
Pop-ups and slow computer


10 replies to this topic

#1 Dan Zachary


Posted 23 November 2005 - 12:38 AM

Something got through all my defenses and onto our computer. I am unable to find anything using the latest versions of McAfee antivirus and spyware, Microsoft Antispyware (beta 1), Adaware, Spybot Search and Destroy, Ewido, Bit Defender, Microtrends online virus search, and nothing looks unusual to me in HiJack This!. I have run all these programs in both normal Windows mode and safe mode.

Bazooka did find something called "Exploit Toolbarpartner.com", but the only file that they list that I can find is "msxmidi.exe" in my Windows directory and the size is 0 kb. I cannot delete it in safe mode. I get a message saying it is being used by another program.

Another odd thing is the notification area of my taskbar (next to the clock) sometimes shows one or two things like the internet connection, but does not show my McAfee icon and other things; sometimes it shows nothing. Seems like it is trying to hide some notification. I rely on this to know for sure that my antivirus is working.

I am posting my HiJack This! log (I am in safe mode right now) and have saved a rather lengthy Microsoft Antispyware log if you are interested.

Thank you in advance for helping me with this frustrating and time consuming mess.

Logfile of HijackThis v1.99.1
Scan saved at 12:26:33 AM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [vmvcSIsKy] C:\WINDOWS\puskdkqv.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



#2 pskelley


Posted 26 November 2005 - 10:24 AM

Hello Dan, this may be your problem:
O4 - HKLM\..\Run: [vmvcSIsKy] C:\WINDOWS\puskdkqv.exe
If you want a check before removing it, use one or more of these free online scans and post the results for me.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustota...h/index_en.html

I need to see your HJT log in normal mode with everything enabled in MSConfig. I can't tell from what you have shown me whether this item is in running programs or not. Since you have run Ad-aware and Spybot I will give you this link: http://tomcoyote.org/aawsb.php please make sure you have the latest versions and are configured as in the link. When you run these programs, run Spybot first with a reboot between them. Since you have ewido on board, update to the newest data. I would like to run a cleaner at the end. This item is probably running from Prefetch so we will empty that, or from temp files, and the cleaner will take care of that. Please do this:

1) Once ewido is updated, run it allowing it to remove everything it locates unless you know it is not bad. Use these instructions:
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

I must see that log, so make sure you save it.
Your spyware programs will stop HJT, be offline first, then turn them off until you finish with HJT. Make sure you enable them again before going back online.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
O4 - HKLM\..\Run: [vmvcSIsKy] C:\WINDOWS\puskdkqv.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\puskdkqv.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

4) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp Run CCleaner, when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do. Then restart the computer and post a new HJT log in normal mode with everything enabled in MSConfig and the Ewido scan results in this same thread along with any feedback you have. Let me know if that fixes the problem.

Thanks...pskelley
TomCoyote forum
Spyware Warrior

When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
http://service1.syma...src=sec_doc_nam

Edited by pskelley, 26 November 2005 - 01:36 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
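The entry pskelley singles out above is the kind of thing a quick triage pass over a HijackThis log can surface before anyone reaches for an online scanner. The following Python is an added example, not HijackThis' or the forum's own code: it parses the O4 autostart lines of a log (a constructed sample copied from the log posted above) and scores each entry with three defender-side heuristics: the file lives directly in the Windows directory or has no path at all, the Run value name shares no three-character run with the file name, and the file name is almost vowel-free. The heuristic names, the scoring, and the `triage` and `extract_target` functions are this example's own choices, not anything HijackThis provides.

```python
r"""Triage the O4 (autostart) entries of a HijackThis log.

Added example, not HijackThis' or the forum's own code. Each Run / Global
Startup entry gets a score from three heuristics so that an entry like the
randomly named C:\WINDOWS\puskdkqv.exe in the thread's log rises to the top
of the review list. A high score is a reason to look closer (hash lookup,
online scanner), not a verdict.
"""
import ntpath
import re

# Constructed sample: a handful of O4 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [vmvcSIsKy] C:\WINDOWS\puskdkqv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?)\.lnk = (?P<cmd>.*)$")
# First token that ends in an executable/library extension, quoted or not.
# The lookahead keeps "mcafee.com\vso\x.exe" from being cut at ".com".
EXE_RE = re.compile(
    r'^\s*"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?=[\s,]|$)', re.IGNORECASE)


def extract_target(cmd):
    """Best effort: the file a Run value really launches."""
    m = EXE_RE.match(cmd)
    if not m:
        # No recognisable extension (e.g. %systemroot%\system32\dumprep 0 -k)
        return cmd.strip().split()[0]
    path = m.group("path")
    if ntpath.basename(path).lower() == "rundll32.exe":
        # rundll32 is only the host; the loaded DLL is what matters
        return extract_target(cmd[m.end():].lstrip(" ,"))
    return path


def location_flag(path):
    """Reason string when the file sits somewhere legitimate software rarely does."""
    d = ntpath.dirname(path).lower().rstrip("\\")
    if not d:
        return "no directory given; resolved through PATH at logon"
    if re.fullmatch(r"[a-z]:\\windows|%systemroot%|%windir%", d):
        return "lives directly in the Windows directory"
    if "\\temp" in d or "\\local settings" in d:
        return "runs from a temp or profile folder"
    return None


def _alnum(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def name_matches_file(value_name, stem):
    """True when the Run value name and the file name share any 3-character run."""
    a, b = _alnum(value_name), _alnum(stem)
    return any(b[i:i + 3] in a for i in range(len(b) - 2))


def vowel_poor(stem):
    """Crude randomness test: six or more letters and under a quarter are vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.25


def score_entry(value_name, cmd):
    target = extract_target(cmd)
    stem = ntpath.splitext(ntpath.basename(target))[0]
    reasons = []
    loc = location_flag(target)
    if loc:
        reasons.append(loc)
    if not name_matches_file(value_name, stem):
        reasons.append("value name unrelated to file name")
    if vowel_poor(stem):
        reasons.append("file name looks random (almost no vowels)")
    return {"name": value_name, "target": target, "score": len(reasons), "reasons": reasons}


def triage(log_text):
    """Parse every O4 line and return entries sorted by descending score."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries.append(score_entry(m.group("name"), m.group("cmd")))
    return sorted(entries, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['score']}  [{e['name']}] {e['target']}  {'; '.join(e['reasons'])}")
```

On the sample, only the puskdkqv.exe entry hits all three heuristics; vendor abbreviations such as mcmnhdlr.exe trip the vowel test and the name-mismatch test but live under Program Files, so they score lower. Vowel-poor vendor names are common enough that no single signal is trustworthy on its own, which is exactly why the post above asks for an online scan of the file before it is removed.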

#3 Dan Zachary


Posted 26 November 2005 - 01:04 PM

Hi and thank you for your response.

Last night I noticed in prefetch a program called WinGenerics.dll had loaded. After a Yahoo search I found it to be associated with the "Appropos.C" Virus/Spyware. Searching for that led me to Bleepingcomputer.com where someone else had the same problem. They had a program to get rid of it at http://swandog46.gee...approposfix.exe. I have run that in safe mode (it got rid of the folder it was in and all the randomly named registries associated) and I am doing antivirus/antispyware searches in safe mode now to see if anything else shows up.

This thing had been saving what I was doing in special files that I assume would be sent off to someone. Hopefully this will take care of things, but when I can I will restart in normal windows and do the other things that you requested. I have printed them out so I can do it just as you said.

Thanks again so much and let me know if I am doing something wrong.

#4 pskelley


Posted 26 November 2005 - 01:51 PM

Hi Dan, Nope...if you located an Apropos Rootkit infection, getting rid of it is the right thing to do. I would not have this information until after I looked at the ewido scan report. Please make sure you reboot the computer as soon as you finish saving the ewido scan report. Keep an eye on the computer for any unusual signs. I will know more once I get those reports.

Here's some information for you: http://www.pcsupport...om/rootkits.htm
http://securityrespo....apropos.c.html
http://www.viruslist...scuss=168740859
http://www.google.co...=define:Rootkit
http://en.wikipedia.org/wiki/Rootkit
http://www.sysintern...tal-rights.html

Since you ran swandog46's removal tool, watch for any activity to indicate its presence. Chances are it came in with a Downloaded Program File. I will give you a link now so you can tighten control on ActiveX in case you have not done so.
http://www.bleepingc...topict2520.html

Thanks...Phil

#5 Dan Zachary


Posted 26 November 2005 - 03:00 PM

Update: I ran many different scans in safe mode finding nothing. When I restarted in normal Windows it took a while (like it was trying to load something) and is still painfully slow. Windows antivirus asked me if I wanted to allow some BHO's (I told it to block them). It also said something about allowing a Microsoft Shell Doc or something like that (it went too quick for me to write it down). I have updated and am now scanning with Ewido again. I will continue going down your list when I can. I am writing to you from another computer so as not to disturb the scan. Oh yeah, I looked at Hijackthis while in safe mode and got rid of the reference to puskdkqv.exe. That "approposfix" program seems to have deleted it from the computer and a Yahoo search turns up nothing on it, so it must have been a randomly named file associated with that problem. Whatever this is, it is pretty sneaky as nothing seems to find it. It also appears to download and load things without me knowing about it. Thanks again and I will update as soon as possible.

#6 Dan Zachary


Posted 26 November 2005 - 06:28 PM

O.K., I did everything you said and here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:58 PM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HijackThis!\HijackThis.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Here is the Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:17:19 PM, 11/26/2005
+ Report-Checksum: 606FD5BF

+ Scan result:

No infected objects found.


::Report End

It still seems slow starting up and a little slow running even simple programs like Wordpad, but it is getting better. Can this be because of all the antivirus/antispyware programs I have running? I went to Yahoo and did a search for "antivirus" which used to cause pop-ups and no pop-ups happened this time. I still have issues with the "notification area" of the task bar (next to the clock). Icons do not show up that should. The McAfee icon does not show up until I start the McAfee Security Center, so I do not know if it is automatically loading or not.

I am going to have my son try playing "Call of Duty II" which is where he has the most problems to see what happens.

#7 Dan Zachary


Posted 26 November 2005 - 06:32 PM

Forgot to say that Microsoft's Antivirus wouldn't let HiJackThis change the home page. My family has been to Pogo.com almost daily (have a subscription there) for over a year. It is a place to play games and I have not heard of any problems with them. I think they are a safe place.

#8 Dan Zachary


Posted 26 November 2005 - 07:06 PM

My son has been playing "Call of Duty II" (a fun World War II game that you can play online against other people) and says that it is way faster now and not locking up. Please take a look at the logs I posted and see if you find anything. If I can get him off that computer again I will do a Microsoft Antivirus/Antispyware scan in Safe Mode and see if we missed anything. That program creates a huge log of the entire registry, everything that starts, etc. that I can go through. I will also check the Windows/prefetch to see if anything strange is loading. Any other ideas? I will post what happens. Probably not until tomorrow. I think that "Appropos.C" was my main problem though. Thanks again and Happy Holidays!

#9 Dan Zachary


Posted 26 November 2005 - 09:43 PM

I ran the Microsoft product in safe mode doing a full search and it found nothing. When I restarted in normal mode, it caught a toolbar spyware trying to load. I still have problems I guess.

#10 pskelley


Posted 27 November 2005 - 12:00 AM

Hello Dan, Since you posted multiple times I will try to respond to each post to the best of my ability in an effort to stay organized.

Time of post: Today, 03:00 PM
Just some information: these infections, as you should have read, will actually pave the way for additional bad stuff. The puskdkqv.exe was probably another program. The thing about the rootkit, you rarely can see them without specialized tools and with some of them not at all. The symptoms are often all we have to go by. They are very sneaky and getting worse. Once some of the ones after personal information for $$ reasons are onboard, you can never really be sure they are gone and you are safe without reformatting the complete system.

Today, 06:28 PM
Logfile of HijackThis v1.99.1 Scan saved at 6:06:58 PM, on 11/26/2005


Log is clean of malware. Looks like you have programs running that can be turned off and started manually when needed to save you some resources. In your log look at the items that say: O4 - HKLM\..\Run: Use MSConfig: http://netsquirrel.com/msconfig/ then search google for the program like: OneTouchMon.exe will return: http://castlecops.co...plist-5760.html Do not turn off any programs you are advised not to and leave the security programs alone.

This item: O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE see this: http://castlecops.co...uplist-180.html you can safely delete the file I have highlighted in red to stop this activity. Delete nothing else as it would affect the sound.

ewido security suite - Scan report Created on: 5:17:19 PM, 11/26/2005

Good that you are clean, bad that I have no information. The very first scan report after you installed ewido would have shown the rootkit and other stuff that would have helped me understand the infections. You may still have those scan reports. If you installed in the default location they will be in: C:\Program Files > ewido > security suite > Reports <<< in that folder. A mouse over will give you the time of the report, post the first one.

Yes...the programs you installed all require resources and ewido uses a lot during the trial. If you decide not to purchase, you want to turn off the running program and disable it in services. If you have the disk space to spare, it is a handy scanner and updates are free for as long as you like.
Some of the programs running in the system tray may need to be restarted. If McAfee is not showing up, check to make sure it is running in the Security Center. All three items should be running unless you use a third party firewall (then turn off the SP2 Firewall to stop conflicts). If McAfee continues not to load to the System tray, discuss that with McAfee tech support; they may want you to reinstall as many of these infections corrupt key areas of antivirus programs (and others).

Today, 06:32 PM
You should be able to set any Home Page you wish regardless of MAS. If you are sure PoGo.com is safe, by all means leave it. In my experience, these game sites are major contributors to problems, mostly because of the bundled junk that comes with them because folks do not take the time to read the EULA agreement and they are usually too complex to understand anyway. My advice is if you do not understand your EULA, call whoever made the software and have them explain it to you in detail. New and pending legislation will clear this up if our lawmakers ever get it passed.

Today, 07:06 PM
MAS is still Beta and I will not suggest it until Microsoft clears it. I understand it is going to be finally called "Defender" and whether it will continue to be free is also up in the air...lol. I supplied information about Prefetch; malware writers do like to start stuff there because the average user does not even know they have it. They look and look in running programs and wonder why they see nothing bad, or they delete a bad program and wonder why it won't stay gone.

Today, 09:43 PM
This stuff is always going to try to get on your computer. You need programs that will deny it access. Ad-aware/Spybot will remove most adware but they stop nothing. Here are the freeware programs I run on all of my computers. Until Microsoft proves to me MAS is better, I will continue to run them:
SpywareBlaster
http://www.bleepingc...tutorial49.html
SpywareGuard:
http://www.bleepingc...tutorial50.html
IE-Spyad
http://www.bleepingc...tutorial53.html

Here is some information from the pros and you will see those programs mentioned by them also:
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Here are a couple of links with ideas for speeding up your computer. Don't attempt anything you are not comfortable with:
http://vlaurie.com/c...s/runbetter.htm
http://www.linkgrind...rs_article.html

RAM is very important with these games the kids are playing for them to function properly. The days of 256 and even 512 MB are gone. You need all of the RAM you can afford. If you need more information about this, let me know.

Once you have looked at your log, gotten rid of what you installed for the cleanup and turned off what does not need to run, post a new HJT log and a ewido scan report and I will take a look. Make sure you clean the System Restore as suggested above.

Thanks...Phil

pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

Edited by pskelley, 27 November 2005 - 12:03 AM.


#11 pskelley


Posted 05 December 2005 - 07:29 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php