IObit Forum

Any help here would be greatly appreciated! - Whitley


whitley abbey


Posted

IObit Security 360

 

Over the last few days my PC froze. I did a thorough scan and found I had a backdoor trojan which denied all attempts at removal. Only IObit 360 can find the trojan, and I am now suspecting a false positive, and that the freezing was caused by something else.

 

 

OS:Windows XP

Version:1.3.0.10

Define Version:1313

Time Elapsed:00:03:51

Objects Scanned:47471

Threats Found:11

 

|Name|Type|Description|ID|
|---|---|---|---|
|Backdoor.Trojan - Removed|Registry Key|HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan - Removed|Registry Key|HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|

Posted

Hi whitley abbey,

 

I am pretty sure that {43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} is related to a backdoor.

 

Use a rootkit remover software.

 

There were 11 threats found; what were the others?

 

It would be useful if you supplied a HijackThis report.

 

Cheers

Posted

One or two things I don't understand. "It will be useful if you supply HijackThis report": what does this mean? And "Use a rootkit remover software": what is this and where would I find it? I am afraid this is all new to me. Up until now, I have never had a virus, trojan etc. take hold of my current PC, so I have never had to deal with it. I suppose I have been lucky.

 

 

I have just rerun the scan, here are the results, slightly different as two of the original 11 have been cured:

 

 

IObit Security 360

 

OS:Windows XP

Version:1.3.0.10

Define Version:1313

Time Elapsed:00:02:37

Objects Scanned:47810

Threats Found:9

 

|Name|Type|Description|ID|
|---|---|---|---|
|Spyware.Agent|Folder|C:\WINDOWS\system32\lowsec|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\local.ds|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\user.ds|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\user.ds.lll|3-2256|
|Backdoor.Trojan|Registry Key|HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan|Registry Key|HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan|Registry Key|HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|
|Backdoor.Trojan|Registry Key|HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|
|Trojan.Win32/Agent|Registry Value|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID|4-24156|
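The two reports in this thread so far (the first pasted with only two of its eleven rows, both marked "Removed"; the second with all nine detections) are worth diffing mechanically rather than by eye. The Python below is an added example, not code from the thread or from IObit: it parses the report layout as pasted here (comma-separated Name, Type, Description, ID, with an optional " - Removed" status appended to the name), checks that the number of pasted rows matches the "Threats Found" header, and reports which artifacts marked "Removed" in an earlier scan are present again in a later one. Matching artifacts on signature id plus the last path component is my assumption, chosen so that the same CLSID key reported under HKEY_CURRENT_USER in the first scan and under HKEY_USERS\S-1-5-18 in the second counts as one artifact.

```python
"""Parse IObit Security 360 scan reports as pasted in this thread and compare
two scans, so that detections reported 'Removed' but present again later stand
out. Added example; the report layout is taken from the posts above."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str       # e.g. "Backdoor.Trojan"
    status: str     # "Removed" when the report says so, else "Detected"
    kind: str       # Registry Key, Registry Value, File, Folder
    location: str   # registry path or file system path
    threat_id: str  # IS360 signature id, e.g. "5-3057"

    def key(self):
        # Assumption: signature id + last path component identifies one
        # artifact, so a CLSID key seen under HKEY_CURRENT_USER in one scan
        # and under HKEY_USERS\S-1-5-18 in the next is matched as the same.
        return (self.threat_id, self.location.rsplit("\\", 1)[-1])


def parse_report(text):
    """Return (metadata dict, list of Detection) from one pasted report."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("|"):       # blank line or table header
            continue
        parts = line.split(", ", 3)                 # Name, Type, Description, ID
        if len(parts) == 4:
            name, kind, location, threat_id = parts
            status = "Detected"
            if " - " in name:                       # "Backdoor.Trojan - Removed"
                name, status = name.split(" - ", 1)
            detections.append(Detection(name, status, kind, location, threat_id))
        elif ":" in line:                           # "Threats Found:9" and friends
            k, v = line.split(":", 1)
            meta[k.strip()] = v.strip()
    return meta, detections


def report_is_complete(meta, detections):
    """True when the pasted rows account for every threat the header counts."""
    return int(meta.get("Threats Found", "0")) == len(detections)


def summarize(detections):
    """Count detections per threat name."""
    return dict(Counter(d.name for d in detections))


def compare_scans(earlier, later):
    """Classify artifacts across two scans by their key()."""
    earlier_by_key = {d.key(): d for d in earlier}
    later_keys = {d.key() for d in later}
    reappeared = sorted(k for k in later_keys
                        if k in earlier_by_key and earlier_by_key[k].status == "Removed")
    new = sorted(k for k in later_keys if k not in earlier_by_key)
    cleared = sorted(k for k in earlier_by_key if k not in later_keys)
    return {"reappeared": reappeared, "new": new, "cleared": cleared}


# Sample input: the two reports from the posts above (the first was pasted
# with only two of its eleven rows).
FIRST_SCAN = r"""
OS:Windows XP
Version:1.3.0.10
Threats Found:11
|Name|Type|Description|ID|
Backdoor.Trojan - Removed, Registry Key, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan - Removed, Registry Key, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
"""

SECOND_SCAN = r"""
OS:Windows XP
Version:1.3.0.10
Threats Found:9
|Name|Type|Description|ID|
Spyware.Agent, Folder, C:\WINDOWS\system32\lowsec, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\local.ds, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\user.ds, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\user.ds.lll, 3-2256
Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
Trojan.Win32/Agent, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID, 4-24156
"""

if __name__ == "__main__":
    meta1, first = parse_report(FIRST_SCAN)
    meta2, second = parse_report(SECOND_SCAN)
    print("first paste complete:", report_is_complete(meta1, first))
    print("second paste complete:", report_is_complete(meta2, second))
    print("by name:", summarize(second))
    for label, keys in compare_scans(first, second).items():
        print(f"{label}: {len(keys)}")
```

The completeness check flags that the first paste accounts for only 2 of 11 threats, which is why the reply asking "what were the others?" is the right question. The comparison shows both "Removed" registry keys back in the next scan: a removal that does not hold on the following scan is the signal to watch, whatever its cause, and it is more useful to a helper than the raw lists.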

Posted

Hi Whitley Abbey!

 

There is definite infection in your machine. Located in the tools section of Iobit 360 you will find Hijack scan. Run it and save the log... then copy and paste it onto your next post. This will be most helpful!:smile:

 

-Mel

Posted

Thanks for the help Melvin, here is a copy of the hijack log.

 

 

 

Logfile of IObit HijackScan v0.2.0.0

Scan saved at 19:13:28, on 2010-1-23

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\McAfee\MSC\mcmscsvc.exe

c:\Program Files\COMMON~1\mcafee\mna\mcnasvc.exe

c:\Program Files\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\WINDOWS\system32\Mixer.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\ie7\iexplore.exe

C:\Program Files\Yahoo!\browser\ycommon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll

O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll

O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F}SysReqLabNVD.Detection.1 -

O23 - Service: ATK Keyboard Service - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: Google Software Updater - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent - McAfee, Inc. - c:\Program Files\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service - McAfee, Inc. - c:\Program Files\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: ForceWare IP service - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Posted

How long?

 

How long have you had this machine? Did the McAfee anti-virus come pre loaded?

 

To start I recommend you use the free Revo Uninstaller to remove all of your toolbars; find it here... click the advanced option upon uninstall to make sure and remove the leftover traces.

http://www.revouninstaller.com/revo_uninstaller_free_download.html

 

You will find the free one on the left side of the page after scrolling down!

 

Uninstall all of the toolbars using the advanced option.

 

Then run Advanced SystemCare to repair your registry.

 

 

How long has it been since your McAfee was updated?

Posted

The hard drive is the oldest thing on my PC; I replaced the motherboard, processor, video card and most of the other hardware about a year ago. I used to have Norton Symantec before that.

 

I have had McAfee for a little under a year; it comes as part of my broadband package and I have no choice, as it is the only one that is compatible with BT Yahoo. I am not happy about it, but I have little choice at the moment. McAfee is updated automatically every time an update is available, so in theory I ought to be properly protected. I did try to update manually yesterday, but was told I had the latest updates installed.

 

I am off to download revo now. Let us hope it works. Thanks for the help.

Posted

Revo downloaded and toolbars cleaned no problem

 

Ran Advanced SystemCare and, while at the registry checking stage, I got a BSOD and had to reboot. The BSOD said that I might have to remove any hardware I recently installed or check Windows for updated drivers.

 

After reboot, I ran ASC, then ran IObit security and got this report:

 

IObit Security 360

 

OS:Windows XP

Version:1.3.0.10

Define Version:1313

Time Elapsed:00:04:59

Objects Scanned:47444

Threats Found:9

 

|Name|Type|Description|ID|
|---|---|---|---|
|Spyware.Agent|Folder|C:\WINDOWS\system32\lowsec|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\local.ds|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\user.ds|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\user.ds.lll|3-2256|
|Backdoor.Trojan|Registry Key|HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan|Registry Key|HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan|Registry Key|HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|
|Backdoor.Trojan|Registry Key|HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|
|Trojan.Win32/Agent|Registry Value|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID|4-24156|

Posted

Hi whitley!

 

I must draw the attention of some others to this! Be very careful and move slow. Do you have a backup stand alone hard drive?

 

Also what version of windows are you running?

Posted

I believe Enoskype's advice is correct!

 

I cannot advise you here. This is a deep infection. I have brought this matter to another forum leader's attention who is here right now. Enoskype isn't (it's late where he is).

 

It's also late where Solbjerg is, but not quite so late, and he is here.

 

Please advise what version of windows and your hardware!!

Posted

No I don't have a back up hard drive. I have been looking at either buying an external HD for back up purposes and/or buying a new internal HD and installing Windows 7. I currently use Windows XP Home.

 

Had this problem not occurred, I was going to see what is available locally today. I think it is called Sod's law :-(

Posted

Or Murphy's law.

 

What can go wrong will go wrong... not to fret! I'm just not familiar with this, but others are here! We will learn together!

 

Meanwhile can you run and post another logfile of your system after toolbar uninstalls? I don't think it will help in this case, but it might.:-|

 

Thanks!! -Mel

Posted

Sorry for being a bit thick, being tired doesn't help either (nearly 22:30 in the UK and I was up at 05:00 this morning), but which logfile do you want me to upload, the one after a hijack scan? If so:

 

Logfile of IObit HijackScan v1.0.0.0

Scan saved at 22:19:3, on 2010-1-23

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\WINDOWS\system32\Mixer.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\system32\rundll32.exe

c:\Program Files\COMMON~1\mcafee\mna\mcnasvc.exe

c:\Program Files\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\Yahoo!\browser\ycommon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F}SysReqLabNVD.Detection.1 -

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) (ForceWare Intelligent Application Manager (IAM)) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee SiteAdvisor Service (McAfee SiteAdvisor Service) - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\Program Files\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\Program Files\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: YPCService (YPCService) - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

 

[edit] I have just noticed that I still have a toolbar that I missed, the McAfee SiteAdvisor Toolbar and the Ask toolbar, I am sure I did uninstall that one.

Posted

Hi Whitley

 

I know you want a solution. I can't provide it in this case. I don't think you are limited to McAfee though... no matter what they say!

 

Soon somebody else will post I'm sure!:grin:

Posted

Hi Whitley

 

The new scan of your machine looks much better. On the remaining toolbar entries there is an option to fix checked in the IObit 360 scan. I would do this. The infection remains though... it appears we will have to wait for somebody on this, get some sleep... don't think your machine is gonna crash. If you do decide to rest... go ahead and shut it down then reboot it when you want to see if a solution/resolution has been found.

 

Wish I was more helpful in this case!!

 

Sincerely -Mel

Posted

Mel,

 

I have done as you suggested and checked and fixed the two toolbar entries. I am going to shut down for the night now.

 

Just because the problem isn't yet fixed does not mean progress hasn't been made. Every step taken is a step closer to a resolution. You have been a great help and I appreciate it very much, thank you.

Posted

Any help here would be greatly appreciated! - Whitley

 

Whitley has an infection that I know not how to help with. The original post is in a place we don't look too often... thus I'm creating this thread on Whitley's behalf:

Posted

The email system does not work with other security, which is why I have to have McAfee, or I have to disable the firewall when using email and I am not prepared to do that. I think all BT Yahoo customers have this problem. It has worked well up until now. This is the first serious infection I have had since I started to use the internet 10 years ago, so can't complain too much.

Posted

Hi there again,

 

Which Service Pack version are you using on your XP?

You can check this by right clicking on My Computer icon and clicking Properties.

 

-If you are not using SP3, please update to Service Pack 3 (XP SP3).

 

-Uninstall Ask Bar.

 

-Fix the below lines:

 

O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

 

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

 

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

 

-You are still using IS360 1.30, please download and install IS360 1.40, and update the database.

 

-Full scan the PC, and post the report again and also the HijackThis report.

 

Cheers.
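Enoskype's "fix the below lines" picks three entries out of a log of dozens by the directory they load from. As an added example (not code from the thread, from IObit, or from the HijackThis project), the following Python parses HijackScan/HijackThis-style O2, O3, O4 and O23 lines, in the formats they take in the logs above, into records and answers two triage questions over a constructed subset of that log: which entries load from a given directory, and which services carry an "Unknown" vendor field. It decides nothing about what is malicious; it only makes the log queryable so a reviewer can ask precise questions of it.

```python
"""Parse IObit HijackScan / HijackThis-style log lines (O2, O3, O4, O23) into
records and run the triage questions from this thread over them. Added
example; the line formats are those of the logs pasted above."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    section: str  # O2, O3, O4, O23
    name: str     # BHO / toolbar display name, Run value name, or service name
    ident: str    # CLSID, Run key, or service short name ("" if not given)
    vendor: str   # O23 only; "" elsewhere
    path: str     # DLL path, command line, or service binary


_O4 = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")
_SHORT_NAME = re.compile(r"^(.*) \(([^()]*)\)$")   # "Name (ShortName)"


def parse_entry(line):
    """Return an Entry for a recognised O-line, or None for anything else."""
    line = line.strip()
    if line.startswith(("O2 - BHO: ", "O3 - Toolbar: ")):
        section, rest = line.split(" - ", 1)
        rest = rest.split(": ", 1)[1]               # drop "BHO: " / "Toolbar: "
        name, clsid, path = rest.rsplit(" - ", 2)
        return Entry(section, name, clsid, "", path)
    if line.startswith("O4 - "):
        m = _O4.match(line)
        if m:
            # v1.0 logs write "HKLM|\Software\...\Run\"; normalise to a key.
            key = m.group(1).replace("|", "").rstrip("\\")
            return Entry("O4", m.group(2), key, "", m.group(3))
    if line.startswith("O23 - Service: "):
        name, vendor, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
        short = ""
        m = _SHORT_NAME.match(name)
        if m:
            name, short = m.group(1), m.group(2)
        return Entry("O23", name, short, vendor, path)
    return None


def parse_hijack_log(text):
    """Parse a whole log; process-list lines and headers are skipped."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def entries_under(entries, directory):
    """Entries whose binary lives under `directory` (case-insensitive).
    This is how the three Ask lines in the reply above are picked out."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path.lstrip('"').lower().startswith(prefix)]


def unknown_vendor_services(entries):
    """O23 services whose vendor field the scanner could not fill in."""
    return [e for e in entries if e.section == "O23" and e.vendor == "Unknown"]


def section_counts(entries):
    return Counter(e.section for e in entries)


# Sample input: a subset of the log posted above (constructed for the example).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O23 - Service: ForceWare Intelligent Application Manager (IAM) (ForceWare Intelligent Application Manager (IAM)) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
"""

if __name__ == "__main__":
    entries = parse_hijack_log(SAMPLE_LOG)
    print(dict(section_counts(entries)))
    for e in entries_under(entries, r"C:\Program Files\AskSBar"):
        print("under AskSBar:", e.section, e.name, e.ident)
    for e in unknown_vendor_services(entries):
        print("unknown vendor:", e.name, e.path)
```

Note that the two Ask CLSIDs differ between the O2 and O3 lines ({F0D4B231-...} versus {F0D4B239-...}), so selecting by the directory the DLL loads from is more robust than selecting by CLSID. The "Unknown" vendor query surfaces the two ForceWare services; an unknown vendor is a prompt to verify the binary against the product that installed it, not a verdict.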

Posted

Hi Whitley!

 

The Hijackthis software that Enoskype refers to at the end of his post is free and you can find it here: http://free.antivirus.com/hijackthis/ Get the one on the right side... not the beta!

 

The service pack is available from windows for free. (Service pack SP3 for XP) if you don't have it already. (I think this is what Enoskype refers to... that you are possibly running XP without the most important service pack)

 

-Mel

Posted

Thanks Enoskype!

 

Thanks for the thread consolidation!! The snap of Whitley's scan reveals an even earlier version than 1.3. I will try to pay more attention to this and not get lost in the details so readily...

 

 

 

EDIT:

IObit Security 360

 

OS:Windows XP

Version:1.3.0.10

Define Version:1313

Time Elapsed:00:02:37

Objects Scanned:47810

Threats Found:9

 

Posted

OK, so this morning I have installed the latest version of IObit security 360 and installed XP service pack 3.

 

I have scanned my system using the newest version and here are the results:

 

IObit Security 360

 

OS:Windows XP

Version:1.4.0.11

Define Version:1313

Time Elapsed:00:05:43

Objects Scanned:47446

Threats Found:9

 

|Name|Type|Description|ID|
|---|---|---|---|
|Spyware.Agent|Folder|C:\WINDOWS\system32\lowsec|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\local.ds|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\user.ds|3-2256|
|Spyware.Agent|File|C:\WINDOWS\system32\lowsec\user.ds.lll|3-2256|
|Backdoor.Trojan|Registry Key|HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan|Registry Key|HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}|5-3057|
|Backdoor.Trojan|Registry Key|HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|
|Backdoor.Trojan|Registry Key|HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}|5-8642|
|Trojan.Win32/Agent|Registry Value|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID|4-24156|

 

-------------------------------------------------------------------------

 

Logfile of IObit HijackScan v1.0.0.0

Scan saved at 9:49:31, on 2010-1-24

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\McAfee\MSC\mcmscsvc.exe

c:\Program Files\COMMON~1\mcafee\mna\mcnasvc.exe

c:\Program Files\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\mcafee.com\agent\mcagent.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\WINDOWS\system32\Mixer.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F}SysReqLabNVD.Detection.1 -

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) (ForceWare Intelligent Application Manager (IAM)) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee SiteAdvisor Service (McAfee SiteAdvisor Service) - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\Program Files\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\Program Files\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: YPCService (YPCService) - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

Not sure why there is a smilie in one of the 023 entries.

Posted

Please go to THIS webpage and follow the instructions for using ZbotKiller.exe.

 

You should be aware that that particular infection passes on any information it can find on your system concerning passwords, bank details etc. So, if you haven't already done so, find a known clean system and change all passwords.

 

Please go For Malware Removal Help

 

Also get help from HERE.

 

Use Bit Defender and let it delete the files.

 

Please give us feedback.

 

Cheers.

Posted
Please go to THIS webpage and follow the instructions for using ZbotKiller.exe.

 

You should be aware that that particular infection passes on any information it can find on your system concerning passwords, bank details etc. So, if you haven't already done so, find a known clean system and change all passwords.

 

Please go For Malware Removal Help

 

Also get help from HERE.

 

Please give us feedback.

 

Use Bit Defender and let it delete the files.

 

 

Cheers.

 

 

 

As far as I know, I have done as you suggested. Installed ZbotKiller and ran it. I ran IObit security again and still had the backdoor trojan.

 

Below are the two logs, the first from IObit and the second from ZbotKiller. I ran the ZbotKiller first.

 

 

IObit Security 360

 

OS:Windows XP

Version:1.4.0.11

Define Version:1314

Time Elapsed:00:05:33

Objects Scanned:47455

Threats Found:6

 

|Name|Type|Description|ID|

Spyware.Agent, Folder, C:\WINDOWS\system32\lowsec, 3-2256

Spyware.Agent, File, C:\WINDOWS\system32\lowsec\user.ds.lll, 3-2256

Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057

Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057

Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642

Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642

 

-============================================================================================================-

 

Trojan-Spy.Win32.ZBot removing tool, Kaspersky Lab 2009

version 1.1.1 Nov 25 2009 08:36:58

Scanning Threads ...

 

Scanning Hooks ...

 

Scanning Files ...

 

 

Completed

Results:

Infected files: 0

Infected threads: 0

Hooked imports: 78

Deleted files: 0

Fixed registry keys: 0

Press any key to continue . . .
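The two IObit reports above, parsed and compared as an added example (this is not code from the thread or from IObit): it keys each result on type and description, lists what the ZbotKiller run removed and what survived, and folds the HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 entries together, since both names refer to the LocalSystem profile hive and the same key is therefore reported twice. The sample input is copied from the two scan results posted above.

```python
# Result lines copied from the two IObit Security 360 reports posted in this thread.
BEFORE = r"""
Spyware.Agent, Folder, C:\WINDOWS\system32\lowsec, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\local.ds, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\user.ds, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\user.ds.lll, 3-2256
Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
Trojan.Win32/Agent, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID, 4-24156
"""
AFTER = r"""
Spyware.Agent, Folder, C:\WINDOWS\system32\lowsec, 3-2256
Spyware.Agent, File, C:\WINDOWS\system32\lowsec\user.ds.lll, 3-2256
Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-3057
Backdoor.Trojan, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
Backdoor.Trojan, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658}, 5-8642
"""

def parse(report):
    items = []  # one (name, type, description, id) tuple per "Name, Type, Description, ID" line
    for line in report.strip().splitlines():
        name, kind, rest = line.split(", ", 2)
        desc, sig_id = rest.rsplit(", ", 1)  # the description itself never contains ", "
        items.append((name, kind, desc, sig_id))
    return items

def diff_scans(before, after):
    # Key on (type, description) so a re-classified artifact still matches its earlier entry.
    b = {(i[1], i[2]): i for i in parse(before)}
    a = {(i[1], i[2]): i for i in parse(after)}
    return {"removed": sorted(b[k] for k in b.keys() - a.keys()),
            "persisted": sorted(a[k] for k in b.keys() & a.keys()),
            "added": sorted(a[k] for k in a.keys() - b.keys())}

def distinct_registry_keys(items):
    # HKEY_USERS\.DEFAULT is the LocalSystem (S-1-5-18) profile hive, so the scanner
    # reports each key under it twice; fold the two spellings before counting.
    keys = set()
    for _, kind, desc, _ in items:
        if kind == "Registry Key":
            keys.add(desc.replace("HKEY_USERS\\.DEFAULT\\", "HKEY_USERS\\S-1-5-18\\"))
    return keys

if __name__ == "__main__":
    result = diff_scans(BEFORE, AFTER)
    for state, items in result.items():
        print(f"{state}: {len(items)}", *[f"  {i[1]}: {i[2]}" for i in items], sep="\n")
    print("distinct registry keys persisting:", len(distinct_registry_keys(result["persisted"])))
```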

Posted
Hi whitley. You will do well to listen to enoskype first. His last post is excellent. Do what he suggests and then you can try what others are telling you. Is someone getting the message I'm trying to make known??? Back off someone!!!!!!!!!!!!!! PS I'm sorry but I speak what's on my mind.----GB

 

Okie, I have no idea what you mean. I have done exactly what enoskype has suggested and left feedback. Unless I have seriously misunderstood what he said.

 

The 'cure' didn't seem to work for me.

Archived

This topic is now archived and is closed to further replies.
