McAfee False Alarm?

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

McAfee False Alarm?, Real virus or a false alarm?

Options

schlitters View Member Profile	Aug 2 2005, 01:06 PM Post #1
New Member Posts: 5 OS: XP	McAfee Viruscan tells me I have the New Win32 virus in Winows\System32\winlogon.exe which cannot be removed. I performed a DOS scan and it came up empty. I've run the recommended software and no one else is picking up this virus. Viruscan also picked up the New Malware.j trojan but no one else is picking this up, including TrojanHunter. The trojan report disappears if I turn off heuristic scanning. I also have an annoying red (!) in my taskbar which brings up a website for PSGuard. I found this folder and deleted it. It regularly brings up a window which tells me my computer is infected. I'm using Windows XP sp1 Here's my HijackThis log: Logfile of HijackThis v1.99.1 Scan saved at 2:52:18 PM, on 8/2/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\WINDOWS\System32\ezSP_Px.exe C:\program files\support.com\client\bin\tgcmd.exe C:\WINDOWS\System32\ICO.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Apoint\Apntex.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE C:\WINDOWS\System32\intell32.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\Program Files\America Online 9.0\aoltray.exe C:\Program Files\PowerPanel\Program\PcfMgr.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\ewido\security suite\ewidoctrl.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\WINDOWS\explorer.exe C:\Program Files\America Online 9.0\waol.exe C:\Program Files\America Online 9.0\shellmon.exe C:\Program Files\America Online 9.0\aolwbspd.exe C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe C:\WINDOWS\System32\WISPTIS.EXE C:\Program Files\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WriteFileware Class - {33E8230A-AFA8-4db4-8684-CBA061C98D1E} - C:\WINDOWS\System32\rwl.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: (no name) - {CC2FC83E-6931-456F-A87F-1A777C7C1D87} - blank (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400" O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PowerPanel.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {0AF17935-F3D3-384D-7A67-2F153DA40C41} - http://69.50.182.94/1/gdnUS1089.exe O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://69.50.182.86/file/hhctrl.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...81/mcinsctl.cab O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab O16 - DPF: {6331EEAC-D8FE-69E0-0F37-4601144B080F} - http://69.50.182.94/1/gdnUS1089.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122998785114 O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,19/mcgdmgr.cab O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://www.content-loader.com/load/ccaccess.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{64BA3BE8-D7D1-4AD6-A4AA-D42A897040DF}: NameServer = 205.188.146.145 O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Any help will be appreciated. Attached File(s) log1.txt ( 12.15K ) Number of downloads: 15

g2i2r4 View Member Profile	Aug 2 2005, 03:59 PM Post #2
retired HiJack Helper Posts: 5,080 From: The Netherlands, Europe OS: XP Home, XP Pro, Vista Home	Welcome schlitters to Geeks to Go! Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later. Be sure to follow ALL instructions! Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop. * Place a shortcut to Panda ActiveScan on your desktop. * Please download the trial version of ewido security suite. Install ewido security suite When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido, there should be an icon on your desktop double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed. Once the updates are installed, close Ewido for now. * If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06. Check Here on how setup and use it - please make sure you update it first. * Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Select the first option, to run Windows in Safe Mode. For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml * Open HijackThis Place a check against each of the following, making sure you get them all and not any others by mistake: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R3 - Default URLSearchHook is missing O2 - BHO: WriteFileware Class - {33E8230A-AFA8-4db4-8684-CBA061C98D1E} - C:\WINDOWS\System32\rwl.dll O2 - BHO: (no name) - {CC2FC83E-6931-456F-A87F-1A777C7C1D87} - blank (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe O16 - DPF: {0AF17935-F3D3-384D-7A67-2F153DA40C41} - http://69.50.182.94/1/gdnUS1089.exe O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://69.50.182.86/file/hhctrl.ocx O16 - DPF: {6331EEAC-D8FE-69E0-0F37-4601144B080F} - http://69.50.182.94/1/gdnUS1089.exe O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://www.content-loader.com/load/ccaccess.cab Close all programs leaving only HijackThis running. Click on Fix Checked when finished and exit HijackThis. * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Post me the contents of the smitfiles.txt log as you post back. * Open Ad-aware and do a full scan. Remove all it finds. * Now open Ewido Security Suite: * Click on scanner * Click Complete System Scan and the scan will begin. * During the scan it will prompt you to clean files, click OK * When the scan is finished, look at the bottom of the screen and click the Save report button. * Save the report to your desktop Reboot your computer. * Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. * Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

schlitters View Member Profile	Aug 3 2005, 12:50 PM Post #3
New Member Posts: 5 OS: XP	OK, did all that and removed the red (!) myself. McAfee now tells me that the winlogon.exe is infected with the Spy-Agent.n trojan and cannot be cleaned. Some program must be looking for hhcrtl.ocx because I'm getting an error message that the file cannot be found. This error seems to pop up when I access the internet. Here are the requested logs. --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 11:33:11 AM, 8/3/2005 + Report-Checksum: 170062F5 + Scan result: C:\Documents and Settings\DAVID\Cookies\david@sento.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup ::Report End smitRem log file version 2.3 by noahdfear The current date is: Wed 08/03/2005 The current time is: 13:46:30.21 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run Files Present ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Post-run Files Present ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Wininet.dll ~~~ CLEAN! Logfile of HijackThis v1.99.1 Scan saved at 2:04:03 PM, on 8/3/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\ewido\security suite\ewidoctrl.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\program files\support.com\client\bin\tgcmd.exe C:\WINDOWS\System32\ICO.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\America Online 9.0\aoltray.exe C:\Program Files\PowerPanel\Program\PcfMgr.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe C:\Program Files\Microsoft Games\Age of Empires II\empires2.exe C:\Program Files\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400" O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PowerPanel.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...81/mcinsctl.cab O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122998785114 O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,19/mcgdmgr.cab O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Thanks for the Help!

