
Thread: Need help removing cmdService

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Need help removing cmdService

    Hello,

    SpyBot S&D detects cmdService, but says it can't remove it, perhaps because it's in use. It asks whether it can run again on my next restart, and I say OK and restart. On restart, it goes through the search again, locates the file but still can't remove it.

    Here is my HiJackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:56:45 PM, on 12/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\aupdate.exe
    C:\WINDOWS\qacvwgb.exe
    C:\WINDOWS\z00098.exe
    C:\windows\system32\rldsregl.exe
    C:\WINDOWS\poklozeA.exe
    C:\WINDOWS\SYS99.exe
    C:\WINDOWS\win3208424-2071813.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\System32\r?gsvr32.exe
    C:\Program Files\rdso\eetu.exe
    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Marguerite\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R3 - URLSearchHook: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
    O2 - BHO: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\System32\aupdate.exe
    O4 - HKLM\..\Run: [qacvwgb] C:\WINDOWS\qacvwgb.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\kwinmsaw.exe CORN001
    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe
    O4 - HKLM\..\Run: [{2A-A2-2D-D0-ZN}] C:\windows\system32\rldsregl.exe CORN001
    O4 - HKLM\..\Run: [poklozeA] C:\WINDOWS\poklozeA.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
    O4 - HKLM\..\Run: [win3208424-2071813] C:\WINDOWS\win3208424-2071813.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Zwh] C:\WINDOWS\System32\r?gsvr32.exe
    O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinmsaw.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135030712048
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135030670568
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - AppInit_DLLs: bnelggdh.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    Thanks!

    Mike Holmes

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    cmdservice seems to be a false positive in spybot. you have quite a few other nasties to get rid of.

    first thing is to go get ewido security, install, update, but don't scan with it yet.
    while you're out there also check for updates for spybot and your AV. then we will use hjt and boot into safe mode

    ewido:
    1. Download Ewido and install
    Ewido Security Suite. It is a free trial version of the program:

    http://www.ewido.net/en/download/

    2. Install ewido security suite
    3. Launch ewido, there should be an icon on your desktop double-click it.
    4. The program will now go to the main screen

    You will need to update ewido to the latest definition files.

    1. On the left hand side of the main screen click update
    2. Then click on Start Update

    The update will start and a progress bar will show the updates being installed.
    ---------------------------------------
    next run hjt:

    scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

    R3 - URLSearchHook: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll

    O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll

    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll

    O2 - BHO: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\System32\aupdate.exe

    O4 - HKLM\..\Run: [qacvwgb] C:\WINDOWS\qacvwgb.exe

    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\kwinmsaw.exe CORN001

    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe

    O4 - HKLM\..\Run: [{2A-A2-2D-D0-ZN}] C:\windows\system32\rldsregl.exe CORN001

    O4 - HKLM\..\Run: [poklozeA] C:\WINDOWS\poklozeA.exe

    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe

    O4 - HKLM\..\Run: [win3208424-2071813] C:\WINDOWS\win3208424-2071813.exe

    O4 - HKCU\..\Run: [Zwh] C:\WINDOWS\System32\r?gsvr32.exe

    O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv

    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinmsaw.exe

    O20 - AppInit_DLLs: bnelggdh.dll
    -------------------------------------------
    now restart computer into SAFE MODE. you reach safe mode by tapping the f8 key during reboot. choose the first option, SAFE MODE.

    once in safe mode run ewido, spybot and your antivirus app

    ewido:
    launch ewido:
    1. Click on scanner
    2. Click on Complete System Scan and the scan will begin.
    3. NOTE: During some scans with ewido it is finding cases of false positives.
    o You will need to step through the process of cleaning files one-by-one.
    o If ewido detects a file you KNOW to be legitimate, select none as the action.
    o DO NOT select "Perform action on all infections"
    o If you are unsure of any entry found select none for now.
    4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    5. Click Save report.
    6. Save the report .txt file to your desktop.

    Now close ewido security suite.
    ------------------------------------
    also in safe mode do this;

    Click Start>Run then type %temp%
    Hit OK. Delete all the files you can.

    Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    ---------------------------------------------
    reboot normally, rescan and post a new hjt log as well as the saved ewido log......shelf life

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    0


    shelf life,

    Thanks for your help! I did as you suggested -- it took a while, but hopefully it will be worth it.

