Unsolved

July 3rd, 2005 17:00

Task manager disabled by admin caused by virus - hijack log in message body - Help Plz!

Logfile of HijackThis v1.99.1
Scan saved at 2:07:56 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\msiexec32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\PROGRA~1\Winferno\SECURE~1\SIEPulse.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\userint32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\dljcladf.exe
C:\Documents and Settings\Serena\My Documents\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Winferno\Secure IE\SecureIE.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [SIE2004] "C:\PROGRA~1\Winferno\SECURE~1\SIEPulse.exe"
O4 - HKLM\..\Run: [HPIJetSend] C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dljcladf] C:\WINDOWS\system32\dljcladf.exe
O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\MSConfig1.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Download File - C:\Program Files\Winferno\Secure IE\Scripts\AddToTransferQueue.htm
O8 - Extra context menu item: &Highlight - C:\Program Files\Winferno\Secure IE\Scripts\highlight.htm
O8 - Extra context menu item: Zoom &In - C:\Program Files\Winferno\Secure IE\Scripts\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\Program Files\Winferno\Secure IE\Scripts\zoomout.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: www.beagles-on-the-web.com
O15 - Trusted Zone: www.betwsi.com
O15 - Trusted Zone: www.bmgmusicservice.com
O15 - Trusted Zone: chaseonline.chase.com
O15 - Trusted Zone: www.computerjobs.com
O15 - Trusted Zone: q050-w5.coned.com
O15 - Trusted Zone: www.couponage.com
O15 - Trusted Zone: client.dbm.com
O15 - Trusted Zone: www.e-zpassny.com
O15 - Trusted Zone: cablevision.ebilling.com
O15 - Trusted Zone: msn.espn.go.com
O15 - Trusted Zone: www.killsometime.com
O15 - Trusted Zone: *.lakelandschools.us
O15 - Trusted Zone: www.livejournal.com
O15 - Trusted Zone: secure.mlb.com
O15 - Trusted Zone: *.mta.info
O15 - Trusted Zone: nyscc.newyorkjets.com
O15 - Trusted Zone: *.ny.us
O15 - Trusted Zone: www.nylottery.org
O15 - Trusted Zone: webmail.optonline.net
O15 - Trusted Zone: www.paypal.com
O15 - Trusted Zone: dictionary.reference.com
O15 - Trusted Zone: www.ridecatamountride.com
O15 - Trusted Zone: www.searsmastercard.com
O15 - Trusted Zone: www.sportsline.com
O15 - Trusted Zone: newyorkjets.stubhub.com
O15 - Trusted Zone: myaccount.verizonwireless.com
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Documents and Settings\Serena\My Documents\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

July 3rd, 2005 18:00

Hi and welcome,


Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.



Go to Add/Remove programs and remove(uninstall) the following, if present:

WinTools

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.



Download LSPFix and unzip to your desktop, then run it. Now, we need to:

1. check(tick) " I know what i'm doing".
2. click on (highlight) each occurrence of the following, one at a time:

calsp.dll

3. then click " >>", moving each one, individually, to the 'Remove' pane.
4. (double-check, and make sure that only the above files are in the 'Remove' pane.)
5. click " Finish >>"



Next, Open a command prompt by:

1. Clicking " Start", then " Run...".
2. Enter " cmd" ( without the quotes).
3. Enter " services.msc" ( without the quotes).

Now, locate and ' stop' the following services, if present:

WinTools for IE service (WinToolsSvc) owner ... ( C:\Program Files\Common Files\WinTools\WToolsS.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.



Run HiJackThis then:

1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"

Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:

C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\dljcladf.exe

Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.



Run HiJackThis and click " Scan", then check(tick) the following, if present:


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [dljcladf] C:\WINDOWS\system32\dljcladf.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
... (Unless you've restricted the use of registry editing, have HiJackThis fix this.)

O15 - Trusted Zone: www.beagles-on-the-web.com
O15 - Trusted Zone: www.betwsi.com
O15 - Trusted Zone: www.bmgmusicservice.com
O15 - Trusted Zone: chaseonline.chase.com
O15 - Trusted Zone: www.computerjobs.com
O15 - Trusted Zone: q050-w5.coned.com
O15 - Trusted Zone: www.couponage.com
O15 - Trusted Zone: client.dbm.com
O15 - Trusted Zone: www.e-zpassny.com
O15 - Trusted Zone: cablevision.ebilling.com
O15 - Trusted Zone: msn.espn.go.com
O15 - Trusted Zone: www.killsometime.com
O15 - Trusted Zone: *.lakelandschools.us
O15 - Trusted Zone: www.livejournal.com
O15 - Trusted Zone: secure.mlb.com
O15 - Trusted Zone: *.mta.info
O15 - Trusted Zone: nyscc.newyorkjets.com
O15 - Trusted Zone: *.ny.us
O15 - Trusted Zone: www.nylottery.org
O15 - Trusted Zone: webmail.optonline.net
O15 - Trusted Zone: www.paypal.com
O15 - Trusted Zone: dictionary.reference.com
O15 - Trusted Zone: www.ridecatamountride.com
O15 - Trusted Zone: www.searsmastercard.com
O15 - Trusted Zone: www.sportsline.com
O15 - Trusted Zone: newyorkjets.stubhub.com
O15 - Trusted Zone: myaccount.verizonwireless.com

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Now, with all windows closed except HiJackThis, click " Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...
C:\Program Files\Common Files\WinTools
C:\PROGRA~1\COMMON~1\WinTools

files...
C:\WINDOWS\system32\dljcladf.exe
c:\windows\system32\calsp.dll

Search for...

*.mta.inf
www.sea
www.spo

...using " Start | Search...".

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".



Reboot and post back a new log, and let me know how everything goes.
Steve
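The reply above works through the log section by section (R3 hooks with no file, the O10 Winsock LSP repeats, the O7 registry policy, the O23 service with an unknown owner). The following Python is an added example, not code from the thread or from HijackThis: it parses lines in the HijackThis v1.99.1 format and prints the same kind of triage hints an analyst would skim for. The sample log is a constructed excerpt of the lines posted above; the checks are hints to review, not verdicts (legitimate software, such as the McAfee service in the full log, also shows "Unknown owner").

```python
import re
from collections import Counter

# Constructed excerpt of HijackThis v1.99.1 output, in the line format shown in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [dljcladf] C:\WINDOWS\system32\dljcladf.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: www.paypal.com
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

# Every HijackThis line starts with a section code (R3, F2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

def parse(log):
    """Return a list of (section, body) tuples, skipping lines that are not log entries."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(entries):
    """Return (section, reason, detail) hints for an analyst to review; not verdicts."""
    findings = []
    lsp_files = Counter(body for sec, body in entries if sec == "O10")
    for sec, body in entries:
        if sec == "R3" and body.endswith("(no file)"):
            findings.append((sec, "URL search hook points to a missing file", body))
        elif sec == "F2" and body.startswith("REG:system.ini: Shell="):
            # The stock value is just Explorer.exe; anything appended loads at logon too.
            if body.split("=", 1)[1].strip().lower() != "explorer.exe":
                findings.append((sec, "Shell= value is not plain Explorer.exe", body))
        elif sec == "O7":
            findings.append((sec, "registry policy restriction present", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with unknown owner", body))
    for path, count in lsp_files.items():
        # The same unknown LSP file repeated means several layered Winsock entries.
        findings.append(("O10", f"unknown Winsock LSP file, {count} entries", path))
    return findings

if __name__ == "__main__":
    for sec, reason, detail in triage(parse(SAMPLE_LOG)):
        print(f"{sec}: {reason}: {detail}")
```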