3 replies to this topic

[citbulldog08]

So I have no idea how to get rid of the virus heat alert icon in the lower left portion of my screen next to the clock!! Someone please advise how to do get rid of it!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:16, on 2008-04-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\java.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {1BB2AB9A-E0B0-4BE9-926F-77B6B0E40CB2} - (no file)
O2 - BHO: (no name) - {27CC883D-E490-445B-A270-CE1306F7922B} - (no file)
O2 - BHO: (no name) - {307DFCF1-BCC0-4357-869C-F4DFB2C5F9D7} - (no file)
O2 - BHO: (no name) - {58FDAECF-C2D6-4AE6-9A10-FC0E0E155969} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {8019D493-5E0E-4AC9-B081-B4A6D6FDDC79} - (no file)
O2 - BHO: (no name) - {8A58892C-36DB-42BD-9130-628652F30EBE} - (no file)
O2 - BHO: (no name) - {9F95FF13-2A88-4FD4-8CF2-19494513E2FD} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: mxlact - C:\WINDOWS\Cursors\mxlact.dll (file missing)
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\system32\zfaiqwr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6938 bytes

StartupList report, 2008-04-28, 23:33:45
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16640)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\java.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint\Apoint.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SonyPowerCfg = C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
HKSERV.EXE = C:\Program Files\Sony\HotKey Utility\HKserv.exe
VAIO Recovery = C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
mcagent_exe = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
SiteAdvisor = C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
RamBooster = C:\Program Files\RamBooster 2.0\Rambooster.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\USARMY~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
(no name) - (no file) - {1BB2AB9A-E0B0-4BE9-926F-77B6B0E40CB2}
(no name) - (no file) - {27CC883D-E490-445B-A270-CE1306F7922B}
(no name) - (no file) - {307DFCF1-BCC0-4357-869C-F4DFB2C5F9D7}
(no name) - (no file) - {58FDAECF-C2D6-4AE6-9A10-FC0E0E155969}
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - (no file) - {8019D493-5E0E-4AC9-B081-B4A6D6FDDC79}
(no name) - (no file) - {8A58892C-36DB-42BD-9130-628652F30EBE}
(no name) - (no file) - {9F95FF13-2A88-4FD4-8CF2-19494513E2FD}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=58813

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....k/?linkid=39204

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\Owner\Cookies\index.dat||C:\DOCUME~1\Owner\LOCALS~1\History\History.IE5\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 6,415 bytes
Report generated in 0.040 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[silver]

Hi citbulldog08,

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:

cmd /c dir "c:\mxlact.*" /a /s >> "%userprofile%\desktop\look.txt" & notepad "%userprofile%\desktop\look.txt"

A black box will open and a file will appear on your Desktop called look.txt.
Please wait for look.txt to open in Notepad automatically.
Post the contents of look.txt in your next response.

------------------------------------------------------------------------

Download SmitfraudFix (by S!Ri) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save):
http://siri.urz.free...mitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

IMPORTANT: Do NOT run any other options until you are asked to do so!

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C: ), and launch from there.

Note: process.exe is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Further info is available here.

------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
• Make sure Format->Word Wrap is unchecked
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

------------------------------------------------------------------------

Once complete, please post the look.txt output, the SmitfraudFix report and both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.

[silver]

Do you still need help with your machine? If the instructions are unclear or something isn't working, please let me know before proceeding.

[silver]

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log