I started getting alerts from McAfee about a PUP appearing in my Temporary Internet
Files. The program was called Dialer-269 and the file name was gdnUS2218.exe. Attempts to
delete it through McAfee were unsuccessful because it apparently was marked as a read-only
or perhaps system file.
I have manually deleted it several times, but it continues to return.
Then a program called SpywareQuake 2.0 installed itself on my computer. I have deleted it
several times using the XP Add-Remove Programs utility, but it reinstalls itself.
A full system scan with McAfee does not reveal any problems other than tracking cookies
and the gdnUS2218.exe file noted above.
Spybot v1.4 returned a Vcodec problem with two files: \system32\ts.ico and
\system32\ncompat.tlb. Spybot was able to delete the first file, but the second file
required a reboot. I deleted these files several times but they continue to return.
Along the way, something installed itself in my system tray. It is an icon that blinks
back and forth between a red circle with diagonal line through it, and what looks like a
green wheelchair symbol. Associated with it is a box that pops up just above the tray
that says:
Your computer is infected!
Critical System Error!
System detected virus activities. They may cause critical system failure. Please, use
antim alware (sic) software to clean and protect your system from parasite programs.
Click here to get all available software.
I have not clicked anything out of concern that it may make things worse.
Since I installed Ewido and scanned my computer, it is popping up periodically to say
that a file called ldDC49.tmp is showing up in \system32\1024, and that the infection is
called Downloader.Zlob.jc. Ewido has cleaned this several times and it keeps reappearing.
It has also popped up to say that Spyware Quake is reinstalled. But as noted above,
after being uninstalled it continues to install itself.
The latest thing to happen is that each time I try to open "My Computer" it freezes.
I am running a 2-week-old reinstall of XP Pro SP2 on a relatively current machine. Prior
to this problem I had been using McAfee Online for my virus scanner, Ad-Aware for my
anti-spyware software, and IE6 for my browser. (Have now switched to Firefox.)
HijackThis and Ewido scan logs are attached.
If anyone has any suggestions I would be grateful.
Thanks.
--Bob Rausch
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 9:54:09 AM, 3/27/2006
+ Report-Checksum: DE79A95C
+ Scan result:
HKU\S-1-5-21-790525478-583907252-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\RSR\Cookies\rsr@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\RSR\Cookies\rsr@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\RSR\Local Settings\Temp\Cookies\rsr@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\Computer Software\Fastream NetFile\NetFile.exe -> Adware.Cydoor : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\Computer Software\GoZilla\GOZ35.EXE -> Adware.Aureate : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\Computer Software\ICQ\ICQ2\NDetect.exe -> Backdoor.IP_Protect : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\Computer Software\ICQ\ICQ2a\NDetect.exe -> Backdoor.IP_Protect : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\GW\Dupes\Software\GoZilla\GOZIL35.ZIP/goz35.exe -> Adware.Aureate : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\H&W\F drive\03057\Cookies\03057@gm_preferences.txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\H&W\F drive\03057\Cookies\03057@preferences(1).txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\quicken stuff\Quicken - old data\quicken stuff\quicken transfers from p4\quicken stuff\xxQUICKENW\INET\COMMON\SYSTEM\BGT.DLL -> Trojan.Lmir.acq : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\quicken stuff\Quicken - old data\quicken stuff\quicken transfers from p42\quicken stuff\xxQUICKENW\INET\COMMON\SYSTEM\BGT.DLL -> Trojan.Lmir.acq : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\quicken stuff\Quicken - old data\quicken transfers from p4\quicken stuff\xxQUICKENW\INET\COMMON\SYSTEM\BGT.DLL -> Trojan.Lmir.acq : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\quicken stuff\Quicken - old data\quicken transfers from p4 - 2\quicken stuff\xxQUICKENW\INET\COMMON\SYSTEM\BGT.DLL -> Trojan.Lmir.acq : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\quicken stuff\Quicken - old data\quicken transfers from p4 - 3\quicken stuff\xxQUICKENW\INET\COMMON\SYSTEM\BGT.DLL -> Trojan.Lmir.acq : Cleaned with backup
C:\Documents and Settings\RSR\My Documents\quicken stuff\Quicken - old data\quicken transfers from p4 - 4\quicken stuff\xxQUICKENW\INET\COMMON\SYSTEM\BGT.DLL -> Trojan.Lmir.acq : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 1:46:44 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\PROGRA~1\scansoft\PAPERP~1\fbdirect.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\RSR\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Download - {777D0B4C-75C9-4874-ABFF-80B4BE8DC532} - C:\Program Files\Download Toolbar\IEBand2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\\scansoft\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\scansoft\PAPERP~1\PPWebCap.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Save To Gallery - res://C:\Program Files\Download Toolbar\IEBand2.dll/DownloadToGallery.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142230406546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142280742250
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://Z:\tools\EN\bin\npseatools.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
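An added example, not part of Bob's post or of HijackThis itself: a small triage script that reads HijackThis 1.99-style log lines and surfaces the entries a responder would check first. It applies three checks to lines copied from the log above: an autorun (O4), BHO (O2) or toolbar (O3) entry that names something on a per-case watch list; an O4 entry whose command has no absolute path (a bare name such as `Rundll32.exe ulutil2.dll,...` resolves through the loader's search order, and `= ?` means HijackThis could not resolve the shortcut target); and an O23 service with `Unknown owner` or `(file missing)`. It also counts repeated process paths, which is how the two `SpywareQuake.exe` instances stand out. The watch list is an assumption of this example (the program the poster says reinstalls itself, plus the unfamiliar Download Toolbar for illustration), the line patterns are inferred from the log formats visible above, and a finding is a prompt to verify the file and publisher, not a malware verdict.

```python
import re
from collections import Counter

# Excerpt copied from the HijackThis log in the post above, trimmed to the lines
# that exercise each rule. Any real log text can be passed to triage() instead.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\SpywareQuake\SpywareQuake.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Download - {777D0B4C-75C9-4874-ABFF-80B4BE8DC532} - C:\Program Files\Download Toolbar\IEBand2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - Global Startup: BounceBack Launcher.lnk = ?
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Assumption of this example: names the analyst wants surfaced for a manual look.
# This is a per-case watch list, not a signature database and not a verdict.
WATCH_NAMES = ("spywarequake", "download toolbar")

ABS_PATH = re.compile(r"^[A-Za-z]:\\")
# Executable at the start of a command line, quoted or not; stops at the first
# .exe/.dll/... that is followed by whitespace, a comma or end of line.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|scr|bat|cmd))"?(?=[\s,]|$)', re.IGNORECASE)
O4_REG_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O2O3_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.+?) - \{[^}]+\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def exe_of(cmd: str) -> str:
    """Pull the executable out of an autorun command line, quoted or not."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    return cmd.split()[0] if cmd else ""


def triage(log: str, watch=WATCH_NAMES):
    """Return (rule, entry_name, target) triples for lines that deserve a manual look."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        hit = any(w in line.lower() for w in watch)
        m = O4_REG_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            exe = exe_of(m.group("cmd"))
            if hit:
                findings.append(("watchlist", m.group("name"), exe))
            if not ABS_PATH.match(exe):
                # Bare names are resolved via the loader's search order; "?" means
                # HijackThis could not resolve the shortcut target at all.
                findings.append(("no-absolute-path", m.group("name"), exe))
            continue
        m = O2O3_RE.match(line)
        if m:
            if hit:
                findings.append(("watchlist", m.group("name"), m.group("path")))
            continue
        m = O23_RE.match(line)
        if m and (m.group("owner") == "Unknown owner" or "(file missing)" in m.group("path")):
            findings.append(("unverified-service", m.group("name"), m.group("path")))
    return findings


def process_counts(log: str) -> Counter:
    """Count each running-process path, case-folded. Several svchost.exe instances
    are normal on XP, so the count is context for the findings, not a rule by itself."""
    return Counter(l.strip().lower() for l in log.splitlines() if ABS_PATH.match(l.strip()))


if __name__ == "__main__":
    for rule, name, target in triage(SAMPLE_LOG):
        print(f"{rule:<20} {name:<40} {target}")
    for path, n in process_counts(SAMPLE_LOG).items():
        if n > 1:
            print(f"running {n}x: {path}")
```

Running it on the full log above would add the remaining entries to review; the point of the script is to shrink a 100-line log to the handful of lines worth checking against the file on disk, its publisher and its signature before deciding what to remove.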