
Thread: Please help with removal of BHO - reappear on logon

  1. #31
    Junior Member
    Join Date
    Apr 2006
    Posts
    23

    silent runners part 5

    Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
    Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
    iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
    McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
    McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
    McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
    Motorola Digital Audio Player Manager, MotorolaDAP, "C:\WINDOWS\System32\MotorolaDAP.exe" ["Motorola Inc."]
    Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
    Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
    Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
    Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
    Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
    Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
    Rio MSC Manager, RioMSC, "C:\WINDOWS\System32\RioMSC.exe" ["Digital Networks North America, Inc."]
    Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
    Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
    Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
    SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
    System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
    Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
    Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
    Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
    Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
    Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
    Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
    Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
    Windows Time, w32time, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\w32time.dll" [MS]}
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
    Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
    Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}

    "{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
    -> {HKLM...CLSID} = "Address EditBox"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
    -> {HKLM...CLSID} = "Microsoft AutoComplete"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
    -> {HKLM...CLSID} = "TridentImageExtractor"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
    -> {HKLM...CLSID} = "MRU AutoComplete List"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
    -> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
    -> {HKLM...CLSID} = "Accessible"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
    -> {HKLM...CLSID} = "Track Popup Bar"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" = "Address Bar Parser"
    -> {HKLM...CLSID} = "Address Bar Parser"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
    -> {HKLM...CLSID} = "Microsoft History AutoComplete List"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
    -> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
    -> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
    -> {HKLM...CLSID} = "Shell Band Site Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
    -> {HKLM...CLSID} = "Shell DeskBarApp"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
    -> {HKLM...CLSID} = "Shell DeskBar"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
    -> {HKLM...CLSID} = "Shell Rebar BandSite"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
    -> {HKLM...CLSID} = "User Assist"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
    -> {HKLM...CLSID} = "Global Folder Settings"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
    -> {HKLM...CLSID} = "Favorites Band"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
    -> {HKLM...CLSID} = "Shell Automation Inproc Service"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
    -> {HKLM...CLSID} = "Shell DocObject Viewer"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
    -> {HKLM...CLSID} = "Microsoft Browser Architecture"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
    -> {HKLM...CLSID} = "Internet Shortcut"
    \InProcServer32\(Default) = "shdocvw.dll" [MS]
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
    -> {HKLM...CLSID} = "Microsoft Url History Service"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
    -> {HKLM...CLSID} = "History"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
    -> {HKLM...CLSID} = "Temporary Internet Files"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
    -> {HKLM...CLSID} = "Temporary Internet Files"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
    -> {HKLM...CLSID} = "Microsoft Url Search Hook"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
    -> {HKLM...CLSID} = "IE4 Suite Splash Screen"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
    -> {HKLM...CLSID} = "CDF Extension Copy Hook"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
    -> {HKLM...CLSID} = "ISFBand OC"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
    -> {HKLM...CLSID} = "Search Assistant OC"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
    -> {HKLM...CLSID} = "The Internet"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
    -> {HKLM...CLSID} = (no title provided)


    Keyboard Driver Filters:
    ------------------------

    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = "kbdclass" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
    EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
    Local Port\Driver = "localspl.dll" [MS]
    OLFax Ports\Driver = "OLFMNT40.DLL" [MS]
    PJL Language Monitor\Driver = "pjlmon.dll" [MS]
    Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
    USB Monitor\Driver = "usbmon.dll" [MS]


    -- (total run time: 194 seconds)
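A triage helper for service lines like those in the log above, added here as an example (it is not code from the thread or from Silent Runners): it parses the `Display, Name, "image" [vendor]` and svchost `{"dll" [vendor]}` forms, picks the module that actually carries the code, and lists every entry not tagged [MS]. The sample log is constructed from four lines of this post plus one made-up svchost-hosted service ("Helper Svc") whose DLL carries no vendor data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A Silent Runners "Running Services" line has one of two shapes:
#   Display Name, ServiceName, "image path" [vendor]
#   Display Name, ServiceName, "svchost.exe -k group" {"service dll" [vendor]}
# For svchost-hosted services the {...} DLL is what actually runs, so judge that.
_LINE = re.compile(
    r'^(?P<display>.+?), (?P<name>[^,]+), "(?P<image>[^"]+)"'
    r'(?: \[(?P<vendor>[^\]]*)\])?'
    r'(?: \{"(?P<dll>[^"]+)" \[(?P<dll_vendor>[^\]]*)\]\})?$'
)

@dataclass
class ServiceEntry:
    display: str
    name: str
    module: str   # the executable, or the hosted DLL for svchost services
    vendor: str   # Silent Runners vendor tag of that module; "MS" means Microsoft
    hosted: bool

def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for lines in any other format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    hosted = m.group("dll") is not None
    module = m.group("dll") if hosted else m.group("image")
    tag = m.group("dll_vendor") if hosted else m.group("vendor")
    return ServiceEntry(m.group("display"), m.group("name"), module, (tag or "").strip('"'), hosted)

def review_candidates(log_text: str) -> List[ServiceEntry]:
    """Entries whose executing module is not tagged [MS]. A non-Microsoft DLL
    loaded into svchost.exe is the usual hiding place, so those sort first."""
    entries = [e for e in map(parse_service_line, log_text.splitlines()) if e]
    flagged = [e for e in entries if e.vendor != "MS"]
    return sorted(flagged, key=lambda e: (not e.hosted, e.display.lower()))

# Constructed sample: four lines copied from the log above plus one made-up
# svchost-hosted service ("Helper Svc") whose DLL has no vendor data.
SAMPLE_LOG = r"""
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
Helper Svc, HelperSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\helpersvc.dll" [null data]}
"""
```

Run `review_candidates(SAMPLE_LOG)` to get the three non-Microsoft entries, with the made-up svchost-hosted one listed first; the two McAfee and Apple services are expected on this machine and only the hosted DLL would need a closer look.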

  2. #32
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi chucketti

    Sorry about the delay, mention the problems again please.

  3. #33
    Junior Member
    Join Date
    Apr 2006
    Posts
    23

    Hi,

    That's OK - summertime...

    The problem might not seem very big - but since there are some connection problems happening in my system at the same time, I would like to get rid of all the malware as a part of troubleshooting.
    It's fastclick: a window with the fastclick address usually appears at the closing of the MS Outlook window. Usually, it closes itself quickly, but sometimes remains frozen.

    I run several different antivirus and anti-spyware programs, but this one is still in the system :(

  4. #34
    Expert-Emeritus illukka
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289


    hi

    sorry for the late reply


    when the popup ad happens are there any browser windows open ?
    does it happen often ?
    what kind of ads are there ?

    the SR log didn't show anything, can you answer these questions before we dig deeper
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  5. #35
    Junior Member
    Join Date
    Apr 2006
    Posts
    23


    Hi, illukka

    The popup window always appears quickly after I open and close MS Outlook, even if all browsers are closed (and haven't been opened since reboot).
    It seems attached to MS Outlook.

    I did not know it was there until a couple of times it got frozen for some reason. There are no ads, just an empty window.

    I think maybe I'll leave it on that (you are saying the log is fine) because it seems that Fastclick does nothing in my system at this point (although some malware is obviously present - but it seems harmless maybe due to overall protection of my system.)

    I might have gotten the malware from a German uploading-downloading service rapidshare.de which I regularly use, since the same fastclick (but carrying ads, not empty) showed up in another system (a different location, not connected with the current system).

    Anyway, it's good that you did not see anything ominous - thank you very much for the help.

  6. #36
    Expert-Emeritus illukka
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289


    hi

    i'd like to get to the bottom of this if possible
    so one more scan


    Download GMER from http://www.gmer.net

    Save it somewhere safe & unzip it to desktop

    Double click the gmer.exe to run it and select the rootkit tab, press scan and when it has finished press save and copy the log back here please.

  7. #37
    Junior Member
    Join Date
    Apr 2006
    Posts
    23


    Hi,
    I like that you don't give up

    (I am the same way - but in a different field)

    I only got a very short log - not sure that's what we need.
    I ran gmer as you instructed: rootkit - scan, but there was no "save" option, only "copy", which I did and came to this text:

    GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-06-24 11:12:09
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.10 ----

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_DEVICE_CONTROL [EFC08116] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_DEVICE_CONTROL [EFC08116] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_DEVICE_CONTROL [EFC08116] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_DEVICE_CONTROL [EFC08116] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_DEVICE_CONTROL [EFC08116] tfsnifs.sys
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [EFC08253] tfsnifs.sys

    ---- EOF - GMER 1.0.10 ----

    Instructions on the Gmer site also say to use "copy"...

  8. #38
    Expert-Emeritus illukka
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289


    hi

    is your machine a dell by chance?
    this driver seems to be associated with dell hardware

    i can't find anything there, i will ask someone else to take a look.

  9. #39
    Junior Member
    Join Date
    Apr 2006
    Posts
    23


    Ya, it's a Dell laptop.
    I think there is some dead window attached to my MS Outlook.
    It does not seem to do any harm at this point.

    Thanks a lot for your help!

  10. #40
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    I'm glad we could help.
    Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
    If you should need to post another log for the same PC, let one of us know via a PM (personal message).
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
