.

 

[Flrman1]

This service needs to be removed also:

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)

Click here to download regquery.zip. Unzip the regquery.bat file that is in the zip file to your desktop.

Doubleclick on the regquery.bat file to run it. It will open a Look.txt file. Attach the Look.txt file to your next post. Don't try to copy and paste it.

 

[jendump]

Completed. Here's the new hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:34 PM, on 7/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://content.embella.com/plugins/aw70webplayers/full/activex_cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117031398201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe


Thanks, jenn

 

[Flrman1]

We posted at the same time. I want to make sure you saw this:

This service needs to be removed also:

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)

Click here to download regquery.zip. Unzip the regquery.bat file that is in the zip file to your desktop.

Doubleclick on the regquery.bat file to run it. It will open a Look.txt file. Attach the Look.txt file to your next post. Don't try to copy and paste it.

 

[jendump]

Forgot to attach that other file.

Jenn

 

[Cheeseball81]

I'll let flrman take over from here

 

[jendump]

Ok, thank you for taking me this far.

Jenn

PS - I fixed that other entry as well

 

[Flrman1]

* Go here to download CCleaner.

• Install CCleaner
• Launch CCleaner and look in the upper right corner and click on the "Options" button.
• Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
• Click OK
• Do not run CCleaner yet. You will run it later in safe mode.

* Click Here and download Killbox and save it to your desktop.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Workstation Service Library.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open Hijack This and click on the "Open Misc Tools section" button. Click the "Delete an NT service" button. Copy and paste the following line in that box:

Microsoft Locator Service

Click OK.


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste the following line then click on the button that has the red circle with the X in the middle. It will ask for confimation to delete the file. Click Yes.

C:\WINDOWS\wkssvc.exe

Exit Killbox.


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt) and save it as a text file.

Post a new HiJackThis log along with the report from the Housecall scan

 

[Flrman1]

Let me also remind you again as I have before that you need to go to Windows Update and get Windows updated. You are at a much higher risk of continuing to get these type infections until you do.

 

[jendump]

Hello.

I ran through the steps, and here is what I found. When I ran killbox, i was not able to delete c:\windows\wkssvc.exe because it said it could not be found.

Also, I went to windows update and I had 15 critical updates to download. I did these before I ran the hijack scan. Can you tell if I have that service pack update?

Here is the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:47 AM, on 6/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [nuvyxi] C:\WINDOWS\System32\nuvyxi.exe
O4 - HKLM\..\Run: [gglcg] C:\WINDOWS\System32\gglcg.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [rkdfb] C:\WINDOWS\System32\rkdfb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117031398201
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6624C50-5906-43B0-AA8C-4A549303ABD5}: NameServer = 68.94.156.1 151.164.30.104
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Thanks,

Jenn

 

[jendump]

And here's the virus scan log:

Virus Scan0 virus cleaned, 0 virus deleted

Trojan/Worm Check0 worm/Trojan horse deleted

Spyware Check1 spyware program removed

We have detected 1 spyware(s) on your computer.
- 1 spyware(s) removed, 0 spyware(s) unremovable
Spyware NameSpyware TypeAction Taken
ADW_APROPOS.OAdwareRemoval successful

