Thread: rad.msn.com, view.adtmt.com, www.casalamedia.com

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    3

    rad.msn.com, view.adtmt.com, www.casalamedia.com

    I've tried a bit of everything. I've run spybot, cleansweeper, adaware (now removed), ewido, & McAfee all in safe mode. Also, I've set all 3rd party cookies to be blocked & 1st party cookies to be prompted.

    I'll think I'm in the clear & as soon as I add in a yahoo or hotmail cookie to try and login, I'll get the rad.msn.com or view.adtmt.com sites can't be found message. Anything that can be discovered from my log would be great. Also, I'll be unable to address this until after 5 pm CST, so please don't think I'm not taking action.

    http://rad.msn.com/ADSAdClient31.dll%3FGetAd
    http://as.casalemedia.com/s%3Fs

    Here is my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:46:21 PM, on 8/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\PartyGaming\PartyGaming.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0XJMPHNZ\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT4016
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT4016
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/...stempopup=true
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: SpeedUpMyPC.lnk = C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

  2. #2
    Junior Member
    Join Date
    Aug 2006
    Posts
    3

    Also meant to add thanks in advance and for having such a wonderful site in which you're able to help so many people. I've been reading posts today & picking up tips that I'm sure will be valuable when I finally get the kinks worked out of my system.

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Welcome to the forum. If you still need help and are not receiving it elsewhere I will see what I can do. First, I do not see a lot in this log, but I do see this.

    1) You are running HJT from TIF and we will have no backups if needed. Move it here: C:\HJT\HijackThis.exe. If you need more instructions, use these:
    http://russelltexas.com/malware/createhjtfolder.htm
    http://www.bleepingcomputer.com/forums/tutorial94.html

    2) This program: C:\Program Files\PartyGaming\PartyGaming.exe
    Please look at all of the issues at Google from it:
    http://www.google.com/search?sourcei...tyGaming%2Eexe

    3) I see SpySweeper and ewido both running, do you own both or either of these programs? They are both heavy resource wasters and should not be running unless you are paying for them.

    4) I get the same message when I click those links: The page cannot be found. See if anything in this link helps:
    http://www.microsoft.com/windows/IE/.../IEtopten.mspx

    5) I suggest you do this:
    How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    6) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    Start > Control Panel > Add Remove programs and uninstall PartyGaming. Look while there and uninstall any programs you know should not be there. If you are unsure, let me know and I will look.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    (click on these, if you do not use what comes up, check and remove it)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT4016
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT4016
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/...stempopup=true
    (remove these)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program Files\PartyGaming\ <<< delete the folder (might have to do this in safe mode...if the folder is empty, don't concern yourself with it)

    Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Update your ewido program and run a complete system scan, remove what it finds unless you know it is not bad. Save the scan results.

    Post the ewido scan results, a new HJT log and any comments you think will help.

    Thanks...pskelley
    Safer Networking Forums
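
The two checks pskelley applies by eye in post #3 (a process running from Temporary Internet Files, and entries still pointing into a program folder that is being uninstalled), as an added Python example that is not part of the original thread. The function names and the `\temp\` pattern are assumptions, and the sample log is constructed from a few lines in the layout of the log in post #1.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the HijackThis log from post #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\PartyGaming\PartyGaming.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0XJMPHNZ\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/start
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A section code (R0, O4, O23, ...) followed by " - " starts every entry line.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Directories that are emptied by cache cleaners (assumed list).
TRANSIENT_DIRS = ("\\temporary internet files\\", "\\temp\\")

def parse_hjt(text):
    """Split a log into the running-process list and entries grouped by code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first coded entry ends the process list
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def review(text, removed_folders=()):
    """Return (reason, line) notes for the two conditions raised in post #3."""
    processes, entries = parse_hjt(text)
    notes = []
    for proc in processes:
        if any(d in proc.lower() for d in TRANSIENT_DIRS):
            notes.append(("transient-path", proc))
    for code, items in entries.items():
        for item in items:
            if any(f.lower() in item.lower() for f in removed_folders):
                notes.append(("leftover-" + code, item))
    return notes

if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG, [r"C:\Program Files\PartyGaming"]):
        print(reason, "|", line)
```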

  4. #4
    Junior Member
    Join Date
    Aug 2006
    Posts
    3

    After several days of outage, I finally got my machine back up and running. The past week has been brutal. A day or two after I posted this topic I encountered several things as follows:

    1) Upgraded my McAfee suite to 9.0 which shortly thereafter I lost connection with my network.
    2) I discovered that those redirect issues I believe were because ads at places like ESPN, Hotmail, & various other sites couldn't be properly displayed, so it would issue the failed message. Sites with no ads caused me no problems.
    3) I rebuilt my system several times to no avail.
    4) 3 days later I called Gateway who had me unplug my cable modem as it booted and I was able to send/receive network traffic.
    5) Then I tried to reinstall my wireless network which obviously failed, so I had to get the assistance of Linksys.
    6) I finally got everything going, so I was up from midnight until 3 am following the instructions in your "So how did I get infected in the first place?" thread.

    A couple of things I've learned during this mess:
    1) Don't screw around on sites that you have no business being at.
    2) McAfee changing your settings is definitely misleading. I ran SS&D many times seeing that firewall and antivirus disabling notice and thought I had a bug until I finally found a thread on here.

    To answer some questions you had:
    I had downloaded Ewido based on recommendations I saw in other threads, & Spysweeper was pushed on me by BestBuy when I bought my system.

    Currently, I have the following spyware & antivirus protection up & running:
    1) Spysweeper
    2) SpywareBlaster
    3) Spybot Search & Destroy
    4) Windows Defender
    5) SpywareGuard
    6) IE-Spyad
    7) (Had ZoneAlarm) but uninstalled due to having McAfee which wouldn't install virus protection because it thought the free version of ZoneAlarm was running virus protection.
    8) McAfee Security Suite
    9) Java Update 6 -- I believe and no others are installed now

    Based on your recommendations, I may do the following:
    1) Uninstall Spysweeper
    2) Install HJT in the event of future need
    3) Install ATF in the event of future need

    Also, thank you for the information concerning poker applications. I understand why they want to execute a Trojan and monitor keystrokes & applications for collusion, but I still do not agree with it.

    I don't really think I need to post a log at this time as I believe everything is really straightened out. If I have issues, I will post another thread with a log.

    However, I do want to say thanks again for all the hard work you guys do, & I will be making a donation to either your software or your forum. Most likely it will be whichever one I can most easily deposit through.

    Sincerely...sonofbone

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Thanks for the feedback, I'll make a few comments but first be aware I am a volunteer. I am sure the site has expenses and takes donations, but I do this because I want to and hate evil/malware. Now if you post a log or not is up to you, I just can not suggest it is clean without seeing one and often after Smitfraud is gone, other junk lingers that does not have to do with Smitfraud, your call.

    If I agree with you I will not comment.

    1) I use McAfee VSO and I can't believe this new junk they are pushing on people, it had sure better do the job. The whole log is full of McAfee and it has to be a bigger resource waster than Norton NAV/NIS. No way will I ever download all of that junk, I will use free AVG by Grisoft first.

    2) I use Verizon DSL and on occasion I have to unplug the DSL modem and my router, power down the computer then power up the stuff. It is not unusual for the IP setting to be dropped and need to be reset. I would make them go through it in detail and write it down. I rarely have to call tech support for connection issues anymore.
    You said Gateway, they still have tech support? I would think your ISP would provide that help?
    I also have a Linksys router, there is a specific order to turn stuff off and then power it back up. I would ask your ISP and write down that information.

    Programs: I suggest nothing but freeware, and run all of the programs you mention but Windows Defender (still don't trust it even though it is free) and ewido/SpySweeper. I suggest SS and then have it removed after the trial. I suggest ewido and suggest that it be disabled and started manually when needed. It is free then as are the updates. If a user asks about purchasing the software, I leave that up to them.
    Unless you own SS, there is no valid reason to keep it I can think of. HJT uses no resources and stays with me always:
    http://www.bleepingcomputer.com/tuto...utorial42.html <<< look at all it can do.
    ATF-Cleaner is a great freeware tool that uses no resources.

    Keep in mind the online games have to create revenue somewhere. If you must game, I would suggest you do it online or purchase the game (make sure you read the EULA).

    Thanks...Phil

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,964

    As the problem appears to be resolved this topic has been archived.

    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
