Thread: PROBLEM - CAN YOU HELP?
View Single Post
  #1  
Old 01-29-2005, 12:09 PM
fatmanstratman fatmanstratman is offline
Junior Member
  
Join Date: Jan 2005
Posts: 4
Hi,

I'm a newbie here so if I screw up please forgive me!

I'm using SpyBot, Adaware SE, SpywareGuard, VX2 Finder, PC BugDoctor etc. etc., but I just can't seem to shake off some really annoying malware.

I have run Adaware 100's of times, but although it identifies the malware (usually VX2's in the form of 3 or 4 *.dll files + an annoying thing called 'Guard.tmp' and 'Status.MPF') it just can't kill 'em! New malware *.dll files appear each time I reboot, and every time I delete the annoying 'Status.MPF' (found in WINNT\SYSTEM32) it regenerates itself. I'm running Windows 2000.

I've tried everything but I'm having to turn to you guys for help if that's ok.

Here's my HijackThis scan from earlier today:

Logfile of HijackThis v1.99.0
Scan saved at 17:06:27, on 29/01/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\McAFEE\PERSON~1\MPFSERVICE.exe
C:\Kodak Digital Camera\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\loadqm.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Digicam\ulead photo explorer 7.0\Monitor.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\UMonit2K.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I0F2. EXE
C:\WINNT\System32\keyhook.exe
C:\McAFEE\PERSON~1\MpfTray.exe
C:\Documents and Settings\Application Data\soae.exe
C:\McAFEE\PERSON~1\MpfAgent.exe
C:\Documents and Settings\Application Data\My-disgo\MyKey disgo.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
C:\Kodak Digital Camera\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINNT\explorer.exe
C:\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Digicam\ulead photo explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [UMonit2K.exe] "C:\WINNT\System32\UMonit2K.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I0F2. EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [MPFExe] C:\McAFEE\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [Aoss] C:\Documents and Settings\Application Data\soae.exe
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Application Data\My-disgo\MyKey disgo.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak Digital Camera\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O12 - Plugin for .pl: C:\Program Files\Internet Explorer\PLUGINS\NPSibelius.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5E8690-26C9-4B53-B6FD-36089FFA3FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\McAFEE\PERSON~1\MPFSERVICE.exe
O23 - Service: ptssvc - KODAK - C:\Kodak Digital Camera\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\javaxk.exe (file missing)

Having read through a few other threads, I have taken the precaution of downloading KillBox and DllCompare, but haven't used them as yet. I think I would sooner follow your guidance if that's ok!

Cheers,

Fatman