Microsoft Vulnerability Check33 vulnerabilities detected

Results:
Risk LevelIssueHow to Fix
CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through the use
of a malformed Advanced Streaming Format (ASF)
file. It is caused by a buffer overflow in
Microsoft Windows Media Player 6.4. MS01-056
CriticalThis vulnerability enables a remote
attacker to execute arbitrary codes on the users
system. It is caused by Internet Explorer 6.0
believing that the file to be opened is safe to
open without user confirmation, due to some
changes made in the HTML header.;This
vulnerability enables a remote attacker to read
any file contained in the users system that could
be opened through Internet Explorer 5.5 or
6.0.;This vulnerability enables a remote attacker
to represent the file name in the File Download
dialogue box of Internet Explorer 5.5 or 6.0 with
a different name that could fool users into
thinking that the said file is safe to download.
MS01-058
CriticalThis vulnerability allows a remote
attacker to execute arbitrary code via a web page
that specifies embedded ActiveX controls in a way
that causes 2 Unicode strings to be concatenated
when buffer overflow in the implementation of an
HTML directive in mshtml.dll in Internet Explorer
5.5 and 6.0 is triggered.;A remote attacker could
read arbitrary files via malformed requests to the
GetObject function because Internet Explorer 5.01,
5.5 and 6.0 bypass some of GetObject's security
checks.;File Download box in Internet Explorer
5.01, 5.5 and 6.0 allows the modification of the
displayed name of the file through
Content-Disposition and Content-Type HTML header
fields, which could allow an attacker to trick a
user into believing that a file is safe to
download.;Because Internet Explorer 5.01, 5.5 and
6.0 does not properly handle the Content-Type HTML
header field, a remote attacker is allowed to
modify which application is used to process a
document.;Internet Explorer 5.5 and 6.0 bypass
restrictions for executing scripts via an object
that processes asynchronous events after the
initial security checks have been made, which
could allow a remote attacker to compromise user
system through the said vulnerability.;Internet
Explorer 5.5 and 6.0 allows the reading of certain
files and spoofing of the URL in the address bar
through the Document.open function, which could
allow a remote attacker to compromise user system
through the said vulnerability.;This vulnerability
allows a remote attacker to read arbitrary files
by specifying a local file as an XML Data Source.
This is caused by the XMLHTTP control found in
Microsoft XML Core Services 2.6 and later not
properly handling Internet Explorer Security Zone
settings. MS02-005
CriticalThis vulnerability enables a remote
attacker to run scripts in the Local Computer
zone. This is done via a script that is embedded
in a cookie that would be saved to the users
system.;This vulnerability enables a remote
attacker to invoke an executable on the users
system via an HTML web page that includes an
object tag. MS02-015
CriticalThis vulnerability allows an attacker to
cause a denial of service attack to a target
server machine. This is caused by a buffer
overflow in SMB protocol in Microsoft Windows NT,
Windows 2000, and Windows XP. MS02-045
CriticalThis vulnerability enables a remote
attacker to execute arbitrary code by creating an
.MP3 or .WMA file that contains a corrupt custom
attribute. This is caused by a buffer overflow in
the Windows Shell function in Microsoft Windows
XP. MS02-072
Highly CriticalThis vulnerability enables local
users to execute arbitrary code through an RPC
call. This is caused by a buffer overflow in the
RPC Locator service for Windows NT 4.0, Windows NT
4.0 Terminal Server Edition, Windows 2000, and
Windows XP. MS03-001
Highly CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through a
WebDAV request to IIS 5.0. This is caused by a
buffer overflow in NTDLL.DLL on Windows NT 4.0,
Windows NT 4.0 Terminal Server Edition, Windows
2000, and Windows XP. MS03-007
Highly CriticalThis vulnerability enables a remote
attacker to execute any file that can be rendered
as text, and be opened as part of a page in
Internet Explorer. MS03-014
CriticalThis vulnerability enables a remote
attacker to cause a denial of service and execute
arbitrary code through a specially formed web page
or HTML e-mail. This is caused by a flaw in the
way the HTML converter for Microsoft Windows
handles a conversion request during a
cut-and-paste operation. MS03-023
Highly CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through a
malformed message. This is caused by a buffer
overflow in certain DCOM interface for RPC in
Microsoft Windows NT 4.0, 2000, XP, and Server
2003. MS03-026
CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through a
specially crafted MIDI file. This is caused by
multiple buffer overflows in a Microsoft Windows
DirectX MIDI library (QUARTZ.DLL). MS03-030
CriticalThis vulnerability could allow a remote
attacker to execute arbitrary code via a malformed
RPC request with a long filename parameter. This
is caused by a heap-based buffer overflow found in
the Distributed Component Object Model (DCOM)
interface in the RPCSS Service.;This vulnerability
could allow a remote attacker to cause a denial of
service attack, which could allow local attackers
to gain privileges via certain messages sent to
the __RemoteGetClassObject interface.;This
vulnerability could allow a remote attacker to
execute arbitrary code via a malformed activation
request packet with modified length fields. This
is caused by a heap-based buffer overflow in the
Distributed Component Object Model (DCOM)