g2i2r4 View Member Profile	Aug 3 2005, 03:07 PM Post #4
retired HiJack Helper Posts: 5,080 From: The Netherlands, Europe OS: XP Home, XP Pro, Vista Home	The hhcrtl.oxc belongs to Visual Studio Service Pack. See if you can update either Microsoft or DirectX. Can you show me the panda log, I'd like to see what it found. Does McAfee tell you more that just that?

schlitters View Member Profile	Aug 4 2005, 10:36 AM Post #5
New Member Posts: 5 OS: XP	Activescan (Panda) Report Incident Status Location Virus:Bck/AutoProxy.A Disinfected Operating system Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM\SVCHOST.EXE Dialer:dialer.xd No disinfected C:\WINDOWS\switchagreement.txt Virus:Bck/AutoProxy.A Disinfected C:\Documents and Settings\DAVID\Local Settings\Temp\2DC.tmp Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied_s7_c_28.exe] Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied.inf] Adware:Adware/ISearch No disinfected C:\Program Files\hijackthis\backups\backup-20050803-104720-747.inf Dialer:Dialer.ZE No disinfected C:\Program Files\hijackthis\backups\backup-20050803-104720-771.inf Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe Dialer:Dialer.Gen No disinfected C:\WINDOWS\switchagreement.txt Virus:Bck/AutoProxy.A Disinfected C:\WINDOWS\system\SVCHOST.EXE Virus:Trj/Downloader.DTD Disinfected C:\WINDOWS\system32\mshlp.exe Dialer:Dialer.BZG No disinfected C:\WINDOWS\system32\mskav.exe McAfee pop-up window says: "The file C:\WINDOWS\system32\winlogon.exe is infectd by the Spy-Agent.n trojan and cannot be cleaned." Thanks!

g2i2r4 View Member Profile	Aug 4 2005, 02:07 PM Post #6
retired HiJack Helper Posts: 5,080 From: The Netherlands, Europe OS: XP Home, XP Pro, Vista Home	Download the Killbox. Unzip it to the desktop Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each C:\eied_s7.cab C:\WINDOWS\switchagreement.txt C:\WINDOWS\system32\mskav.exe For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes. If your computer does not restart automatically, please restart it manually. * I need you to download MWav** This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav, put a check next to below items before scanning: Memory Startup Folders Drive - All Local Drives Folder - then click "browse" to change the directory to C: (default is C:\Windows) Registry System Folders Services Include Sub-Directory Scan All Files Please make sure ALL of these are checked, then press the scan button. This typically will take hours to complete. NOTE Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete. Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log will be extremely BIG so there is no way to copy the whole thing. I just need the infected items list.**

schlitters View Member Profile	Aug 5 2005, 12:55 PM Post #7
New Member Posts: 5 OS: XP	OK I ran Killbox, rebooted, and running MWav now. I'll post the virus log when finished. In the mean time, any ideas on how I find and reinstall the missing HHCTRL.OCX file? I get periodic popups saying its missing.

g2i2r4 View Member Profile	Aug 5 2005, 02:05 PM Post #8
retired HiJack Helper Posts: 5,080 From: The Netherlands, Europe OS: XP Home, XP Pro, Vista Home	The file could be either missing or corrupt. Go to start - run copy and paste the purple text: sfc /scannow press OK. Follow the prompts. Reboot after that and let me know the outcome.

schlitters View Member Profile	Aug 9 2005, 08:39 AM Post #9
New Member Posts: 5 OS: XP	Ran MWAV (9+ hours!). Virus log below. Ran scannow & rebooted. No error message, no change. something is still looking for HHCTRL.OCX. Log: Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken. *Various errors like the folowing: Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\ccaccess.dll". Action Taken: No Action Taken. File C:\WINDOWS\System32\mskav.exe infected by "Trojan.Win32.Dialer.kc" Virus! Action Taken: No Action Taken. File C:\Program Files\hijackthis\log file 8-2-05.txt infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken. File C:\Program Files\hijackthis\log1.txt infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP1\A0000218.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP1\A0000287.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken. File C:\Program Files\hijackthis\log file 8-2-05.txt infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken. File C:\Program Files\hijackthis\log1.txt infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP1\A0000218.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP1\A0000287.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP2\A0000612.exe infected by "Trojan.Win32.Dialer.kc" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP3\A0000643.exe infected by "Trojan.Win32.Dialer.kc" Virus! Action Taken: No Action Taken. File C:\System Volume Information\_restore{C7510B55-FE00-40B4-A936-3EBED665CF58}\RP3\A0000660.exe infected by "Trojan.Win32.Dialer.kc" Virus! Action Taken: No Action Taken. [B]File C:\WINDOWS\system32\dllcache\winlogon.exe infected by "Type_Win32" Virus! Action Taken: No Action Taken. File C:\WINDOWS\system32\winlogon.exe infected by "Type_Win32" Virus! Action Taken: No Action Taken. * It looks like MWAV is detecting the same virus in the winlogon.exe file. ***

g2i2r4 View Member Profile	Aug 9 2005, 12:50 PM Post #10
retired HiJack Helper Posts: 5,080 From: The Netherlands, Europe OS: XP Home, XP Pro, Vista Home	Please go to this page: http://www.microsoft.com/technet/security/...026.mspx#EEAUAA Apply the update. This should help on the HHCTRL.OCX. I'll have a look at the winlogon issue. [edit] Our expert Metallica gave me this tip This post has been edited by g2i2r4: Aug 10 2005, 07:29 AM

g2i2r4

Aug 9 2005, 01:20 PM

Post