PC Review


Best place for hijackthis logs?

 
 
Tim Downie
3rd Jun 2005
My sister got cut off by her ISP yesterday for supposedly having a virus
infected PC.

A virus scan (AVG) with the latest update didn't show up anything on her
desktop and AVAST on her laptop also failed to find anything.

She *does* have some malware though. She got extra toolbars and undeletable
icons on her desktop and I'm pretty sure it's LOP (or one of its variants).

I'm not sure if this would cause enough traffic to get her blocked by her
ISP though.

Apart from AVG, we've also run MS anti-spyware which temporarily got rid of
the toolbars etc, but only until the next reboot.

I've run hijackthis but I'll freely admit that I'm getting a little out of
my depth here. What's worrying us is that we haven't found any viruses but
we've been told that if it happens again, she'll be blocked for good by her
ISP.

I've pasted the log below and to the Tomcoyote forum but it looks so high
traffic I don't hold out too much hope of getting a response there (maybe
I'm being unduly pessimistic).

TIA for any help anyone can offer.

Tim


Logfile of HijackThis v1.99.1
Scan saved at 15:27:41, on 03/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Sue Downie\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk =
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client -
http://backpack.webmaster.com/backpack/cr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) -
https://remote.barnardos.org.uk/dana...terisSetup.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX
Control) -
http://thesims.ea.com/teleport/unlea...edLotTeleX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) -
http://plugin.euro-infomedia.com/mpv0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. -
C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - -
C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Service
3rd Jun 2005
Tim Downie wrote:
> < original post and HJT log snipped >

Use EMCO Malware bouncer. It will find and remove in about 20 seconds.

Http://www.Searchingsecure.com
Free anonymous search engine, list your site free

David H. Lipman
3rd Jun 2005
From: "Service" <(E-Mail Removed)>


| Use EMCO Malware bouncer. It will find and remove in about 20 seconds.
|
| Http://www.Searchingsecure.com
| Free anonymous search engine, list your site free

EMCO Malware bouncer is listed on Spyware Warrior !

http://www.spywarewarrior.com/rogue_anti-spyware.htm

"prone to false positives; poor scan reporting [A: 12-23-04 / U: 12-23-04]"

Thus it should NOT be used.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
3rd Jun 2005
From: "Tim Downie" <(E-Mail Removed)>

| < original post snipped >

< HJT Log Snipped >

Well, this is NOT one of them. However, on a quick glance through the log I found...

O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\newdot~1.dll,NewDotNetStartup -s
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.06)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu, choose [1] so you can boot into Safe Mode.

4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm

5) Reboot your PC into Safe Mode and shutdown as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).

9) Reboot your PC.

10) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *





--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
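
A triage helper written for this thread as an added example (it is not HijackThis code and not one of Dave's tools): it re-joins the entry lines the newsreader wrapped at 76 columns, splits the log into its sections, and flags the kinds of entry Dave pointed at. The section codes O4/O16/O23 are HijackThis's own; the sample log is a constructed excerpt built from entry types in the thread, and the heuristics and function names are mine.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis
code and not one of Dave's tools).  It re-joins entry lines wrapped by a
newsreader, splits the log into sections, and flags three things worth a
closer look: O4 Run entries that start through rundll32, O16 DPF controls
fetched over plain http, and O23 services with no publisher."""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # "O4 - ...", "O16 - ..."

# Constructed sample in HijackThis format, built from the entry types in
# the thread; two entries are wrapped onto a second line as in the post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
http://www.ipix.com/download/ipixx.cab
O23 - Service: SmartLinkService (SLService) - -
C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

@dataclass
class Entry:
    kind: str   # section code such as "O4", "O16", "O23"
    text: str   # entry body with any wrapped continuation re-joined

def parse_log(text: str) -> tuple[list[str], list[Entry]]:
    """Split a HijackThis log into (running processes, O-entries)."""
    processes: list[str] = []
    entries: list[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
        elif entries:
            # No "Oxx - " prefix: the newsreader wrapped the previous
            # entry, so glue this fragment back onto it.
            entries[-1].text += " " + line
    return processes, entries

def reason_to_look(entry: Entry) -> str | None:
    """Why this entry deserves a closer look (a prompt, not a verdict)."""
    if entry.kind == "O4" and re.search(r"\brundll32\b", entry.text, re.I):
        return "startup entry loads a DLL through rundll32; confirm the DLL's origin"
    if entry.kind == "O16" and re.search(r"\bhttp://", entry.text, re.I):
        return "ActiveX control fetched over plain http; no integrity guarantee"
    # O23 format is "Service: Name (Short) - Publisher - Path";
    # an empty publisher shows up as ") - - ".
    if entry.kind == "O23" and re.search(r"\)\s+-\s+-\s+", entry.text):
        return "service registered with no publisher name"
    return None

def review(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for every flagged entry, in log order."""
    flagged: list[tuple[Entry, str]] = []
    for entry in entries:
        reason = reason_to_look(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged

if __name__ == "__main__":
    procs, found = parse_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(found)} entries")
    for entry, why in review(found):
        print(f"{entry.kind}: {why}\n    {entry.text}")
```

On the sample it flags the New.net rundll32 entry, the http-fetched iPIX control and the publisher-less SmartLinkService, and leaves the AVG entries alone; anything flagged still needs a human to check the file, as Dave's instructions do.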

rocketranger@neverland.com
3rd Jun 2005
Register at the Castlecops forum and post your story there. There are
people over there who know all there is to know about HJT logs.

Registration is free anyway and it's far more secure to take advice
from the experts on this than to go "experimenting" by yourself.

HJT is not an easy program for the novice. In fact, it isn't meant
for the novice at all.


http://castlecops.com/forums.html






On Fri, 3 Jun 2005 17:48:30 +0100, "Tim Downie"
<(E-Mail Removed)> wrote:

> < original post and HJT log snipped >

Tim Downie
3rd Jun 2005
David H. Lipman wrote:
> * * * Please report back your results * * *


Thanks David, a lot of useful stuff.

HOWEVER, I'm 40 miles away from the computer at present so I can't do it
right now.

One thing I'd like to do is somehow limit my sister's computer to a
"download only" mode while we sort things out as I really don't want to risk
getting her booted off her ISP for good. Is there an easy way to do this?

It connects through a router/modem with built in hardware firewall.

Tim

siljaline
3rd Jun 2005
"Tim Downie" wrote:
> < original post snipped >

< log file snipped>

You may submit your HijackThis log files to any of the below Forums for
expert analysis.
*Note that all Forums _require_ Registration prior to posting*

(http://aumha.net/viewforum.php?f=30)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://castlecops.com/forum67.html)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://www.spywarewarrior.com/viewforum.php?f=2)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://www.wilderssecurity.com/forumdisplay.php?f=24)
(http://boards.cexx.org/viewforum.php?f=1)
(http://www.malwarebytes.biz/forums/i...hp?showforum=5)
(http://forum.gladiator-antivirus.com/index.php)
(http://www.dslreports.com/forum/security)

Silj

--
siljaline


Service
3rd Jun 2005
David H. Lipman wrote:
> From: "Service" <(E-Mail Removed)>
>
>
> | Use EMCO Malware bouncer. It will find and remove in about 20 seconds.
> |
> | Http://www.Searchingsecure.com
> | Free anonymous search engine, list your site free
>
> EMCO Malware bouncer is listed on Spyware Warrior !
>
> http://www.spywarewarrior.com/rogue_anti-spyware.htm
>
> "prone to false positives; poor scan reporting [A: 12-23-04 / U: 12-23-04]"
>
> Thus it should NOT be used.
>

Thanks for the heads up! I've used it and had good luck...


Http://www.Searchingsecure.com

David H. Lipman
4th Jun 2005
From: "Service" <(E-Mail Removed)>


| Thanks for the heads up! I've used it and had good luck...
|
| Http://www.Searchingsecure.com

You haven't compared it to others. Neither have I. However, I have learned to trust the
findings of Spyware Warrior.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

war59312@gmail.com
4th Jun 2005
Sure, I recommend you use Net Limiter and limit upload bandwidth.

I also recommend you install Process Guard and don't let anything run
that you do not trust.