interface in the RPCSS Service.;This vulnerability
could allow a remote attacker to cause a denial of
service attack. This is caused by two threads
processing the same RPC request, which will lead
to its using memory after it has been freed.;This
vulnerability could allow a remote attacker to
cause a denial of service attack via a queue
registration request. This is caused by a buffer
overflow in the Microsoft Message Queue Manager.
MS03-039
Highly CriticalThese vulnerabilities, which are
due to Internet Explorer not properly determining
an object type returned from a Web server in a
popup window or during XML data binding,
respectively, could allow an attacker to run
arbitrary code on a user's system. MS03-040
CriticalThis vulnerability allows a remote
attacker to execute arbitrary code without user
approval. This is caused by the authenticode
capability in Microsoft Windows NT through Server
2003 not prompting the user to download and
install ActiveX controls when system is low on
memory. MS03-041
CriticalThis vulnerability allows a remote
attacker to execute arbitrary code on the affected
system. This is caused of a buffer overflow in the
Messenger Service for Windows NT through Server
2003. MS03-043
ImportantThis vulnerability is due to a buffer
overrun in the ListBox and ComboBox controls found
in User32.dll. Any program that implements the
ListBox control or the ComboBox control could
allow arbitrary code to be executed at the same
privilege level. This vulnerability cannot be
exploited remotely. MS03-045
CriticalThis vulnerability could allow an attacker
to access information from other Web sites, access
files on a user's system, and run arbitrary code
on a user's system, wherein this is executed under
the security context of the currently logged on
user.;This vulnerability could allow an attacker
to save a file on the users system. This is due to
dynamic HTML events related to the drag-and-drop
of Internet Explorer.;This vulnerability, which is
due to the incorrect parsing of URLs which contain
special characters, could allow an attacker to
trick a user by presenting one URL in the address
bar, wherein it actually contains the content of
another web site of the attackers choice.
MS04-004
Highly CriticalThe LSASS vulnerability is a buffer
overrun vulnerability allows remote code
execution.;The LDAP vulnerability is a denial of
service (DoS) vulnerability that causes the
service in a Windows 2000 domain controller
responsible for authenticating users in an Active
Directory domain to stop responding.;The PCT
vulnerability is a buffer overrun vulnerability in
the Private Communications Transport (PCT)
protocol, a part of the SSL library, that allows
remote code execution.;The Winlogon vulnerability
is a buffer overrun vulnerability in the Windows
logon process (winlogon) that allows remote code
execution.;The Metafile vulnerability is a buffer
overrun vulnerability that exists in the rendering
of Windows Metafile (WMF) and Enhanced Metafile
(EMF) image formats.;The Help and Support Center
vulnerability allows remote code execution and is
due to the way Help and Support Center handles HCP
URL validation.;The Utility Manager vulnerability
is a privilege elevation vulnerability that exists
due to the way that Utility Manager launches
applications.;The Windows Management vulnerability
is a privilege elevation vulnerability that when
successfully exploited allows a local attacker to
take complete control of a system by executing
commands at the system privilege level.;The Local
Descriptor Table vulnerability is a privilege
elevation vulnerability that when successfully
exploited allows a local attacker to take complete
control of a system by executing commands at with
system privileges.;The H.323 vulnerability is a
buffer overrun vulnerability that when
successfully exploited can allows attackers to
gain full control of a system by arbitrarily
executing commands with system privileges.;Virtual
DOS Machine vulnerability is a privilege elevation
vulnerability that when successfully exploited
allows a local attacker to gain full control of a
system by executing commands with system
privileges.;The Negotiate SSP vulnerability is a
buffer overrun vulnerability that exists in
Microsoft's Negotiate Security Service Provider
(SSP) interface and allows remote code
execution.;The SSL vulnerability exists due to the
way SSL packets are handled and can causes the
affected systems to stop responding to SSL
connection requests.;The ASN.1 'Double-Free'
vulnerability exists in Microsoft's Abstract
Syntax Notation One (ASN.1) Library and allows
remote code execution at the system privilege
level. MS04-011
CriticalThe RPC Runtime Library vulnerability is a
remote code execution vulnerability that results
from a race condition when the RPC Runtime Library
processes specially crafted messages. An attacker
who successfully exploits this vulnerability could
take complete control of an affected system.;The
RPCSS Service denial of service (DoS)
vulnerability allows a malicious user or malware
to send specially-crafted messages to a vulnerable
system, which causes the RPCSS Service to stop
responding.;The RPC Over HTTP vulnerability may be
used to launch a denial of service (DoS) attack
against a system with CIS or RPC over HTTP Proxy
enabled.;When successfully exploited, the Object
Identity vulnerability allows an attacker to force
currently running applications to open network
communication ports, thereby opening a system to
remote attacks. MS04-012
CriticalThe MHTML URL Processing Vulnerability
allows remote attackers to bypass domain