    I am attaching the HJT and ewido log files. Thanks again!

    Mike Holmes

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    attached logs for easier viewing

    Logfile of HijackThis v1.99.1
    Scan saved at 11:12:08 PM, on 12/27/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\Documents and Settings\Marguerite\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll (file missing)
    O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\sfi2.dll (file missing)
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [omf] C:\WINDOWS\omf.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135030712048
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135030670568
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O18 - Filter: text/html - (no CLSID) - (no file)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:50:24 PM, 12/27/2005
    + Report-Checksum: FBF93033

    + Scan result:

    HKLM\SOFTWARE\Classes\drs.n -> Adware.Searchforit : Cleaned with backup
    HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S -> Adware.Searchforit : Cleaned with backup
    HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S\dp -> Adware.Searchforit : Cleaned with backup
    HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S\dp\sfitb -> Adware.Searchforit : Cleaned with backup
    HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S\dp\sfitb\145 -> Adware.Searchforit : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@adopt.specificclick[3].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@entrepreneur.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@reduxads.valuead[2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Marguerite\Cookies\marguerite@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Marguerite\Local Settings\Temp\99_app99.exe -> Dropper.Agent.xw : Cleaned with backup
    C:\Documents and Settings\Marguerite\Local Settings\Temp\adwsetup_upd.exe -> Dropper.Agent.abb : Cleaned with backup
    C:\Documents and Settings\Marguerite\Local Settings\Temp\btnetw3.exe -> Not-A-Virus.Hoax.Win32.SpyWare.b : Cleaned with backup
    C:\Documents and Settings\Marguerite\Local Settings\Temp\i9.tmp -> Spyware.SurfSide : Cleaned with backup
    C:\Documents and Settings\Marguerite\Local Settings\Temporary Internet Files\Content.IE5\HPC2K3H3\omf[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\Documents and Settings\Marguerite\Local Settings\Temporary Internet Files\Content.IE5\R2BZK346\mm[2].js -> Spyware.Chitika : Cleaned with backup
    C:\Documents and Settings\Michael\Cookies\michael@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wjkocnajoeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Michael\Cookies\michael@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Michael\Local Settings\Temp\i46.tmp -> Spyware.SurfSide : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016905.exe -> Spyware.VirtualBouncer : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016909.dll -> Spyware.CASClient : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0017030.dll -> Hijacker.Small.jf : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0017067.exe -> Adware.EZula : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017110.exe -> Downloader.VB.hw : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017113.exe -> Adware.CASClient : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017117.exe -> Adware.EZula : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017118.exe -> Dropper.Small.qn : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017119.exe -> Spyware.VirtualBouncer : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017426.exe -> Adware.EZula : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017435.exe -> Dropper.VB.kk : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017471.exe -> Downloader.VB.nw : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017522.exe -> Downloader.Adload.k : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017528.exe -> Downloader.Adload.k : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017562.exe -> Downloader.Dyfuca.EI : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017647.exe -> Downloader.Dyfuca.EI : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017729.dll -> Adware.SurfSide : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP51\A0018067.exe -> Spyware.VirtualBouncer : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP60\A0018417.exe -> Downloader.VB.nw : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP60\A0018418.exe -> Adware.CASClient : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP60\A0018419.exe -> Dropper.Small.qn : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP62\A0018557.exe -> Spyware.ZenoSearch : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP62\A0018558.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP62\A0018562.exe -> Downloader.VB.hj : Cleaned with backup
    C:\WINDOWS\gcdxamf.exe -> Dropper.Agent.mu : Cleaned with backup
    C:\WINDOWS\pf79.exe -> Downloader.Dyfuca.EI : Cleaned with backup
    C:\WINDOWS\SYSTEM32\aupdate.exe -> Downloader.Adload.k : Cleaned with backup
    C:\WINDOWS\SYSTEM32\b2search.exe -> Adware.EZula : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Spyware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\SYSTEM32\fran-hot.exe -> Adware.EZula : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sate.exe -> Downloader.IstBar : Cleaned with backup
    C:\WINDOWS\SYSTEM32\zdinst_CORN001.exe -> Spyware.ZenoSearch : Cleaned with backup

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi MichaelHolmes,

    good. looking better. few more to go. same thing. we will use hjt, boot into safe mode and run ewido, spybot and your antivirus again. check for updates to them first.

    scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar

    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll (file missing)

    O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca2.dll

    O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\sfi2.dll (file missing)

    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [omf] C:\WINDOWS\omf.exe

    O18 - Filter: text/html - (no CLSID) - (no file)
    --------------------------------------------
    reboot into safe mode by tapping the f8 key during restart. choose the first, SAFE MODE option. run ewido etc. in safe mode.

    also in safe mode go to start>settings>control panel>click the internet options icon> under the program tab click on reset web settings
    --------------------------------------------
    reboot computer normally, rescan and post a new hjt log.........

