IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status
Not open for further replies.
#1 · Discussion Starter · Registered · 15 Posts
Logfile of HijackThis v1.99.0
Scan saved at 6:13:50 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AdStatus Service\AdStatServ.exe
C:\Program Files\AdStatus Service\AdStatKeep.exe
C:\Temp\salm.exe
C:\temp\CXTPLS~1.EXE
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099265423640
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

:(

Can anyone help?
 

#2 · Registered · 49,014 Posts

Add/Remove Programs - remove:
AdStatus
Bulls Eye
Web Rebates

CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows, open cwshredder.exe, then click "Fix" and let it run.

Print this and boot to safe mode – use HJT to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", click "Apply", then "OK".

Delete these files
C:\WINDOWS\zeta.exe
C:\WINDOWS\System32\msbe.dll

Delete these folders
C:\Program Files\Web_Rebates
C:\Program Files\BullsEye Network
C:\Program Files\AdStatus Service

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
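The helper's fix list above is built by reading the log by hand: the R0/R1 lines show where the browser's Start/Default/Local pages were redirected, and the O4/O23 lines and the running-process list show what is launching from Temp or from the bare Windows directory. The following script is an added example, written for this editing pass and not part of the thread or of HijackThis itself; it parses those log line shapes and applies the same triage heuristics the helper applied by eye. The trusted-host set and the heuristics are assumptions of the example, and the sample log is a constructed subset of the lines posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed subset of the line shapes posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Temp\salm.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

# Line shapes: "R0 - <key>,<value> = <url>", "O4 - HKLM\..\Run: [name] <command>",
# "O23 - Service: <name> - <vendor> - <path>".
R_LINE = re.compile(r'^(R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$')
O4_LINE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O23_LINE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
# First drive-rooted path ending in an executable extension; quotes are optional,
# so unquoted paths containing spaces ("C:\Program Files\...") are still caught.
EXE_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr))"?', re.I)


def parse_hjt(text):
    """Return a list of (section, fields) tuples; section 'PROC' is a running process."""
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the running-process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            entries.append(("PROC", {"path": line}))
            continue
        m = R_LINE.match(line)
        if m:
            entries.append((m.group(1), m.groupdict()))
            continue
        m = O4_LINE.match(line)
        if m:
            d = m.groupdict()
            pm = EXE_PATH.search(d["cmd"])
            d["path"] = pm.group("path") if pm else d["cmd"]
            entries.append(("O4", d))
            continue
        m = O23_LINE.match(line)
        if m:
            entries.append(("O23", m.groupdict()))
    return entries


def path_reasons(path):
    """Heuristic reasons (assumed by this example) why an autorun path deserves a look."""
    p = path.lower().replace("/", "\\")
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    parent, _, _ = p.rpartition("\\")
    if parent in ("c:\\windows", "c:\\winnt"):
        reasons.append("executable dropped directly in the Windows directory")
    return reasons


def triage(text, trusted_hosts):
    """Flag redirected browser pages and autoruns/processes in odd locations.

    trusted_hosts: set of hostnames the R0/R1 pages are expected to point at.
    """
    findings = []
    for section, d in parse_hjt(text):
        if section in ("R0", "R1"):
            host = urlparse(d["url"]).hostname or d["url"]
            if host not in trusted_hosts:
                findings.append((section, d["value"], f"browser page points at {host}"))
            continue
        path = d.get("path")
        if not path:
            continue
        reasons = path_reasons(path)
        # "Unknown" vendor alone is a weak signal (the McShield service shows it too),
        # so it only strengthens a finding that the path already produced.
        if section == "O23" and d["vendor"] == "Unknown" and reasons:
            reasons.append("service vendor reported as Unknown")
        for r in reasons:
            findings.append((section, path, r))
    return findings


if __name__ == "__main__":
    # "www.msn.com" is a hypothetical expected homepage for the sample machine.
    for section, item, reason in triage(SAMPLE_LOG, {"www.msn.com"}):
        print(f"{section:4} {item} -> {reason}")
```

On the sample log this flags the two klikfeed.com page redirects, salm.exe running from C:\Temp, the RunOnce entry in the user's Temp folder, and the ZESOFT service in C:\WINDOWS, while leaving the McAfee entries alone. Adware installed into its own Program Files folder (AdStatus, BullsEye, Web Rebates) is not caught by location heuristics, which is why the helper's name-based removal list still matters.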
 

#3 · Discussion Starter · Registered · 15 Posts
Logfile of HijackThis v1.99.0
Scan saved at 10:24:07 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099265423640
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

____________________

C:\WINDOWS\System32\msbe.dll - unable to find and delete this file, even though I am viewing all files

There was also a file in my temp folder that was oddly named that wouldn't delete because it was 'in use'; however, it's gone now.

Now there are
Bargains.exe
cxtpls_loader_ff.exe
optimize.exe
salm.exe
and WebRebates_CDT_InstallSilent.exe

"Adstatus Service" has also reappeared in the program files but not the others.
 

#4 · Registered · 45,855 Posts
Can you check and fix these again in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine

Then go to Internet Options > Programs tab and select "reset web settings".

Reboot. If those entries return, please do the following. Install, UPDATE, and run a full Ad-Aware SE scan and include the VX2 plugin. Have it delete all it targets.

Then run Startdreck following the instructions below and upload the log as an attachment along with a new HijackThis scanlog.

Ad-Aware Home Page

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe
The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

http://www.niksoft.at/_data/startdreck.zip

Instructions:

Run StartDreck.exe. Click 'Config'. In addition to the default checks, include the following:

Under 'Registry' - All registry options
Under 'System/Drivers' - Running Processes and List Modules
Click 'OK'. Now, back on the main screen, click the 'Save' button > Give it a name and click 'Save' > locate it and launch it.

Upload the log as an attachment.
 

#5 · Registered · 1 Posts

I got this when I went to a web site. It's in the temp file folder. It did have a few more related files; I deleted them, but I can't get rid of this one. I have tried just deleting them from my C drive, no luck. Any ideas?
 