restrictions and execute arbitrary code via script
in a compiled help (CHM) file that references the
InfoTech Storage (ITS) protocol handlers.This
could allow an attacker to take complete control
of an affected system. MS04-013
CriticalThis vulnerability exists in the Help and
Support Center (HCP) and is due to the way it
handles HCP URL validation. This vulnerability
could allow an attacker to remotely execute
arbitrary code with Local System privileges.
MS04-015
ModerateThis is a denial of service (DoS)
vulnerability. It affects applications that
implement the IDirectPlay4 Application Programming
Interface (API) of Microsoft DirectPlay.
Applications that use this API are typically
network-based multiplayer games.;An attacker who
successfully exploits this vulnerability could
cause the DirectX application to fail while a user
is playing a game. The affected user would then
have to restart the application. MS04-016
ModerateA denial of service (DoS) vulnerability
exists in Outlook Express that could cause the
said program to fail. The malformed email should
be removed before restarting Outlook Express in
order to regain its normal operation. MS04-018
CriticalThis vulnerability lies in an unchecked
buffer within the Task Scheduler component. When
exploited, it allows the attacker to execute
arbitrary code on the affected machine with the
same privileges as the currently logged on user.
MS04-022
CriticalAn attacker who successfully exploits this
vulnerability could gain the same privileges as
that of the currently logged on user. If the user
is logged in with administrative privileges, the
attacker could take complete control of the
system. User accounts with fewer privileges are at
less risk than users with administrative
privileges. MS04-023
CriticalThe Navigation Method Cross-Domain
Vulnerability is a remote execution vulnerability
that exists in Internet Explorer because of the
way that it handles navigation methods. An
attacker could exploit this vulnerability by
constructing a malicious Web page that could
potentially allow remote code execution if a user
visits a malicious Web site.;The Malformed BMP
File Buffer Overrun Vulnerability exists in the
processing of BMP image file formats that could
allow remote code execution on an affected
system.;The Malformed GIF File Double Free
Vulnerability is a buffer overrun vulnerability
that exists in the processing of GIF image file
formats that could allow remote code execution on
an affected system. MS04-025
CriticalThis vulnerability lies in the way the
affected components process JPEG image files. An
unchecked buffer within this process is the cause
of the vulnerability.;This remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. The malicious user
or malware can execute arbitrary code on the
system giving them the ability to install or run
programs and view or edit data with full
privileges. Thus, this vulnerability can
conceivably be used by a malware for replication
purposes. MS04-028
ImportantAn unchecked buffer exists in the NetDDE
services that could allow remote code execution.
An attacker who is able to successfully exploit
this vulnerability is capable of gaining complete
control over an affected system. However, the
NetDDe services are not automatically executed,
and so would then have to be manually started for
an attacker to exploit this vulnerability. This
vulnerability also allows attackers to perform a
local elevation of privilege, or a remote denial
of service (DoS) attack. MS04-031
CriticalThis cumulative release from Microsoft
covers four newly discovered vulnerabilities:
Windows Management Vulnerability, Virtual DOS
Machine Vulnerability, Graphics Rendering Engine
Vulnerability, and Windows Kernel Vulnerability.
MS04-032
CriticalThis is another privately reported
vulnerability about Windows Compressed Folders.
There is vulnerability on the way that Windows
processes Compressed (Zipped) Folders that could
lead to remote code execution. Windows can not
properly handle the extraction of the ZIP folder
with a very long file name. Opening a specially
crafted compressed file, a stack-based overflow
occurs, enabling the remote user to execute
arbitrary code. MS04-034
CriticalThis security bulletin focuses on the
following vulnerabilities: Shell Vulnerability
(CAN-2004-0214), and Program Group Converter
Vulnerability (CAN-2004-0572). Shell vulnerability
exists on the way Windows Shell launches
applications that could enable remote malicious
user or malware to execute arbitrary code.
Windows Shell function does not properly check the
length of the message before copying to the
allocated buffer. Program Group Converter is an
application used to convert Program Manager Group
files that were produced in Windows 3.1, Windows
3.11, Windows for Workgroups 3.1, and Windows for
Workgroups 3.11 so that they can still be used by
later operating systems. The vulnerability lies in
an unchecked buffer within the Group Converter
Utility. MS04-037
CriticalThis is a remote code execution
vulnerability that exists in the Internet
Explorer. It allows remote code execution on an
affected system. An attacker could exploit this
vulnerability by constructing a malicious Web
Page. The said routine could allow remote code
execution if a user visited a malicious Web site.
An attacker who successfully exploited this
vulnerability could take complete control of an
affected system. However, significant user
interaction is required to exploit this
vulnerability. MS04-038

 

[Flrman1]

Click here to download L2mfix.

Save the file to your desktop and double click l2mfix.exe. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!.