  6. #6
    Junior Member
    Join Date
    Dec 2005
    Posts
    0


    Hi shelf life,

    I ran through the process that you described. Here is the new HJT log.

    Thanks!

    Mike

    Logfile of HijackThis v1.99.1
    Scan saved at 10:02:35 PM, on 12/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Marguerite\Desktop\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135030712048
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135030670568
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi MichaelHolmes,

    last log looks good to me. if everything's good on that end I leave you with this:

    All it takes is a few changes:


    Make sure you keep your Windows OS current by visiting Windows update occasionally to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    Also download, install and keep updated antivirus software (and use only one):
    Free for home users:
    avast! 4 Home Edition Download
    AVG free version 7.0
    AntiVir Personal Edition

    Adjust your browser settings: Change your ActiveX settings in IE. With IE open go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option "Download signed ActiveX controls" to Prompt, the next two to Disable. Read more:
    Internet Explorer Privacy & Security Settings
    Working with Internet Explorer 6 Security
    Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser,
    like Firefox,
    and Pegasus Mail for safer e-mail, no tweaking needed.

    Outlook Express with the default settings is not secure. It will run scripts, download images etc., just like a browser.
    look here
    and here


    Install a firewall. A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when an application tries to connect to the internet from your computer; this is a good way to catch crapware or trojans trying to connect outbound from your computer: what's that and why does it need an internet connection? You can deny it access until more investigation is done. Zone Alarm is a free and easy to use firewall that will provide in- and outbound protection. Microsoft XP firewall only provides inbound protection. SP2 adds in- and outbound protection, which is better than nothing, but is not as robust as third party firewalls. Be sure to run only >one< firewall. If you use another, be sure to disable XP's built in firewall. If you use Zone Alarm learn what needs/uses your internet connection. If something unusual or out of the ordinary "asks", deny it access until more investigation is done.
    Zone Alarm
    Kerio Personal Firewall
    Outpost Firewall
    Sygate Personal Firewall
    Tiny Firewall
    BlackIce



    Download one or two of these, install and update before using (if these are constantly finding malware, then you need to make changes to your browser and/or your habits):
    CounterSpy Free trial version
    Spybot Search and destroy
    Ad-Aware SE Personal edition
    Microsoft AntiSpyware (beta version)
    Be careful with spyware "removers and scanners": there are many "rogue/suspect" programs that "claim to remove" spyware. Check here first.

    Other programs to consider:
    Process Guard stop events/processes with user intervention
    SpywareBlaster add security to IE
    IE-SPYAD adds adware peddlers sites/domains to IE restricted zone
    CleanUp cleans out temps, history, autoforms etc.

    AntiTrojan software to fill in the gap:
    a2 free
    Ewido Security Suite
    Trojan Hunter (30 day trial version)
    TDS-3 trial version discontinued as of 07/05
    Tauscan trial version


    Learn More:
    Browser Checkup
    Parasite Free
    Safe Hex
    Shelf Life's site
    Home Computer Security
    Wilders Security Advisors

    Watch what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the maker's website and learn more about the program. Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits? Read the EULA agreement, you know, that paragraph of stuff you "agree to" before the software installs? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. Do you trust the source?

  8. #8
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Hi shelf life,

    Thanks for all of your help! I have implemented most of the suggestions in your last post, and will continue and get the system in better shape. I've installed the Windows updates, a new browser and Pegasus email so far.

    I'll make a contribution to the forum. You saved us some bucks by enabling me to fix these problems myself!


    Thanks again,

    Mike Holmes

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi MichaelHolmes,

    glad to help. happy safe surfing

  10. #10
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,693

    Default

    As the problem appears to be resolved this topic will be archived.
    If you need it re-opened please pm me or one of the forum mods.

    Glad we could help.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
