[Potential Virus? Help would be appreciated.] -






Posted by: jdschof

Recently posted an issue concerning what appears to be a virus that prevents me from accessing personal web space on eBay, PayPal etc.

Ran many virus detections (McAfee, Avast, AVG) to try and locate and bin it - no joy to date.

Below is the current log of the registry - is there anything erroneous that could be causing the blockage?

Logfile of HijackThis v1.99.1
Scan saved at 21:56:56, on 21/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.google.co.uk/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://global.acer.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.google.co.uk/[/url]
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.EXE
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409[/url]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [url]http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab[/url]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - [url]http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - [url]http://www.bitdefender.com/scan/Msie/bitdefender.cab[/url]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - [url]http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab[/url]
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe



Posted by: Lobos

Hello jdschof



If you don't already have it, download, install and run [url=http://www.lavasoft.de/support/download/]AdAware SE Personal[/url].


Next, check for, and download any available updates:

1. click "[b][i]Check for updates now[/i][/b]".
2. Click "[b][i]Connect[/i][/b]".
3. If updates (definitions) are available click "[b][i]Ok[/i][/b]", otherwise, click "[b][i]Ok[/i][/b]".
4. Click "[b][i]Finish[/i][/b]".

-

Next, configure [b]AdAware[/b] to be as effective as possible:

1. Click the '[i]gear[/i]' in the upper-right hand corner of the [b]AdAware[/b] Window.
2. Click Scanning, and check (tick) the following:

[color=#336600]Scan within archives
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file[/color]

3. Click "[b][i]Tweak[/i][/b]".
4. Click "[b][i]Scanning Engine[/i][/b]", then check (tick) the following:

[color=#336600]Unload recognized processes & modules during scan[/color]

5. Click "[b][i]Cleaning Engine[/i][/b]", then check (tick) the following:

[color=#336600]Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring[/color]

6. Then click "[b][i]Proceed[/i][/b]"

-

Now, let [b]AdAware[/b] locate and remove anything it finds, by:

1. Click "[b][i]Start[/i][/b]".
2. Check (tick) "[b][i]perform full system scan[/i][/b]".
3. Click "[b][i]Next[/i][/b]".

-

Exit the program.

===============

Download, unzip to your desktop [url=http://www.intermute.com/spysubtract/cwshredder_download.html]CWShredder[/url] and run it, then:

1. Click "[b][i]Check For Update[/i][/b]" and make sure your version is 2.14

([i]If an update isn't available, skip to step #4.[/i])

2. Click "[b][i]Click here to Download the update[/i][/b]".
3. When the new version has been downloaded, click "[b][i]Save[/i][/b]".
4. Click "[b][i]Fix ->[/i][/b]"


===============

Go to [b]Add/Remove programs[/b] and remove(uninstall) the following, if present:

[b][color=#ff0000]iMesh[/color][/b]
[b][color=#ff0000]iMesh Ad Support[/color][/b]

The above could appear anywhere within the entry. Be careful not to remove any [i]personal[/i] or [i]system[/i] software.

===============

Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:

[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]iMeshBHO.dll[/color][/b]
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]IMESHBAR.DLL[/color][/b]

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Before we begin, let's move [b]HiJackThis[/b] to its own folder; like [b]c:\HJT[/b]. When we're done '[i]cleaning[/i]' off your system, we're going to '[i]flush[/i]' the temporary folders, which, with [b]HiJackThis[/b] [color=#ff0000][i]in its current location, means we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later[/i][/color].

Also move the "[b][i]Backups[/i][/b]" folder, for [b]HiJackThis[/b], if present.

===============

Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check (tick) the following, if present:


[color=#9933cc][b] O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll [/b][/color]
[color=#9933cc][b] O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL [/b][/color]
[color=#9933cc][b] O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) [/b][/color]

[color=#9933cc][b] O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL [/b][/color]

[color=#9933cc][b] O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP [/b][/color]

[color=#9933cc][b] O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm [/b][/color]
[color=#9933cc][b] O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm [/b][/color]

[color=#9933cc][b] O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE [/b][/color]


Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".

===============

Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:

[i]folders...[/i]

[b]C:\Program Files\[color=#ff0000]iMesh[/color][/b]
[b]C:\Program Files\[color=#ff0000]iMeshBar[/color][/b]
[b]C:\PROGRA~1\[color=#ff0000]DAP[/color][/b]

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".

===============

Post back a new log, and let me know how everything goes.

-

Lobos.



Posted by: jdschof

Hi Lobos, many thanks for your helpful advice, prior to your message I had actually removed imesh and Download Accelerator as I thought they could be to blame.

I have followed each and every step as you suggest and attached is the revised HiJack log; does this look any healthier?

Incidentally, I performed all the actions in safe mode; was this correct?

Regards
Makalu9999



Posted by: Lobos

Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check (tick) the following, if present:


[color=#9933cc][b] O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) [/b][/color]

[color=#9933cc][b] O4 - HKLM\..\Run: [msci] C:\DOCUME~1\David\LOCALS~1\Temp\2005426225525_mcinfo.exe /insfin [/b][/color]


Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".

===============

Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:

[i]files...[/i]

[b]C:\DOCUME~1\David\LOCALS~1\Temp\[color=#ff0000]2005426225525_mcinfo.exe[/color][/b]

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".

===============

Post back a new log, and let me know how everything goes.

How is your computer running?

-

Lobos.
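The two replies above apply the same hand rules to each HijackThis line: an O2/O3 entry ending in "(no file)" is a leftover that can simply be fixed; an O4 autostart that runs from a Temp directory is suspect; anything belonging to software the user has decided to remove (iMesh, Download Accelerator) is uninstalled first, then its entries fixed and folders deleted. The script below is an added example, written for this page and not part of the thread or of HijackThis itself; it parses log lines in the format shown above and applies those rules, plus one extra check a practitioner wants: an O4 Run value whose command has no path (like [adiras] adiras.exe) is resolved through the search path, so the script asks you to confirm which file actually runs rather than judging it. The verdict names, TEMP_MARKERS and the blocklist are my own conventions; the sample lines are copied from the logs posted in the thread.

```python
import re
from dataclasses import dataclass

# Added example (not from the thread or HijackThis): triage HijackThis lines
# with the rules the replies apply by hand.

# "O2 - BHO: ..." / "O4 - HKLM\..\Run: [name] cmd" / "R0 - HKCU\...".
LINE_RE = re.compile(r"^(?P<code>O\d+|R\d) - (?P<body>.*)$")
# O4 autostart body: "HKLM\..\Run: [name] command" (RunOnce shares the shape).
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Substrings marking a per-user temp directory on Windows XP (8.3 and long forms).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


@dataclass
class Finding:
    line: str     # the HijackThis line as logged
    code: str     # HijackThis section code, e.g. O2, O3, O4
    verdict: str  # orphaned | suspicious | unwanted | unqualified
    reason: str


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_lines, blocklist=()):
    """Classify HijackThis lines. blocklist: names of software the user has
    chosen to remove (e.g. "iMesh", "DAP"), matched case-insensitively."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no entries
        code, body = m.group("code"), m.group("body")
        low = body.lower()
        if body.endswith("(no file)"):
            findings.append(Finding(line, code, "orphaned",
                "entry points at a file that no longer exists; safe to fix"))
        elif any(marker in low for marker in TEMP_MARKERS):
            findings.append(Finding(line, code, "suspicious",
                "loads or autostarts from a temporary directory"))
        elif (hit := next((b for b in blocklist if b.lower() in low), None)):
            findings.append(Finding(line, code, "unwanted",
                f"belongs to {hit}; uninstall it first, then fix the entry"))
        elif code == "O4" and (rm := RUN_RE.match(body)):
            exe = first_token(rm.group("cmd"))
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding(line, code, "unqualified",
                    f"{exe!r} has no path and is found via the search path; "
                    "confirm which file actually runs"))
    return findings


# Sample lines copied from the logs posted in this thread (constructed input).
SAMPLE_LOG = r"""
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\David\LOCALS~1\Temp\2005426225525_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
"""

BLOCKLIST = ("iMesh", "DAP")  # what the poster chose to remove (assumption)


def triage_sample():
    return triage(SAMPLE_LOG.splitlines(), BLOCKLIST)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.verdict:>11}] {f.code}: {f.reason}\n              {f.line}")
```

Run against the sample it reports seven findings: the three iMesh/DAP entries as unwanted, the two "(no file)" entries as orphaned, the Temp\...mcinfo.exe autostart as suspicious, and [adiras] adiras.exe as unqualified; the Acrobat BHO and the quoted Messenger entry produce nothing. The ordering of the checks matters: the "(no file)" test comes first so an orphaned entry is never reported as unwanted, and the blocklist is a user decision, not a malware signature, which is why the script takes it as an argument rather than shipping one.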



Posted by: Warez Monster

Remove entries at your own risk

O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll Entries found in this registry zone are potentially nasty. This application ([00000000-6CB0-410C-8C3D-8FA8D2011D0A] - Result: 00000000-6CB0-410C-8C3D-8FA8D2011D0A) has been checked Must be fixed!

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) Unnecessary (deactivated) entry that can be fixed.

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE This entry should be fixed by HijackThis!

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url] This entry is possibly nasty. Should be fixed.